By Jim Daly
@DTPaymentNews
The new version of the 3-D Secure online-authentication technology is better for merchants and consumers and thus likely to get more adoption than the old version, according to security experts.
EMVCo, the chip card standards body owned by the world’s six leading payment card networks, released 3-D Secure 2.0 last week. Visa Inc. originally developed the 3-D Secure technology for protecting e-commerce transactions about 15 years ago and branded it as Verified by Visa. The company offered the underlying technology to other networks, which put their own brands on it. But many merchants refused to use 3-D Secure because of the “friction” it generated by having a buyer leave the merchant’s Web site to complete authentication steps in a pop-up window, leading to abandoned transactions.
Over the years, card issuers and processors worked out protocols that reduced the use of pop-up windows, but the original, wonky perception of 3-D Secure stuck, as did fears about lost sales. With version 2.0, however, transaction abandonment should be much less of an issue, says Mike Keresman, founder and chief executive of CardinalCommerce Corp., an e-commerce services firm. The new specification puts the complexities of online authentication behind the scenes, he says.
“It will address quite a few of the issues, and yes, merchants will adopt, because they’re going to get higher authorization rates,” says Keresman. “It is designed to be smoother, a friction-free environment for the consumers.”
A new report from Pleasanton, Calif.-based Javelin Strategy & Research says that the cost of false positives—legitimate transactions denied because a risk-control system incorrectly suspects they might be fraudulent—actually far exceeds that of fraud losses.
“I do think we’ll see an uptick in use of 3DS 2.0,” Julie Conroy, a security analyst and research director at Boston-based Aite Group LLC, tells Digital Transactions News by email.
The new spec is more than 200 pages long, but Conroy says “there were no big surprises in it. The networks have been talking about the direction this is going in for quite some time.”
Among other things, the specification addresses security for technologies that have bloomed since 3-D Secure first appeared, including app-based purchases on smart phones and other mobile devices, as well as traditional browser-based e-commerce channels. It also addresses so-called step-up authentication systems such as one-time passcodes and biometrics.
“Besides security, the consumer experience is central to EMVCo’s work,” Jonathan Main, chairman of the EMVCo Board of Managers, said in a news release. “In addition to engaging with industry experts, we conducted user testing in multiple markets to understand consumer preferences for verifying their identity online. Feedback has been incorporated into the new global specification to also accommodate country-specific preferences and regulatory requirements.”
While one-time passcodes, which could be sent by text message to the buyer during the transaction and entered into the checkout page to confirm the transaction, are seen by many in the payments industry as more secure than static passwords, they aren’t invulnerable, according to Conroy. “We are seeing criminals have success in compromising that in a number of countries,” she says. “This highlights the importance of looking to other capabilities, such as biometrics, as the stepped-up form factor.”
CardinalCommerce developed the online security service called Cardinal Consumer Authentication, which uses 3-D Secure protocols when appropriate, according to Keresman. But the service goes beyond 3-D Secure in assessing variables about the device used for an e-commerce transaction, as well as data from merchants about their customers and from issuers about their cardholders, says Keresman.
“The prevailing thought is we’ve got to make sure the good guys can buy,” says Keresman.