Friday, November 22, 2024

Securing the Future of 3-D Secure

The first version of the online-authentication protocol has acquired a nasty rep. With a new version on the way, will it go from four-letter word to four-star performer?

It just might be the best-kept secret in payments.

An authentication protocol called 3-D Secure, which issuers, acquirers, and merchants have used for about 15 years to prevent fraudulent e-commerce transactions, is a much less painful experience for consumers and merchants alike these days than it once was.

But you’d never know it based on the general industry reaction to 3-D Secure, which many merchants, and probably some issuers, still view with the horror the protocol’s original version evoked.

“The original version was completely wonky, and it destroyed the user experience,” says Al Pascual, a senior analyst at Javelin Strategy & Research who follows payments security.

But now, experts say, even though the frustrating integrations and distracting pop-up boxes for password entry that merchants loudly complained about are mostly gone, 3-D Secure hasn’t shaken off its bad odor. It remains “akin to a four-letter word” with many merchants and issuers, in the words of a recent report by the Aite Group consultancy.

“We explain how Verified by Visa is different in detailed conversations, one at a time, but it takes a tremendous amount of time for that word to spread,” laments Mark Nelsen, senior vice president of risk products at Visa Inc. Verified by Visa and MasterCard Inc.’s SecureCode are the networks’ brand names for 3-D Secure.

As a result, only about 18% of U.S. e-commerce traffic is running through 3-D Secure rails, according to a report by Julie Conroy, research director at the Aite Group, though that percentage has tripled just since 2013.

‘Long Memories’

That’s a problem for people like Nelsen and MasterCard’s Bob Reany, executive vice president for identity solutions, for two very important reasons. One is that the rash of data breaches in recent years, coupled with the ongoing deployment of EMV chip cards at the point of sale, is expected to fuel an alarming run-up in card-not-present fraud—just the sort of thing 3-D Secure was designed to combat.

The other reason is that a much more sophisticated version designed to work in-app as well as in browsers is on its way from EMVCo, the global technical-standards entity controlled by Visa, MasterCard, and four other global networks. Observers fear the negativity surrounding the current version could make it that much harder to sell the new one, known as version 2.0, which should arrive late this year.

“Folks in the fraud space tend to have really long memories,” says Pascual. “It’s going to take some really clever branding to get some folks to go down that road” to version 2.0.

These “long memories” have to do with certain features of 3-D Secure that frustrated merchants and exasperated online consumers. Merchants complained that the technology took customers away from the checkout page just as they were prepared to buy so they could enter a password. Not surprisingly, consumers complained they couldn’t recall their passwords.

And it was all or nothing—either a merchant sent all transactions through 3-D Secure or none. Networks that adopted 3-D Secure required this approach out of a concern that consumers must have a consistent experience each time. They also thought the repeated key-entry would help consumers remember their passwords.

For many merchants, these disadvantages were enough to offset a couple of key advantages. Transactions sent through 3-D Secure shift fraud liability to issuers. And they get a reduction in interchange that varies by case but typically ranges from 20 to 22 basis points, according to CardinalCommerce Corp., a major vendor of 3-D Secure technology.

Ramped-Up Fraud

Now, very few transactions still require a static password, according to Visa’s Nelsen. Instead, the protocol depends increasingly on a wide range of methods to reduce the number of times a consumer must be directly challenged to authenticate herself.

Device ID is one such method. The system might recognize the laptop the consumer is using, for example, as one she’s used before, and let the transaction pass. “We can approve you without bothering you for a password you’ve forgotten,” says MasterCard’s Reany.

If the device doesn’t match, the issuer might require further authentication, but even this step avoids static passwords. Instead, the consumer might be asked for a piece of information she’d readily know, such as the name of the street she lived on when she was a kid.

Or she might get a call from a call center, or be sent a one-time password to be picked up on her mobile phone. “We’re seeing more and more issuers deploy stepped-up authentication,” says Aite’s Conroy.

