Let’s face it. 3-D Secure hasn’t exactly won the eCommerce popularity contest over the last several years. Customers got confused when they saw pop-up windows, struggled with remembering passwords and then just said “never mind” at checkout. But 3-D Secure has come a long way. CA Technologies’ Innovation Guru Bob Stock spoke with MPD CEO Karen Webster about how 3-D Secure has moved past its “iffy” reputation to become a useful tool for eTailers to identify risky transactions more accurately and less disruptively.
KW: Let’s talk EMV and the related aspects of security with respect to the EMV migration that the U.S. is now facing. Since online commerce is growing rapidly, what solutions should be added to the retailer’s security portfolio to mitigate the threat of online fraud?
BS: In other markets, specifically in the U.K., because skimming as a method of fraud at the POS has become difficult with EMV cards, the card-not-present fraud has spiked. We anticipate that to happen in the U.S. as it moves to EMV cards.
There are a number of things that can be done on all sides of the transaction. On the merchant side, they have a wide degree of sophistication, especially some of the larger merchants, about fraud detection, scoring, device identification, and more. They’ve put solutions in place to help them recognize suspect transactions, including things like 3-D secure, and that continues to advance.
On the issuer side, it’s a bit of a challenge because when you look at e-commerce transactions, there’s no connection between the issuer and the end-user on a given device. That is, the shopper is checking out at store A or B, but the connection used by the merchant to do device ID and other forensics is not available to the issuer. But issuers can certainly take a look at other fraudulent scoring techniques, and then there is a lot that can be done with 3-D secure.
KW: 3-D secure has kind of gotten a bum rap in the past, at least here in the U.S. I know the experience in Europe has been different because there really wasn’t a choice for merchants. Why the stigma, and is the solution still relevant given the other things merchants are thinking about to prevent fraud?
BS: In the U.S., 3-D secure has been a bit less popular for a few reasons. One is that some of the U.S. e-commerce activities were pretty highly developed early on relative to other markets. For instance, Amazon became a sophisticated online merchant early on, and developed a lot of capabilities to use checkout and identify fraud.
Another reason 3-D secure didn’t really accelerate was that the checkout experience and original intent of 3-D secure protocol was to provide an additional authentication for transactions, but the challenge with that was that, in the initial few years, every transaction and customer was treated the same. Customers would have to enroll, if they weren’t already, and select a password during checkout, etc. This led to more friction and higher shopping cart abandonment. That’s the historical viewpoint.
A number of things, however, have happened to change that in the past few years. One of the key things on the issuer side is that providers have become much more sophisticated about enabling issuers to match the authentication requirement to the level of risk of the transaction. So, because the 3-D secure protocol was designed to open a pop-up window, it’s the only case where an issuer has a direct connect to the end-user’s machine during an online transaction. That gives the issuer the ability to run device forensics, to see if the end-user is going through a proxy, and score all of these factors in real-time combined with the dollar amount of the transaction or the velocity against a machine, card, or merchant. They can use those things to tailor the user experience to the level of risk, even more so with added modeling. They’re seeing 97 percent+ transactions successfully go through without any change in customer experience, yet they still can identify fraud. That’s a big change.
Merchants, too, see an increase in e-commerce fraud, and in some cases are likely to run transactions through 3-D secure if there’s risk evident. These instances have provided ways of leveraging the 3-D secure capability and technology in a way that isn’t aligned with its perception historically.
KW: You mentioned modeling is helping to reduce friction. What are some of the other things that really rest on the side of the card issuer to get over the hurdle of the misperception of 3-D secure?
BS: I think just being sophisticated about rules and modeling so that you can identify suspect transactions is one thing. The other thing we’re seeing is that technologies are making it easy in the case of authenticating a transaction. Let’s say a sophisticated issuer is able to pass 95 percent of transactions through. For the remaining transactions that show some sort of risk or are out of pattern, the authentication mechanism also has gotten much more advanced. Issuers can use a dynamic password or a one-time password generator as part of a mobile app, and can make it painless so a customer doesn’t have to remember a password.
We’ve also seen instances where, in certain markets that are comfortable with second-factor security, mobile application programs have been used to ask the customer if they are in fact completing a transaction for a specific amount with a specific merchant. But overall, the most important thing that card issuers are doing is recognizing the risk and taking friction away for low-risk transactions.