January 13, 2022
With ecommerce continuing to grow at a rapid pace, and with consumers using a variety of devices to purchase and pay, there is also an increase in fraud and potential fraud. Preventing fraud is of prime importance to consumers and business owners alike - it’s in everyone’s best interest to ensure that online transactions are safe and secure. At the same time, consumers don’t want their speedy online shopping experience to become clunky and slow - so the challenge is to provide a safe checkout solution without compromising on speed and efficiency.
3D secure and its new and improved version, 3DS2, are authentication protocols that were designed to increase the protection of consumers making purchases online as well as to protect companies from fraudulent transactions. In this article, we will explain how these verification solutions work and why they are an important tool for your ecommerce business.
If you have ever been redirected to your bank’s website and asked to put in a password or a one-time code when making a purchase online, you have experienced 3D secure. This is a merchant’s way of adding an additional level of security and requiring the issuing bank to verify the identity of the cardholder. 3D secure shifts the burden of any fraudulent chargebacks from the merchant to the bank, protecting the merchant from unnecessary losses.
The problem with the original 3D secure protocol was the often-confusing authentication process that consumers were prompted to complete. In many situations, shoppers would just give up and abandon the cart, causing online businesses to lose out on sales.
From a customer perspective, if 3D secure is being used, they are asked to enter their personal code as part of the checkout process. If they are not already enrolled in a 3D secure program, they are redirected to the bank site and given the option to sign up.
Behind the scenes, the protocol uses a three-domain model (hence the name 3D) to add an extra layer of security in between the financial authorization process from the bank and the online authentication process done by the merchant. The three domains are:
In a nutshell, what happens is the customer enters their card information and then is asked to verify that they are who they claim to be by entering in a personal code that only they would know. This code is verified by the issuing bank who then takes on the responsibility in case the charge is actually fraudulent.
To address the challenges of the original 3D secure, a new standard known as 3DS2 was introduced, offering a more user-friendly and stronger way to detect and prevent fraud. This new version offers real-time information sharing between merchants, payment networks and banks so that transactions can be authenticated more accurately without negatively impacting the consumer’s checkout experience.
Merchants that use 3DS2 get the benefit of 10 times as much data, which greatly speeds up the authentication process and increases the security. Because so much data is shared, merchants and card issuers have more context in which they can verify a cardholder’s identity, meaning that not every purchase will require a customer to manually input a password.
3DS1 was the original 3D secure protocol, requiring high-risk transactions to be authenticated. While merchants could choose whether or not to implement 3D secure and for which transactions, the process had a huge downside: the increased friction experienced by customers. The original 3D secure was not mobile-friendly, which was a particularly difficult challenge given that so many online purchases are made via mobile devices.
3DS2 was built to improve upon 3DS1 and address the challenges inherent in that protocol. Specifically, 3DS2 was intended to improve the user experience in the following 3 ways:
The value of 3DS2 is that it prioritizes the consumer experience, making it possible for merchants to retain customers while also protecting themselves from fraudulent purchases and chargebacks.
3DS2 works as follows:
In order to authenticate a transaction using 3DS2, if a cardholder is asked to verify their identity, they need to provide one of three pieces of information: something they have, something they know and something they are. Something they have is confirmed by data from the device they are using; something they know is their bank login or a one-time password; and something they are can be confirmed using biometrics.
Collecting device data happens without the consumer even knowing - in most cases this is enough to authenticate the transaction, providing a completely seamless experience for the user. Even if further authentication is needed, it can also be frictionless if all it entails is the user providing biometric data with their fingerprint or approving the use of a saved password.
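The frictionless and challenge paths described above reach the merchant as a status code in the 3DS2 authentication result. The following is an added example, not Pay.com's code or part of the original article: it routes a result by its `transStatus` value (codes as defined in the EMV 3-D Secure specification). The function name, the `Decision` enum, the sample messages and the fail-closed handling of `U` are assumptions made for illustration.

```python
# Added illustration: merchant-side routing of a 3DS2 authentication result.
# transStatus codes follow the EMV 3-D Secure specification; route_authentication,
# Decision and the default treatment of "U" are assumptions of this example.
from enum import Enum


class Decision(Enum):
    AUTHORIZE = "send to authorization"   # frictionless, or challenge passed
    CHALLENGE = "show issuer challenge"   # cardholder must verify identity
    DECLINE = "do not authorize"          # authentication refused or unavailable


def route_authentication(message: dict, allow_unauthenticated: bool = False) -> Decision:
    """Map an ARes (first response) or RReq (challenge outcome) to a next step."""
    msg_type = message.get("messageType")
    status = message.get("transStatus")
    if msg_type not in ("ARes", "RReq") or status is None:
        raise ValueError("not a 3DS2 authentication result")

    if status in ("Y", "A"):
        # Y: authenticated; A: attempt processed by the issuer side.
        return Decision.AUTHORIZE
    if status in ("C", "D"):
        # This example treats a challenge request in a final result as malformed.
        if msg_type != "ARes":
            raise ValueError("challenge status in a challenge outcome")
        return Decision.CHALLENGE
    if status in ("N", "R"):
        # N: not authenticated; R: issuer rejected the authentication.
        return Decision.DECLINE
    if status == "U":
        # Authentication could not be performed. Fail closed unless the merchant
        # has explicitly chosen to proceed without authentication.
        return Decision.AUTHORIZE if allow_unauthenticated else Decision.DECLINE
    raise ValueError(f"unknown transStatus {status!r}")


# Constructed sample messages (reduced to the two fields the router reads).
SAMPLE_MESSAGES = [
    {"messageType": "ARes", "transStatus": "Y"},  # frictionless approval
    {"messageType": "ARes", "transStatus": "C"},  # issuer asks for a challenge
    {"messageType": "RReq", "transStatus": "N"},  # challenge failed
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["messageType"], msg["transStatus"], "->", route_authentication(msg).value)
```

Unknown or missing status values raise an error rather than defaulting to authorization, so a malformed response cannot be mistaken for a successful authentication.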
While it is recommended, 3DS2 is not yet mandatory worldwide. In Europe, the Payment Services Directive (PSD2) requires companies to follow certain regulations when it comes to accepting payments in the countries in which the directive is enforced. One of the major requirements within PSD2 is Strong Customer Authentication (SCA) - 3DS2 makes it easy to comply with SCA requirements. Both Brazil and Australia have also adopted SCA mandates making the adoption of 3DS2 there more popular as well. Other countries are likely to follow suit as the need for more security around online payments continues to grow.
Merchants need to work with a 3DS2 service provider in order to integrate this protocol into their payment infrastructure.
We’ve already described the major limitation to the original 3D secure protocol and the difficulties it caused in the checkout experience. A second limitation involved card issuers being overly cautious and declining transactions, due to potential fraud, that were actually legitimate.
Both of these limitations have been addressed with 3DS2, and for merchants operating in Europe and other countries where such protections are mandatory, it is a good solution. But for those who are not required to use 3DS2, there are a few limitations to consider when deciding whether or not to jump on the bandwagon:
While it’s important to consider the potential limitations, there are also many benefits that come from 3DS2, including:
Pay.com can help you easily integrate 3DS2 into your payment infrastructure. You’ll offer your customers the smooth and seamless checkout experience that they expect, while ensuring that transactions are secure and all sides are protected from fraud.
With Pay.com, you don’t have to worry about ever-changing regulations as we will always make sure that the system is up to date and that you are in full compliance. All you have to do is focus on bringing in customers and we handle everything that goes on behind the scenes.