3DS – frictionless silver bullet or dangerous liability shift?
3D Secure 2.0 (3DS2) is a globally recognized payments industry standard that was created to instill confidence in online buyers and to reduce merchant and issuer fraud losses. It provides issuers with the option to authenticate cardholders prior to authorization. By shifting liability to the issuer, it can help reduce fraud loss and resource costs.
Typically, when a cardholder enters their payment information in the 3DS flow, the merchant passes the information over to the issuer / bank and a popup asks the user to reconfirm their identity. Since users are not always able to easily identify the authenticity of the popup window, this can often result in cart abandonment. In fact, 35% of online transactions are dropped because of a required registration prompt [1].
3D Secure 2 is the updated version of 3D Secure 1. The main difference between 3DS2 and its predecessor is the introduction of more frictionless authentication and a better user experience across devices.
The introduction of 3DS2.3 using FIDO
3DS2.3 allows users to authenticate directly to the bank, using secure payment confirmation (via Fast IDentity Online – FIDO). That payment information can be a defined subset that goes from one entity to another.
3DS2.3 introduces enhancements to increase flexibility for optimising EMV 3DS implementation across multiple channels and devices, helps issuers identify fraudulent transactions more quickly and accurately, and streamlines the authentication process for consumers to improve the overall payment experience [2].
The customer is able to authenticate anywhere just using their fingerprint – without having to prove their identity or deal with irritating SMS or email confirmations. For merchants, it’s a way to reduce friction and make the process as seamless as possible.
FIDO acts as multi-factor, single-step authentication that replaces password-only logins with secure and fast login experiences across websites and apps. FIDO can be offered as an opt-in service.
The downsides of a frictionless experience
From an issuer’s perspective, adoption will come down to individual cardholders’ appetite for risk. Some will not appreciate the extra steps, while others appreciate the additional security measures. Individual issuers must be on board with FIDO for it to work properly. No issuer wants to be the early adopter or to manage the subsequent challenges. For example, an older demographic might not be on board with using a thumbprint or their face for authentication.
A dangerous liability shift
3D Secure is not a silver bullet – nothing is. Mainland Europe has a lot of alternative payment methods, and many retailers use 3D Secure as a liability shift.
One unnamed electronics retailer didn’t do any checks on their system and within about six months they were losing approximately £30k or £40k a month in fraudulent sales [3]. Fraudsters would make one payment with a fraudulent card; it would go through, and they’d buy five more laptops before the merchant picked it up. The fraudsters had probed the system and realized that the sixth transaction would be blocked, so they’d found the point at which there was a release, waited 24 hours and, successfully, tried again.
This is where a good, robust fraud engine alongside 3D Secure works well. It’s still advisable to adopt a robust risk management system as well as a system of risk minimization controls.
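To make the retailer anecdote concrete, the sketch below is an added example (not Accertify's logic or code from the original article) that scores the same constructed order stream twice: once with only a rolling 24-hour count limit, and once with a rule that remembers a recent limit trip and holds later orders on that card for review. The thresholds, the seven-day hold, the field names and the sample orders are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

DAILY_LIMIT = 5               # assumed: the sixth order in 24 h is blocked
DAY = timedelta(hours=24)
HOLD = timedelta(days=7)      # assumed: how long a limit trip stays on record

def score_orders(orders, remember_blocks=True):
    """Decide accept / review / block for (order_id, card_token, time) tuples."""
    accepted = defaultdict(list)   # card_token -> times of accepted orders
    last_block = {}                # card_token -> time the limit last tripped
    decisions = {}
    for order_id, card, ts in sorted(orders, key=lambda o: o[2]):
        recent = [t for t in accepted[card] if ts - t < DAY]
        if len(recent) >= DAILY_LIMIT:
            last_block[card] = ts
            decisions[order_id] = "block"
        elif remember_blocks and ts - last_block.get(card, datetime.min) < HOLD:
            # The card tripped the limit recently: hold for manual review
            # instead of auto-accepting once the 24 h window has rolled over.
            decisions[order_id] = "review"
        else:
            accepted[card].append(ts)
            decisions[order_id] = "accept"
    return decisions

def sample_orders():
    """Constructed data: six orders on one card, five more 25 hours later,
    plus a single order on an unrelated card."""
    start = datetime(2024, 1, 1, 10, 0)
    step = timedelta(minutes=10)
    later = start + timedelta(hours=25)
    first = [(f"o{i + 1}", "card_A", start + i * step) for i in range(6)]
    second = [(f"o{i + 7}", "card_A", later + i * step) for i in range(5)]
    other = [("o12", "card_B", start + timedelta(hours=1))]
    return first + second + other

def count(decisions, outcome):
    """Number of orders that received the given outcome."""
    return sum(1 for d in decisions.values() if d == outcome)

if __name__ == "__main__":
    for label, flag in (("24 h limit only", False), ("limit + block memory", True)):
        d = score_orders(sample_orders(), remember_blocks=flag)
        print(label, {k: count(d, k) for k in ("accept", "review", "block")})
```

With the 24-hour limit alone, the second burst is accepted in full; with block memory, the same five orders are held for review while the unrelated card is unaffected.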
Accertify’s fraud detection service supplements 3DS with fully integrated risk management for all payment brands and data types.
1. Truelist, 29/12/21, Shopping Cart Abandonment Statistics – https://truelist.co/blog/shopping-cart-abandonment-stats/
2. EMVCo, 12/11/21, What is New with EMV® 3DS v2.3? – https://www.emvco.com/emv_insights_post/what-is-new-with-emv-3ds-v2-3/
3. Accertify data