Patience could be wearing thin for those awaiting action from the card networks' emerging fraud-prevention protocol known as 3-D Secure 2.0. But after many delays, the technology appears to be awakening from hibernation.
Key factors driving renewed interest include U.S. issuers finally moving past the painful EMV migration to focus more attention on resolving card-not-present fraud, plus Europe’s new PSD2 payment regulations taking effect this month, mandating the development of dynamic strong authentication for transactions.
3-D Secure 2.0 leverages risk-based authentication in real time with additional data, including biometrics, and provides a more seamless checkout approach than the original concept. Its timing this time around could be more favorable than the largely password-based 1.0 version, experts say.
“Authentication strategies across Europe are being reviewed in light of PSD2 SCA requirements, and as we finally get more clarity on those, the adoption of 3-D Secure 2.0 should accelerate,” said Zilvinas Bareisis, a senior analyst with Celent.
New categories of merchants are showing real enthusiasm for the new, streamlined version of 3-D Secure 2.0, according to Bob Reany, Mastercard’s executive vice president for identity solutions. These include purveyors of digital goods such as music, gaming, software and other products that are mostly purchased within apps.
“Some of the biggest advocates for 3-D Secure 2.0 are large merchants who deal in digital content, and considering that previously there really was no mechanism for this category of goods within 3-D Secure, their interest in the new version is very promising,” Reany said.
There's much less excitement among mainstream e-commerce merchants—including many in North America—given the experience of the first, clunkier iteration of 3-D Secure that emerged around 2000. That version promised to thwart online fraud by requiring consumers to take an additional step to authenticate transactions directly with the bank — a detour from the merchant checkout page which added friction and hurt sales, according to the stores that used it.
“Many merchants still see 3-DS as a challenge possibly resulting in increased shopping cart abandonment, in exchange for limited gain in fraud control,” said Michael Vaselenak, a consultant at VCS Technologies in Toronto, who said most Canadian merchants didn't find the first version of 3-D Secure to be particularly useful.
Though some merchant segments adopted the protocol under the brand names Verified by Visa, Mastercard SecureCode and American Express SafeKey—and some of those continue to use 3-D Secure with positive results—overall the concept failed to gain wide popularity. In the ensuing years, most merchants gravitated instead toward layering various anti-fraud solutions on to their e-commerce processes, aiming to weed out criminals at the risk of blocking legitimate transactions from an abundance of caution.
But merchants now are fed up with ever-escalating costs around controlling online fraud, and more are interested in collaborating with card networks and issuers to fine-tune the new version of 3-D Secure 2.0 to their needs so they might benefit from fraud-loss liability shifts the networks are promising for participating merchants.
“Online fraud liability is a financial cost the merchants continue to fully absorb, in addition to their significant investments in fraud mitigation tools, resources and processes, which seems like an inequity in the system,” said Laura Townsend of the Merchant Advisory Group (MAG).
Merchants haven't had much direct involvement so far in 3-D Secure 2.0’s development, but MAG is optimistic about prospects for merchants to work more closely with banks and the card networks, she said.
“There are definitely opportunities for improvement and the industry needs to seriously move forward with a collaborative and collective focus on adequate authentication practices and tools. However, the jury is still out on whether 3-DS will be the answer,” Townsend said.
The card networks are committed to 3-D Secure 2.0’s staged rollout beginning this year, after acknowledging a series of delays.
EMVCo., which is coordinating development of standards and testing, finally published the protocol’s specification in the fall of 2017, about one year after the initial draft. The new version reflects many revisions that took more time than expected.
That delay, in turn, pushed back the timeline on testing and certification, now set to begin in the second quarter of this year, according to the card networks.
Visa said its rules for 3-D Secure 2.0 will go into effect in April 2019, giving issuers and merchants time to test, refine and roll out their solutions.
Mastercard is working with issuers and merchants on adoption, saying its rules will go into effect in April 2018 to coincide with EMVCo's timetable.
American Express said it will update its strong authentication protocol to SafeKey 2.0 this spring, supporting biometric authentication methods like fingerprints and facial recognition.
Merchant interest in 3-D Secure 2.0 is stronger outside the U.S., according to Bahram Boutorabi, CEO and chief technology officer at GPayments, a Sydney, Australia-based technology firm that specializes in providing authentication solutions for banks and merchants.
One of the founding committee members for the original version of 3-D Secure, Boutorabi has also contributed to development of the modern standard, which he says has significantly more appeal to merchants than the original version.
“The main incentive for merchants in adopting the new protocol would be serious reduction in customer friction as a result of having a challenge-free flow built in … with most authentication activity invisible to the consumer," he said. "I believe the uptake of 3-DS2 will depend greatly on the involvement of issuers, which are in turn being pushed to adopt the protocol by card brands such as Mastercard who are setting aggressive adoption dates for liability shifts."