3-D Secure 2.0: A Guide for Merchants and Banks

Listen to 3-D Secure 2.0: A Guide for Merchants and Banks (9 mins):

What is 3-D Secure?

3DS is a set of opt-in security authentication protocols to keep digital and online payments safe from fraud. It initially debuted in 1999 by major payment providers (including Visa and Mastercard) to protect eCommerce transactions. 3DS refers to the three domains of a transaction: the merchant or acquirer, the issuing bank, and the payment network. The protocols are essentially operating rules designed to add an additional layer of security to card-not-present (CNP) transactions. 

So what does it mean in practice? With a 3DS protocol in place, customers must authenticate their identity through a password or a code delivered via SMS or email. After the cardholder submits their data, the merchant transmits it to the issuer for authentication. The issuer then reviews the transaction and assesses the consumer’s risk level. If the issuer considers the transaction to be higher risk, they ask the merchant to have the cardholder perform an additional authentication step. Consumers could be prompted to provide biometric information like a fingerprint, facial scan, or a one-time passcode.

What is 3-D Secure 2.0?

When 3DS initially debuted in 1999, only computers were used for eCommerce transactions. As consumers’ buying habits shifted to newer technologies like smartphones, laptops, and tablets, the password requirements of 3DS became cumbersome. Many merchants complained it added too much friction to the customer journey without giving them the ability to resolve it and contributed to cart abandonment. 

As a result, an updated 3-D Secure 2.0 protocol has been launched for the broader array of technologies that eCommerce merchants use to make the consumer experience more seamless while having passive risk monitoring (e.g., biometrics or CAPTCHA tests) to mitigate fraud. 

How 3DS 2.0 Changes the Game

Banks and merchants must understand how 3DS affects their operations and brace for significant changes once it is more widely adopted. 

What 3DS 2.0 means for merchants

Merchants will face greater onus to authenticate their customers. 3DS effectively places a higher mandate to ensure merchants are only dealing with real, trustworthy customers. This means merchants will have to be more diligent in authenticating buyers. In other words, they will need to establish a digital trust to quickly review the customer’s data and approve the transaction.

Merchants who opt-in to 3DS have greater responsibilities to authenticate customers’ identities to prevent fraud. While this adds additional responsibilities to the merchants’ workload, it comes with a valuable trade-off: reduced chargeback liability. Chargebacks are a double hit for merchants because they lose both the revenue from a sale and the value of the inventory itself. They also can lose time and money processing the chargeback cost. 

3DS gives merchants the opportunity to demonstrate that they performed additional checks to authenticate customers’ identities during eCommerce transactions. This allows merchants to shift chargeback liability for potential fraud to banks. 

What 3DS 2.0 means for banks

As more merchants adopt 3DS 2.0, issuing banks will need to perform greater authentication and authorize a greater share of CNP eCommerce transactions. Banks will also intake more data as a result of this new arrangement. As merchants transmit consumer data for authentication, banks will need to correlate the data and determine the transaction’s risk level. For example, does the customer information provided by the merchant, such as the customer’s email or IP address, match the email and IP address the bank has on file. If not, the bank can request the merchant to perform an additional authentication step. 

Banks will now own a greater share of liability for fraudulent transactions. At the same time, banks can’t add friction to the merchants’ customer experiences. If their authentication process is too cumbersome or contributes to cart abandonment, merchants will consider switching banks as a result.

Tips for Smoother 3DS Adoption

To date, adoption of 3DS has been stronger in Europe than in the U.S. As recently as 2017, only 18% of U.S. merchants had implemented 3DS. However, there’s ample evidence that 3DS will be more broadly adopted, especially as fraudsters continue to target CNP transactions. The Feedzai Q2 2021 Financial Crime report found that while CNP transactions only accounted for 18% of all transactions, they made up 83% of all fraud attempts. 

As eCommerce increases globally, the market for 3DS adoption is also poised to expand. By some estimates, the market is on track to increase at a compound annual growth rate (CAGR) of 20.8% between 2020 and 2027. Here are some tips on how to make 3DS adoption go smoothly.

Merchants need to think like a bank

With 3DS in place, merchants now have skin in the authentication game and a strong motivation to deliver digital trust. As eCommerce activity increases, merchants must ensure that they are performing the strongest possible authentication measures. By adopting the mindset of a bank and raising the authentication threshold, merchants can offset the risk of incurring chargebacks for fraudulent transactions.

Watch cart abandonment activity

As merchants leverage technology to establish digital trust with their customers, they must also ensure that the same technology does not create a burden for customers. That was the key issue with the original 3DS protocol. Merchants that opt into 3DS 2.0 should keep a close eye on their cart abandonment rate to determine if their heightened authentication measures alienate customers. Cart abandonment can be an important bellwether to determine if this is the case. If merchants find customers are getting frustrated by their additional authentication experience, they can consult with their banks about improving the process. 

Banks need to prepare to intake more data

As more merchants adopt 3DS, banks will receive large volumes of customer data. They’ll need the right technology to ingest and review the merchant’s customer data with the existing data they have on file. By putting the technology in a sandbox environment, banks can create customer profiles based on the 3DS 2.0 data and sync it with their own online banking data. If the 3DS 2.0 data matches the banking profile data, it will add digital trust to the transaction. 

As 3DS 2.0 expands, some common dynamics of both merchants and banks are bound to change. It’s important that both banks and merchants understand the principles of digital trust in order to prepare for the new realities that 3DS 2.0 will implement. 

Digital trust is the foundation of today’s connected economy. Watch our on-demand webinar, 4 Key Elements of Digital Trust to learn why traditional methods of assessing trustworthiness frequently fall short and how banks can ensure digital trust across the customer journey.