A history of 3-D Secure: Creating workable solutions through collaboration

Card-not-present (CNP) fraud used to be limited to mail and telephone orders, with the occasional subscription order thrown in. With the advent of digital banking and e-commerce in the early 90s, however, CNP fraud rates have skyrocketed. Sources indicate that CNP fraud will cause retailers to lose anywhere from $85 to $130 billion annually. Today, card-not-present fraud is about 75-80% more likely to occur than in-store (card-present) fraud.

Creating solutions that protect banking customers from these attacks means continually upgrading fraud prevention technology, including industry protocols like 3-D Secure. In my experience, getting this right requires a thorough understanding of the whole ecosystem — and, equally important — collaboration among all its stakeholders: issuers, merchants, merchants’ banks, payment service providers, customers and regulators.

What I want to share is the history of 3-D Secure, which coincides elegantly with my own payment solutions backstory.

The Secure Electronic Transaction (SET) protocol

I’ll start this payment security journey with a closer look at the Secure Electronic Transaction (SET) protocol, which was published in 1996. This standard was developed to ensure online transactions using credit cards were performed securely. It was also designed primarily to provide strong encryption, non-repudiation and digital proof that a transaction was authenticated.

The problem with SET was that, while technically an elegant solution, its core focus was on security. As a result, it didn’t take into account some of the emerging requirements of online players.

What’s more, the protocol required that each party in the ecosystem install SET software, including a SET wallet for cardholders. While most e-commerce and mobile users today are very familiar with mobile wallets, this was a fairly new thing in the mid-90s. Also, given the size of some of the commercial solutions available, downloading them over 1990s, pre-broadband internet connections was no easy feat, as you can imagine.

Interoperability was a serious issue, and the adoption of SET suffered.

In my opinion, SET may have been ahead of its time — some of the technologies it relied on, such as encryption and faster connections, are now more mature than 20 years ago.

From SET to 3-D Secure

The next big milestone was the shift from SET to 3-D Secure. We began development of the first version of 3-D Secure at Visa in 1999. The team started with a basic premise: to provide an extra layer of authentication for online payments and verify the cardholder’s identity during the payment process.

The design principles were based on lessons learned from SET. As a result, it was important for us to come up with something that all the different stakeholders across the ecosystem could adopt. So, when designing 3-D Secure initially, the thinking was to use open, publicly available standards: basically, to rely on tools the stakeholders were already using. This reliance on existing tools was the biggest difference between 3DS and SET or other past industry standards.

An example of this is 3-D Secure’s use of XML (Extensible Markup Language) instead of ASN.1 (Abstract Syntax Notation One), a message-encoding standard in common use among financial institutions. We asked ourselves: “Is that what companies working on the internet are using?” We found that XML, the role JSON has since taken over, was ubiquitous in the space. Most players developing solutions for this fast-growing industry were already using XML, which made it the logical choice for this new protocol.

Another departure from SET was in how we engaged partners. The payment industry usually worked with a few key strategic partners (Visa might work with IBM, another network with Microsoft) and only communicated the requirements to the wider market when they were more or less complete. With 3DS, we did it differently. We started with a small group of solution providers, soliciting comments and feedback.

Once we had the solution’s framework, we expanded the group, soliciting even more feedback and developing storyboards (what we now refer to as ‘user journeys’). Once we had enough information to develop a 0.1 version of the specification, we held a number of technical forums, inviting several dozen solution providers, to garner support for the solution, to explain the objectives, and to highlight Visa’s plans for the protocol.

We actively pursued and cultivated those relationships with the solution providers, with the whole ecosystem in the value chain represented. We tried to accommodate the different needs of the various players. It was this adjustment, based on the lessons learned from SET, that ensured we had support right off the jump.

Over the following years, the 3DS 1.0 protocol evolved to strengthen its security measures and keep up with changes in the industry. Other major card networks, including Mastercard, JCB, Discover and American Express, also adopted the protocol to create their own 3-D Secure programs.

In 2016, after taking over the 3DS specifications, EMVCo released 3-D Secure 2.0 (also called “EMV 3DS”). The specifications were transferred to EMVCo to support the development of a new version of the protocol, one better suited to mobile transactions and able to share more information between merchants and issuers, thus improving its ability to support risk-based authentication.

The 3DS protocol, now managed by all EMVCo stakeholders, has another benefit — it ensures that every EMVCo member gets to provide input into what goes into the protocol. From my perspective, that’s certainly a good thing. It’s 100% consistent with our early 3-D Secure vision where you get multiple inputs from different stakeholders and learn from your mistakes.

Entersekt’s shared 3DS vision

In my role as EVP 3-D Secure & Strategic Alliances at Entersekt, I get to see the fruits of collaboration much like our early vision for 3DS 1.0: the combined efficacy of Modirum’s 3DS assets (the ACS, or Access Control Server; the MPI, or Merchant Plug-In; and the DS, or Directory Server) with the authentication strengths that Entersekt brings to the table.

This synergy makes it possible for us to provide a cohesive, more holistic, richer set of banking and payment authentication solutions. And the combined company (read: Entersekt acquires Modirum 3-D Secure Payment Solutions to accelerate global expansion) results in better overall products, with a laser-like focus on strong security while reducing friction.

It’s great when things just work out…

Next up: Explore Entersekt's EMV 3-D Secure (3DS) certified solutions for end-to-end transaction authentication across all three domains.