Blog article
See all stories ยป

The cold hard truth about 3DSecure

Even protocols whose mission and process remain the same need updating

In the world of online commerce, customer confidence is incredibly important. In the early days of the internet, 3D Secure was one of the most significant drivers of consumer confidence and eCommerce growth.

3-D Secure helped to instill trust and confidence in consumers who wanted to shop safely on-line, and also offered an established recourse process if there was any dispute with the merchant. Commercially 3-D Secure has significant benefits. Not only is the cost per transaction much less, merchants also benefit from a shift in liability.

3D-Secure recently described by a large gaming operator "As a merchant, why wouldn't you push all transactions through 3DSecure? It's cheaper and defers fraud liability. It's a no-brainer" yet purposefully do not process transactions being made via a mobile device through 3DSecure.  

So what's the problem?

3D Secure was originally invented in 2001; the first iPhone went to market in 2009. We can see the problem right here. The original protocol was never designed with the proliferation of mobile in mind.

As every organization with a desire to compete in the application economy undergoes a digital transformation, they embrace the mobile world and engage their customers who are using new devices and platforms.

Although the 3-D Secure industry has implemented solutions to improve the customer journey for mobile, like risk-based authentication and reconfigured customer facing pages, 3-D Secure was never designed for mobile devices. 

The journey for customers using a mobile device for eCommerce is typically faced with a poor and less-desired experience. Merchants are desperate to offer customers 3-D Secure security via mobile, to take advantage of the preferred transaction rates and liability shift. Merchants have a simple need to process a transaction as quickly, simply and cost-efficiently as possible.

Good news! There is a solution and it's due to arrive in the market very soon       

A huge project is in progress, which involves the entire payment security industry including, merchants, issuers, technology vendors, and card schemes collaborating to design the next generation 3-D Secure protocol.

The new design will address the poor experience on smartphone devices, integrate mobile wallets into the equation, as well as in-app transactions. EMVCo is due to release details of the new specifications in November of this year. Merchants and consumers alike are looking forward to seeing a much-needed improvement in the mobile experience.

Having seen early prototypes and doing a lot of personal research I can say the new solution focuses on simplifying the customer experience dramatically. 


Comments: (4)

Arnab Sinha
Arnab Sinha - Accenture - Amsterdam 02 September, 2016, 10:441 like 1 like

Nice post, Hannah. However, must point out that the bigger problem with 3D Secure today is that the user experience is tremendously clunky and leads to the majority of the shopping cart abandonments. For an online merchant, the pains of lost sales more often exceeds the benefit of liability shift and reduced interchange. Mobile friendly checkout wil not do away with these fundamental issues.Use of biometrics/touch id as the additional authentication factor can probably help. What do you think?

A Finextra member
A Finextra member 02 September, 2016, 11:052 likes 2 likes

Arnab thank you for taking the time to read this post and comment.

Abandonment in the UK is minimal these days, as most issuers are taking a risk based approach typically 90% of transactions are processed without the need to authenticate with a password and this is becoming more widespread globally. Biometrics are in scope for the new protocol Mastercard already supports selfies.

The new protocol promises to be much more flexible than the existing protocol to accommodate modern methods of authentication. The holy grail, however, is using the data to make very accurate risk-based decisions. Any friction to the transaction creates an abandonment risk.

I'd love to share more with you, but I'm limited what I can say until EMVco release specifications later in the year. I anticipate there will be a lot of information available at the begining of next year. I'll definetely look to share what I can to help the industry plan, and realise the value.   

A Finextra member
A Finextra member 02 September, 2016, 13:39Be the first to give this comment the thumbs up 0 likes

The program is getting a minor upgrade this year, yes. But it's still a very out of date to newer technologies. It will help cut down on the frictionless flow because we are able to submit more data for risk review but 90% would be nice here in the USA. Instead we are seeing 60-70%. They still want to see a really out of date iframe for a challenge and also still need the banks to participate and update their experience. All in all it is a step in the right direction. 

A Finextra member
A Finextra member 02 September, 2016, 13:42Be the first to give this comment the thumbs up 0 likes The US is poor in it's adoption of risk based, most issuers are still challenging 100%. My colleagues are working hard to educate the industry in the US.

Now hiring