3DS 2.0 Demands More Attention as Fraud Defense From Issuers and Merchants

Dewald Nolte, chief strategy officer at Entersekt, said 3-D Secure (3DS), the security protocol that was refreshed seven years ago, is an essential tool in fighting fraud.

At a high level, 3DS is designed to act as an equivalent to EMV chip-and-PIN cards, he told PYMNTS.

“It’s the digital way of enabling a bank to authenticate their cardholders in real time during an eCommerce transaction before the transaction is submitted for authorization or processing,” he said.

The security protocol has been around for over 20 years, and one of the big challenges impacting current adoption has been the fact that the first version of it, as he put it, “did not do anyone any favors.”

The initial interaction was clunky and created friction for consumers at the point of interaction, and cart abandonment was high, sometimes as high as 50%. Merchants, for their part, were hesitant to embrace the protocol and the two-step authentication, as the limited data sharing between the enterprise and issuer didn’t support frictionless authentication and fueled false declines, he said.

The latest go-round, 3DS 2.0, allows for more robust data sharing between the enterprise and issuer, enabling issuers to perform much better risk assessments, he said. Combined with the streamlined authentication methods now available, this is yielding an improved customer experience and higher transaction success rates.

Understanding the Consumer

“If the issuer understands more about the consumer [who is] checking out, then they can have a higher degree of confidence that this is actually the cardholder and not decline the transaction,” Nolte told PYMNTS.

Technology has advanced, and the new protocol includes options for more customer-friendly authentication methods, such as biometrics, he said, adding that consumers are increasingly comfortable with these advanced technologies, typically housed on their phones.

“Yet merchants are still not submitting their transactions over the 3DS rail for fear of [transaction] abandonment,” he said.

Part of the challenge lies in the fact that 3DS is mandated in some markets and not in others. In Europe, there’s strong regulation in place that requires customer authentication via 3DS. The United States has no such mandates, but there are some green shoots in place, said Nolte, who noted that some retailers, such as Best Buy, have said that they will route 100% of eCommerce transactions through 3DS. Overall, however, only about 3% of eCommerce transactions in the U.S. go through 3DS.

The urgency is there to boost that percentage, given the new attack vectors that are taking shape within eCommerce, he said. Social engineering is especially popular with fraudsters, and artificial intelligence is a weapon they love to use.

These schemes take advantage of the fact that data is siloed across the payments ecosystem. The fraudsters will find out quickly if static rules are in place — where, for example, transactions below $1,000 will never be challenged — and they’ll seek to fly under the radar, sidestepping the rules and committing fraud, he said.

Data is what’s needed to train the models that determine whether transactions are good or bad — and that ultimately will lead to higher success rates, lower friction and fewer challenges to transactions.

Asked by PYMNTS about the optimal level of friction that can, or should, be introduced during a transaction, Nolte said that friction comes down to preference — differing from one market to the next and even from one user to the next. Some merchants and consumers don’t want any challenge at all, “and then there are people who want to see a challenge each and every time. As more people are touched by fraud, there does seem to be a higher tolerance for authentication of transactions as it makes cardholders feel safe and in control.”

Dynamic models, by way of contrast, take the nuances of commerce into consideration. They use behavioral analytics to establish what “good” behavior looks like and to recognize which trends and transactions look anomalous.

In one example, a $19.99 transaction at a craft store may not ring alarm bells, while a $350 transaction at an online gambling site might be regarded as risky. By capturing the device-level data, and where transactions are coming from (and whether, for example, there have been any chargebacks), issuers and merchants might realize that the gambling transaction is actually the less risky of the two, being in line with prior cardholder transactions, and that the craft store transaction may be riskier if paid with a corporate card historically used exclusively for travel purchases.

The richer data helps them make better-informed decisions about transactions and consumers.

“Distinguishing between ‘good’ and ‘bad’ transactions is all a matter of context,” said Nolte.
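
The contrast between the static rule and a context-aware model, worked through on the article's craft store and gambling transactions. This is an added illustration, not code from Entersekt or the 3DS specification; the weights, the 0.5 cut-off, the field names and the transaction histories are constructed assumptions.

```python
from collections import Counter

STATIC_LIMIT = 1000.00   # the article's static rule: under $1,000 is never challenged
CHALLENGE_AT = 0.5       # assumed cut-off for stepping up to a challenge
WEIGHTS = {"category": 0.6, "device": 0.25, "chargeback": 0.15}  # assumed weights

def static_decision(txn):
    """Fixed amount threshold; ignores who the cardholder is."""
    return "challenge" if txn["amount"] >= STATIC_LIMIT else "frictionless"

def context_score(txn, history):
    """Return 0.0 (typical for this card) up to 1.0 (highly unusual)."""
    if not history:  # no baseline: treat category and device as unseen
        return WEIGHTS["category"] + WEIGHTS["device"]
    seen = Counter(h["category"] for h in history)
    # Share of past purchases that were NOT in this merchant category.
    category_rarity = 1.0 - seen[txn["category"]] / len(history)
    new_device = 0.0 if any(h["device"] == txn["device"] for h in history) else 1.0
    had_chargeback = 1.0 if any(h["chargeback"] for h in history) else 0.0
    return (WEIGHTS["category"] * category_rarity
            + WEIGHTS["device"] * new_device
            + WEIGHTS["chargeback"] * had_chargeback)

def dynamic_decision(txn, history):
    """Challenge only when the transaction is out of character for the card."""
    score = context_score(txn, history)
    return "challenge" if score >= CHALLENGE_AT else "frictionless"

def past(category, device, n):
    """Build n constructed, chargeback-free history rows."""
    return [{"category": category, "device": device, "chargeback": False}] * n

# Constructed sample data mirroring the article's two transactions.
PERSONAL_HISTORY = past("gambling", "phone-A", 18) + past("grocery", "phone-A", 2)
CORPORATE_HISTORY = past("travel", "laptop-B", 20)
GAMBLING_TXN = {"amount": 350.00, "category": "gambling", "device": "phone-A"}
CRAFT_TXN = {"amount": 19.99, "category": "craft", "device": "laptop-B"}

if __name__ == "__main__":
    for name, txn, hist in [("gambling $350", GAMBLING_TXN, PERSONAL_HISTORY),
                            ("craft $19.99", CRAFT_TXN, CORPORATE_HISTORY)]:
        print(name, static_decision(txn), dynamic_decision(txn, hist),
              round(context_score(txn, hist), 2))
```

The static rule passes both transactions without a challenge, while the context score steps up only the craft store purchase on the travel-only corporate card.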