Where has the road with 3D Secure brought us today?
Now that the UK deadline for enforcing Strong Customer Authentication (SCA), March 14th 2022, has passed, all non-compliant transactions will be declined.
But on the PSD2 journey, with merchants and issuers traveling along, is the performance of 3D Secure (3DS) already where we need it to be? Does it guarantee secure online purchases while also providing a smooth customer experience and optimized conversion?
Let’s hit the road and find out.
Point of departure - PSD2
When we speak about the Payment Services Directive 2 (PSD2), we refer to a set of laws and regulations for payment services in the European Union (EU) and the European Economic Area (EEA). It’s been around for a while - it was passed in 2015 - but the most important aspects for online payments came into effect in stages from 2019 all the way through to 2022.
Let’s have a look back at a few driving factors that led to PSD2 coming into effect in the first place.
One of these decisive factors is the rise of the API economy. Application Programming Interfaces (APIs) allow different systems to talk to each other. APIs are fundamental to the success of companies such as Amazon, Google and Stripe, and they have supported the creation of whole new business models, including Fintechs. APIs provide the means for banking and payments to become more open and, with that, make the European payments market more integrated and efficient.
Then there is the challenge of dealing with these new business models – regulation needs to catch up. Since PSD1, there has been growth and innovation in the digital payments market with new Fintech players entering the arena.
PSD2 provides standards and structure while allowing these new companies to access customer bank accounts. With that, it levels the playing field for existing as well as new payment service providers.
The multi-factor authentication landscape
An important goal of PSD2 is to drive secure online payments, and therefore the SCA requirement was introduced. SCA stands for Strong Customer Authentication and it demands multi-factor authentication on all payer-initiated payments, using at least two of the following factor categories: something you know (e.g., PIN or password), something you have (e.g., phone or device), something you are (e.g., facial scan or fingerprint).
Despite the many (many) delays to the roll-out of SCA across Europe, January 1st 2021 marked the passing of the official European Banking Authority (EBA) recommended enforcement date for SCA. However, multiple countries then released their own roll-out plans with a range of final deadlines up to the last quarter of 2021.
From an earlier AirPlus article on how SCA has affected the payment industry, we can already derive that the boost in online payments in the last couple of years required card-not-present payments to be as secure as traditional chip and PIN authentication with plastic cards.
So, neither cardholders nor merchants could get around these security requirements. The cardholders are looking for a smooth process to authenticate transactions while the merchants have been striving to maintain a good conversion rate without suffering too many transaction declines.
Non-compliance is not an option
Payment providers and banks have not been able to ignore the SCA requirements for a while now either. In fact, they are legally required to enforce PSD2. Online businesses that don’t fulfill the SCA requirements will see their decline rates shoot up and conversion rates fall as customer banks start rejecting non-authenticated payments.
Non-compliance puts both sellers and payment providers at risk of losing transaction volume – that much is clear. But for payment providers, non-compliance carries more serious consequences. National regulators have the power to impose fines and even revoke a payment provider’s license. Unlike GDPR, there are no fines specified, and as different members of the EEA are at different stages of implementation, the fine amounts may also vary.
Exit roads ahead – the exemptions to the rule
Fortunately, the rules also offer a bit of relief. This comes in the form of four key exemptions to strong customer authentication: trusted sellers, recurring payments, payments under €30 and low-risk payments. The latter is the most commonly used in cases where a payment provider has low fraud rates within the prescribed PSD2 fraud limits. Such a provider can use real-time transaction risk analysis to apply for exemptions on behalf of its sellers for all low-risk payments up to €500.
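To make the SCA scope and the exemptions concrete, here is an added example (not code from the original post or from AirPlus) modelling an issuer-side decision for a remote card payment. The €30 low-value limit and the €500 TRA ceiling are from the text above; the tiered TRA fraud-rate bands and the low-value counters are taken from the PSD2 RTS (Articles 16 and 18), and all field names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Thresholds: the post names the 30 EUR low-value limit and the 500 EUR TRA
# ceiling; the tiered TRA fraud-rate bands and the low-value counters are
# taken from the PSD2 RTS (Articles 16 and 18) and added here for completeness.
LOW_VALUE_LIMIT_EUR = 30.0
LOW_VALUE_CUMULATIVE_EUR = 100.0   # cumulative exempted spend since last SCA
LOW_VALUE_MAX_COUNT = 5            # consecutive exempted payments since last SCA
TRA_TIERS = ((0.01, 500.0), (0.06, 250.0), (0.13, 100.0))  # (max fraud %, max EUR)

@dataclass
class CardholderState:
    """Issuer-side counters that bound the low-value exemption (assumed names)."""
    exempt_spend_eur: float = 0.0
    exempt_count: int = 0

@dataclass
class Transaction:
    amount_eur: float
    payer_initiated: bool = True
    trusted_beneficiary: bool = False      # payee on the cardholder's trusted list
    recurring_follow_up: bool = False      # same payee, same amount, not the first
    acquirer_fraud_rate_pct: Optional[float] = None  # acquirer's reference fraud rate

def sca_decision(tx: Transaction, state: CardholderState) -> str:
    """Return the reason the payment may skip the challenge, or 'challenge'.

    Side effect: updates the low-value counters the way an issuer would.
    """
    if not tx.payer_initiated:
        return "out of scope (merchant-initiated)"
    if tx.trusted_beneficiary:
        return "exempt: trusted beneficiary"
    if tx.recurring_follow_up:
        return "exempt: recurring"
    if (tx.amount_eur < LOW_VALUE_LIMIT_EUR
            and state.exempt_spend_eur + tx.amount_eur <= LOW_VALUE_CUMULATIVE_EUR
            and state.exempt_count < LOW_VALUE_MAX_COUNT):
        state.exempt_spend_eur += tx.amount_eur
        state.exempt_count += 1
        return "exempt: low value"
    if tx.acquirer_fraud_rate_pct is not None:
        # Lowest fraud band first: a cleaner acquirer book earns a higher ceiling.
        for max_rate, max_amount in TRA_TIERS:
            if tx.acquirer_fraud_rate_pct < max_rate and tx.amount_eur <= max_amount:
                return "exempt: transaction risk analysis"
    # A completed challenge is fresh SCA, so the low-value counters start over.
    state.exempt_spend_eur = 0.0
    state.exempt_count = 0
    return "challenge"
```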
Fasten your seatbelts for 3D Secure
3D Secure (3DS) is an additional security protocol for online credit and debit card payments. It has actually been around since 1999 and was developed long before mobile-friendly standards were applied. The protocol first came into being before in-app purchases grew into a $37 billion channel, before devices like Amazon Alexa learned to do consumers’ shopping for them, and before mobile commerce existed at all. 1999 – that’s even before the smartphone itself. [1]
Mastercard SecureCode, Verified by Visa (VBV), American Express SafeKey, Discover ProtectBuy, Secure Online Transactions (SOT), EMV 3-D Secure, and Mastercard Identity Check are just a few of the names this security protocol has carried since its creation in 1999.
One of the biggest misconceptions about the original 3D Secure is that it covers all types of e-commerce transactions. But considering that it was conceived before mobile and voice transactions, how could it possibly cover all modern e-commerce transactions? That’s why 3D Secure 2.0 was (and is) so much needed today.
At its most basic level, 3D Secure stands for “Three Domain Secure,” which refers to the three parties involved in any secure payment: the issuer, the acquirer, and the network processing the transaction. Visa was the first to develop and introduce the standards. Later, other major global networks also adopted them to support effective security and authentication in the growing e-commerce space.
3D Secure 1.0 relied on features like static passwords, pop-up boxes, and user registration to verify and authenticate cardholders. However, this created barriers for legitimate customers, leading to frustration and cart abandonment. Credit unions and banks ramped up their fraud strategies, but this led to higher rates of false declines, which only added to customer frustration.
It also didn’t stop the fraudsters. Sometimes, these criminals even had enough information (and patience) to impersonate a customer and complete the 3D Secure registration.
Jumping forward 20 years, it’s only natural that a new and improved protocol needed to be developed. Putting some numbers to how much 3DS is affecting payments, data from Q1 2019 showed that out of millions of payments, 22% of those sent to 3DS were being lost. Further analysis revealed that 3DS authentication took an average of 37 seconds. 91% of payments caused friction, taking over 5 seconds to authenticate, while acceptance rates of the top 20 global banks by volume ranged from 68% to 92%. [2]
Since October 2021, 3DS1 has started to be decommissioned by card schemes. Merchants will lose the liability shift advantage with 3DS1, so it’s important to move forward with the newer versions as soon as possible.
3D Secure 2: A (se)cured customer experience?
3D Secure 2.0 does away with these inconvenient user requirements. Say goodbye to pop-ups and hello to Risk-Based Authentication. Static security keys are being swapped out for one-time passwords (OTPs) and dynamic authentication through biometrics and token-based authentication methods. And no longer will legitimate customers bear the burden of registering their card with Visa or Mastercard to receive the benefits of the security protocol.
Another key difference with the new version is the amount of data behind each decision. With 3DS2, merchants can send far more data to the issuing bank than with 3DS1. 3D Secure 2.0 pulls information like IP address, shipping address, device information, and more info about customers themselves, allowing issuers to improve risk scores and make better authentication decisions. With the extra data, issuers can apply frictionless authentication to approve a transaction without requiring any manual input from the cardholder - this is called Frictionless Flow. This risk-based authentication will be key to keeping the checkout processes friction-free for most low-risk transactions from trusted customers. [3]
The below graphic provides a comprehensive overview of the main standards and enhancements with 3DS2:
As 3D Secure 2.0 continues adding features, the user experience will no doubt become even more seamless and secure. In fact, while both 3DS 2.1 and 3DS 2.2 meet the demands for SCA compliance and merchant fraud liability protection (as 3DS1 did), 3DS2 stands out because it enables a better customer experience through less friction.
Where did the journey lead us so far?
Continuing our way to the second half of 2021, we must ask: what does the performance of 3DS look like globally?
3D Secure 2.2 transactions are already taking place. Denmark had the highest percentage at 6%, but there’s still a long way to go until this version is dominant. It’s still very early for 3DS 2.2, but a huge increase in the number of 3DS 2.1 transactions can be seen compared with Q1 2021. Across all global regions analyzed, 3DS 2.1 transactions grew from 16% to 65%. [4]
Authentication success rates have broadly increased too. This could mean that customers are getting more comfortable with authentication but could also signal that fraudsters have developed ways around 3DS.
Surprisingly, so far, successfully authenticated 3DS2 payments have failed authorization at a much higher rate than 3DS1. According to merchants, 3DS is being initiated for transactions paid with alternative payment methods, which indicates something has gone wrong. [5]
Merchants also mention that the implementation work around 3DS2 is causing problems for them, with some saying it’s the most confusing they’ve seen in years. This could be behind the failure rate for 3DS2 transactions, with many issuers rushing preparations and causing mass confusion across the market.
Road ahead
So far, 3DS2 doesn’t look ready yet to deliver on its promise of improved customer experience and higher authorization rates.
To arrive at the 3DS destination with the right mix of successfully implemented security measures, while safeguarding a frictionless customer experience and maximizing conversion, issuers and merchants still have some miles to travel together.
[1] A Credit Union’s Guide to 3D Secure 2.0 - PaymentsJournal
[2] PSD2, Strong Customer Authentication and 3D Secure
[3] What's the difference between 3D Secure 1, 2.1 and 2.2?
[4] Global Payment Regulation & Authentication 2022 report – Ravelin
[5] Authentication update March 2021: rocky start for PSD2 across Europe