Online merchants reacted to Visa's creation of 3D Secure to protect card-not-present transactions more than a decade ago with a resounding thud. But the software has become a viable option to protect card data online, according to a new report from Aite Group.
Earlier implementations of 3D Secure used passwords, which consumers tend to forget, and relied on pop-ups that often caused consumers to flee the transaction process, the report states. In addition, many merchants did not adopt 3D Secure, so consumers didn't fully understand the process, it says.
The improvements made in 3D Secure are best illustrated through Visa's Consumer Authentication Service, a risk-based technology added to 3D Secure during the 2012 holiday season, says Mark Nelsen, Visa's head of global risk and authentication products.
"Merchants don't like friction [in the online payment process] and much of that with the earlier 3D Secure had to do with the use of a static username [and] password," Nelsen says. When a consumer was checking out and did not have a password, the merchant would request an enrollment that included answering various security questions at that time, he adds.
"You can imagine what that is like at the time of checkout," Nelsen says. "The consumer might abandon the sale, and it was unnecessary friction for the merchants."
After Visa established the 3D Secure technology in 1999, calling it Verified by Visa, other card brands followed. MasterCard established SecureCode in 2002, JCB International released J/Secure in 2004, and American Express offered its merchants SafeKey in 2010, the report states.
Report authors Julie Conroy and Rick Oglesby interviewed Visa, MasterCard and vendors of risk-based authentication services, as well as 12 executives representing acquirers and payment gateways, 10 risk executives working for large issuers, and nine risk executives working for merchants with greater than $1 billion in annual transaction volume.
The current 3D Secure relies more on dynamic data, such as one-time passwords or two-way text messages that change frequently to provide added security. Issuers also implement a risk-factor authentication approach.
Current implementations rely less on pop-ups and give merchants more control over establishing rules for authentication that allow low-risk transactions to proceed more quickly, the report says.
The improvements in 3D Secure came about as a collective industry effort with Visa and MasterCard at the forefront, says Conroy, a senior Aite analyst and fraud expert. "Cardinal [Commerce], as the dominant provider of the merchant plug-in technology that enables merchants to access the service, took the lead in providing the rule logic to give merchants more control," Conroy says in an interview.
A closer look at 3D Secure is especially important for U.S. merchants because of the migration to EMV chip-based smart cards at the point of sale, a change that historically results in fraud attacks shifting to the card-not-present world of e-commerce.
An improved 3D Secure will provide extra defense, but it probably won't deter cyber criminals from directing their attention to card-not-present payments, Conroy says.
"The UK provides a good example of this," Conroy says. "3D Secure is more well-established there, but e-commerce fraud continues to be a big problem."
Nelsen adds that Visa considers 3D Secure to put merchants in a far better position to defend themselves, particularly with the risk attributes monitored behind the scenes.
"We are really using much more data than we ever have in the past," Nelsen says. A significant benefit is that the consumer making a purchase will complete a transaction much quicker, unless the transaction is deemed highly suspicious, he adds.
Merchants currently expanding their use of 3D Secure say the driving factors are the opportunity for reduced liability and interchange rates, combined with the transition of the technology to risk-based authentication, according to the report.
Even though North American payment gateways and acquirers expressed little awareness or interest in 3D Secure, citing minimal demand for the technology from their clients, they indicated that the current improvements will likely lead to an increase in demand, the report notes.
Aite suggests that payment networks need to educate the marketplace about the 3D Secure improvements, while issuers need to put the technology and risk-based authentication into their business plans.
If payment gateways don't have the ability to provide 3D Secure services, they should find a partner who can, Aite says.
"The networks need to take the lead in educating the eco-system about the changes in 3D Secure," Conroy says. "Technology providers such as Cardinal also have a vested interest in improving merchant awareness, because increased merchant uptake will translate to more revenue for these providers."