Blog article
See all stories »

Why W3C Web Payment Standardisation Won’t Be The 3D Secure Killer

The online payments landscape is one of the fastest growing industries in the world. Global retail eCommerce transaction volumes for products and services reached US$1.9 trillion in 2016 and are estimated to grow to over US$4 trillion by 2020.

With such large volumes and the constant evolution of the digital payments sphere, security is naturally the number one concern.

The 3D Secure protocol has been around since the early 2000’s and provides an extra layer of security in card-not-present online payments. The benefits of implementing 3DS are widely known and accepted.

In a recent article, the upcoming W3C Web Payment standard has been heralded as a “potential 3D Secure killer”.

The W3C Web Payment standard is a forward-thinking initiative that will aim to answer many questions surrounding current online payment processes. And although the article contained valuable insights and highlighted some concerns with the 3DS protocol, below I’ve outlined some counter arguments against the notion of the standard becoming a 3D Secure “killer”.

Traditional financial institutions are slow to adopt change.

Banks, credit unions, and other financial institutions will have to adopt and implement the W3C Web Payment standard, either through their websites or in existing mobile apps, before they can fully utilise its functionality.

Unfortunately, traditional financial institutions are notoriously slow to adopt change. This is one of the main reasons why we are seeing the financial technology revolution happening within the industry, as consumers are looking for more efficient ways of interacting with financial providers.

It will, therefore, take years of small scale testing and analysis before the W3C standard will have an impact on the main markets that big financial institutions and card providers (Visa, Mastercard, etc.) operate in.

3DS 2.0 will address concerns about the current protocol.

There have been some issues raised by merchants with the current 3DS protocol, like shopper abandonment due to the extra security steps in the transaction process.

Although the online payments landscape is complex and no clear correlation can be drawn between 3DS and a drop in conversion rates, the 3D Secure industry has addressed these concerns with simple solutions.

This includes wording on the check-out page to educate consumers and using a rules-based approach to drop the extra authentication step where the conversion rate loss outweighs the benefit.

EMVCo has also been working on an updated version of the 3D Secure protocol (3DS 2.0) that will provide a more frictionless experience and solve many of the issues merchants are concerned about, including online checkout abandonment.

With Visa expecting early implementation of 3DS 2.0 to begin in the latter stages of 2017, and taking into consideration the wide adoption rate of the current 3D Secure protocol, it would be much easier and cost effective for financial institutions to adopt 3DS 2.0 once it’s fully rolled-out, instead of switching to the W3C standard. Users will also be completely unfamiliar with the W3C process which, because of this unfamiliarity, will bring its own set of complications.

The W3C Payment standard currently lacks the appropriate backing.

W3C formed the Web Commerce Interest Group, whose task it is to work on the implementation of the new payments standard and what the platform would look like.

Although American Express is represented on the board of this group, it looks like the other major card providers, i.e. Visa, MasterCard and JCB International, are noticeably absent.

On the other hand, all of the above-mentioned card providers (including American Express) have adopted the 3D Secure protocol. Considering the combined market reach of the excluded card providers, it would be hard for the W3C Payment standard to gain any real traction.

Unless the standard gets more influential backing, it’s highly unlikely for it to become the “3D Secure Killer”, so to speak.

3D Secure authentication doesn’t necessarily look like a phishing attempt.

One of the main concerns of the 3D Secure authentication process is that consumers pull out of a transaction before completion. As discussed in the aforementioned article, this is due to the fact that card issuers have outsourced the 3D Secure Access Control Server operations (ACS) and consumers are therefore directed to a different URL, other than that of the online domain from which the purchase is taking place, the issuing bank, or corresponding card payment network. The consumer might, therefore, become weary and abandon the transaction.

It does make sense, however, the simple truth is that not all card issuers have outsourced their 3D Secure ACS operations and for those that have, the 3D Secure page can easily be changed to a subdomain of the bank (e.g. In fact, most of the card issuers have done this by simply talking to their ACS provider or vendor (who will do this for them), therefore minimising the risk of shopper abandonment.

The W3C Payment standard is not a straight replacement for 3DS.

The main focus of the W3C working group seems to be to increase the interoperability of the multiple payment systems available, by creating a standardised platform, therefore making online payments a smoother experience for end users. The W3C Web Payment framework doesn’t address consumer authentication and is more like a model of what the payment interface should look like.

The 3D Secure protocol, however, focuses specifically on the authenticity of card-not-present transactions by providing an additional layer of security. The two standards are therefore not in direct competition but there might be room for future collaboration, depending on how the two technologies evolve going forward.

Although there are some good implementation practices merchants need to consider before implementing 3D Secure, the protocol is not going anywhere anytime soon. It’s more likely for the W3C Web Payment Standard to become a friend, rather than a foe, in the fight against fraudulent online transactions.



Comments: (2)

Milos Dunjic
Milos Dunjic - TD Bank Group - Toronto 26 August, 2017, 14:021 like 1 like

Hi Sadra thanks for your own article as a direct response to this one. I have read your arguments and understand your reasoning. I may need to clarify the basic premise of my theory ... I do agree that W3C Web Payment Standardization won't kill 3DS immediatelly and I also generally agree with most of observations in your counter-article (not all though).

However IMO, over time, as every single 'obstacle to wide adoption of W3C Web Payment Standardization' that you listed here is eliminated, 3DS will most likely become obsolete ... simply because there would be no '3 domains' anymore ... we will simply have Merchant Domain and Issuer Domain only, mediated directly by the compliant browser. There will be no need for Merchant Plug-Ins, 3DS Directories, 3DS flow, etc, etc.

In future W3C compliant Web Payment world, once the Issuer W3C compliant Payment App is triggered (and I see most major FIs becoming main providers of these), the Issuer's W3C compliant Payment App can use any authentication method to securely and reliably authenticate the customer and guarantee payment.

How long will it take for W3C Web Payment Standard to become widespread? I beilieve 5 years from now, the funny current "Nascar of pay-with buttons" on online merchant sites, shall be replaced with only 1 PAY button. But fully agree with you - FIs may be slow (innovative ones and clearly aware of the W3C potential and are catching up quickly though), politics of current players play a big role, etc. 

Hope this clarifies my thinking.


Sadra Boutorabi
Sadra Boutorabi - GPayments - Sydney 30 August, 2017, 07:10Be the first to give this comment the thumbs up 0 likes

Thanks for reading my article and for your response Milos

I do agree with the vision but it's more about the "when" for me.

In an ideal world, we can potentially have the merchant and issuer domains but the journey is not as easy it sounds.

I can't seem to be able to underestimate the politics of those players in slowing this down. Of course, at the end of the day the payment world will favour efficiency but is that in 5 years?

And when the time comes, will this standardisation be the most efficient solution?

Sadra Boutorabi

Sadra Boutorabi

Product Marketing Director


Member since

28 Jul 2017



Blog posts




This post is from a series of posts in the group:

Innovation in Financial Services

A discussion of trends in innovation management within financial institutions, and the key processes, technology and cultural shifts driving innovation.

See all

Now hiring