"What unites Verified by Visa, Mastercard SecureCode, and American Express SafeKey?
They all stand as integral fraud protection mechanisms, founded on a technology known as 3-D Secure (commonly abbreviated to 3DS).
Constructed to shield consumers - and indeed you, as a merchant - from the threats of online payment card fraud, 3-D Secure has a singular aim: to ensure that card transactions conducted online originate from the authentic cardholder.
Over the past two decades, 3DS technology has served as a crucial bulwark against fraudulent chargebacks. Yet, despite its proven effectiveness in countering eCommerce fraud, many merchants have hesitated to implement this technology. Their primary concern lies in the potential for decreased conversion rates and increased shopping cart abandonment.
In this article, we will delve into an understanding of 3-D Secure - its operational principles, its evolution since inception, the advantages and disadvantages of this technology, and whether concerns surrounding 3DS impacting conversion rates are truly justified."
What Is 3-D Secure?
3-D Secure
3-D Secure functions as a digital PIN code for online transactions, aiming to authenticate purchasers as the legitimate cardholders. This enhanced layer of scrutiny not only fortifies the security of cardholders but also shields merchants from fraudulent transactions.
Envisioned as a customer authentication protocol specifically for eCommerce, 3-D Secure validates buyers at checkout, thereby adding an extra tier of protection to online transactions. Card networks strongly advise both issuing banks and merchants to endorse this protocol.
What is 3DS 2.0?
While 3-D Secure has been established as a method to enhance shopping security, its initial version (3-D Secure 1.0, or 3DS1) had certain drawbacks. The protocol introduced additional complexity to the checkout process and was limited to browser-based transactions. This led to a sub-optimal customer experience and a decrease in conversion rates for many merchants.
However, the subsequent upgrade, 3-D Secure 2.0, along with its following iterations, operates more fluidly and introduces several new features. Currently, this version of 3-D Secure is mandated for accepting credit cards in Europe, although it remains optional in other regions.
This article will discuss 3-D secure broadly without always making a distinction between 1.0 and 2.0. For more information specifically about the newer 2.0 protocol, including an analysis of the differences between the first and second versions, we recommend reading the below article:
How Does 3-D Secure Work?
3DS1 authenticates cardholder details using a fixed password or PIN. The consumer generally encounters a pop-up window prompting them to input a previously set code. Although the concept was straightforward, the practical application left much to be desired.
The modernized 3-D Secure authentication, on the other hand, achieves the same objective through a more sophisticated approach. It transmits approximately 150 data points related to the transaction to the issuing bank, both automatically and in real-time. This encompasses information such as the IP address, merchant category code, shipping address, and more.
The issuer juxtaposes the transaction data with established customer information, such as purchasing history or the payment card's registered address. Through the utilization of artificial intelligence and machine learning, the potential fraud risk is evaluated, and the merchant receives one of five predefined transaction labels:
Transaction Label | Description | Eligible for liability shift? |
Cardholder authenticated | Proceed with purchase. | Yes |
Authentication offered but not used | e.g Issuer cannot support 3DS | Yes |
Authentication failed | The buyer is not the cardholder. | No |
Authentication unavailable | For some reason, the customer identity could not be confirmed or denied. | No |
Error | Something went wrong in the authentication process. | No |
The primary advantage of 3DS 2.0 is that a staggering 95% of all transactions are eligible for immediate approval, requiring no direct additional input from the customer. This 'frictionless flow' allows consumers to be approved often without even being aware that an authentication check took place.
A small percentage of transactions, however, might be flagged as riskier. In such scenarios, the buyer will be prompted to provide supplementary cardholder information. This could involve a one-time password, or potentially a biometric identifier like fingerprint or voice recognition (features not supported in 3DS1).
In exceptional cases, the consumer may be required to undergo the older verification process.