The line between fraud prevention and bad customer experience continues to be a tightrope the payments industry has to walk. While the correct balance hasn’t yet been struck, industry watchers are bracing for another attempt when EMVCo releases 3DSecure 2.0 later this year.
EMVCo, a technical body overseen by its six member organizations – American Express, Discover, JCB, Mastercard, UnionPay, and Visa – is currently collecting industry feedback on a draft version of the revised specification, with the final version expected to be released this year. But will it be an improvement? And what should payment facilitators be watching for?
3DSecure is a protocol used to authenticate consumers to their card issuers when they’re making purchases online. It is intended to prevent the fraudulent use of cards during card-not-present transactions. The original specification, known as 3DS 1.0, was developed by Visa and has been taken to market by the other card networks under their own brands, such as Verified by Visa and Mastercard SecureCode.
The specification is in need of an upgrade because it was created for browser-based online shopping and does not support more recent developments in e-commerce, such as mobile and in-app purchasing.
More to the point, however, 3DS 1.0 has been widely criticized for adding friction to the authentication process and leading to cart abandonment. The new specification is said to support newer technologies and provide more risk-based decisioning rather than the 100% challenge rate of the previous version.
The release of the new specification will be something for payment facilitators to watch. If it proves relatively effective at preventing fraud without throwing up too many roadblocks for consumers and their valid transactions, it will be worth considering as an offering, according to Heather Mark, director of compliance at ProPay.
“You’re creating a barrier for fraudulent transactions and, as long as you’re not preventing legitimate transactions, then I think it’s a good tool,” Mark said.
“It’s really going to hinge on what the implementation looks like and how many of the issues with the first version were addressed in this new iteration. If they could make it seamless and relatively transparent to consumers, I think it would be a really good tool for payment facilitators to use.”
Even if the specification is an improvement over the previous iteration, the real success of the specification will depend on consumer adoption. If consumers are required to complete too many steps, they may not feel the effort will be worth the extra assurance it provides.
“I think it’s going to take an evolution in not just the technology behind 3D Secure, but also on the part of consumer attitudes, and that’s always the hard part to change,” Mark said.
EMVCo, which is developing the 2.0 specification, joined with the PCI Security Standards Council recently to announce that the two bodies would be collaborating on the launch. While EMVCo plans to release the new specification later this year, the PCI council will develop supporting documentation such as testing procedures and assessor training, the companies said.
Jonathan Main, chair of the EMVCo Board of Managers, said: “The EMV 3DS 2.0 Specification provides a functionality ‘tool box’ to parties who wish to develop and implement 3DS 2.0 compliant products and services. This enables all solutions to be globally interoperable and promotes a unified international payments framework. Following the release of the EMV 3DS 2.0 Specification later this year, solutions will be created and their introduction into the marketplace needs to be workable and defined. We recognize that this requires a number of industry stakeholders to work together to establish a secure framework and we are delighted to be collaborating with PCI Security Standards Council to facilitate this process.”