News

May 28, 2020

3D Secure Authentication



by Parul Sharma, Senior Director at LexisNexis Risk Solutions

Maximizing protection and conversion during these unprecedented time of uncertainty

Per Due Inc.1, the projection for eCommerce sales was to reach $632 billion by 2020, increasing online fraudsters' incentives to innovate their tactics.1 As people continue to stay home and transact more on a digital level during lockdown, we expect the projected numbers will further increase.

It is logical to expect new digital identities and also expect increase in transactional volume for existing digital identities. This creates more opportunities for fraudsters to blend into the new trends. If more action isn't taken, it is projected that CNP fraud losses by banks and other merchants in the United States could total more than $12 billion by 2020.2

These numbers above indicate the need to get secure transactions and keep fraudsters at bay. In this article we will learn more about risk-based workflows with or without 3DS.

What is 3DS?

3DS or 3D-Secure is a secure protocol designed to ensure enhanced security and stronger authentication for customers when they use their debit or credit cards for online purchases.

Benefits for merchants include reduced fraud risk and a shift in fraud liability from merchant to issuer. Version 1 of the 3DS protocol was developed in 1999 and as technology evolved, shortcomings in the protocol became apparent. 3DS 2.x was developed to address the 1.x shortcomings, and contains developments that includes additional contextualized data (100+ fields) that can be supplied by the merchant to the issuer, consistency in the way authentication screens are presented to the customer, mobile friendly options, and the ability for specialist third-party device and digital identity intelligence vendors to enrich the risk decision process -- better identifying trusted, returning customers while providing enhanced protection against fraudulent activity.

Is 3DS SCA compliant?

PSD2 mandates the principles of strong customer authentication. PSD2 is not enforced yet but will be at some time and we need to be ready.

A combination of a minimum of two of the following authentication factors are required for a successful transaction:

  • Something the customer knows: OTP (one-time password), SMS code, PIN, password, security question, etc.
  • Something the customer owns: Mobile device, wearable device, etc.
  • Something the customer is: Biometric data like a fingerprint, iris scan, or facial or voice recognition.
That being said, 3DS provides a mechanism for SCA to be performed during an eCommerce payment journey -- the authentication itself isn't through 3DS but its interaction in the payment process enables the authentication actions to take place.

What does a 3DS-enabled customer experience look like?

The transaction is assessed for risk by the credit or debit card issuer's 3D Secure service provider. 3DS is used to authenticate the online payment event. If the transaction is determined as high-risk, the transaction goes through a challenge or is declined.

In other words, it prompts the cardholder to verify their identity using one of the three authentication factors chosen by 3DS provider. If the transaction is deemed as low risk, no further action is required on the cardholder's end. Once authenticated, the transaction is then submitted for final authorization and approval.

Do merchants have a choice in the USA?

Merchants struggle between friction and conversion and because 3DS does create some amount of friction, some merchants do not prefer the 3DS security protocol.

If they do not use 3DS, they take the responsibility and control the level of risk they are willing to accept as per the merchant's risk and consumer appetite. If they decide to implement 3DS, there is a fraud liability shift from the merchants to card issuers, but they do incur a cost as a result of pushing the transactions through 3DS. Yes, they pay for this level of security but they also know that they will not be taking any fraud loss or incremental operational cost to manage chargebacks. It also means the merchants will be leaving money on the table and will no longer control the level risk of they are willing to take on.

How do merchants ensure an effective balance between fraud, friction, and customer authentication?

Whether the merchants implement 3DS or not, it is important for them to evaluate risk-based workflows for these two reasons:

  1. If the merchant is 3DS-enabled, there is a risk assessment undertaken on the online event, and 3DS enables merchants and card issuers to make an informed risk decision
  2. If the merchant is not 3DS-enabled, they need risk-based workflows even more to reduce the fraud losses and operational cost
What should a person look for in a third-party solution while evaluating the workflows? The idea behind leveraging a third-party solution is to ensure reduction in liability such as fraud losses and operational losses. Merchants should look for the following characteristics in a solution:

  • Device and digital identity related attributes: Whether applied by the merchant directly as part of their own risk assessment, or through 3DS as part of the card issuer, risk assessment device and digital identity analysis could provide a whole new set of data of components.
  • Decisioning: Merchants should use deep and rich information to make that risk assessment -- whether that is all the information the merchant has (including data such as delivery address, webpage activity, etc.), or the extended amount of data shared with the card issuer through 3DS. For additional insights, merchants can go one more level up and leverage data from their peers by leveraging existing consortiums.

    When it comes to decision making, speed and accuracy are most relevant. Leveraging more data as mentioned above can bring accuracy. To ensure speed, merchants can use machine learning models, passive authentication capabilities like behavioral biometrics and flagship models.
  • Ease of deployment: The capability to deploy multiple types of customer journeys based on risk score can create an additional layer of fraud protection. This will also ensure routing the user down an appropriate path based on this outcome and enabling merchants and / or card issuers to strike an effective balance between fraud and friction.
To summarize, risk-based workflows can add value to both a 3DS- and non-3DS based authentication. For 3DS authentication, a risk-based approach will help merchants build trust with credit and debit card issuers. If the issuer trusts the workflows implemented by the merchant, they will be less conservative and accept more transactions. For non-3DS based authentications, risk-based workflows become even more important because this can help merchants maximize protection and conversion.


1Due Inc.: https://due.com/blog/addressing-rising-payment-fraud-rates-u-s/

2Forbes: https://www.forbes.com/sites/rogeraitken/2016/10/26/us-card-fraud-losses-could-exceed-12bn-by-2020/