Issuers to get a trove of new risk data after 3-D Secure testing milestone
After 20 years of working with a clunky, time-consuming 3-D Secure authorization method for online purchases, the wheels are finally in motion to get the upgraded 2.0 version in place for merchants and banks, granting access to more data for spotting fraud.
Those involved in the process point to EMVCo's testing platform of 3-D Secure for service providers as a step that not only accelerates adoption, but establishes the new digital rail that assures 3-D Secure 2.0 can adapt to a mobile environment, the Internet of Things and purchasing products through gaming devices or connected cars in the future.
EMVCo is the EMV specifications and standards body owned by the major card brands. It has been emphasizing the importance of card-not-present security now that chip cards have a firmer hold at the physical point of sale.
"It's a very critical milestone on the journey to really enhance all of the networks so we can prepare for the digital age, and it is something we have been working on for more than five years at this point," said Bob Reany, executive vice president for identity solutions at Mastercard.
Most important, the 3-D Secure rails represent an open standard, one that will operate the same for everyone and change and advance as technology demands it in the future, Reany added.
Because the original version of 3-D Secure forced consumers to jump through various authorization prompts to complete a transaction, it often led to abandoned shopping carts. Much of the merchants' disdain for 3-D Secure stemmed from the fact that it was a technology licensed only through Visa (Mastercard SecureCode was based on the same protocol but wasn't considered part of 3-D Secure). That meant many felt there wasn't a lot of input on how it could or should operate to best serve merchants and cardholders.
In the years following, 3-D Secure 2.0 came about as an EMVCo open standard in which Visa, Mastercard and others, including Google and Microsoft, had significant input and shared intellectual property.
"We brought in acquirers and issuers, so it was a much bigger play," Reany said. "This standard will now live on, and it's not a take-it-or-leave-it proposition that won't change for 10 years."
Eventually, merchants using 3-D Secure for transaction authorization will benefit because the cardholder will authorize directly with the bank, using fingerprint or facial scans or other technology when needed.
As much as anything, it was simply time for a change.
"The 3-D Secure 1.0 has been around for almost 20 years and so much has changed with mobile and digital since then," said Stephanie Ericksen, vice president of identity and risk products at Visa. "Going to 2.0 is going to give us the ability for issuers to get more data in a faster way."
That enables direct authorization between the consumer and the bank, with far less back-and-forth messaging, Ericksen said. "It will carry about 10 times the amount of data in one package, which is far better for the bank for risk-based scoring."
Because of the extra data, it would be a rare case for an issuer to prompt a cardholder for a one-time password or seek a biometric fingerprint or selfie scan, Ericksen added.
"It is all architected better for the mobile and digital world, and it's better for fast transmission of data and payload," she said. "The result will be less risk of cart abandonment, better security, faster checkout and increased sales. But the exciting thing is that we really are just on the cusp of it now, with the EMVCo testing platform being available."
In the past, an issuer would receive the acquirer bank identification number and the consumer account number, and some information about the browser being used to complete the transaction. With the 2.0 upgrade, the issuer and the access control server would receive data to fit in all models and algorithms for risk evaluation, making it easier to quickly differentiate between an online purchase of something like gift cards or a recurring payment for a prescription — and which of those would be uncommon for certain accounts, Ericksen said.
"It will be a little bit of an art and science initially in determining how best to use the enhanced data to make better decisions," Ericksen said. "But it also gives better capability when the issuer wants to do a step-up of the cardholder and seek a biometric or one-time password."
No one, including the card networks, considers this some sort of magic wand that will eliminate all fraud problems. Still, it's a significant step in moving the consumer and authorizing bank closer together at the time of a transaction.
While 3-D Secure 2.0 shows a lot of promise, the industry is still seeing 15% to 20% aggregate decline rates for card-not-present transactions, said Julie Conroy, research director and fraud expert with Boston-based Aite Group.
"That means a lot of those are false declines," Conroy said. "So, as I talk to merchants, the real excitement is around leveraging these enriched data sets to better inform transactions and reduce false declines."
But no improvement will render passwords immediately obsolete.
"Those of us in the payments and security space know that passwords are a relic, but we actually have multiple bodies of research that show that consumers are still ridiculously comfortable with them," Conroy added. "And, even worse, consumers think passwords are effective, which is part of the reason why it’s taking us so long to move beyond them."
In the meantime, Visa and others say the trend is moving toward consumers embracing new technologies and ultimately ditching static passwords.
"We have research that says at least 30% of people forget a password every week," Visa's Ericksen said of the network's recent assessment of global authentication opportunities. "People have to authenticate themselves almost 100 times a day and come up with new passwords, so moving to a biometric is just an easier process and can be completely invisible to the consumer."
Plus, the advancement of the 3-D Secure 2.0 rails complements other safety measures, including the General Data Protection Regulation in Europe and a similar process in California that puts far more restrictions on what businesses and merchants can do with consumer data, and how long they can store that data.
"The good guys need to invest in new technology," Mastercard's Reany said. "These things are harder to do, but it raises the game with new standards, and we all know how to play and how it works."
That, ultimately, is the best way "we can fight back against hackers" because there will be no end to the fraud challenges that will develop over time, Reany added.