What is 3-D Secure?

Online payment processing usually requires that a shopper provide their credit card payment details to purchase goods and services. 3-D Secure authentication is a protocol that was created in 1999 during the heyday of the desktop computer and was designed to minimize the risk of identity theft, fraud, and other types of cybercrime during card-not-present online transactions.

The “D” in 3-D refers to the three different domains or parties involved in these payments. They consist of the acquiring or merchant bank, the cardholder’s issuing bank, and the infrastructural systems that support secure payment processing, such as the internet and the processing company.

Although 3DS is slightly different from one credit card company to the next, consumers will notice certain commonalities. In general, 3-D Secure works like this.

• After proceeding to the merchant’s checkout page, the customer enters their unique credit card payment data.
• The system checks to be sure that the information is entered as well as whether the consumer has enabled 3-D Secure.
• If 3DS is enabled, the user is redirected to a separate site or frame.
• In this location, the user will be asked to authenticate their identity, often with a predetermined question and answer or a one-time PIN sent to their phone.
• If the information is entered correctly, the payment is accepted.
• The shopper is redirected back to the merchant’s site and receives confirmation of payment.

Consumers are becoming increasingly familiar with 3-D Secure and are much more willing to go through the extra authentication step it requires in exchange for optimized security.

The benefits of 3-D Secure.

The most obvious upside of 3DS is that it helps to minimize the chances of fraud. This is a boon for any customer whose credit card has been compromised and also represents a huge advantage for merchants. That’s because the liability resulting from fraud shifts to the card issuer if 3-D Secure is in place.

That being said, there are two scenarios in which the merchant remains responsible for any liability.

• If a cardholder fails 3-D Secure but the merchant still chooses to complete the purchase.
• If the cardholder encounters an error during 3DS authentication that is at the merchant’s end.

The limitations of 3-D Secure lead to 3-D Secure 2.

Considering that the 3-D Secure protocol was developed in 1999 and implemented in 2001 (over six years before the iPhone burst on the scene), it should come as no surprise that this guideline was no match for the technology onslaught of the early 21st century. The protocol was equipped to address desktop computers and online browsers, not mobile purchases. In addition, the old system required that customers set up and remember lengthy passwords. Countless dollars and hours were spent helping people reset these passwords, and frustration abounded on all sides. Many customers abandoned 3-D Secure altogether right along with their online shopping carts.

These shortfalls paved the way for a major makeover of the 3DS landscape, and it came in the form of 3-D Secure 2, released by EMVCo in 2015. The new system provided merchants and customers with the following benefits over its predecessor:

• It is designed to provide a more frictionless user experience on all platforms, including mobile.
• In accordance with the European Payment Services Directive (PSD2) that became law in 2019, 3-D Secure 2 provides Strong Customer Authentications (SCAs) to aid in verifying the customer’s identity during the payment transaction.
• 3-D Secure 2 collects a great deal more information than its predecessor, including things like IP address, merchant category code, and browser language. This greatly cuts down on the need for cardholders to enter additional details and reduces the number of false declines. As a result, more legitimate purchases go through without a hitch, with a greater likelihood that only the most suspicious will be flagged for further investigation.

Should you implement 3-D Secure or 3-D Secure 2 in your business?

If you sell goods or services online, offering secure payment processing to your customers is essential. Without taking significant data safety precautions, you leave yourself and your customers’ sensitive data vulnerable to compromise and theft.

At the same time, it must be said that you might be just fine if you accept standard 3-D Secure payments without necessarily updating to 3-D Secure 2. This is because 3-D Secure 2 is particularly relevant for merchants doing business in the European Union who are required to comply with PSD2. If this does not apply to you, your business and customers may be able to continue with 3-D Secure 1 without any appreciable loss of security.

There is no doubt that the technological evolutions that have taken place in recent decades made the roll-out of 3-D Secure 2 a necessity. However, several questions still remain about the efficacy of this version of the protocol.

For one thing, there are concerns about how adept card issuers will be at processing the numerous added data points that the new protocol gathers. Moreover, not all gateway vendors and payment processors are equipped to give merchants access to valuable post-checkout transaction data to gain information about shopping behaviors and even fraud patterns. In addition, the jury is still out as to whether 3-D Secure 2 will live up to its promise of reduced shopping cart abandonment and higher conversion rates. Only with broader adoption of 3-D Secure 2 will experts truly come to understand if this will be the case.

The 3-D Secure and 3-D Secure 2 protocols are a lifeline for both merchants and shoppers. Through the checking of data points, flagging transactions that require further investigation, and requiring consumers to verify their identity, these protocols protect the integrity of transactions and foster customer trust. On the merchant side, they work to prevent chargebacks and make the card-not-present environment a much less risky place for shopping.