Credit card fraud has been around as long as credit cards themselves have existed. Criminal elements are always coming up with inventive ways of committing credit card fraud, and the fight against it is waged on multiple fronts.
3D Secure was created as a security protocol to reduce instances of credit card fraud in card-not-present transactions, such as online transactions in e-commerce stores. 3D Secure is essentially a layer of security to authenticate purchasers at checkout as the legitimate owners of the card being used. This protects both cardholders and merchants.
3D Secure stands for Three Domain Secure. The name refers to the three domains that the protocol links:
- The Acquirer Domain – the merchant's acquiring bank
- The Issuer Domain – the bank that issued the card to the cardholder
- The Interoperability Domain – the infrastructure that supports the 3D Secure protocol
3D Secure was first implemented in 2001. Now you may recall that at that time cell phones were pretty much just that – phones. They could send and receive text messages, some had basic cameras and simple WAP web browsers, and of course you could always play Snake on your Nokia, but the days of smartphones as we know them today were still years away. Online shopping at that time was pretty much exclusively done on desktop or laptop computers, so 3D Secure was designed for browser-based transactions. And it could be a bit finicky – some users were unable to see the 3D Secure authentication pop-up page in their browsers, or did not understand the process. Some users actually thought the authentication process itself was a security threat and would abandon the purchase.
The world and technology changed pretty fast in the following twenty years. Once the Apple iPhone was introduced to the world in 2007, everything changed. Within a decade from that point, phones had web browsers, dedicated apps, GPS, multiple cameras and fingerprint sensors. And people wanted to use their phones to make purchases online. 3D Secure 1.0 was not geared for this at all, and so an updated version was needed to enable purchases in this new era.
3D Secure 2.0 was introduced in 2016. It is not so much of an upgrade as a completely new product that caters for web-based transactions, mobile payment systems and even e-wallets.
Where 3D Secure 1.0 essentially authenticates the cardholder by means of a password or PIN, 3D Secure 2.0 collects roughly 10 times more data during the authentication process. This includes data from the merchant's site as well as from the customer's device. In fact, over 100 key data points are analyzed during the process. All of this information is then compared to existing issuer data, and the risk level of the transaction is assessed automatically in real time.
If the transaction is considered low risk, no further action would be required on the part of the purchaser, creating a frictionless flow that allows the transaction to pass unchallenged.
On the other hand, if the transaction is determined to be high risk, the purchaser will be required to verify their identity by some method, such as entering a PIN or even using biometric data such as the fingerprint scanner on the mobile phone.
And of course, the transaction would be declined if it is deemed to be fraudulent.
Let’s imagine that you want to buy your usual bag of dog food from your regular online store. When you check out, the 3D Secure 2.0 process will look at things like the fact that you’ve purchased dog food from that merchant before, that you want it delivered to the same place and that you are buying from the same device as previous transactions, from a similar location. The transaction would be considered low risk and approved. However, if you suddenly want to buy 20 bags of dog food and have them delivered somewhere else, the transaction may be flagged as suspicious because it does not follow your usual pattern. But you may have a very good reason for this purchase – you may be sending those bags of dog food to a shelter as a donation. The system would then require some additional input from you to approve the transaction. And if your account is suddenly used to buy 50 expensive dog monitoring webcams, for delivery in a country that you do not live in, and the transaction request is being made on a phone that is not yours and that is in Nigeria, well then 3D Secure 2.0 is going to decline the transaction.
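The three outcomes in the dog food scenario can be sketched as a small risk-scoring routine. This is an added illustration, not the 3D Secure 2.0 specification or any issuer's actual risk engine; the class and function names, signal list, weights and thresholds are all assumptions, and a real assessment uses far more data points.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:  # what the issuer already knows about the cardholder
    merchants: frozenset
    ship_addresses: frozenset
    devices: frozenset
    home_country: str
    typical_amount: float

@dataclass(frozen=True)
class Txn:  # data collected at checkout
    merchant: str
    ship_address: str
    ship_country: str
    device_id: str
    device_country: str
    amount: float

# Illustrative weights and thresholds (assumed, not from any issuer or the spec).
WEIGHTS = {"new_merchant": 15, "new_ship_address": 20, "new_device": 25,
           "device_abroad": 25, "ship_abroad": 20, "amount_spike": 20}
CHALLENGE_AT, DECLINE_AT = 30, 80

def signals(p, t):
    """Return the names of the risk signals this transaction trips."""
    checks = {
        "new_merchant": t.merchant not in p.merchants,
        "new_ship_address": t.ship_address not in p.ship_addresses,
        "new_device": t.device_id not in p.devices,
        "device_abroad": t.device_country != p.home_country,
        "ship_abroad": t.ship_country != p.home_country,
        "amount_spike": t.amount > 5 * p.typical_amount,
    }
    return [name for name, hit in checks.items() if hit]

def assess(p, t):
    """Sum the weights of tripped signals and map the score to an outcome."""
    hits = signals(p, t)
    score = sum(WEIGHTS[h] for h in hits)
    outcome = ("decline" if score >= DECLINE_AT
               else "challenge" if score >= CHALLENGE_AT else "frictionless")
    return outcome, score, hits

# Constructed sample data: placeholder merchants, devices and country codes.
PROFILE = Profile(frozenset({"petfood.example"}), frozenset({"home"}),
                  frozenset({"phone-A"}), "AA", 40.0)
USUAL = Txn("petfood.example", "home", "AA", "phone-A", "AA", 40.0)
DONATION = Txn("petfood.example", "shelter", "AA", "phone-A", "AA", 800.0)
TAKEOVER = Txn("webcams.example", "unknown", "BB", "phone-Z", "CC", 5000.0)
```

Returning the tripped signals alongside the outcome lets a fraud analyst or merchant see why a given checkout was challenged or declined.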
Customers like easy payment systems, and merchants love it when customers don’t abandon the checkout process. And everyone wants to feel secure with their online transactions. 3D Secure 2.0 is a much better protocol than its predecessor and allows for a much better customer experience, while substantially lowering the risk of fraudulent transactions and the resulting chargebacks.
As 3D Secure 2.0 is essentially a different system from 3D Secure 1.0, both have been in use since 2016. However, the major card networks want to phase out version 1. Visa, for example, issued a statement in February 2021 stating that it will discontinue support for 3D Secure 1.0 in October 2022. Many places in the world, such as the European Union, started requiring a change from 3D Secure 1.0 to 3D Secure 2.0 in 2021. Ultimately 3D Secure 2.0 will be a requirement for all parties involved in card-not-present transactions.
However, merchants must remember that while 3D Secure does offer valuable protection against true fraud, it is not infallible and does not prevent friendly fraud or cover merchant error. Merchants still need to be vigilant in their processes to reduce these types of fraud.
At Baer’s Crest we know the difficulties small or new businesses face every day, and we know that navigating the complexities and technicalities of accepting credit card payments can be completely overwhelming. That’s why we offer our clients comprehensive and secure payment solutions. Talk to us about the right payment products for your business.