3D Secure (aka 3DS) is a protocol that allows merchants to authenticate consumers directly with a credit card issuer. 3D Secure is a “three-domain” model (hence the “3D” part). The three domains are the acquirer domain (merchant-side), the issuer domain (the cardholder’s bank), and the interoperability domain (the infrastructure provided by the credit card company, e.g. VISA, American Express, Mastercard). These domains communicate to authenticate a consumer.
The benefit to merchants is significant, as it shifts chargeback liability from the merchant to the issuer. It’s important to note that these chargebacks still count toward your chargeback rate, even if the issuer is ultimately financially responsible for the individual chargeback if it happens. Be careful if you have a high chargeback rate as you don’t want to be put on a chargeback monitoring program with one or more of the card brands (if you’re interested in improving your risk management KPIs, check out my previous article: How to Avoid Chargebacks and Identify Good Customers).
The protocol was first launched in 2001, but has seen limited adoption in the United States due to the friction it creates when consumers are making a purchase online. Essentially, a consumer is presented with a pop-up generated by the issuer asking them to verify their identity (see example below).
Consumers unfamiliar with the protocol may abandon the transaction when presented with a Verified by Visa, American Express SafeKey, or MasterCard Secure pop-up (studies show abandonment is as high as 12%).*
As merchants want to avoid unnecessary customer friction, risk-based authentication approaches are becoming the norm. Instead of challenging all consumers, you only challenge the riskiest consumers (i.e. consumers that don’t have an established transaction history with a merchant). This is a step in the right direction, but there is still a lot of room for improvement.
In October 2016, EMVCo released a specification to create 3D Secure 2.0 with the ultimate goal of making this method of authentication frictionless. To do this, they increased the amount of data that is communicated during a 3DS request: previously, there were 11 fields passed from merchant to issuer; in 3DS2.0 there are over 100!
Identity data, like name, address, phone number, email address, and IP address are all included in the new specification. Fortunately, we have rich identity data that can help in the authentication process.
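The risk-based approach and the identity fields described above, as an added example (not code from the original article or from the 3DS specification). The field names, weights and threshold are assumptions chosen for illustration.

```python
# Added example: risk-based decision on when to request a 3DS challenge.
# Field names, weights and the threshold are assumptions, not EMVCo values.
from dataclasses import dataclass, field

CHALLENGE_THRESHOLD = 50  # assumed cut-off: at or above this, challenge


@dataclass
class History:
    """What the merchant already knows about the account (constructed model)."""
    settled_orders: int = 0
    chargebacks: int = 0
    seen: dict = field(default_factory=dict)  # e.g. {"email": {"a@example.com"}}


def risk_score(order: dict, hist: History):
    """Score one order against the account's history; return (score, reasons)."""
    score, reasons = 0, []
    if hist.settled_orders == 0:
        # No established history with this merchant: the page's riskiest group.
        return CHALLENGE_THRESHOLD, ["no transaction history"]
    if hist.chargebacks:
        score += 50
        reasons.append("prior chargeback")
    # Identity elements named on the page; each unseen value adds risk.
    for key in ("email", "phone", "address", "ip"):
        value = str(order.get(key, "")).strip().lower()
        if not value:
            score += 25
            reasons.append(f"missing {key}")
        elif value not in hist.seen.get(key, set()):
            score += 20
            reasons.append(f"new {key}")
    return score, reasons


def decide(order: dict, hist: History):
    """Return ("challenge" | "frictionless", reasons) for one order."""
    score, reasons = risk_score(order, hist)
    return ("challenge" if score >= CHALLENGE_THRESHOLD else "frictionless"), reasons


# Constructed sample data (documentation-range IP, example.com address).
KNOWN = History(settled_orders=7, seen={
    "email": {"pat@example.com"}, "phone": {"+15550100"},
    "address": {"1 main st, springfield"}, "ip": {"203.0.113.10"}})
ORDER = {"email": "Pat@example.com", "phone": "+15550100",
         "address": "1 Main St, Springfield", "ip": "203.0.113.10"}
```

Returning the reasons alongside the decision lets you log why a customer was challenged and compare challenge rate against abandonment when tuning the threshold.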
At the end of the day, 3D Secure is a very valuable tool to authenticate consumers transacting with merchants. If you implement risk-based authentication and only challenge the riskiest users, you’ll minimize fraud exposure while maximizing revenue. In the future, this authentication will be frictionless, which makes it even more attractive.
We recommend using 3D Secure as part of your layered approach to prevent fraud. If you have any questions about fraud management best practices, please reach out to us.