According to Due, eCommerce sales were projected to reach $632 billion by 2020, increasing online fraudsters’ incentives to innovate their tactics.[1] As people continue to stay home and transact more digitally, we expect the projected numbers to increase further. If more action isn’t taken, it’s projected that CNP fraud losses by banks and other merchants in the United States could total far more than $12 billion by 2020.[2] These numbers indicate the need for secure transactions that keep fraudsters at bay. In this article we will learn more about risk-based workflows with or without 3DS.
What is 3DS?
3DS, or 3D-Secure, is a secure protocol designed to provide enhanced security and stronger authentication for customers when they use their debit or credit cards for online purchases. Benefits for merchants include reduced fraud risk and a shift in fraud liability from merchant to issuer. Version 1 of the 3DS protocol was developed in 1999, and as technology evolved, shortcomings in the protocol became apparent. 3DS 2.x was developed to address the 1.x shortcomings. Its improvements include additional contextualized data (100+ fields) that the merchant can supply to the issuer, consistency in the way authentication screens are presented to the customer, mobile-friendly options, and the ability for specialist third-party device and digital identity intelligence vendors to enrich the risk decision process, better identifying trusted, returning customers while providing enhanced protection against fraudulent activity.
Does 3DS2 satisfy SCA requirements?
PSD2 mandates the principles of strong customer authentication (SCA). PSD2 is not yet enforced for 3DS transactions, but it will be at some point in the future and we need to be ready. A combination of at least two of the following authentication factors is required for a successful transaction:
- Something the customer knows: OTP (One Time Password), SMS code, PIN, password, security question, etc.
- Something the customer owns: Mobile device, wearable device, etc.
- Something the customer is: Biometric data like a fingerprint, iris scan, facial or voice recognition.
That said, 3DS provides a mechanism for SCA to be performed during an eCommerce payment journey. The authentication itself isn’t done through 3DS, but its interaction in the payment process enables the authentication actions to take place.
What does a 3DS enabled customer experience look like?
The transaction is assessed for risk by the credit or debit card issuer’s 3D-Secure service provider. 3DS is used to authenticate the online payment event. If the transaction is determined to be high risk, it goes through a challenge or is declined outright. In other words, a challenge prompts the cardholder to verify their identity using one of the three authentication factors chosen by the 3DS provider. If the transaction is deemed low risk, no further action is required on the cardholder’s end. Once authenticated, the transaction is then submitted for final authorization and approval.
Do merchants have a choice in the USA?
Merchants struggle to balance friction and conversion, and because 3DS does create some amount of friction, some merchants prefer not to use the 3DS security protocol. If they do not use 3DS, they take the responsibility and control the level of risk they are willing to accept, as part of the merchant’s risk and consumer appetite. If they decide to implement 3DS, there is a fraud liability shift from the merchants to card issuers, but they do incur a cost as a result of pushing the transactions through 3DS. Yes, they pay for this level of security, but they also know that they won’t be taking any fraud loss or incremental operational cost to manage chargebacks. It also means the merchants will be leaving money on the table and will no longer control the level of risk they are willing to take on.
How do merchants ensure an effective balance between fraud, friction and customer authentication?
Whether or not merchants implement 3DS, it is important for them to evaluate risk-based workflows, for these two reasons:
- If the merchant is 3DS enabled, a risk assessment is undertaken on the online event, and 3DS enables merchants and card issuers to make an informed risk decision.
- If the merchant is not 3DS enabled, risk-based workflows help reduce fraud losses and operational cost.
What to look for in a third-party solution while evaluating the workflows?
The idea behind leveraging a third-party solution is to reduce liability such as fraud losses and operational losses. Merchants should look for the following characteristics in a solution:
Device and digital identity related attributes: Whether applied by the merchant directly as part of their own risk assessment, or through 3DS as part of the card issuer risk assessment, device and digital identity analysis could provide a whole new set of data components.
Decision: Merchants should use deep and rich information to make that risk assessment, whether that is all the information the merchant has (including data such as delivery address, webpage activity, etc.) or the extended amount of data shared with the card issuer through 3DS. For additional insights, merchants can go one level further and leverage data from their peers through existing consortiums.
When it comes to decision making, speed and accuracy are most relevant. Leveraging more data as mentioned above can bring accuracy. To ensure speed, merchants can use machine learning models, passive authentication capabilities like behavioral biometrics, and flagship models.
Ease of deployment: The capability to deploy multiple types of customer journeys based on risk score can create an additional layer of fraud protection. It also ensures the customer is routed down an appropriate path based on this outcome, enabling merchants and/or card issuers to strike an effective balance between fraud and friction.
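The SCA two-factor rule and the risk-based routing of customer journeys described above can be sketched together. This is an added example, not code from the article or from any 3DS provider; the 0-100 score, both thresholds, the method names and the outcome strings are assumptions made for illustration.

```python
from enum import Enum

# Constructed mapping from authentication method to SCA factor category
# (knowledge = knows, possession = owns, inherence = is).
FACTOR_CATEGORY = {
    "pin": "knowledge", "password": "knowledge",
    "mobile_device": "possession", "wearable_device": "possession",
    "fingerprint": "inherence", "iris_scan": "inherence",
}

# Hypothetical thresholds on a 0-100 risk score; real values depend on the
# risk appetite of the merchant or issuer.
CHALLENGE_AT, DECLINE_AT = 40, 85


class Journey(Enum):
    FRICTIONLESS = "frictionless"
    CHALLENGE = "challenge"
    DECLINE = "decline"


def route(risk_score):
    """Pick the customer journey for a transaction from its risk score."""
    if not 0 <= risk_score <= 100:  # also rejects NaN
        raise ValueError("risk score must be within 0-100")
    if risk_score >= DECLINE_AT:
        return Journey.DECLINE
    if risk_score >= CHALLENGE_AT:
        return Journey.CHALLENGE
    return Journey.FRICTIONLESS


def satisfies_sca(methods):
    """True only if the methods span at least two distinct factor categories.

    Two methods from the same category (PIN + password) count once, and
    unrecognised methods are ignored, so the check fails closed.
    """
    categories = {FACTOR_CATEGORY[m] for m in methods if m in FACTOR_CATEGORY}
    return len(categories) >= 2


def decide(risk_score, methods=()):
    """Outcome of the workflow: low risk passes straight through, high risk
    is declined, and anything in between must pass the SCA challenge."""
    journey = route(risk_score)
    if journey is Journey.DECLINE:
        return "declined"
    if journey is Journey.FRICTIONLESS or satisfies_sca(methods):
        return "submit_for_authorization"
    return "challenge_failed"
```
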
To summarize, risk-based workflows can add value to both 3DS and non-3DS based authentication. For 3DS authentication, a risk-based approach will help merchants build trust with credit and debit card issuers. If the issuer trusts the workflows implemented by the merchant, they will be less conservative and accept more transactions. For non-3DS based authentication, risk-based workflows become even more important because they can help merchants maximize protection and conversion.