As more of our lives move online, more of our spending takes place on ecommerce platforms.  This is good for businesses, giving them a reach that would have been nearly impossible in the past, but it raises security concerns.  Customers are conscious of the security of their accounts and of the risks that are out there, so those of us running sites that take online payments need to consider how best to make consumers both feel and be more secure.

As you cannot physically see the user or use chip and PIN online, you need other ways to make sure the person making a purchase is who they say they are.  3D Secure authentication is one way to do this, and the one used by many companies because it meets card-industry standards and online payment regulations.

The European Union has passed further legislation in this area in the last few years (discussed below under 3D Secure 2.0), so this is an area that is very much evolving and being taken seriously.

1. What is 3D Secure?

3D Secure is an authentication protocol that lets you authenticate a customer and their card without seeing them in person.  It helps to reduce payment fraud when a customer uses a credit or debit card online, shifts chargeback liability for fraudulent transactions to the card issuer, and reduces the risk of those chargebacks happening in the first place.

It is called 3D Secure because the protocol spans three domains, each with its own servers, that together validate the card:

  • The Acquirer Domain - the merchant’s acquiring bank
  • The Issuer Domain - the cardholder’s issuing bank
  • The Interoperability Domain - the infrastructure provided by the card scheme to support this protocol

It is worth noting that not all card issuers support 3D Secure, and with the original version of the protocol the cardholder often had to activate (enrol) it before it could be used.  It was developed by Visa and first marketed as ‘Verified by Visa’ (now branded ‘Visa Secure’), and has since been adopted and adapted by the other major card networks.

2. How does 3D Secure Work?

3D Secure gives your customer extra ways to confirm their identity: a one-time code sent to them by email or SMS, a password or PIN entered in a pop-up or embedded frame on the website, or the security questions they set with their bank when activating 3D Secure or digital banking.

In a bit more detail: the consumer enters their card details into the merchant’s online payment page, and the merchant’s 3D Secure component (the merchant plug-in) asks the card scheme’s directory server whether the card is enrolled.  If it is, the customer is sent, via a redirect or an embedded frame, to the issuer’s access control server, which asks them to confirm their identity, for example by answering a security question or entering a one-time code sent to their phone or email.  If the challenge succeeds, the issuer returns a signed authentication result to the merchant, who then submits the payment for authorisation and shows the customer a purchase confirmation.  In the original protocol these server-to-server messages are XML carried over SSL/TLS, with digital certificates issued under the card scheme authenticating the servers to each other; it is the challenge itself, not the certificates, that confirms the cardholder’s identity.  A merchant should verify the issuer’s signature on the result rather than trust a status flag that comes back through the customer’s browser.
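The exchange just described, as an added example in Python that is not code from the original article or from any card scheme.  It simulates the three domains in one process: the merchant plug-in, the scheme’s directory server and the issuer’s access control server, using the original protocol’s message names (VEReq/VERes, PAReq/PARes).  The field names are chosen for this example, an HMAC with a key shared between the ACS and the merchant stands in for the scheme-issued signing certificate, and the card numbers and phone number are constructed test data.  The point to take from it is the merchant’s final check: the result is accepted only if the issuer’s signature verifies and covers this transaction’s identifier and amount, so a status flag flipped on the way back through the browser, a result replayed for a different amount, a non-participating issuer and an unavailable issuer are each told apart.

```python
import hashlib
import hmac
import json
import secrets

# Constructed test data for this example, not real cards: enrolled PAN -> cardholder phone.
ENROLLED_CARDS = {"4000000000001000": "+44 7700 900001"}
# Stand-in for the scheme-issued ACS signing certificate: a key shared by the ACS and the
# merchant verifier (simplification; real 3D Secure uses X.509 certificates under the scheme CA).
ACS_KEY = secrets.token_bytes(32)


def sign(key, msg):
    """HMAC-SHA256 over the message fields (excluding any existing signature) as canonical JSON."""
    body = json.dumps({k: v for k, v in msg.items() if k != "signature"}, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class AccessControlServer:
    """Issuer domain: answers enrollment checks, runs the challenge, signs the result."""

    def __init__(self, key, enrolled):
        self.key, self.enrolled = key, enrolled
        self.pending = {}      # tx_id -> one-time code the cardholder must echo back
        self.sms_outbox = []   # (phone, code): simulated SMS delivery

    def verify_enrollment(self, pan):            # VEReq -> VERes
        return "Y" if pan in self.enrolled else "N"

    def start_challenge(self, pareq):            # PAReq -> challenge page shown to the cardholder
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[pareq["tx_id"]] = code
        self.sms_outbox.append((self.enrolled[pareq["pan"]], code))
        return {"tx_id": pareq["tx_id"], "prompt": "Enter the 6-digit code sent to your phone"}

    def finish_challenge(self, pareq, entered):  # cardholder's answer -> signed PARes
        expected = self.pending.pop(pareq["tx_id"], None)   # one attempt per challenge
        ok = expected is not None and hmac.compare_digest(expected.encode(), str(entered).encode())
        pares = {"tx_id": pareq["tx_id"], "pan_last4": pareq["pan"][-4:],
                 "amount": pareq["amount"], "status": "Y" if ok else "N"}
        pares["signature"] = sign(self.key, pares)
        return pares


class UnavailableACS(AccessControlServer):
    """An issuer whose ACS is down: the directory server gets no answer."""

    def verify_enrollment(self, pan):
        raise ConnectionError("ACS timeout")


class DirectoryServer:
    """Interoperability domain: routes the enrollment check to the issuer's ACS by BIN."""

    def __init__(self, acs_by_bin):
        self.acs_by_bin = acs_by_bin

    def verify_enrollment(self, pan):
        acs = self.acs_by_bin.get(pan[:6])
        if acs is None:
            return {"status": "N", "acs": None}     # issuer does not participate in 3D Secure
        try:
            return {"status": acs.verify_enrollment(pan), "acs": acs}
        except ConnectionError:
            return {"status": "U", "acs": None}     # authentication attempted, issuer unavailable


class MerchantPlugIn:
    """Acquirer domain: drives the exchange and validates the issuer's signed result."""

    def __init__(self, directory, acs_key):
        self.directory, self.acs_key = directory, acs_key

    def authenticate(self, pan, amount, cardholder):
        """Return (outcome, pares). `cardholder` is a callable that answers the challenge prompt."""
        veres = self.directory.verify_enrollment(pan)
        if veres["status"] == "N":
            return "not_enrolled", None
        if veres["status"] == "U":
            return "unavailable", None
        pareq = {"tx_id": secrets.token_hex(8), "pan": pan, "amount": amount}
        acs = veres["acs"]
        prompt = acs.start_challenge(pareq)        # in a browser: redirect or iframe to the issuer
        pares = acs.finish_challenge(pareq, cardholder(prompt))
        return self.check_result(pareq, pares), pares

    def check_result(self, pareq, pares):
        """Never trust a bare status field: check the issuer signature and that it covers this transaction."""
        if not hmac.compare_digest(sign(self.acs_key, pares), pares.get("signature", "")):
            return "tampered"
        if pares["tx_id"] != pareq["tx_id"] or pares["amount"] != pareq["amount"]:
            return "mismatch"
        return "authenticated" if pares["status"] == "Y" else "failed"


def demo():
    """Run the exchange for the cases a merchant has to handle; returns {case: outcome}."""
    acs = AccessControlServer(ACS_KEY, ENROLLED_CARDS)
    ds = DirectoryServer({"400000": acs, "400001": UnavailableACS(ACS_KEY, {})})
    mpi = MerchantPlugIn(ds, ACS_KEY)
    pan = "4000000000001000"
    reads_sms = lambda prompt: acs.sms_outbox[-1][1]    # the genuine cardholder has the phone
    outcomes = {}
    outcomes["genuine"], _ = mpi.authenticate(pan, "49.99", reads_sms)
    outcomes["wrong_code"], pares = mpi.authenticate(pan, "49.99", lambda prompt: "guess")
    forged = dict(pares, status="Y")                    # attacker flips the status on the way back
    outcomes["forged_status"] = mpi.check_result({"tx_id": pares["tx_id"], "pan": pan, "amount": "49.99"}, forged)
    outcomes["replayed_for_other_amount"] = mpi.check_result({"tx_id": pares["tx_id"], "pan": pan, "amount": "1.00"}, pares)
    outcomes["not_enrolled"], _ = mpi.authenticate("4000000000002000", "49.99", reads_sms)
    outcomes["no_3ds_issuer"], _ = mpi.authenticate("5100000000000000", "49.99", reads_sms)
    outcomes["issuer_down"], _ = mpi.authenticate("4000010000000000", "49.99", reads_sms)
    return outcomes
```

Calling `demo()` returns `authenticated` for the genuine cardholder, `failed` for a wrong code, `tampered` for the forged status, `mismatch` for the replay, and `not_enrolled` or `unavailable` for the two issuer cases; the last two are exactly the situations where the merchant has to decide whether to proceed without a completed authentication.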

3. 3D Secure 2.0

Journalist Rosemary Lee discusses the move to 3D Secure 2.0 saying, “As technology evolves and security threats change with it, 3D Secure also needs to grow to meet the new needs of the customer.”

The Payment Services Directive 2 (PSD2), adopted by the EU in 2015 and in force since January 2018, with its Strong Customer Authentication (SCA) rules applying from September 2019, sets stricter requirements for offering safer payments and cutting consumer fraud.  SCA requires the customer to prove their identity with two of three independent factors, both in person and online.  These are:

  • Knowledge – Something only the cardholder knows.  This can be a password, a PIN, or the answers to security questions set by the cardholder when activating digital banking or 3D Secure.  A one-time code sent to the cardholder’s phone is not a knowledge factor: it proves possession of the phone (see the next point)
  • Possession – Something only the cardholder has.  This can be the physical card, their phone (proven by a one-time code sent to it or by approval in the bank’s app), or a digital wallet bound to a device
  • Inherence – Something unique to the cardholder’s person.  This is biometric information such as fingerprints and facial recognition, which has become easier to use now that phones build biometric sensors directly into the user experience

These rules were driven by the move towards mobile ecommerce and contactless payment, and an online payment cannot use all three factors.  It does not need to: two independent factors are enough.  The card number alone counts as neither knowledge nor possession (it is printed on the card and stored by every merchant), which is why online the possession element is usually the phone receiving a one-time code or running the bank’s app, with a PIN, password or biometric as the second factor.

EMVCo, the body that maintains the card payment specifications, published the 3D Secure 2.0 specification in 2016 to deliver a better experience for the consumer while meeting the more demanding requirements of PSD2, by providing a reliable method of Strong Customer Authentication for online payments.  When a transaction happens, the merchant sends the card issuer many more data points than the original protocol did, including the IP address, browser language and device information, and the issuer uses them to make a risk-based decision.  For most customers this is a completely invisible process: the transaction is approved immediately with no need for further action (the ‘frictionless’ flow).

Where there are red flags about the legitimacy of the transaction, or where the limits on payment amounts or on the number of transactions without authentication have been reached, the customer is asked to confirm the transaction and verify their identity.  You see the same thing in the real world with contactless payments: after a certain number of transactions, or a certain cumulative amount, you are asked to enter your PIN.  Online you are taken to a bank page or embedded frame that asks for something extra, such as a one-time code, a login to digital banking, or a biometric approval by fingerprint or facial recognition on your phone.
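As an added example (not from the original article or from EMVCo), the following Python sketches an issuer-side decision of the kind described above: frictionless approval when nothing looks unusual and an exemption applies, a challenge otherwise, with a counter that resets after a passed challenge the way the contactless PIN counter does.  The EUR 30 / EUR 100 / five-transaction figures are the ceilings of the PSD2 low-value exemption for remote payments (Regulation (EU) 2018/389, Article 16); the transaction-risk-analysis limit, the data points compared and the cardholder profile are constructed for the example, and a real access control server uses many more signals than this.

```python
from dataclasses import dataclass
from decimal import Decimal

# Ceilings from the PSD2 RTS on Strong Customer Authentication (Regulation (EU) 2018/389).
# Art. 16, low-value remote payments: at most EUR 30 per transaction, and SCA must be
# applied again once EUR 100 or five transactions have accumulated since the last SCA.
# Art. 18, transaction risk analysis (TRA): up to EUR 500 depending on the issuer's fraud rate.
LOW_VALUE_LIMIT = Decimal("30")
LOW_VALUE_CUMULATIVE_AMOUNT = Decimal("100")
LOW_VALUE_CUMULATIVE_COUNT = 5


@dataclass
class Cardholder:
    """Issuer-side view of one card. The two counters mirror the contactless PIN counter."""
    usual_countries: frozenset
    usual_languages: frozenset
    known_devices: frozenset
    spent_since_sca: Decimal = Decimal("0")
    count_since_sca: int = 0


@dataclass(frozen=True)
class AReq:
    """A few of the data points the merchant's 3DS2 server sends in the authentication request."""
    amount: Decimal
    ip_country: str
    browser_language: str
    device_id: str


class RiskEngine:
    """Issuer ACS policy. tra_limit is a constructed issuer setting; 0 means the issuer does not use TRA."""

    def __init__(self, tra_limit=Decimal("0")):
        self.tra_limit = tra_limit

    def red_flags(self, holder, req):
        """Signals that make the issuer want the cardholder to authenticate explicitly."""
        flags = []
        if req.ip_country not in holder.usual_countries:
            flags.append("IP country not seen before")
        if req.browser_language not in holder.usual_languages:
            flags.append("browser language not seen before")
        if req.device_id not in holder.known_devices:
            flags.append("unknown device")
        return flags

    def low_value_exempt(self, holder, req):
        if req.amount > LOW_VALUE_LIMIT:
            return False
        # The RTS lets the issuer apply either the cumulative-amount cap or the count cap;
        # this engine tracks both and uses the exemption while at least one is not yet reached.
        return (holder.spent_since_sca + req.amount <= LOW_VALUE_CUMULATIVE_AMOUNT
                or holder.count_since_sca + 1 <= LOW_VALUE_CUMULATIVE_COUNT)

    def decide(self, holder, req):
        """Return ('frictionless' or 'challenge', list of reasons)."""
        flags = self.red_flags(holder, req)
        if flags:
            return "challenge", flags
        if self.low_value_exempt(holder, req):
            return "frictionless", ["low-value exemption"]
        if req.amount <= self.tra_limit:
            return "frictionless", ["transaction risk analysis"]
        return "challenge", ["no exemption applies, SCA required"]

    def record(self, holder, req, decision, challenge_passed=False):
        """Frictionless approvals count toward the caps; a passed challenge (a real SCA) resets them."""
        if decision == "frictionless":
            holder.spent_since_sca += req.amount
            holder.count_since_sca += 1
        elif challenge_passed:
            holder.spent_since_sca, holder.count_since_sca = Decimal("0"), 0


def demo():
    """Walk through the scenarios in the text; returns the decisions in order."""
    holder = Cardholder(frozenset({"GB"}), frozenset({"en-GB"}), frozenset({"dev-1"}))
    usual = lambda amount: AReq(Decimal(amount), "GB", "en-GB", "dev-1")
    decisions = []

    low_value_only = RiskEngine()                       # issuer that does not use TRA
    for _ in range(6):                                  # five EUR 20 purchases glide through, the sixth is challenged
        decision, _reasons = low_value_only.decide(holder, usual("20"))
        low_value_only.record(holder, usual("20"), decision, challenge_passed=True)
        decisions.append(decision)
    decisions.append(low_value_only.decide(holder, usual("20"))[0])    # counters reset: frictionless again

    with_tra = RiskEngine(tra_limit=Decimal("250"))     # issuer with a EUR 250 TRA limit
    decisions.append(with_tra.decide(holder, usual("200"))[0])         # frictionless via TRA
    decisions.append(with_tra.decide(holder, usual("400"))[0])         # challenge: above the TRA limit
    decisions.append(with_tra.decide(holder, AReq(Decimal("15"), "BR", "en-GB", "dev-1"))[0])  # challenge: red flag
    return decisions
```

The order of the checks is the design point: a red flag forces a challenge whatever the amount, an exemption is only applied when nothing is unusual, and only a passed challenge resets the counters, so a run of small frictionless purchases eventually produces a challenge exactly as a run of contactless taps eventually demands the PIN.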

This is more secure for both the card issuer and the merchant, while giving the customer a much more user-friendly experience.

4. Why Should You Use 3D Secure?

The main reason to use 3D Secure, and 2.0 in particular, is that it is the standard way for online card payments to satisfy the PSD2 requirement for Strong Customer Authentication if you do any business within Europe.  It also covers you in other countries where the security of mobile and online payment is coming under more scrutiny.

The branding changes with the card network (Mastercard calls its solution SecureCode, now Identity Check, and American Express calls theirs SafeKey), but the protocol is the same throughout, so it is easy to support several card networks in one integration.  Together with the frictionless flow of 3D Secure 2.0, this gives the customer a user-friendly experience that keeps most of the security invisible to them.

If meeting regulation isn’t your concern, the other big reason to implement 3D Secure is to protect your business from fraud and excessive chargebacks.  Identity theft and unauthorised card use become less likely when the customer’s identity is checked through a second channel.  In terms of chargebacks, 3D Secure provides a ‘liability shift’ to the card issuer when a transaction that the issuer successfully authenticated is later disputed by the cardholder as fraudulent, and also when the merchant attempted authentication but the issuing bank did not respond.  This greatly reduces the merchant’s risk: the merchant remains liable for fraud chargebacks when authentication failed but it authorised the transaction anyway, when it did not attempt authentication, or when an error at the merchant end (for example a network error) prevented authentication from completing.  The exact rules are set by each card scheme.

5. What to Take Away

Overall, the 3D Secure protocol is a good way to protect your business while giving customers a smooth experience and confidence that their online payments are secure.  3D Secure 2.0 meets the Strong Customer Authentication requirements the European Union set out in the Payment Services Directive 2, so it is a must if you plan to do business inside the EU.

Beyond legislation, 3D Secure protects you against chargeback liability and greatly reduces the chance of fraudulent transactions in your store.  Its combination of modern ways to verify the user’s identity with the data sent behind the scenes to card issuers creates a frictionless authentication system that most customers will not even notice.

Issues can arise where customers have forgotten passwords or have an old phone number attached to their account, where the card issuer does not take part in 3D Secure, and where the system falsely declines a legitimate transaction.  These lead to lost sales for the merchant.  However, the benefits of the system greatly outweigh its limitations, and with the move towards mobile payment more and more card issuers are adopting it.

So you absolutely should make sure your site supports 3D Secure 2.0, for your protection and the protection of your customers.