To meet PSD2 needs, Marqeta built its own take on 3D Secure
For Marqeta, the advancement of 3D Secure 2.0 in Europe presented an opportunity to design its own version of the online security protocol in order to claim ownership of the standard and provide more flexibility for its use with customers.
In that regard, the Oakland, Calif.-based global payment platform provider took a far different path than most other companies that would generally turn to a third-party provider to use Visa and Mastercard's security protocols.
"On the issuer side of things, I am definitely seeing most of them preferring to go with a third-party solution provider," said Julie Conroy, research director and fraud expert with Boston-based Aite Group. "The specs have been out there for a long time, but when you have folks that have already built out a robust risk engine — and in some cases, with a consortium component to it — there are a lot of compelling factors that would lead you to want to go with something like that, rather than build it yourself."
Marqeta needed to not only build to the specification in-house but had to be ready to roll it out in time for bank clients and merchants to meet the requirements of Strong Customer Authentication under the PSD2 mandate in Europe.
"We spent some time looking at the options we had on whether we wanted to invest in research and development for our own 3D Secure in order to deliver this service, or do it through a third party," said Kevin Doerr, chief product officer at Marqeta. "It is complex, but we decided to give our customers the flexibility they need to create their own experience. We simply doubled down on the next version of 3DS and built it all ourselves."
In choosing to create its own 3D Secure for card-not-present transactions, Marqeta worked off the Visa specifications and integrated various options to provide that customer flexibility and become one of the first card-issuing platforms to have its version certified by Visa.
"We were already on the 3DS train for a long time, being one of the first to use the initial version, and we felt it was a good idea to get ahead of the curve on this and have it available for our customers when they needed it," Doerr added. "In order for security to be a core competency for us, we felt we needed to own our version of 3D Secure."
As a white-label provider of card issuing and processing services, Marqeta is going through the final testing stages of its 3D Secure with Twisto, a digital banking provider in Eastern Europe. Twisto is leveraging Marqeta's open APIs to design its authentication experience with biometrics and 3D Secure within its mobile banking app to eliminate the use of static passwords.
Twisto says it sees the need to have a flexible security standard in place for its customers.
“Our customers expect a seamless check-out experience with our mobile app, and we knew we needed to find a solution that would allow us to reduce fraud while also providing us full control over the cardholder experience," Twisto founder and CEO Michal Smida said in a press release.
Initially, the European customer base was the primary impetus for development, Doerr said. But the company intends to roll out an option in the U.S. in the future. As soon as the Twisto testing is done, Marqeta intends to make its 3D Secure available to all clients and prospects.
Marqeta began moving to digital card issuing technology about six years ago, though its business model continues to call for plastic card issuing as well. But with COVID-19 resulting in more customers purchasing products and services online it has raised the stakes for e-commerce security for banks and merchants alike.
"COVID has created a huge uptick in digital wallets, as consumers are looking for that contactless experience," Doerr said. "But plastic cards are still a big part of our business, especially in the issuing-on-demand area, because consumers still like the plastic card in their wallet to support digital products."
Issuers using Marqeta 3D Secure will essentially own and customize the authentication experience for their cardholders; authenticate and authorize transactions on one unified platform to minimize integration and cost; and enhance data sharing between parties to better identify cardholders and reduce friction.
Marqeta views this technology as an opportunity for its banking customers, but also those in the financial lending industry and other sectors to firm up online security. "We will correlate the 3DS requirements into our own spec, broaden it and let the customer make determinations on when and where a transaction should be challenged," Doerr said.
3D Secure has to be in place by January of 2021 to meet authentication requirements of PSD2, and the card networks are expected to enforce liability shifts on issuers or merchants not applying the standard.
"It's a public EMVCo specification," Aite's Conroy said. "If you code it up and get certified, you can run your own rules on it."