The growth of e-commerce and the deployment of the Europay-MasterCard and VISA (EMV) framework for cardholder-present payments have resulted in an increase in fraudulent card-not-present transactions. Card-not-present (CNP) transactions take place over the internet or phone without Chip&PIN, where the merchants/point-of-sale terminals are not in the same location as the cardholders. CNP transactions are increasing day by day due to the rapid increase in e-commerce transaction volumes. This situation has also made sensitive card data much more accessible.
To protect worldwide information security and prevent CNP fraud, the 3D Secure protocol (meaning 3-way authentication between the cardholder, issuing bank and merchant) was deployed in December 2001 by Visa. Immediately after, banks started to authenticate online card transactions using the 3D Secure protocol, which is driven by payment authorities Visa and Mastercard and branded as “Verified by Visa” and “MasterCard SecureCode”.
The main mission of the 3DS protocol is to improve the security of online transactions and to protect both the cardholder and the merchant, by defending cardholders from fraudulent use of their card and by decreasing the chargeback ratio caused by fraudulent transactions.
How does 3D Secure Work?
When a customer makes an online purchase on a web/mobile site or in a mobile app, they are requested to enter their card details into the payment gateway (PGW). The PGW submits the card details to an authorized participant of the 3DS system and then checks whether the card issuing bank is a participant in the 3DS program. If so, the customer is redirected to their bank; if not, the transaction is performed as a non-3DS transaction. If the card is enrolled, the issuing bank asks the customer for a one-time password (OTP), which is provided by SMS or e-mail, to prove that the genuine cardholder is making the transaction. After that, the issuing bank confirms the cardholder and authenticates the credit card payment.
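The flow described above, as an added example that is not part of the original article and is not code from Visa, Mastercard or any issuer: a simplified Python model of the gateway's participation check and the issuer's OTP step, with the checks the issuer side needs (unpredictable OTP, expiry, single use, attempt limit). The class and function names, the constructed issuer prefix, the 180-second validity window and the three-attempt limit are assumptions made for illustration.

```python
import hmac
import secrets
import time

ENROLLED_ISSUERS = {"411111"}   # constructed issuer prefix taking part in 3DS
OTP_TTL_SECONDS = 180           # assumed validity window
MAX_ATTEMPTS = 3                # assumed retry limit

class Issuer:
    """Hypothetical issuing bank: issues an OTP per transaction, verifies it once."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}       # txn_id -> [otp, expires_at, attempts_left]

    def challenge(self, txn_id):
        otp = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, never random.random()
        self.pending[txn_id] = [otp, self.clock() + OTP_TTL_SECONDS, MAX_ATTEMPTS]
        return otp              # a real issuer delivers this by SMS or e-mail

    def verify(self, txn_id, submitted):
        entry = self.pending.get(txn_id)
        if entry is None:
            return False        # unknown transaction, OTP already used, or locked out
        otp, expires_at, _ = entry
        if self.clock() > expires_at:
            del self.pending[txn_id]
            return False        # expired OTPs are discarded, not retried
        entry[2] -= 1
        ok = hmac.compare_digest(otp.encode(), submitted.encode())  # constant time
        if ok or entry[2] == 0:
            del self.pending[txn_id]   # single use on success, lockout on failure
        return ok

def gateway_route(card_number):
    """PGW step: does the card's issuing bank participate in 3DS?"""
    return "3ds" if card_number[:6] in ENROLLED_ISSUERS else "non-3ds"

def pay(card_number, txn_id, issuer, read_otp):
    """read_otp models the customer typing in the OTP they received."""
    if gateway_route(card_number) == "non-3ds":
        return "authorized-non-3ds"
    sent = issuer.challenge(txn_id)    # customer is redirected to their bank
    return "authenticated" if issuer.verify(txn_id, read_otp(sent)) else "declined"
```

Binding the OTP to a transaction id means a code issued for one purchase cannot confirm another, and deleting the entry on success is what blocks replay.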
The rapid increase in the volume of e-commerce (global retail e-commerce volume reached $1.6 billion by 2016 and is expected to reach $3 billion by 2020, according to Tüsiad’s e-commerce report, April 2017) and our mobile-driven lives have resulted in the need for a new age of faster payment systems, authentication mechanisms, and additional security precautions. Verifying an online transaction and the identity of the consumer has become much more challenging, and unfortunately this results in the rejection of half of all digital commerce transactions due to suspected fraud, according to Ethoca, 2016.
In the light of all these facts, as well as the need to improve the user experience of version 1.0.2, 3D Secure 2.0 has been re-designed and launched. The new version of the 3DS protocol enables merchants to send an extremely high number of transactions, issuers to authenticate customers more accurately without asking for a static password, and consumers to experience seamless digital payment journeys.
3-D Secure Version 1 lets cardholders authenticate themselves to the issuing bank by activating the bank’s 3-D Secure service. When the cardholder makes an online payment transaction, the system opens a pop-up window or an iframe that requires the user to enter a one-time password (OTP). In this flow, the pop-up window credentials cannot be authenticated, and handling frames or pop-ups in mobile browsers is highly troublesome.
In 3-D Secure 2.0, token-based biometric authentication will be used instead of static passwords, and risk-based decisions will be possible by analyzing customers’ previous usage habits. Also, the elimination of the initial sign-up process and removal of the need for static passwords will simplify the customers’ flow. Thanks to these innovations, mobile, in-app and digital wallet payment flows will now be much more convenient and fast.
3-D Secure 1.0 transactions will transition to version 2.0 by the beginning of April 2019. According to Visa, early adoption had already begun in the latter half of 2017.
Beril Dikmen - Product Manager