What is 3D Secure and why merchants need it

Security is one of the highest priorities for any online merchant, and it goes both ways: you need to protect your clients’ financial data to remain reputable, and also shield your business from fraudulent transactions and chargebacks. In today’s blog post we’d like to focus on the latter.

Recently Maxpay shared some advice on how companies can avoid and manage chargebacks, but there are other instruments you can use to spot and prevent fraud before an order on your site is even made. We are talking about 3D Secure – a technical standard developed to make card-not-present transactions safer for both customers and merchants.

So, how does 3D Secure work, what are its advantages, and why are merchants in some countries required to have it? Let’s figure it out piece by piece.

What is 3D secure?

3D secure or 3DS is a security protocol that allows verification of a customer’s identity when they purchase something off of the merchant’s website. Created by Arcot Systems (now acquired by CA Technologies), the protocol was deployed by Visa in 2001 and later by other major payment systems like Mastercard, JCB International, etc.

The 3DS solution was timely: e-commerce had been gaining popularity since the emergence of the internet, but it proved to be more prone to fraud, as it was harder to confirm a buyer’s identity and intentions.

In 2016, the protocol was updated to the 3D Secure 2.0 version, which provides a better user experience by eliminating flaws of the original version. But before comparing them, let’s outline the basic steps of the 3DS verification process.

How does 3D secure authentication work?

Before describing the 3D secure payment processing solution, we really have to mention a 2D secure one. You see, the “D” in 2DS and 3DS stands for domain and a digit shows the number of entities taking part in the processing. Thus, 2D secure verification combines intercommunication between customer’s and merchant’s domains.

Here’s how a 2DS transaction happens: a client adds a product or a service to their cart and needs to complete the purchase by filling in their financial data. Basically, all a customer has to enter are credit card number and expiry date – and it’s done.

As for 3DS, the third “D” stands for an interoperability domain – an infrastructure that supports the security protocol. 

With that said, the 3DS payment gateway works like this: a customer still needs to enter their card details to buy something. Then an identity verification follows: they are required to either enter their permanent password for a 3D Secure service, enter a one-time password (OTP) they will get on the phone, or use the phone for biometric authentication. If the data is correct, the purchase will be complete.

Thereby, 3D Secure makes it more difficult for fraudsters to buy something with a customer’s stolen card information, as they will also need to know the permanent password or have access to the cardholder’s phone to use the OTP.

The difference between 3D secure and 3DS 2.0   

Even though the implementation of 3D secure protocol was essential to customers’ and merchants’ protection, its early version had issues, which made some merchants refuse to adopt it on their sites. Fortunately, the problems were addressed and dealt with by a 2.0 version update.
Let’s compare 3DS and 3DS2 to see how the protocol’s features improved:

Authentication method. The permanent passwords used for verification in a 3DS version proved to be a letdown for some clients, as you need to memorize a code to buy something online. Naturally, some people tend to forget things easily, which meant a worse buying experience for them – they either had to lose time calling their bank to change the password or abandon carts altogether. 3DS2 introduced authentication through OTPs or biometrics, which is much more comfortable: you don’t have to remember anything; hence the transaction goes faster and smoother, and this data has minimal chances of being stolen from you. 

Integration with a mobile phone. The first version of the secure protocol had been developed before smartphones were being used for e-commerce, hence it was only for purchases in browsers. The 3D secure 2.0 version is integrated with both mobile apps and browsers. 

The amount of data gathered. The updated protocol has access to 150 data points to evaluate the transaction, while the old one only had 15 of those. More information means that the 3DS2 protocol is more likely to point out a suspicious transaction – in this case, it will undergo an additional cardholder verification. If the transaction seems just right, a card owner will not be subjected to the verification, spending less time to complete the purchase. The additional data also makes it possible to significantly reduce false operation declines.

Taking all these into consideration, it is clear that, thanks to the update, 3DS2 payment processing makes the verification process faster and more customer-friendly with less friction and cart abandonment issues. Thus, more merchants give the security protocol a shot. Moreover, in some countries, the use of 3D secure is a must because of the regulation, and we’ll discuss it in the next part of the blog post.

What is PSD2 and how it impacts merchants and banks?

The Revised Payment Services Directive (PSD2) is a regulation within the European Union aimed at controlling payment processes, which came into effect on September 14, 2019. 

The directive allows for two important changes. First of all, it’s the formation of Open Banking, which means that now Third-Party Providers of financial services (TPPs) can use APIs to access clients’ banking data so that the latter can use the services for online banking. This, in turn, allows for the EU’s financial ecosystem to become more integrated with convenient data exchange between TPPs, banks, and clients.

The second change, which is more relevant to us, is the Strong Customer Authentication (SCA) requirement, an essential update to clients’ and merchants’ safety.
It means that to make a purchase a person has to go through a two-factor authentication procedure. To do that a customer has to provide two out of three types of information. The types of data are tied to:

  • something a client knows (a PIN, a password, or a security question);
  • something a client possesses (a phone or an app to approve the authentication request);
  • something a client is (biometric data like a fingerprint, or iris recognition).
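
The two-out-of-three rule above can be expressed as a server-side check. This is an added example, not Maxpay's code or part of the 3DS2 specification; the method labels, `METHOD_CATEGORY`, `ScaResult` and `check_sca` are hypothetical names assumed for illustration. It shows why two methods from the same category (a password plus a security question) do not count as two factors.

```python
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "something a client knows"
    POSSESSION = "something a client possesses"
    INHERENCE = "something a client is"


# Hypothetical method labels (assumed for this example), each mapped to one
# of the three categories from the list above.
METHOD_CATEGORY = {
    "pin": Category.KNOWLEDGE,
    "password": Category.KNOWLEDGE,
    "security_question": Category.KNOWLEDGE,
    "phone_otp": Category.POSSESSION,
    "app_approval": Category.POSSESSION,
    "fingerprint": Category.INHERENCE,
    "iris_scan": Category.INHERENCE,
}


@dataclass(frozen=True)
class ScaResult:
    satisfied: bool        # True only if two distinct categories were verified
    categories: frozenset  # categories that were actually covered
    uncounted: tuple       # labels not in the mapping; they never count


def check_sca(verified_methods):
    """Check that successfully verified methods span two of the three categories."""
    categories, uncounted = set(), []
    for method in verified_methods:
        category = METHOD_CATEGORY.get(method)
        if category is None:
            uncounted.append(method)  # fail closed on unknown labels
        else:
            categories.add(category)
    return ScaResult(len(categories) >= 2, frozenset(categories), tuple(uncounted))


if __name__ == "__main__":
    # Constructed sample inputs, not real authentication data.
    for sample in (["password", "security_question"], ["password", "phone_otp"],
                   ["fingerprint", "emailed_link"]):
        print(sample, "->", check_sca(sample).satisfied)
```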

As you can see from the authentication types, the 3DS2 protocol is the most suited to perform this verification, thus the EU merchants need it on their webpage. 
The SCA must be implemented by 31 December 2020, but there may be delays due to the COVID-19 pandemic. For instance, in April the British Financial Conduct Authority announced that the deadline for SCA enforcement in the UK will be moved to 14 September 2021.

The benefits of 3DS2 protocol for merchants

Now that we’ve described the way 3D Secure 2.0 works and why more and more businesses implement it, let’s outline the main advantages of the protocol:

Security. This seems like an obvious one, but some merchants still ignore the safety precautions in favor of lowering potential cart abandonment rates. But not only did 3DS2 check become more frictionless with an update, but it also provides the most important type of protection for e-commerce companies – the protection from fraudulent transactions, and, as a result, from chargebacks.

Liability shift. Speaking of chargebacks – even if someone who bought your product or service demands their money back, claiming they didn’t make a purchase, your business will not incur losses. All thanks to liability shift: if a person verified their identity with the 3DS2 protocol, the fraud-related chargeback will be redirected from the merchant to the issuing bank.

EU regulation. If you are a merchant that operates within the European Union, you will need to comply with PSD2, and 3D Secure 2.0 already has all you need for the Strong Customer Authentication requirement.

The trust of your customers. By implementing a 3DS2 protocol you are showing your customers the willingness to go an extra mile to protect their data from being used by fraudsters, and it builds up merchant’s reliability.

Have you made up your mind about a 3D security protocol? If so, to use it you will need a bank or a PSP that complies with such a service, and Maxpay does exactly that.  
We provide seamless and secure payment gateway services and acquiring solutions for high-risk businesses that are more prone to chargebacks. Not only is Maxpay compliant with 3DS2 to eliminate fraudulent transactions, but it also uses the Covery anti-fraud platform to minimize chargebacks by filtering out potential fraudsters.

Find out more about our international payment gateway service provider at Maxpay’s website. If you have any questions you can contact our support team directly through an online chat in the right lower corner of our webpage. Read more about how to reach out to us here.