Global eCommerce spending has grown to over $3.5 trillion and has resulted in more ways to pay than ever before—via web browser, mobile app, or connected device. Accompanying this growth has been a significant increase in card-not-present (CNP) fraud, to which merchants and issuers have effectively responded with a variety of fraud screening tools.
Today, there are numerous solutions to mitigate the threats of legitimate fraud, but for many merchants false declines are more troubling than fraud losses. Merchants are working harder than ever to capture and retain customers. A single poor online checkout experience causes many consumers to abandon the cart - and the merchant - permanently. That’s why it is critical to leverage any available tool to improve success rates; false declines one of the most frustrating (and avoidable) causes of transaction failure.
More than half of eCommerce transaction declines are actually legitimate transactions that should have been processed. 3DS2, (sometimes known by other names such as EMV 3-D Secure) is an industry standardized approach to help merchants and issuers identify legitimate fraud and distinguish it from good transactions.
Originally developed by Visa, 3-D Secure has been around for more than 15 years. In 2018, EMVCo developed the next generation standard to improve fraud screening while enhancing the customer experience. 3DS2 is a multi-factor authentication protocol used to confirm digital identity during checkout. In addition to primary account number, you are required to provide something you have, something you know, or something you are in order to confirm that you are the legitimate account holder during a CNP transaction.
To support enhanced risk-based decision making for card issuers, 3DS2 collects 10x more data than version 1. Using device data as preferred means for authentication, a consumer is likely to receive a frictionless transaction flow without even realizing authentication has happened in the background.
When a 3DS2 transaction is initiated from a web browser or mobile app, specific data points are collected, sent to a 3DS Server, and routed to the card issuer Access Control Server (ACS) for approval. To make a decision on the next step, issuers analyze more than 150 data fields, including browser IP address, browser language, delivery timeframe, shipping indicator, merchant category code, among many others. The issuer may respond with a frictionless approval, device fingerprint, challenge, or fallback. The frictionless flow provides immediate approval based on the initial transaction data collected. 95% of transactions should be deemed low risk and qualify as frictionless, requiring no additional consumer verification.
For the remaining 5% of transactions—those deemed “risky”—the issuer will request additional consumer verification by escalating to one or more of the next flows. The device fingerprint flow enables the issuer ACS to communicate directly with the web browser or mobile SDK managing 3DS authentication to collect additional data. The challenge flow enables the issuer ACS to request authentication by displaying an embedded modal or collecting biometrics. The fallback flow notifies the merchant that they must redirect the consumer to a different login page to go through the 3DS1 authentication process.
3DS2 provides support for transactions across a wide variety of devices and reduces friction during the checkout process, leading to an improved customer experience and reduced shopping cart abandonment.
Legacy 3DS1 did not provide a means for transaction authentication to be stepped up based on perceived risk. All transactions requesting 3DS received a challenge requiring a page redirect for entry of account credential information during the consumer checkout flow. The jarring customer experience often led to high cart abandonment and low merchant adoption of 3DS. 95% of 3DS2 transactions are approved without the need for a challenge, and the standard 3DS2 challenge flow does not require a page redirect.
Providing a framework for authentication outside of a web browser, 3DS2 supports transactions in native mobile apps or IoT devices. More than 50% of all eCommerce transactions originate from mobile devices, so a native mobile experience to provide frictionless authentication is no longer considered nice-to-have for most merchants. 3DS2 is designed specifically to support native mobile experiences, including biometric authentication methods depending on issuing banks’ supportability. The forthcoming 3DS version 2.3 is expected to enhance authentication flows for IoT devices, including voice authentication.
Aside from reduced fraud, merchants also benefit from a liability shift on 3DS transactions. By having consumers authenticate with their banks, responsibility for fraud screening is shifted to the issuer. This relieves merchants of the burden of chargebacks. With 3DS1, issuing banks would err on the side of caution rather than take on additional liability, declining numerous legitimate transactions based on the very limited data they received. With 10x the data collected, 3DS2 enables issuers to make better informed approval decisions and reduces the liability exposure to merchants.
Along with the direct benefits in preventing CNP fraud and false declines, improving customer experience, and shifting liability, 3DS2 is a key technical solution to regulatory compliance. The Payment Services Directive (PSD2) requirement for Strong Customer Authentication (SCA) on transactions originating in the European Economic Area (EEA) is driving a revolution in payments. The evolving 3DS2 standards are a direct outcome of the desire to control fraud without exposing consumers to poor eCommerce checkout experiences. All issuers in the EEA are required to support 3DS version 2.1 as of March 2020 and will be required to support version 2.2 by September 2020. It is expected at that time issuers will begin to soft decline risky transactions that are unable to authenticate via 3DS. Though there is currently a great deal of discussion around delaying the PSD2 deadline due to COVID-19, for most European countries the deadline remains December 31, 2020 (Happy New Year!).
In order to achieve PSD2 compliance optimized for 3DS2 frictionless flows, merchants transacting in the EEA should begin implementing 3DS2 today. Spreedly has a 3DS2 solution for most major European gateways today and will continue to expand coverage throughout 2020.
Want even more insight on a real-world implementation of 3DS2? See how Arc'Teryx implemented 3DS2 as part of the 2019 PSD2 Mandate in this video from PAYMENTSfn On-Demand.