That, in turn, is finally starting to draw interest from some merchants still smarting from the cart abandonment they suffered through. And new merchants are paying attention, as well. “Newer merchants don’t have this fear about adopting the technology,” says Nelsen.

Both merchant categories are sweating a rising tide of online fraud. Much of this is coming from criminals who until recently plied their trade in physical stores with stolen or counterfeit cards. They’re watching as more and more of these stores lock down their point of sale with chip card readers.

But the really scary phenomenon, says Conroy, is the sheer volume of personal information stolen in recent data breaches and readily available online. Since 2013, nearly 4 billion records have been lost to cyber break-ins, according to the online database Breach Level Index.

“We’re already seeing card-not-present fraud ramping up,” says Conroy. “There’s so much data in the hands of criminals and they’re having fun with it.”

How much factors like a smoother user experience and fear of fraud are re-kindling merchant interest in 3-D Secure is a matter of perspective.

Alasdair Rambaud, senior vice president for merchant services at CardinalCommerce, says 42 of the 50 largest U.S. online merchants will be using 3-D Secure through Cardinal by the end of the year. “It might even be 45 if we get lucky,” he says. The number two-and-a-half years ago? Zero. Cardinal enables 3-D Secure for both merchants and issuers.

Pascual’s estimate is more reserved, but he allows that more merchants will come around. “It’s not out of line to say in the next three to five years you’ll have a quarter of the large U.S. merchants using it,” he says. “We have a while to go.”

‘A Lot of Data’

It’s easy to forget that 3-D Secure is a global protocol. In fact, in some countries it’s mandated by government decree. And while the user experience may have improved in places like the U.S., in other countries it’s still less than optimal. “There’s Latin America, for example, where the user experience is quite poor,” says Reany.

Most U.S. merchants either sell online overseas or want to. They’re likely to want one technology for authentication that works smoothly everywhere.

MasterCard is on that case. In February, it scored scads of publicity by introducing what the general press delighted in calling “Selfie Pay.” In reality, this is a technology MasterCard calls Identity Check that captures biometric data—which can include facial images—and folds it into the background data 3-D Secure feeds to issuers.

“‘Selfie Pay’ wasn’t our choice” of name, Reany says, but it helped draw attention to a technology that takes MasterCard well beyond SecureCode. “I’m bullish on where 3-D Secure appears to be headed, using MasterCard’s Identity Check as an example,” says Javelin’s Pascual.

What most players are waiting for, though, is EMVCo’s version 2.0. The standards body began working on the spec early last year and recently released a preliminary draft for comment.

The big news with 2.0 is that it will work with in-app and digital-wallet payments as well as browser-based transactions. It will also call on merchants to supply a good deal more information to help issuers make an authorization decision. “Merchants will pass about 20 fields of data,” says Pascual. “And it’s nothing I know of that they share now. That’s a lot of data.”

This new flow may include such items as the e-mail addresses, mobile-phone numbers, and shipping, billing, and IP addresses of consumers.

While it seems likely many merchants would balk at this, Visa’s Nelsen says they may respond if it can be shown version 2.0 will increase sales.

“Merchants have stated they are willing to supply that information if it means better authorization rates,” he says. “In general, the growth in decline rates by issuers has been growing faster than the growth in sales and the growth in fraud. That has been more alarming to merchants.”

‘People on the Edges’

This is a difficult proposition to test, as online merchants are typically tight-lipped about such matters. But they’re not without a voice as EMVCo irons out the final spec. The standards body has been relying on an advisory group that includes processors, solutions vendors, and online retailers.

Getting feedback from a broader group than just banks and networks has been crucial, says Reany, who is working with EMVCo on the spec.

“The people on the edges, the payment-service providers, the merchants, really know what they’re doing,” he says. “We didn’t think we had a chance for more than one go at this, so we wanted to work toward getting it right.”

After the experience with 1.0, getting it right will be more critical than ever.
