Can EMVCo Rescue 3D Secure?

Remember 3D Secure? You may be forgiven if you don’t.

The password-based technology was all the rage a decade ago as online merchants sought ways to control fraud. But it proved hard to integrate, and merchants complained it interfered too much with customers’ checkout sessions, so it never really caught on.

Now EMVCo, a standards body for the Europay-MasterCard-Visa (EMV) specification, hopes its newly assumed oversight of the 3D Secure authentication standard can help make it ubiquitous in e-commerce.

Operated as Visa Inc.’s Verified by Visa and MasterCard Inc.’s SecureCode, 3D Secure systems try to replicate the point-of-sale experience by prompting cardholders to enter a secret code in a pop-up window when checking out from a retailer’s site. American Express Co., which also uses the technology, calls its 3D Secure service SafeKey.

EMVCo’s aegis may make a difference, but it will have to find a way to overcome consumer resistance to dealing with the extra checkout step, experts say.

“Merchants don’t like it because it has the screen pop-up and increases abandonment rates,” says Eric Grover, principal at Intrepid Ventures, a payments consultancy in Minden, Nev.

Consumers also have not liked using 3D Secure technologies because of the uncertainty they can create, especially if the consumer encounters an enrollment screen during the checkout process, Grover says. “It is somewhat disruptive to both sides and it’s never got any momentum,” he says.

EMVCo, which is owned by Visa, MasterCard, Discover, JCB, American Express, and UnionPay, says it will develop the EMV 3DS 2.0 specification and its certification program over the next year with the intention of making it easier to use.

Details on just how EMVCo will do that should emerge later, but for now it says the updated spec will “offer a more seamless consumer experience and reduce reliance on the cardholder to authenticate themselves via a password prompt, better integrating with a merchant’s offering and brand.”

The updated spec also will incorporate non-payment user identification and verification, while adhering to unique regulatory requirements around the globe, EMVCo says.

Some payments professionals are optimistic. “We are very positive about EMVCo being a body through which [the spec] will be burnished and put back into the market,” says Peter Forbes, executive vice president and head of the National Business Unit at Atlanta-based payment processor Worldpay US Inc.

Making 3D Secure easier to use for merchants and consumers will become paramount, especially if predictions of increased card-not-present fraud following the migration to EMV payments come to fruition, Forbes says. “As the face-to-face environment gets secured, we are bound to see a push of losses into the CNP space,” he says.

His hope is that the updated spec will be less reliant on issuers and less reliant on remembering another complicated password for each transaction and each card.

As an example, Forbes, originally from the United Kingdom, says each of his U.K.-issued payment cards has its own passcode for use on 3D Secure-enabled sites. The technology was mandated for U.K. e-commerce sites, he says, but that was done almost 10 years ago, when the U.K. began its EMV migration, and when e-commerce accounted for fewer retail sales than it does today.

EMVCo’s involvement in the 3D Secure spec also could address a shortcoming in the EMV standard, says Beth Robertson, principal at consultancy Robertson Payments Services LLC, “namely, its vulnerability in supporting online transactions,” she says in an email message. “Integration of 3DS with EMV capabilities could serve to build support for EMV conversion.”

EMVCo says the updated standard should be published in 2016.

—Kevin Woodward