Ringing the changes with 3-D Secure

Lelanie de Roubaix | 14 August 2018

In many ways, the evolution of the card networks’ 3-D Secure protocol is a reflection of how the world of e-commerce has changed. As with any process of change, growing pains are inevitable; in the case of 3-D Secure, they’ve been there right from the start. The imminent introduction of 3-D Secure 2.0 invites us to reflect not only on the improvements it promises but also on the challenges that the industry has faced along the way.

An awkward start

The first online shopping transaction took place in 1994. The following year, Amazon launched as an online bookstore, forever changing the e-commerce landscape. Fraudsters were quick to capitalize on the opportunities presented by this rapidly growing sector, luring consumers to fake websites and harvesting credit card details. The move from magnetic stripe to EMV made card fraud at the point of purchase much harder, serving as another motivation for fraudsters already shifting their attention to the world of card-not-present commerce.

The industry began to recognize the need for stepping up security measures for online shopping. Visa initiated the development of a protocol that would add a security layer for online card transactions, partnering with Arcot Systems to develop a solution. In 2001, Verified by Visa, the first application of the 3-D Secure protocol, was introduced. Mastercard followed with SecureCode in 2002, while JCB and American Express later launched J/Secure and American Express SafeKey respectively.

Protecting against card-not-present fraud was 3-D Secure’s raison d’être, but online shoppers were often too frustrated by the protocol to feel gratitude at its introduction. They found its activation and authentication processes – both their timing and design – especially irksome.

When it comes to online security, consumers are frequently warned to ensure that they only visit TLS-secured websites, especially when they are expected to enter personal information. But the pop-up screens or windows of 3-D Secure show no address bar, making it very hard for consumers to tell where the pop-up window comes from or whether they are (still) using a secure site.

Another piece of advice consumers often hear is to be wary of sites that ask for passwords. In allowing activation during shopping, some issuing banks would ask consumers to choose a 3-D Secure password the first time they shopped online, and then to enter the password when prompted to do so. Apart from the risk of consumers entering sensitive information into a phishing site, these less-than-perfect security measures also encourage unsafe online behaviour. Consumers grow accustomed to entering sensitive information into a website or pop-up screen that they cannot be sure actually is their bank’s 3-D Secure implementation, in essence ignoring online security best practices.

Rubbing users the wrong way

The new 3-D Secure protocol, 3-D Secure 2.0, is designed to address these security issues while going a long way towards solving a closely related problem with most existing implementations: a high degree of user friction.

Friction during the checkout process is one of the main factors contributing to shopping cart abandonment. It’s a huge concern for all stakeholders. PYMNTS.com’s Checkout Conversion Index reports that $200 billion in sales were forgone due to friction in the checkout process in 2017 alone.

The initial 3-D Secure protocol had a number of factors that contributed to shoppers abandoning their carts. For consumers unfamiliar with the 3-D Secure process, pop-up screens demanding sensitive information and passwords could easily be mistaken for a security threat, in which case the safest option would be to quit. The requirement to input a static or one-time password – often forgotten in the case of the former, involving a clumsy juggling of devices in the case of the latter – sounded a distinctly false note at a sensitive point in the payment process. Add to that operational issues such as slow loading speeds for authentication pages, timeouts, device incompatibilities, and delayed one-time passwords, and it’s no wonder that 3-D Secure became almost synonymous with friction.

A whole new world

The 3-D Secure protocol has been reimagined to keep up with changes in the digital commerce landscape, including that all-important factor: evolving consumer behavior. Given that the value of payments made on mobile devices is expected to reach US $1 trillion next year, optimizing 3-D Secure for mobile devices was arguably the most crucial new requirement.

3-D Secure 2.0’s biggest improvements stem, to a large extent, from the standard’s greater reliance on risk-based authentication. The risk of each transaction is determined from contextual data, and the cardholder is required to verify their identity only when the transaction is deemed high-risk. Termed “frictionless flow”, this approach promises to enhance the customer experience by allowing over 90% of transactions to be processed without user involvement.

3-D Secure 2.0 also adds a mobile software development kit component, making it easy for merchants to integrate 3-D Secure into their mobile apps. Users of mobile apps can now authenticate their purchases in-app, rather than in browser-based pop-up windows.

Together, these changes to the user experience promise a significant decline in cart abandonment: Visa estimates that drop-off rates will be reduced by 70%, while the transaction time will decrease by as much as 85%. This is bound to drive adoption even in regions where the payments networks have not mandated the introduction of the protocol.

In today’s financial services industry, survival of the fittest comes down to offering an engaging customer experience designed from the ground up for a digital world, while offering state-of-the-art security. At Entersekt, our approach has been mobile-first from the outset. We’ve seen our technology help wipe out fraud for our clients, while providing their users with the control to seamlessly authenticate sensitive transactions. We’ve helped our clients innovate in a competitive payments market, allowing them to make their customers’ financial lives easier.

Our product Connekt is a next-generation e-commerce and mobile payments enablement platform. It’s easily integrated, highly reliable, and offers a superior user experience at a great price point. It can help you make sense of 3-D Secure, so that you can avoid its challenges even as you capitalize on its benefits.

Infographic: A payments timeline.

About the author

Lelanie de Roubaix

Marketing communications specialist
