Whether they’re house burglars or cyber criminals, crooks tend to go for the easiest target, the proverbial lowest hanging fruit. With card-present fraud a greater challenge since the advent of EMV, fraudsters have retooled and set their sights on the tantalizingly low fruit of the digital world – card-not-present payments in particular.

The credit card is the primary form of payment in the online world and, as such, it’s a very attractive target for the cyber criminal. What is more, the only information required to use a credit card online is the card number, expiration date and CVV number, all of which are in plain sight of anyone handling the physical card. Capturing these credentials, the fraudster grasps the keys to the online kingdom. 

With the rapid development of mobile-enabled technology, theft of this sort becomes easier every day. A simple snapshot of the credit card taken with a smartphone is all you need. The developers of some of the latest mobile wallet applications even pride themselves on offering users the convenience of taking a quick snapshot of their credit card, after which it can be used to fund the wallet. 

So, with the rising threat in mind, what measures are being put in place to secure these online card payments, and are they any good? To my mind, of the many solutions on the market, only one seems to address the problem holistically. This is why I believe the 3-D Secure standard, introduced by the large payments networks, deserves closer attention: it has been unfairly dismissed as a big consumer turn-off.

Who’s afraid of 3-D Secure?

It’s hard finding a merchant or consumer out there who has anything good to say about the 3-D Secure implementations they’ve encountered. The true potential of the standard seems woefully misunderstood. To see why, let’s take a closer look at what 3-D Secure actually does.

3-D Secure is an XML-based protocol designed to act as an additional security layer for online credit and debit card transactions. It was developed by Visa under the name Verified by Visa. Services based on the protocol have since been adopted by MasterCard as MasterCard SecureCode, by JCB International as J/Secure and by American Express as American Express SafeKey. The basic idea behind the protocol is to introduce transaction authorization in the online space by means of an online user authentication process, much like a signature or entering a PIN number is meant to do in the real world. In practical terms, 3-D Secure momentarily redirects a cardholder initiating an online transaction to the bank that issued the card to them (the issuing bank). The bank then uses an online authentication process to authorize the transaction by verifying that the cardholder is also the legitimate account holder. 

Crucially, issuing banks do not automatically activate the user’s card for online shopping via 3-D Secure. This means users have to activate their cards for online shopping during the online check-out process. It is during this step that most users decide to abandon the payment process. I recall having to do this myself. Being well informed about 3-D Secure, I imagined the process would be easy enough for me to complete, an assumption that proved false after a struggle of three hours. The issuing bank’s website did not adequately define the process, while the call center agent seemed utterly confused about the whole concept!

In addition to the complex activation process, 3-D Secure does not dictate the user authentication method banks should use. It’s up to the issuers, who have typically employed a username and password-based approach or used one-time passwords that the user has to enter into the browser for the transaction to proceed. This means that, to buy anything on the Internet safely, a user has to remember yet another username and password or has to retype a one-time password texted to them or generated on a hardware token. What a hassle. No wonder merchants have feared an increase in abandonment rates!

From my own experience again, I remember the frustration of having to choose a password including at least one capital letter, a numeral and a special character. How would I ever keep this complex password in my memory for the next time I bought an item online?

The alternative

In summary, there are two points where 3-D Secure implementation guidelines fail the consumer:

  1. The pain of activation during shopping, the main cause of user abandonment 
  2. Not defining a sensible user authentication method

Leaving these processes open to interpretation at issuing banks has led to cumbersome implementations and many very frustrated consumers and merchants. By contrast, mandating a standard activation process prior to shopping and a strong authentication method with a frictionless user experience will undoubtedly unlock 3-D Secure’s true potential.

Imagine a solution that holistically addresses the security requirements of the 3-D Secure protocol, as well as the user experience; one that leverages the capabilities of the mobile phone or tablet for one-touch transaction authentication. Such a solution would help realize the potential of the 3-D Secure infrastructure the payments networks have invested so much in. 

Avoiding activation during online shopping can be as easy as automatically activating your card for online shopping when you shop in person. The latter process is well defined and consumers understand it. Why not explicitly include the option to activate the card for card-not-present shopping at the same time? It will remove one of the largest stumbling blocks to the take-up of 3-D Secure.

Lastly, the user authentication process needs to be streamlined. Our mobile phones are always with us, so they should be the first place to look for a token providing strong out-of-band, two-factor authentication. Tying an industry-standard X.509 digital certificate to the device makes it the strongest possible way to uniquely identify the user, and it allows for digital transaction signing by the account holder in real time.

Entersekt’s card-not-present authentication solution, powered by Transakt, comprehensively addresses the online authentication problem faced by financial institutions and merchants around the world. By pushing details of any online transaction to the cardholder’s mobile phone in real time, the user has simply to choose “Accept” or “Reject” to authorize or stop it. No remembering long, complex usernames and passwords; no retyping of one-time passwords. A simple one-touch response on your mobile phone or tablet is all that is required for secure online transactions.
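The signed Accept/Reject response described in the two paragraphs above, sketched from the issuer's side as an added example; it is not Entersekt's or Transakt's code. It assumes an ECDSA P-256 device key whose public half the issuer stored at enrollment (standing in for the X.509 certificate), and the function names, field names and sample transactions are constructed for illustration.

```javascript
const crypto = require("crypto");

// Enrollment (constructed): the device makes a key pair, the issuer keeps the public key.
function enrollDevice() {
  return crypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
}

// Unambiguous encoding of every field shown on the phone, plus the decision.
function signedBytes(txn, decision) {
  const fields = [txn.id, txn.nonce, txn.merchant, txn.amount, txn.currency, decision];
  return Buffer.from(JSON.stringify(fields), "utf8");
}

// Issuer: record the pending transaction and return the challenge to push.
function newChallenge(pending, merchant, amount, currency) {
  const txn = { id: crypto.randomUUID(), nonce: crypto.randomBytes(16).toString("hex"),
                merchant, amount, currency };
  pending.set(txn.id, txn);
  return txn;
}

// Device: sign the decision together with the details the user was shown.
function deviceRespond(privateKey, shown, decision) {
  const signature = crypto.sign("sha256", signedBytes(shown, decision), privateKey);
  return { id: shown.id, decision, signature };
}

// Issuer: verify against its own record of the transaction, not the device's copy.
function issuerVerify(pending, publicKey, response) {
  const txn = pending.get(response.id);
  if (!txn) return "unknown-or-replayed";
  if (response.decision !== "ACCEPT" && response.decision !== "REJECT") return "malformed";
  const data = signedBytes(txn, response.decision);
  if (!crypto.verify("sha256", data, publicKey, response.signature)) return "bad-signature";
  pending.delete(txn.id); // each challenge is answered once
  return response.decision === "ACCEPT" ? "authorized" : "declined";
}

// Constructed run: a genuine approval, its replay, a flipped decision, a genuine reject.
function demo() {
  const pending = new Map();
  const device = enrollDevice();
  const first = deviceRespond(device.privateKey, newChallenge(pending, "Example Shop", "49.99", "EUR"), "ACCEPT");
  const second = deviceRespond(device.privateKey, newChallenge(pending, "Example Shop", "10.00", "EUR"), "REJECT");
  const flipped = { ...second, decision: "ACCEPT" };
  const check = (r) => issuerVerify(pending, device.publicKey, r);
  return [check(first), check(first), check(flipped), check(second)];
}
console.log(demo());
```

Because the signature covers the merchant, amount, currency and nonce as the issuer recorded them, a response signed over different details, or signed by a key other than the enrolled one, fails verification.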

Entersekt’s solution reinvents the 3-D Secure user experience, enabling a strong and frictionless user authentication implementation that quite literally puts the power of safe online transactions back into the hands of the consumer, in the form of the mobile phone. With Transakt, 3-D Secure is transformed from the foe you know today to your best friend in online transactions.

Dewald Nolte

Chief Strategy Officer

Dewald co-founded Entersekt in 2008. He’s responsible for setting and executing our product strategy and positioning in the market. Having been involved in several projects further afield than Entersekt, including the A-Darter missile program for Denel Dynamics, his technical ability is as impressive as his solid business acumen.
