The state of 3D Secure in Latin America

3D Secure in Latin America
3D Secure 1.0 didn’t exactly blow the lights out in Latin America, despite the region migrating early to EMV chip cards and experiencing the predicted jump in card-not-present fraud as a result. Card issuers are approaching the updated specification differently, however. Some challenges remain but there are many reasons to be optimistic about user adoption.

The backdrop: Latin America and online fraud

Propelled by COVID-19 lockdowns and the corresponding digital acceleration, Latin American e-commerce volume soared to over $100 billion in 2020. According to the World Bank, at the start of 2020, fewer than 50% of adults used e-commerce and just 55% owned a bank account, while at the same time, the region has some of the highest social media and digital content consumption rates in the world. While Latin Americans love the Internet, transacting online has been slow to reach its potential.

One contributing factor has been mistrust of banking and technology, and fear of fraud. Such fears are not unfounded: a 2019 Cybersource report finds 20% of e-commerce orders in Latin America and the Caribbean (LAC) are manually reviewed for fraud, and that of these, a whopping 20% are declined (compared to the 3% global average). This burns merchant resources and frustrates honest consumers.

Online fraud rates in LAC are amongst the highest in part due to the secure card-present environment. Most Latin American markets migrated to EMV chip cards in the early 2000s, along with most other regions, essentially eliminating credit card fraud from the physical world. In a physical store, cashiers can also easily authenticate a cardholder’s identity by requesting their ID. This pushed fraudsters decidedly into the online space, where issuers, acquirers, and merchants found themselves underprepared.

Even in the face of such fraud challenges, industry players in LAC have historically resisted adopting measures that would help mitigate them. Among them is 3D Secure, the global authentication standard first developed by Visa in 1999 and later adopted by other card networks.

Mobile QR and Pix payments: Read about Brazil’s wildly popular new instant payments system, which is free to all and as accessible to the unbanked as is to cardholders

Why 3D Secure initially showed low adoption in Latin America

3D Secure 1.0 authentication services (Visa’s Verified by Visa, Mastercard’s SecureCode and American Express’ SafeKey, when rolled out in the 2000s) authenticate an e-commerce purchaser by prompting the buyer to first enroll their card in the 3D Secure service and then enter a passcode for subsequent purchases. Merchants who enable 3D Secure enjoy a liability shift, whereby for authenticated transactions, the responsibility for any fraud lies with the card issuer.

However, this extra authentication step, commonly known as a “challenge” or a “step-up,” earned 3D Secure a poor reputation. In Latin America, as elsewhere, any redirects or unexpected pop-up windows can spook already skeptical buyers. Merchants became frustrated because of high decline rates (often in excess of 30%) and little ability to improve the experience for their customers.

3D Secure 1.0 experienced low adoption rates in Latin America as a whole, with more than 85% of transactions coming from just three markets (Mexico, Brazil, and Costa Rica), as reported by Mastercard.

As a result, 3D Secure 1.0 experienced low adoption rates in Latin America as a whole, with more than 85% of transactions coming from just three markets (Mexico, Brazil, and Costa Rica), as reported by Mastercard. Andres Gonzalez, head of decision and transaction solutions for Latin America at Mastercard explains the reasons for this:

  1. 3D Secure 1.0 protocol was not prescriptive enough in the user experience. The original standard did not include sufficient instructions to issuers on how to prompt cardholders to authenticate themselves, resulting in a disparate user experience from bank to bank.
  2. 3D Secure 1.0 was not designed for the mobile channel. Very few issuers developed interfaces responsive for mobile, resulting in a poor UX for mobile transactions.
  3. Cardholder education was a challenge. Without marketing and communication around 3D Secure and what to do in the case of a challenge, consumers in Latin America were more likely to abandon their purchase than follow through with it.

As such, Latin American e-commerce players have had to climb a steep learning curve in creating an ecosystem that is user-friendly, mobile responsive, and secure.

3D Secure 2.0: the LAC market is now ready for widespread adoption

Over the past 18 months, this situation has changed significantly. In 2018, card networks rolled out a new set of standards, EMV 3D Secure (3D Secure 2.0), designed to improve the user experience and remove the pitfalls of the previous protocol. The major differences between 2.0 and 1.0 are the following:

  1. Enhanced data to support Risk-Based Authentication (RBA). Under 3D Secure 1.0, issuers received just eight data fields from merchants, which they used to make decisions about transactions. Under RBA, issuers now receive more than 80 pieces of data about the cardholder and the transaction (email, billing and shipping address, common buying behaviors, etc.) so they can make a more informed decision. As Andres Gonzalez at Mastercard mentions, “In a mature 3D Secure environment, 80–90% of transactions can be frictionless,” meaning there is no challenge and no disruption to the cardholder. This is a drastic improvement over 3D Secure 1.0, in which a challenge was often required.
  2. Challenges now allow for biometric and other types of authentication. If issuers do need to raise a challenge, a thumbprint captured by the shopper’s mobile device can be used to authenticate the user, which results in a better user experience, one that is optimized for mobile. Out-of-band authentication (OOBA), which requires authentication over a separate channel to the customer, is also a highly secure option.
  3. Challenge methods are more prescriptive. 3D Secure 2.0 has provided issuers with clearer instructions on how to interface with users when needing to authenticate via a handful of preferred methods including one-time passcode, biometrics, and OOBA, and overall, shoppers can expect a more standardized experience.

