bankingciooutlook

3-D Secure 2.0: What Does it Mean for Issuing Banks?

By Terrence Clark, General Manager-Payment Security, CA TECHNOLOGIES

A recent report from Juniper Research states that global online fraud is on pace to top $25 Bn by 2020. Also contributing to the increased volume of online fraud is the recent rollout of EMV chip cards in the United States. Despite this fraud growth, consumers are expanding the channels they use to transact in an effort to make their shopping experience simpler and faster, whether it’s via desktops, laptops, tablets, or mobile phones.

These factors make the EMVCo announcement of the 3-D Secure 2.0 specification in October an important initiative that all merchants and issuing banks need to understand and support.

What is 3-D Secure?

3-D Secure (3DS) is the enabling technology behind the cardholder authentication programs run by the card schemes, for example Verified by VISA and MasterCard SecureCode.

EMVCo describes 3DS as a messaging protocol that enables consumers to authenticate themselves with their card issuers when making card-not-present (CNP) purchases or verifying their identity for various non-payment activities, like adding a payment card to a digital wallet. The exchange of data between the merchant using 3DS and a card issuer to authenticate a cardholder reduces the risk of fraud.

The initial version of the 3DS protocol was co-developed fifteen years ago, in 2001, by Arcot (now CA Technologies) and Visa USA. At that time, cardholders were asked to remember and enter static passwords or answer knowledge-based questions to authenticate themselves during an online shopping transaction. This allowed the banks to make sure that the person making the transaction was in fact the cardholder.

What’s new in 3DS 2.0?

Two related major shifts have happened since 2001. First, the growth in adoption of tablets and smartphones has changed the way people live their daily lives. People now use these devices to carry out many of their daily tasks, including making online purchases.

The second thing that has happened is that these devices have raised the level of expectations on customer experience. Apps on these devices are simple to use and provide an outstanding customer experience. This has caused customers to expect that same experience in every digital interaction.

Since the initial version of 3DS was rolled out prior to the boom of tablets and smartphones, it didn’t account for people buying from browsers on those devices or making in-app purchases. Additionally, asking cardholders to remember yet another static password didn’t make for an amazing user experience. These issues caused friction in the customer experience and often led to cardholders abandoning their transactions. This in turn led to lost revenue for the merchant and the issuing bank, as well as a poor perception of the merchant and bank by the cardholder.

3DS 2.0 is aimed at providing the right balance between reducing fraud in the system and providing an excellent cardholder experience, whether you’re making an online purchase on your PC, tablet, or smartphone or whether you are buying something from a website or within a merchant’s application.

Additionally, instead of prompting the cardholder to remember a static password each time, it uses risk-based authentication, which allows only highly suspicious transactions to be challenged. These improvements will still reduce fraud but, more importantly, provide a much-improved customer experience.

Why should issuing banks care?

Issuing banks should care about 3DS 2.0 for the benefits they stand to gain, such as:

• Liability Shift–For online 3DS transactions that the issuing bank receives, the bank takes on liability if they turn out to be fraudulent. It is therefore important for the bank to make sure that the cardholder is not a fraudster. By implementing 3DS 2.0, the bank can authenticate suspicious transactions to identify and reduce fraudulent ones.

• Increased Revenue–Between the lack of support for mobile web and in-app purchases in the earlier version of the protocol and the increased customer friction due to static passwords, the number of cardholders that abandoned their transactions could be high. Implementing 3DS 2.0 will provide improved support for online web and in-app purchases and will only interact with the cardholder on suspicious transactions. Therefore, the number of abandoned transactions will go down, leading to an increase in revenue for the banks and merchants.

• Reduced Operational Expense–Purchases often required cardholders to enter a static password, and when cardholders forgot their password they might call the bank to have it reset. This required the banks to have staff to answer these types of requests. Additionally, banks have fraud teams that look into suspicious and fraudulent transactions. By implementing 3DS 2.0, the banks can reduce the number of password resets and the amount of fraud, giving them an opportunity to drive down operational expenses.

• Cardholder Experience–The bank wants its card to be top of wallet. In order for this to happen the cardholder must have a positive experience when using the card. That means they want to have a simple, quick and easy way to transact, but they also want to make sure that the bank is protecting them in case the card is used in a fraudulent way. Improving the cardholder experience for online shopping is core to the 3DS 2.0 protocol. It provides that positive experience while still maintaining a high level of fraud protection.

What do merchants and issuing banks need to do?

Merchants and issuing banks will need to update their internal systems to support the new 3DS 2.0 protocol. Now that the 3DS 2.0 protocol has been announced, the expectation is that the card schemes will be imposing mandates on the merchants and issuing banks indicating the timeline for when adoption will be required.