
Why W3C Web Payment Standardisation Won’t Be The 3D Secure Killer

The online payments landscape is one of the fastest growing industries in the world. Global retail eCommerce transaction volumes for products and services reached US$1.9 trillion in 2016 and are estimated to grow to over US$4 trillion by 2020.

With such large volumes and the constant evolution of the digital payments sphere, security is naturally the number one concern.

The 3D Secure protocol has been around since the early 2000s and provides an extra layer of security in card-not-present online payments. The benefits of implementing 3DS are widely known and accepted.

In a recent article, the upcoming W3C Web Payment standard has been heralded as a “potential 3D Secure killer”.

The W3C Web Payment standard is a forward-thinking initiative that will aim to answer many questions surrounding current online payment processes. Although the article contained valuable insights and highlighted some concerns with the 3DS protocol, below I’ve outlined some counterarguments against the notion of the standard becoming a 3D Secure “killer”.

Traditional financial institutions are slow to adopt change.

Banks, credit unions, and other financial institutions will have to adopt and implement the W3C Web Payment standard, either through their websites or in existing mobile apps, before they can fully utilise its functionality.

Unfortunately, traditional financial institutions are notoriously slow to adopt change. This is one of the main reasons why we are seeing the financial technology revolution happening within the industry, as consumers are looking for more efficient ways of interacting with financial providers.

It will, therefore, take years of small-scale testing and analysis before the W3C standard has an impact on the main markets that big financial institutions and card providers (Visa, Mastercard, etc.) operate in.

3DS 2.0 will address concerns about the current protocol.

There have been some issues raised by merchants with the current 3DS protocol, like shopper abandonment due to the extra security steps in the transaction process.

Although the online payments landscape is complex and no clear correlation can be drawn between 3DS and a drop in conversion rates, the 3D Secure industry has addressed these concerns with simple solutions.

These include wording on the check-out page to educate consumers and a rules-based approach that drops the extra authentication step where the conversion rate loss outweighs the benefit.

EMVCo has also been working on an updated version of the 3D Secure protocol (3DS 2.0) that will provide a more frictionless experience and solve many of the issues merchants are concerned about, including online checkout abandonment.

With Visa expecting early implementation of 3DS 2.0 to begin in the latter stages of 2017, and taking into consideration the wide adoption rate of the current 3D Secure protocol, it would be much easier and more cost-effective for financial institutions to adopt 3DS 2.0 once it’s fully rolled out, instead of switching to the W3C standard. Users will also be completely unfamiliar with the W3C process, and this unfamiliarity will bring its own set of complications.

The W3C Payment standard currently lacks the appropriate backing.

W3C formed the Web Commerce Interest Group, whose task it is to work on the implementation of the new payments standard and what the platform would look like.

Although American Express is represented on the board of this group, it looks like the other major card providers, i.e. Visa, MasterCard and JCB International, are noticeably absent.

On the other hand, all of the above-mentioned card providers (including American Express) have adopted the 3D Secure protocol. Considering the combined market reach of the excluded card providers, it would be hard for the W3C Payment standard to gain any real traction.

Unless the standard gets more influential backing, it is highly unlikely to become the “3D Secure Killer”, so to speak.

3D Secure authentication doesn’t necessarily look like a phishing attempt.

One of the main concerns about the 3D Secure authentication process is that consumers pull out of a transaction before completion. As discussed in the aforementioned article, this is because card issuers have outsourced their 3D Secure Access Control Server (ACS) operations, so consumers are directed to a URL other than that of the online domain from which the purchase is taking place, the issuing bank, or the corresponding card payment network. The consumer might, therefore, become wary and abandon the transaction.

That does make sense. However, the simple truth is that not all card issuers have outsourced their 3D Secure ACS operations, and for those that have, the 3D Secure page can easily be changed to a subdomain of the bank (e.g. 3dsecure.mybank.com). In fact, most of the card issuers have done this by simply talking to their ACS provider or vendor (who will do this for them), therefore minimising the risk of shopper abandonment.

The W3C Payment standard is not a straight replacement for 3DS.

The main focus of the W3C working group seems to be to increase the interoperability of the multiple payment systems available, by creating a standardised platform, therefore making online payments a smoother experience for end users. The W3C Web Payment framework doesn’t address consumer authentication and is more like a model of what the payment interface should look like.

The 3D Secure protocol, however, focuses specifically on the authenticity of card-not-present transactions by providing an additional layer of security. The two standards are therefore not in direct competition but there might be room for future collaboration, depending on how the two technologies evolve going forward.

Although there are some good implementation practices merchants need to consider before implementing 3D Secure, the protocol is not going anywhere anytime soon. It’s more likely for the W3C Web Payment Standard to become a friend, rather than a foe, in the fight against fraudulent online transactions.

 


Comments: (2)

Milos Dunjic - TD Bank Group - Toronto, 26 August, 2017, 14:02 - 1 like

Hi Sadra, thanks for your own article as a direct response to this one. I have read your arguments and understand your reasoning. I may need to clarify the basic premise of my theory ... I do agree that W3C Web Payment Standardization won't kill 3DS immediately and I also generally agree with most of the observations in your counter-article (not all though).

However IMO, over time, as every single 'obstacle to wide adoption of W3C Web Payment Standardization' that you listed here is eliminated, 3DS will most likely become obsolete ... simply because there would be no '3 domains' anymore ... we will simply have Merchant Domain and Issuer Domain only, mediated directly by the compliant browser. There will be no need for Merchant Plug-Ins, 3DS Directories, 3DS flow, etc, etc.

In future W3C compliant Web Payment world, once the Issuer W3C compliant Payment App is triggered (and I see most major FIs becoming main providers of these), the Issuer's W3C compliant Payment App can use any authentication method to securely and reliably authenticate the customer and guarantee payment.

How long will it take for W3C Web Payment Standard to become widespread? I believe 5 years from now, the funny current "Nascar of pay-with buttons" on online merchant sites, shall be replaced with only 1 PAY button. But fully agree with you - FIs may be slow (innovative ones and clearly aware of the W3C potential and are catching up quickly though), politics of current players play a big role, etc.

Hope this clarifies my thinking.

 

Sadra Boutorabi - GPayments - Sydney, 30 August, 2017, 07:10 - 0 likes

Thanks for reading my article and for your response, Milos.

I do agree with the vision but it's more about the "when" for me.

In an ideal world, we can potentially have the merchant and issuer domains but the journey is not as easy as it sounds.

I can't seem to be able to underestimate the politics of those players in slowing this down. Of course, at the end of the day the payment world will favour efficiency but is that in 5 years?

And when the time comes, will this standardisation be the most efficient solution?

Sadra Boutorabi

Product Marketing Director

GPayments

This post is from a series of posts in the group:

Innovation in Financial Services
