An Overview of 3DS 2.0
E-commerce fraud has become a growing problem as customers increasingly purchase online. According to Mastercard, the worldwide chargeback volume hit 615 million in 2021, with predictions that it will continue to grow. Keeping clients safe when they make online purchases is therefore a key concern for e-commerce.
For almost two decades, Visa has been using 3-D Secure (3DS) to help online merchants and credit card issuers identify fraudulent activity. 3DS is a security protocol that seeks to combat credit card fraud by authenticating cardholders during card-not-present (CNP) transactions. The term “3D” refers to the “three domains” involved: the issuer domain, the acquirer domain, and the interoperability domain.
Personal technology, customer behaviour, and payment systems have all changed substantially over the last 20 years. Internet-enabled phones, tablets, and wearables are common technology used globally. Mobile devices are also expected to be always available, facilitating online purchasing and in-store transactions.
The progression to 3DS 2.0 demonstrates businesses’ commitment to continually improve fraud detection and prevention while offering cardholders a smooth purchasing experience. 3DS 2.0 takes an updated approach to authentication by including a broader variety of data, biometric authentication, and an enhanced online experience, particularly on mobile devices.
Moreover, 3DS 2.0 helps card issuers and retailers detect more e-commerce fraud while lowering customer friction.
Protecting the Merchant
3DS 1.0 used to be a big issue for merchants because it made customers less likely to buy from them. Many websites were not optimised for mobile operations, trailing behind the boom of mobile commerce. Long loading times and complicated form filling led to a lot of mobile customers giving up on transactions.
3DS 2.0 is designed to be a significant improvement, not a hindrance. Encouraging merchants and issuers to share data passively increases security without adding extra verification steps. This decreases payment friction for consumers, reduces cart abandonment, and protects both the company and the customer from payment fraud.
Users will also have a better experience after the initial sign-up process, as the need for static card passwords is eliminated. Hence, there should be less shopping cart abandonment.
Ultimately, 3DS 2.0 is intended to improve the authentication and denial of unlawful transactions. Additionally, retailers may transfer the accountability for fraudulent transactions to the issuing bank under 3DS 2.0.
In 3DS 2.0, there are two authentication flows:
- Frictionless Flow
- Challenge Flow
With Frictionless Flow, cardholders do not have to take any extra step to authenticate a transaction. Risk-based authentication (RBA) is used to do this. While the transaction is being processed, RBA takes the cardholder’s information and sends it to the issuing bank’s ACS (Access Control Server) for analysis.
As long as the risk of fraud is low enough, the cardholder is trusted. This means that the cardholder no longer needs to verify their identity manually, as was the case with 3DS 1.0.
Within the Challenge Flow, the system is not sufficiently confident of the user’s identity and requires an extra one-time password or biometric verification. The user is then forwarded to the card issuer’s ACS website, where they may provide the required information.
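The two flows described above, seen from the merchant's checkout, as an added example that is not PayGuard's or any card scheme's code. The field names (`transStatus`, `acsURL`, `authenticationValue`, `eci`) come from the EMV 3-D Secure message format rather than from this article; `next_step`, the sample responses, and the choice to decline on every non-successful status are assumptions made for illustration.

```python
# Added example: routing a 3DS 2.0 authentication response on the merchant side.
# Field names follow the EMV 3-D Secure message format (an assumption; the
# article does not list them). Sample responses are constructed.

FRICTIONLESS_OK = {"Y", "A"}  # authenticated / attempt processed: no cardholder step
CHALLENGE = {"C"}             # the issuer's ACS wants an OTP or biometric check
FAILED = {"N", "R", "U"}      # not authenticated / rejected / could not be performed


def next_step(ares: dict) -> dict:
    """Decide what the checkout does once the ACS has scored the transaction."""
    status = ares.get("transStatus")

    if status in FRICTIONLESS_OK:
        # The proof of authentication must travel with the authorisation
        # request; if it is missing, fail closed instead of authorising.
        if not ares.get("authenticationValue"):
            return {"action": "decline", "reason": "missing authentication value"}
        return {"action": "authorise", "flow": "frictionless",
                "authenticationValue": ares["authenticationValue"],
                "eci": ares.get("eci")}

    if status in CHALLENGE:
        acs_url = ares.get("acsURL", "")
        # Only hand the cardholder over to an HTTPS ACS endpoint.
        if not acs_url.startswith("https://"):
            return {"action": "decline", "reason": "invalid ACS URL"}
        return {"action": "challenge", "flow": "challenge", "acsURL": acs_url}

    if status in FAILED:
        # Policy assumption: this example declines; a merchant could instead
        # proceed without 3DS protection and keep the fraud liability.
        return {"action": "decline", "reason": f"transStatus {status}"}

    # Unknown or absent status must never fall through to authorisation.
    return {"action": "decline", "reason": "unrecognised response"}


# Constructed sample responses (not captured from a real ACS).
SAMPLES = [
    {"transStatus": "Y", "eci": "05", "authenticationValue": "EXAMPLE-AUTH-VALUE"},
    {"transStatus": "C", "acsURL": "https://acs.issuer.example/challenge"},
    {"transStatus": "N"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["transStatus"], "->", next_step(sample))
```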
The Liability Shift Rule
Currently, any merchant who tries to use 3DS 1.0 authentication could be held liable. This holds whether the issuing bank supports 3DS 1.0 or the cardholder is not registered in the protocol.
Before, if fraud happened during an authenticated transaction, the bank was liable. This liability concern was worsened because 3DS 1.0 was not particularly strong on a security level: static passwords were relatively easy for determined fraudsters to breach and then exploit to circumvent the 3DS 1.0 procedure.
The issuer would only get ten static data items to estimate the possibility of fraud. Finally, issuing banks were responsible for developing and maintaining access control servers (ACS) to receive 3D Secure communications, process them, and authenticate the card user.
With the new protocol of 3DS 2.0, each card scheme has its own rules for transferring liability. Beginning in October 2018, Mastercard started to enable Liability Shift, whereas Visa will activate Liability Shift based on the merchant’s location.
The main benefit of 3DS 2.0 for retailers is the liability transfer coupled with the promise of decreased fraud. By requiring cardholders to verify themselves with the bank that issued their credit or debit card, fraud liability is transferred away from the merchant and onto the card issuer.
With 3DS 2.0 it should also be straightforward to fight and win disputes over transactions that have been authenticated. Even if the customer says they have an unauthorised payment from you on their card, much of the time the card company will have to refund them.
This means that merchants will have more money in their pockets if there are fewer chargebacks. 3D Secure helps cut down on the time and money it takes to deal with disputes, chargeback penalties, and fees, which can add up quickly.
Overall, 3D Secure 2.0 can be a simple way to stop both fraud and the chargebacks that come with it.
3DS 2.0 in Practice
To understand the impact of 3DS 2.0, we can explore the scenario of a furniture shop.
High-ticket businesses like furniture stores accept card payments for significant amounts, which might go up to £14,000 for a single purchase. To fulfil the order, they must go to the supplier and request that the furniture be produced, and they cannot cancel a week, two weeks, or a month later.
So what happens if, two weeks later, the payment turns out to be fraudulent and the funds cannot be retrieved? And what happens if there is also a chargeback associated with that transaction, when they have already asked for £14,000 worth of furniture to be built?
Suddenly, merchants get a five-figure charge from their furniture supplier for items they cannot sell to the individual. Therefore, it is critical that the transaction is not fraudulent at the point of payment. To guard against this, they might use 3D Secure Version 2.
A possible issue for some retailers would be how to do this over the phone, to which PayGuard provides a solution, with two distinct payment link options.
The first is where the customer is sent a link via text message; they click the link, fill out their card information on their phone, and click submit. During this process, the agent only sees the xxxx’s on their screen and is shielded from the actual details. This completes the payment and bypasses 3DS 2.0, which is beneficial because it reduces friction at checkout and can help the entire process run more smoothly.
To prevent fraud further, the second option may be preferred. In this process, instead of the customer giving their card information to the agent for processing, the customer submits it directly, and the payment then goes through the 3D Secure V2 process. Effectively, they are doing all of this on their mobile whilst still on the phone to an agent. So you can take a phone payment that is actually classed as an e-commerce payment, which then fits under 3D Secure V2 requirements. Because the customer is submitting the payment directly, it is classed as an e-commerce payment, and better rates on the transactions are available.
As a result of this second process you immediately get lower acquiring costs, which, on big transactions with charges of 1%, represent a significant saving. Even if the fee is reduced from 1.5% to 1%, half a percent of a £14,000 purchase is a significant saving, and of course you also eliminate the possibility of fraud chargebacks.
PayGuard ultimately allows merchants to accept payments that are PCI compliant and 3DS 2.0 protected, with minimal consumer friction.
Why Businesses Should Take Advantage of 3DS 2.0
Since Visa released the original 3DS protocol in 2001, the online payments ecosystem has changed a lot in terms of legislation and ways to make online payments. This has required changes to the solution’s user experience and a more flexible approach. By addressing previously identified issues with 3DS 1.0, 3DS 2.0 can deliver a more efficient, coherent and unobtrusive authentication solution.
The new standard uses encryption to assure high conversion rates while maintaining security. Moreover, the increased security does not hinder users’ interaction with the system. The new protocol supports Strong Customer Authentication (SCA) in mobile apps, biometric authentication and exemptions.
Cart abandonment rates will improve for retailers, as 3DS 1.0 has always required cardholders to input a password manually. Many cardholders forget their static password, while others consider it an unnecessary additional step. Therefore, many cardholders simply discontinue purchases. Frictionless Flow eliminates this additional manual step, increasing the likelihood that cardholders will finish their transactions.
3D Secure 2 captures and sends extensive data on the cardholder and the transaction to the issuer. The issuers may use this vast information to make better risk judgments. Because issuers have more information, chargebacks from cardholders are reduced, as are the time and expense associated with resolving disputes.
For both issuers and retailers, 3DS 2.0 could be a very important tool in the fight against card-not-present (CNP) fraud. Issuers and merchants will be able to gather more information from each other because of this new data stream. Moreover, the new protocol is mobile-friendly, which is important because mobile commerce is only set to continue growing worldwide year-on-year.