“In a mature 3D Secure environment, 80–90% of transactions can be frictionless.”
— Andres Gonzalez, head of decision and transaction solutions Latin America, Mastercard

The result is that Latin America is immensely better prepared for 3D Secure. Gonzalez explains that under the guidance of Mastercard and as a response to digital acceleration during COVID-19, “2020 was the year in which EMV 3D Secure authentication exploded across Latin America.” Some Mastercard figures
put this into context below.

Visa is also making great strides. According to Renato Rocha, VP of merchant and acquirer solutions at Visa and head of Cybersource for LAC, 50% of the region’s top tier merchants (including retailers, airlines, and digital platforms) are already using or implementing 3D Secure. It has also created sales partnerships, enabling leading Visa acquirers in eight markets to resell Visa 3D Secure solutions, thus expanding its reach.

When comparing individual markets, interviews with industry players reveal that Brazil is the farthest ahead in 3D Secure 2.0 adoption. ABECS, the local card industry association, is working intensively with issuers to collectively align on the user experience. Following Brazil, Peru, Argentina, and Central America have been the fastest adopters. The main laggard is Mexico, where 3D Secure 1.0 has high penetration and banks are in general slow to make technology upgrades.

Of course, there is still work to do be done to fully secure Latin America’s online environment, full of both challenges and opportunities.

3D Secure and the road ahead

The chicken and egg

Like anything in payments, 3D Secure has a network effect: the more players involved, the greater the benefit to the entire ecosystem. This has its drawbacks: merchants are reticent to go this route if issuers are not ready and vice versa. For this reason, Renato Rocha at Visa stresses the importance of looking at “incremental improvements.” As he explains:

“Often, just a 1- or 2-percentage point improvement in transaction authorization rates can determine whether a merchant is profitable or not in some industries. Every day, as more players implement 3D Secure, we are seeing these incremental improvements. Industry players must recognize that we are building an ecosystem that improves over time.”

Getting to 100% authorization rates thus takes patience and willingness from all industry players.

The missing link: Educating cardholders

While issuers, acquirers, and merchants have busied themselves with understanding 3D Secure, they have forgotten about the end user. Issuers must educate cardholders on what to do when prompted to authenticate themselves. A paltry few issuers are doing this already, with Brazilian digital bank Nubank being one of the exceptions.

For industry players: How do I do it?

The big question that remains for many issuers is how do I become 3D Secure ready? Large issuers may opt to build an authentication platform themselves. This provides the most control and flexibility but also requires a massive infrastructure investment and technical know-how. More often, issuers outsource this capability by hiring an access control server certified by the card networks of the cards they issue. These are technology and data security companies dedicated to providing such services.

For merchants, it is critical that they find an e-commerce payments processor who can act as a long-term infrastructure partner, offering not only authentication services but also tokenization, and overall fraud management. As the digital space becomes increasingly relevant, merchants must be able to scale rapidly in a secure fashion, or else risk losing transactions. This means reducing the need for manual reviews, increasing frictionless payments and being fully mobile responsive. As Rocha points out, “For merchants, payments have become part of the strategic decision-making process.” Electronic payment acceptance is no longer a nice-to-have; it is a core strategy element.

Demonstrating the value

Finally, it behooves all industry players to remember that, at the end of the day, customers respond to value. While 3D Secure implementation requires an investment, it delivers in results. Visa reports that in LAC in Q3 2020, overall authorization rates increased by five to 15 percentage points for authenticated transactions through 3D Secure 2.0, when compared to non-3D Secure transactions. Highlighting the impact of 3D Secure on a merchant or issuer’s bottom line will help convert them into believers.

During the Covid-19 pandemic, consumers and merchants embraced e-commerce vigorously. A recent Mastercard study finds that 83% of Latin Americans shopped online in 2020, and e-commerce share of retail increased to 7%.

The journey of 3D Secure has taken place over the course of more than 20 years and, in 2021, we expect these massive industry investments to reach fruition. The day couldn’t come sooner. During the Covid-19 pandemic, consumers and merchants embraced e-commerce vigorously. A recent Mastercard study finds that 83% of Latin Americans shopped online in 2020, and e-commerce share of retail increased to 7%, while the share of physical shopping declined.

In this context, the industry must work together to create a safe and frictionless environment. When 3D Secure is evenly and deeply implemented, industry practitioners speculate that authorization rates will approach 100% of legitimate transactions, similar to what we find today in the physical world. This means more revenue and happier customers for all.

Entersekt has a deep understanding of the 3D Secure protocol and its evolution. Our 3D Secure solution is certified by American Express, Mastercard and Visa, amongst others. Get in touch with us to request more information.