3D Secure (3DS) is a protocol designed to be an additional security layer for online credit and debit card transactions. The cardholder is required to identify himself with his issuing bank resulting in a stronger authentication of the buyer when using the card.
3D Secure stands for “Three Domain Secure”. The three domains are the acquiring bank, the issuing bank, and the infrastructure that supports the 3D Secure protocol. Credit card companies have branded the protocol differently, e.g. Verified by VISA and MasterCard SecureCode, and not all cards are supported.
Fig. 1: Example 3DS Form by Verified by VISA (source)
3D Secure User Experience
3D Secure can have a negative effect on conversion rates, as the user is asked to complete additional steps to prove her identity.
The identification process happens through the web view. We don’t have control over what is happening inside the web view, so the only thing we can do before opening it is to explain to the user what to expect:
- Tapping the place order button first checks whether the credit or debit card should go through the 3D Secure system:
  - If yes, open the overlay with the explanation and the Continue button.
    - Tapping Continue opens the web view where the verification process takes place.
    - Show the explanatory overlay only once per user. The next time the user tries to place an order with this or any other credit card, we will not show him this overlay. Instead, we will open the web view directly.
  - If not, just continue with the direct payment flow.
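The routing described in the list above, as an added example that is not code from the original page or from the app it describes. The names `CheckoutFlow`, `requires3ds` and `seenOverlay` are hypothetical, and recording the overlay as seen only when the user taps Continue is an assumption; the page only says it is shown once per user.

```javascript
// Added example: routing of the "place order" tap for 3D Secure cards.
// All identifiers are hypothetical; sample cards and users are constructed.
const Step = Object.freeze({
  DIRECT_PAYMENT: "direct_payment",
  SHOW_OVERLAY: "show_overlay",
  OPEN_WEB_VIEW: "open_web_view",
});

class CheckoutFlow {
  // requires3ds(card) -> boolean stands in for the backend check.
  // seenOverlay holds user ids; a real app would persist it.
  constructor(requires3ds, seenOverlay = new Set()) {
    this.requires3ds = requires3ds;
    this.seenOverlay = seenOverlay;
    this.pending = new Set(); // users currently looking at the overlay
  }

  // User taps "Place order".
  placeOrder(userId, card) {
    if (!this.requires3ds(card)) return Step.DIRECT_PAYMENT;
    // The flag is per user, not per card: any later 3DS card skips the overlay.
    if (this.seenOverlay.has(userId)) return Step.OPEN_WEB_VIEW;
    this.pending.add(userId);
    return Step.SHOW_OVERLAY;
  }

  // User taps "Continue" on the overlay.
  continueFromOverlay(userId) {
    if (!this.pending.delete(userId)) {
      throw new Error("Continue tapped without a pending 3DS order");
    }
    this.seenOverlay.add(userId); // assumption: marked seen on Continue
    return Step.OPEN_WEB_VIEW;
  }
}

// Walks one constructed session and returns the step chosen at each tap.
function demo() {
  const cardA = { id: "card-A", threeDs: true };
  const cardB = { id: "card-B", threeDs: true };
  const cardC = { id: "card-C", threeDs: false };
  const flow = new CheckoutFlow((card) => card.threeDs);
  return [
    flow.placeOrder("user-1", cardA),   // first 3DS order: overlay
    flow.continueFromOverlay("user-1"), // Continue: web view
    flow.placeOrder("user-1", cardB),   // other card, same user: web view
    flow.placeOrder("user-1", cardC),   // card outside 3DS: direct payment
    flow.placeOrder("user-2", cardA),   // different user: overlay again
  ];
}
```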
3D Secure 1.0 with password
3D Secure 2.0 frictionless flow
3D Secure 2.0 One time password
3D Secure 2.0 Bank App
Force liability shift
Because of growing credit card fraud, credit card companies started to make merchants accountable for fraudulent transactions if they are not enforcing the most rigorous security mechanisms.
The way merchants are held responsible is through chargebacks, where the transaction amount is automatically withdrawn from the merchant's account. These chargebacks are increasing 20% per year and have become a real financial problem for merchants.
One of the oldest and most robust technologies used to defend against card-not-present online fraud is the 3D Secure protocol (3DS). With 3DS, cardholders need to identify themselves to their card-issuing bank when making a payment.
Although the core purpose of the protocol is to protect the consumer with stronger authentication at the time of the transaction, it also offers protection for merchants against fraudulent chargebacks.
This protection comes in the form of a potential liability shift from the merchant to the card issuing bank. The protection is only provided for fraudulent chargebacks and does not apply to any non-fraudulent consumer claims.
If a cardholder has disputed a 3D Secure transaction, the liability for the transaction will depend on the outcome of 3DS.
Merchants who attempt 3DS authentication may receive liability shift. This applies even if the issuing bank does not support 3DS, or if the cardholder is not enrolled in the protocol.
The newer 3D Secure 2 protocol provides a frictionless flow, which is risk-based authentication based on scoring. This means that for transactions considered low risk by the issuing bank, the 3DS validation is not requested, resulting in a better user experience and a higher conversion rate. If the fraud risk is considered high, the challenge flow applies, which forces the cardholder to authenticate via 3DS.
In both cases, the usage of 3DS results in a liability shift from the merchant to the issuing bank. In case of fraud, the chargeback is completely carried by the issuer. The cardholder will get his money back, but the merchant can keep the charged money.