If you've paid for something online, you will have probably used 3D Secure. And if you're a small business owner that takes ecommerce payments, it's likely that your customers will have used it to pay you securely and efficiently.
Although you may have been using 3D Secure for years, you may have no idea what it is, why it's used, or why it's an integral part of payment security.
Alternatively, you may have come across 3D Secure in relation to the Payment Services Directive 2 (PSD2), which is an European Union legislation which went into effect in 2019.
In this guide, we'll take you through all things 3D Secure, from its origins, how it works, the benefits, how it relates to PSD2 and any limitations.
3D Secure or sometimes known as 3DS, is short for 3-domain server. It's a security protocol designed to prevent online fraud for credit and debit card transactions.
It was first invented by Arcot Systems (now CA Technologies) in 2001 and taken to market and made popular by Visa with their 'Visa Secure'. Since its successful launch with Visa, many other card networks have developed and implemented their own 3D Secure protocols.
For example, Mastercard has SecureCode, American Express has its version called SafeKey, and the Discover Global Network has ProtectBuy. These are all branded names for their 3DS solutions. Although they all use 3D Secure technology, each solution varies in its functionality.
The term 3DS refers to the three-domain servers that it uses. These are:
3D Secure is a strong customer authentication (SCA) that typically asks cardholders to answer a security question or enter a specific PIN sent to them via SMS or email.
The steps involved for consumers are:
The most apparent advantage of the 3D Secure protocol is that it protects both merchants and customers from online payment fraud.
Although transaction speeds take marginally longer – with customers asked to provide identification – the benefits for merchants should not be understated.
The most significant advantage of using 3D Secure is that in the instance of fraud and, therefore, a merchant chargeback, the liability shifts to the card issuer.
A 3D Secure ‘liability shift' can occur in the following scenarios:
However, the liability is still with the merchant in the following scenarios:
When merchant chargebacks occur, some issuing banks such as Visa will ensure that you don't receive the chargeback on your account. This can help minimise 'friendly fraud' when a cardholder deliberately files for a chargeback hoping that the bank will automatically side with them.
Some 3D Secure transactions create friction for both customers and merchants. They often require lengthy passwords that are easy to forget, or the account is connected to an old phone number. This creates inefficiencies at the point of sale and can lose merchants money.
Also, not all card issuers take part in the scheme, which means that chargebacks are only limited but not completely eradicated.
And finally, sometimes you can get false declines, whereby the card issuer declines a legitimate transaction, which is costly for the merchant.
To fully understand the necessity of card security and 3D Secure, it's helpful to understand the role of the Payment Services Directive 2 (PSD2).
PSD2 is a legislation passed by the European Union in 2018-2019, designed to encourage safer payment services, cut down on fraud, give customers more control, and help lead innovation with open banking.
One way PSD2 aims to tackle payment fraud is with Strong Customer Authentications (SCAs). These are essentially checks by the merchant to assess and verify the customer's identity when making a transaction either online or in person.
With PSD2's new legislation, the customer should be able to prove their identity when purchasing with two out of the three options:
Knowledge: Something that only the cardholder will know, such as a password or PIN.
Possession: Something that only the cardholder will have, such as their digital wallet or physical debit or credit card.
Inheritance: Something unique to the cardholder – such as biometric information including fingerprints or facial recognition.
Not all of these requirements need to be met all of the time. A contactless face-to-face payment can be made with the value up to £45, the cumulative value of £150, or five transactions without the customer providing their 'knowledge', i.e. their PIN.
Bypassing SCAs is only typically done in low-risk situations. This helps customers and merchants take frictionless payments that are easy and efficient for both parties.
There is a higher risk of cardholder, not present fraud when it comes to online payments, which is costly for consumers, merchants, and banks.
This is because there wasn't a way to identify if the person purchasing something using their laptop or smartphone was the card owner.
However, 3D Secure provided a method of identification for online payments and was a Strong Customer Authentication.
This meant that cardholders would need more than just the details printed on the card for a transaction to be verified, making it a lot harder for fraudsters.
With the growth of mobile ecommerce, 3DS needed to evolve to provide a better consumer experience on device. So in 2015, a new standard called 3DS2 was introduced by EMVco. It’s aim is to deliver a better experience but has also been extended to incorporate the demands of PSD2 and provide a reliable method of SCAs for online payments.
3DS2 collects a lot more information than its predecessor, which means that the cardholder rarely has to input anything for the fraud checks to be made.
When a 3DS2 transaction happens, specific data points are collected, sent to a 3DS server and routed to the card issuer for approval. The issuer will then make a decision based on the data presented, which includes IP address, browser language, merchant category code – among many others.
Depending on the decision, the issuer will send back two customer flows:
As well as making the process easier for consumers, it helps merchants too. With 3DS, issuers would err on the side of caution when it came to their liability, declining any transaction they weren't sure about based on very little information which was at the cost of the merchant and cardholder.
With access to a lot more data, 3DS2 helps the card issuer make better-informed decisions and reduces the liability exposure for themselves and the merchant.
3D Secure technology is branded under different names and acronyms, which can confuse merchants at the best of times. And with an ever-changing landscape and new technologies formed at such a rapid pace, we're here to keep you at the forefront of technology.
That way, you can take the necessary steps to protect your customers from fraud and your business from the costs associated with it.