3D Secure: The Evolution to 2.0

Fraud Detection Perspectives From Fraud Forum 2018

3D Secure significantly affected the financial sector when it came on the scene more than a decade ago but, over time, evolving technologies and the needs of both financial institutions and their customers have created demand for improvements.

While 3DS was originally the intellectual property of Visa, the company has ceded its rights to EMVCo, jointly owned by American Express, Discover, JCB International, Mastercard, China UnionPay, and Visa, so that the protocol could be evolved at an industry level. After a lengthy collaborative process, EMVCo released the 3DS 2.0 specification in October 2016.

Food for Thought 

3DS 2.0 is set to provide a better user experience, as well as faster authentication and authorization processes, enabled by risk-based authentication for a majority of transactions. With its many improvements over 3DS 1.0's capabilities, merchants are expected to adopt it wholeheartedly.

“Since cardholder user experience and expectations are constantly changing and the payment landscape is rapidly evolving, introducing the 3D Secure 2.0 protocol should bring better compatibilities to help our clients grow their e-commerce business, especially in focusing on fraud detection and in reducing false declines. 3D Secure 2.0 enhancements should be recognized by an improved user experience during the authentication process with more data for security purposes. 

On the other hand, from the implementation point of view, changes such as support for the in-browser and in-app authentication process, possibilities to embed the authentication process in the merchant’s website or mobile application, etc. and the adoption of them, will have a strong impact on the overall success”, commented Željka Perok, Senior Product Expert from Mercury Processing Services International, at the panel discussion on 3DS 2.0 which concluded Fraud Forum 2018.

3DS 2.0 Panel at Fraud Forum 2018

A panel discussion was introduced at this year’s Fraud Forum as a new format. Its theme was 3DS 2.0 and it proved both popular and very useful. 

“In my personal opinion, this is the best way of sharing experiences and receiving expectations and hopes from our clients: what issuers expect and is there any difference from what acquirers expect. Also, it was interesting to see totally different areas of interest in 3DS 2.0 between issuers and acquirers.

This format of discussion gives more freedom to all participants and discussion ends up being very fruitful. Considering one of the main aims of 3DS 2.0 - frictionless - and when thinking about what this would bring to fraud rates in the upcoming years – well, what I expect is that it will remain challenging for both sides: fraudsters and anti-fraud teams,” said Ivica Jurčić, Fraud Team Leader from Mercury Processing Services International, who took part in the panel.

“Our intention was to cover different hot fraud-related topics and to introduce a new format. So instead of the usual workshop, we held a discussion panel for which we prepared 4 topics: a general overview of 3DS 2.0, the merchants’ reaction to 3DS 2.0, fraud rate projections after 3DS 2.0 and the possible need for new fraud rules after 3DS 2.0. The discussion was lively and interesting and we are grateful to all participants who shared their thoughts, wishes and hopes with the audience,” said Jelena Kolega, Head of Product Development in Mercury Processing Services International, on behalf of the organizers.

Protection for the Small, Doubt for the Big?

The panel also discussed how 3DS 2.0 will affect fraud prevention, specifically fraud rates. According to the card schemes’ announcement, only 5% of 3DS 2.0 authentications will be challenged, depending on the outcome of the risk assessment, as opposed to the previous version’s 100% challenge rate. This, understandably, raises concerns about fraud levels.

3DS authorizations are high-security operations and, as such, are considered low-risk and often excluded from fraud monitoring rules. Because the remaining 95% of authentications will not be challenged, major efforts will be put into developing ACS 2.0 (Access Control Server) with a risk-based authentication (RBA) module to ensure low levels of risk for authenticated requests.

“It is still difficult to predict exactly what will happen with fraud rates after the implementation of 3DS 2.0. A lot of announcements have been made and the expectations are high. Nobody was happy with the 3DS 1.0 protocol, and its usage rates are quite low. By September of 2019, as per regulations, every online transaction will have to comply with the requirements for SCA.

As the issuer, we will be able to get more attributes for every transaction, but which details and how many of them will we really get, after GDPR and Data Protection have been taken into account, is still an unknown. Thus, whether there will be enough details to support frictionless authentications remains an open question. For example, if a 3DS 2.0 transaction is approved, the chargeback liability will fall to the issuer - here, again, the question is what details will be available to base a risk-based authentication on? Currently, the biggest number of authorizations we are getting come from the big aggregators which already use the risk-based authentication approach on their end. I do not believe that they will be adopting the 3DS 2.0 protocol.

Certainly, the smaller merchants will be encouraged to adopt the 3DS 2.0 as it brings them chargeback liability protection.

Because of that, as the acquirer, we are keen for all of our online merchants to use the 3DS 2.0 protocol”, commented Mirjana Kolesarić, Deputy Executive Director from PBZCard, at the 3DS 2.0 panel discussion at Fraud Forum 2018.
