Secure Payments, Generation 2.0

We use 2.0 as shorthand to describe the latest and greatest in technology, and with 3D Secure 2.0, the question remains: Is newer always better? In a wide-ranging discussion, Karen Webster, CA Technologies VP of Security James Rendell and Mastercard’s Paul Baker, VP and senior business leader of enterprise security solutions, examine how this new authentication protocol heralds a new era of secure card-not-present transactions.


The number and the decimal — 2.0 — has evolved into a rough shorthand for the newest version of something. It’s ubiquitous. It could mean anything. A revamp, a redo, a new and improved model — from technology to your latest spouse.

Enter 3D Secure 2.0.

Late last month, EMVCo published the EMV 3DS 2.0 Specification, a messaging protocol that allows consumers to be authenticated to card issuers during card-not-present transactions. That authentication can also extend to activities that are decidedly non-payment in nature, such as when an individual adds a payment card to his or her digital wallet. The protocol covers app-based purchases done on mobile devices and also browser-based transactions (you know, the older way of doing things).

But as with any new standard, preparation is paramount. The roadmap here extends across a few years and the initial rollout, in Europe anyway, is slated for the second quarter of 2018.

In a webinar with James Rendell, vice president of payment security at CA Technologies, and Paul Baker, vice president/senior business leader of enterprise security solutions at Mastercard, PYMNTS’ Karen Webster delved into just how 3D Secure 2.0 has the potential to change … everything.

The overarching question, as posed by Webster: Is 2.0 really better? After all, the promise to “change everything” is, well, a pretty big promise.

In a word, according to the panelists: Yes. Baker noted, “when we are talking about eCommerce, the transactions, the payments,” the structure that was put in place 16 years ago no longer supports a seamless experience for consumers.

The vision that is in place now, he added, is one where, as aided by 3D Secure 2.0, “we can enable borderless commerce,” where goods and services should be able to be delivered from anywhere in the world. That’s a big deal, Baker said, since merchants know they’ll get their money and consumers know they’ll be protected.

Including, continued Baker, the ultimate of all borderless commerce environments — IoT.


The Smartphone As The Center Of The Payments Universe

“That future is such a powerful idea,” posited Baker. The smartphone may become the center of how consumers make payments and authenticate themselves, he said, but it is crucial that the phone, or any device, be intelligent enough to conduct commerce in a safe and secure manner.

“The consumer is being pulled in so many different directions,” Baker said. “The experience has to be consistent with how consumers want to conduct commerce digitally — and securely.”

Which, Baker continued, forced them to examine the underlying technology to see if it could support the vision of borderless commerce. And, he said, it was no surprise that the 16-year-old technology that’s in place today was “not up to snuff.” That, he said, suggested that the onus was on the industry to build a technology that will endure for the next 10–15 years.

So, Webster asked: How does one take a 16-year-old technology and adapt it to any channel, any device and, above all, a frictionless process tied to authentication?

CA Technologies’ Rendell noted that 3D Secure 2.0 was developed and is owned by EMVCo, and the fact that the standard is available for people to use and adopt freely is one of “the more exciting” things about the emerging standard.

One of the biggest changes wrought by 2.0, explained Rendell, is the enablement of much more data — and richer data — to flow to devices and, in the payments space, between the merchant and the issuer.

This is critical, said Rendell, as, in the card-not-present scenario, 3D Secure 2.0 allows parties to exchange, via messaging, rich data with one another, which also can help protect against fraud.

With so many channels of communication and so many types of devices that can be, and eventually will be, connected to the internet, Webster asked Baker and Rendell how 2.0 is structured so that there would not be the need for future revisions to the standard.


Laying The Tracks For Commerce

Baker stated that building out the internet effectively hinged on building out the network with some degree of malleability. He used an analogy of building a road (stretching back a few hundred years) with an eye on allowing for different modes of transportation as they evolve (from horses to railways to, now, cars, of course), even as, going forward from today, cars themselves might change or, to extend the analogy, the tires on the cars might evolve. After all, noted Webster, cars keep evolving and have now used technology to move toward driverless autos.

“If you try hard enough when you build a standard like this, it’s feasible to build [enough flexibility] so that you obey the rules of the road,” said Baker. That would allow for the eventual embrace of, say, devices that might function in a way not yet dreamed of and yet would not require a massive change to the standard already in place, he continued.

Creating a better consumer experience, said Baker, must still take into account the need for authentication across any manner of device or transaction. As one example, he noted that Mastercard has been looking into the biometric space, and biometrics, he added, could be likened to a new car on the road (with the tires perhaps just touching the asphalt). At the moment, he said, authentication still has its friction points. It is important for merchants to be able to decide whether they need to challenge the consumer on authenticity and, if so, to do it in a way that is easy for the consumer to complete once challenged.

Baker and Rendell noted that the standard does not, in fact, mandate what the consumer experience should be, and the specification is flexible enough to enable authentication that extends to activities that do not involve payments at all.


Under 3DS 2.0’s Hood

Later in the webinar, Rendell delved into the mechanics of the process. The merchant sends an AReq (authentication request) to the issuing bank, “and they use this messaging to pass all of this rich data to the issuing side.” With this data, the issuer makes the decision as to whether to challenge the transaction or not. “The vision with Secure 2.0,” he said, is “that most transactions would never be challenged.” When there is a need to challenge the transaction, that takes place as the merchant communicates with the access control server.

But one key differentiator, continued Rendell, lies in the fact that the older protocols “borrow” the consumer’s browser for data communication and transmission. The 2.0 version avoids the browser redirection altogether, with everything happening behind the scenes and beyond the cardholder’s notice.
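The exchange Rendell describes, modelled as an added example that is not code from the article, from EMVCo, or from CA Technologies or Mastercard: the merchant side builds an AReq carrying rich transaction data, the issuer's access control server scores it and answers with an ARes, and only a transStatus of "C" sends the merchant on to a challenge with the ACS. Field names follow the EMV 3DS message naming (AReq, ARes, transStatus, acsURL and so on); the risk rules, thresholds, sample card numbers, addresses, IP addresses and the ACS URL are constructed assumptions, not any issuer's real logic.

```python
"""Simulated EMV 3DS 2.0 AReq/ARes exchange (illustrative model).

The 3DS Server (merchant side) assembles an Authentication Request carrying the
rich data 2.0 allows; the issuer's Access Control Server (ACS) answers with an
Authentication Response whose transStatus says whether the transaction passes
frictionlessly, must be challenged, or is denied. Risk rules, thresholds, URLs
and sample values are constructed for this example.
"""
import uuid

# transStatus values used here (subset of those defined by the EMV 3DS specification)
TRANS_STATUS = {
    "Y": "Authenticated (frictionless flow)",
    "N": "Not authenticated / transaction denied",
    "C": "Challenge required",
}

# Constructed issuer-side knowledge about two cards (a real ACS queries its own systems)
ISSUER_HISTORY = {
    "5555000000001234": {"known_ips": {"203.0.113.10"}, "blocked": False},
    "5555000000009999": {"known_ips": set(), "blocked": True},
}


def build_areq(card, purchase, device, cardholder, message_category="01"):
    """Merchant/3DS Server side: assemble the AReq.

    messageCategory '01' = payment, '02' = non-payment (e.g. adding a card to a
    wallet, where there is no purchase amount). deviceChannel '01' = app-based,
    '02' = browser-based; only the browser channel carries a browserIP here.
    """
    return {
        "messageType": "AReq",
        "messageVersion": "2.2.0",
        "threeDSServerTransID": str(uuid.uuid4()),
        "messageCategory": message_category,
        "deviceChannel": device["deviceChannel"],
        "acctNumber": card["acctNumber"],
        "purchaseAmount": purchase.get("amount"),      # minor units, as a string
        "purchaseCurrency": purchase.get("currency"),  # ISO 4217 numeric code
        "billAddrLine1": cardholder["billAddrLine1"],
        "shipAddrLine1": cardholder.get("shipAddrLine1"),
        "acctInfo": {"chAccAgeInd": cardholder["chAccAgeInd"]},  # account age indicator
        "browserIP": device.get("browserIP"),
    }


def risk_score(areq, card_history):
    """Issuer/ACS side: additive score over the AReq data (rules are constructed)."""
    score = 0
    amount = int(areq["purchaseAmount"] or 0)
    if areq["shipAddrLine1"] and areq["shipAddrLine1"] != areq["billAddrLine1"]:
        score += 2   # goods going somewhere other than the billing address
    if amount > 10000:
        score += 2   # above 100.00 in minor units
    if areq["acctInfo"]["chAccAgeInd"] in ("01", "02"):
        score += 2   # guest checkout, or merchant account created in this session
    if areq["browserIP"] and areq["browserIP"] not in card_history["known_ips"]:
        score += 1   # network the issuer has not seen for this card before
    return score


def acs_evaluate(areq, history=ISSUER_HISTORY, challenge_threshold=3):
    """Issuer/ACS side: answer the AReq with an ARes."""
    card_history = history.get(areq["acctNumber"], {"known_ips": set(), "blocked": False})
    ares = {
        "messageType": "ARes",
        "messageVersion": areq["messageVersion"],
        "threeDSServerTransID": areq["threeDSServerTransID"],
        "acsTransID": str(uuid.uuid4()),
    }
    if card_history["blocked"]:
        ares["transStatus"] = "N"   # issuer refuses outright; no challenge is offered
    elif risk_score(areq, card_history) >= challenge_threshold:
        ares["transStatus"] = "C"
        ares["acsURL"] = "https://acs.issuer.example/challenge"   # constructed endpoint
        ares["acsChallengeMandated"] = "N"
    else:
        ares["transStatus"] = "Y"
        ares["eci"] = "02"                                   # Mastercard: fully authenticated
        ares["authenticationValue"] = "<CAVV placeholder>"   # real value is issuer-generated
    return ares


def next_step(ares):
    """Merchant/3DS Server side: act on transStatus; no browser redirect is involved."""
    return {"Y": "authorize", "C": "challenge", "N": "decline"}[ares["transStatus"]]


def authenticate(card, purchase, device, cardholder, message_category="01"):
    """Run the full AReq -> ARes exchange and return the ARes for inspection."""
    return acs_evaluate(build_areq(card, purchase, device, cardholder, message_category))


# Constructed sample transactions
RETURNING_CUSTOMER = dict(
    card={"acctNumber": "5555000000001234"},
    purchase={"amount": "4500", "currency": "978"},
    device={"deviceChannel": "02", "browserIP": "203.0.113.10"},
    cardholder={"billAddrLine1": "1 Main St", "shipAddrLine1": "1 Main St", "chAccAgeInd": "05"},
)
GUEST_HIGH_VALUE = dict(
    card={"acctNumber": "5555000000001234"},
    purchase={"amount": "12500", "currency": "978"},
    device={"deviceChannel": "02", "browserIP": "198.51.100.7"},
    cardholder={"billAddrLine1": "1 Main St", "shipAddrLine1": "9 Other Rd", "chAccAgeInd": "01"},
)
BLOCKED_CARD = dict(
    card={"acctNumber": "5555000000009999"},
    purchase={"amount": "500", "currency": "978"},
    device={"deviceChannel": "02", "browserIP": "203.0.113.10"},
    cardholder={"billAddrLine1": "1 Main St", "chAccAgeInd": "05"},
)
WALLET_PROVISIONING = dict(   # app channel, non-payment: no amount, no browserIP
    card={"acctNumber": "5555000000001234"},
    purchase={},
    device={"deviceChannel": "01"},
    cardholder={"billAddrLine1": "1 Main St", "chAccAgeInd": "05"},
    message_category="02",
)

if __name__ == "__main__":
    for name, txn in [("returning", RETURNING_CUSTOMER), ("guest", GUEST_HIGH_VALUE),
                      ("blocked", BLOCKED_CARD), ("wallet", WALLET_PROVISIONING)]:
        ares = authenticate(**txn)
        print(f"{name:10s} transStatus={ares['transStatus']} -> {next_step(ares)}")
```

The point to notice is that the decision travels inside the ARes: the merchant side never hands the cardholder's browser over to the issuer, and a returning cardholder on a known device completes with a "Y" and no visible step, while the guest order shipping to a new address is the one case that proceeds to a challenge with the ACS. The non-payment case (wallet provisioning over the app channel) runs through the same messages with no purchase amount at all.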

“You’ve still got the option of that older version to make sure you can still get that secure transaction to go through,” chimed in Baker.

To get started in the protocol’s adoption across issuers and other stakeholders, Rendell said 1.0 and 2.0 will coexist to make sure the dual protocols are seamless. “There are some things we’ve done behind the scenes to make sure that that is possible,” he said, mentioning shared data models as one example. The overarching theme toward adopting, he said, is to “think about the consistency of user experience.” 2.0 gets stakeholders to think about mobile payments and more robust authentication, agreed Baker and Rendell, who added that CA is working with issuers to help them understand and plan for better user interface layouts and cross-channel functionality. And, in fraud prevention efforts, they can also see transactions as they occur over both the 1.0 and 2.0 protocols.

As for merchant uptake, the devil is in the details, and Mastercard will be approaching merchants, PSPs and issuers and helping them steer through an adoption roadmap — with what Baker projected would aim for “a successful conclusion … by the end of 2020.”