EMV 3-D Secure pushes the cost of fraud back onto the fraudster

Steve Bledsoe | 23 July 2019

In the US market, the consumer is always right, and in the never-ending quest for higher profits and brand loyalty, a merchant will do almost anything to earn a consumer’s repeat business. The same is true for issuing banks, who work hard to ensure their cards remain top of their customers’ wallets. It is unsurprising, then, that neither issuer nor merchant would want to burden its customers with the bill when fraud occurs. Someone else must then shoulder the cost: the bank or the merchant.

What if there were a third option? What if we could throw the cost of fraud back to the fraudster? With the emergence of EMV 3-D Secure, that possibility is becoming more of a reality. EMV 3-D Secure is a messaging protocol developed by EMVCo to enable consumers to authenticate themselves with their payment network, such as Visa, Mastercard or American Express, when making card-not-present (CNP) purchases. The concept isn’t new, but the original version of 3-D Secure – usually referred to as 3-D Secure 1 – so negatively affected consumers’ digital purchasing experiences that merchants opted to absorb the fraud costs themselves rather than risk cart abandonment. However, when the new version of 3-D Secure is properly implemented, online shoppers barely notice it, and the costs incurred by the fraudster of carrying out CNP attacks could be greater than the rewards they reap.

This provides a significant opportunity to reduce CNP fraud to an all-time low, while at the same time greatly improving the consumer’s e-commerce experience to reduce the 10–15% cart abandonment rates seen with the legacy 3-D Secure. The key, of course, is that merchants must opt in to the program. While it may seem daunting at first, after the initial setup the merchant stands to benefit the most; in the unlikely event that there is CNP fraud, the card issuer accepts the liability if the merchant has implemented 3-D Secure.

Keeping the consumer in control

The CNP payment space has come a long way since the days of telephone orders. In the past few years, the market has seen an explosion in mobile app-based payments, which offer consumers unprecedented levels of convenience as order-ahead and pickup services continue to develop. From grocery pick-up at big-box retailers to quick service restaurant (QSR) chains, the prevalence of app-based payments has never been greater.

This introduces several new layers of complexity for the merchant, spanning a spectrum from high-touch, high-value transactions (for example, retail) at one end to low-touch, low-value transactions (for example, QSR) at the other. It’s essential that the user experience at both ends of the spectrum is fluid and easy to navigate. For example, in the QSR industry, there are myriad competitors for consumers to choose from if they are presented with too much friction at the checkout. This heavily incentivizes the merchant to take on the risk of a fraudulent card rather than lose a customer.

This is where EMV 3-D Secure comes to the rescue; it allows a merchant to bake a seamless authentication experience directly into its mobile app. Unlike legacy 3-D Secure, there are no web page pop-ups or clunky switching between windows – the security for the payment transaction happens invisibly behind the scenes. With the new risk-based authentication (RBA) engines, the likelihood that a transaction will have to be stepped up for further authentication is very low – typically less than 5% of transactions, according to Visa.

Of course, when a transaction is stepped up, it’s important that the authentication experience isn’t a complete surprise to the cardholder. The first time I came across a 3-D Secure authentication screen, I had no idea whether the authentication information being requested came from a legitimate source; why would I enter my personal details into a hitherto unknown system? Luckily, with EMV 3-D Secure, the step-up authentication occurs through channels the customer is already acquainted with – such as one-time passcodes via email/SMS and push-based authentication through mobile or software tokens – making the process less of a hurdle. Two-factor authentication, through mobile biometrics or one-time passcodes, provides intuitive mechanisms that users are already familiar with.

Fraudsters graze where the grass is greener

While EMV 3-D Secure will make huge inroads into eliminating CNP fraud, the same cannot be said for account takeover and peer-to-peer fraud. Fraudsters quickly migrated to CNP fraud after the introduction of the EMV chip virtually eliminated fraud at the point of sale. They will now, no doubt, be looking for the next vulnerable channel to exploit.

The good news on this score is that the authentication framework provided by EMV 3-D Secure can be applied outside of e-commerce transactions, as almost all the authentication and step-up techniques can be leveraged for login and high-value/high-risk transactions. Savvy financial institutions will understand the importance of unifying their online experiences to incorporate secure technologies, such as EMV 3-D Secure, across all digital channels. The banks that perfect the unified secure authentication experience will lead the pack in customer satisfaction, while at the same time reducing fraud and increasing revenues.

The evolution of the card networks’ 3-D Secure protocol is a reflection of how the world of e-commerce has changed. For more, read our blog post “Ringing in the changes with 3-D Secure”. Read more about Entersekt’s unified 3-D Secure solution.

About the author

Steve Bledsoe

Pre-sales solutions consultant

A self-described security ninja for over 13 years, and with a strong focus on sales, payments and authentication, Steve leads the technical sales arm of Entersekt North America. Prior to Entersekt, Steve was a solution architect and sales engineer at VMware working extensively on security and data loss prevention products. He is an active member of the US Payments Forum and KinderGuardin, a non-profit Internet safety organization providing online security education for children and young adults.

Entersekt is an international software development company based just outside of Cape Town, South Africa.

We are leaders in authentication, app security, and payments enablement technology, offering a highly scalable solution set with a track record of success across multiple continents.