The earliest implementations of the 3D Secure e-commerce system amounted to a password for consumers' payment cards and a link between consumer and card issuer an idea that is growing stale in a world where consumers are able to authenticate payments with more sophisticated tech.
To bring 3D Secure into the modern age, EMV standards body EMVCo will develop the next generation of online authentication protocols with the goal of supporting emerging mobile payment technologies. EMVCo hopes to have a new standard in place for market deployment in 2016.
This aligns with the goals of 3D Secure's proponents, Visa and MasterCard. In November of 2014, the card brands announced that they were working to develop a security method to replace passwords. EMVCo will take the draft framework they developed and move it forward with the new 3D Secure standard.
American Express, Discover, JCB, MasterCard, UnionPay and Visa collectively own EMVCo.
Visa recently declared it would donate its code base to EMVCo, setting the stage for a "truly collaborative, non-competitive environment" as it relates to 3D Secure, said Julie Conroy, research director and fraud expert with Boston-based Aite Group.
"It really highlights the importance that all of the networks see in the security of card-not-present transactions," Conroy said. "EMVCo will have multiple voices that will have a say in how this will evolve, and this will help the industry move the protocol forward."
The timing of this initiative is in line with the U.S. shift to EMV-chip cards, which improve security at the point of sale but have the unintended consequence of driving fraudsters to card-not-present channels.
The enhanced 3D Secure specification will make data available during a transaction to make more intelligent risk-based decisions, EMVCo said in a Jan. 8 press release. It will also support non-payment user identification and verification, as well as country-specific and regulatory requirements for cardholder authentication in the card-not-present environment.
3DS 2.0 will provide an infrastructure that allows cardholders, issuers and merchants to establish a secure link to authenticate each party, Tac Watanabe, EMVCo executive committee chair, stated in the release.
"Increased security, however, should not cause product abandonment or make online shopping inconvenient," he added.
Separately, the Faster IDentity Online Alliance, an organization of more than 150 payments and technology businesses, released standards last month for multi-factor e-commerce authentication that would eliminate reliance on passwords.
The password may still remain in some form even after these initiatives take effect, Conroy said.
"I think one-time dynamic passwords will still remain in the mix, but I do see the endgame for 3D Secure as eliminating static passwords because they just don't work anymore," she added.
Visa and Arcot Systems first developed 3D Secure, the technology behind Verified by Visa and MasterCard's SecureCode, in 1999. Merchants that used this early version grew frustrated because the various passwords, security questions, pop-ups and enrollment forms added enough friction to e-commerce that consumers would abandon their shopping carts.
But by April of 2013, industry researchers were singing the praises of improvements to 3D Secure that reduced many of the pop-ups, extended security questions and enrollment forms.
Visa also added 3D Secure technology to the risk-based Consumer Authentication Service it initially introduced in late 2012.
Visa will maintain sole ownership of the 3D Secure version 1.0 specifications, while EMVCo will operate the new 2.0 specification. EMVCo says Visa plans to phase out version 1.0 as the 2.0 standard reaches maturity.
EMVCo has also been developing the technical framework for payment tokenization, which will strengthen security by replacing sensitive payment data with a secure value called a token. The technical framework will help merchants, acquirers, card issuers or new payment companies develop tokenization software.