Unpopular E-Pay Security Improves Usability, but Merchants Remain Wary
U.S. merchants are still reluctant to embrace 3D Secure technology to protect card-not-present transactions, even though it has vastly improved from the initial tedious version that irritated consumers more than a decade ago.
Even more improvements are expected in a 3D Secure 2.0 specification from the EMVCo standards body this year. If merchants and issuers like what they see, the amount of 3D Secure-enabled transactions globally is likely to continue a trend in which 18% of all e-commerce transactions moved along 3D Secure rails in 2015, up from only 6% in 2013, according to new research from Aite Group.
Still, many merchants can't get the friction-laden process of the first version of 3D Secure out of their minds and don't know about the improvements, said Julie Conroy, research director and fraud expert with Boston-based Aite Group. For the most part, U.S. merchants equate 3D Secure, a technology introduced by the card brands to fight online fraud, to lost sales more so than as a fraud protection, said Conroy, who authored Aite's update on 3D Secure released this week.
Aite Group interviewed 31 executives from global merchants, issuers, payment networks and processors, and 3D vendors in November and December of 2015 in compiling findings.
A negative view from merchants is understandable, considering when 3D Secure made its debut in 1999 it relied on static passwords and other authentication steps for every transaction, in addition to popup boxes that seemed to appear randomly and confused consumers who never had much training with the technology.
Developers have smoothed out a lot of that friction, mostly through establishing risk-based authentication and getting rid of pop-up boxes, Conroy said.
"It is not asking for a password every time, thus phasing out the passwords so the consumer is doing something they can actually input and get right, like a one-time password, rather than a static password you can forget," Conroy added.
In addition, the new 3D Secure does not require card enrollment, a facet that fraudsters took advantage of in the past simply by enrolling stolen cards and assuring that any transactions using those cards would be authorized, Conroy said. In its latest versions, 3D Secure lives up to its name "as really pretty solid and secure," Conroy added.
Aite issued a similar report nearly three years ago, touting 3D Secure's improvements, but the message remains relatively muted in the U.S.The report did not cite specific adoption numbers in the U.S., but use of 3D Secure is far more common in European and Asian countries that have experienced the spike in card-not-present fraud that U.S. merchants are expecting to see soon in the aftermath of the 2015 EMV liability shift and the first post-holiday transaction statements.Australia, with less than a 3% adoption rate, should see an increase in the coming year as regulators mandate use of 3D Secure for e-commerce transactions, Conroy said.
CardinalCommerce is the only security vendor currently enabling merchants in the U.S. to use 3D Secure, Conroy said.
And there are signals that U.S. merchants are warming up to 3D Secure as a method to thwart card-not-present fraud. CardinalCommerce says four of the five largest transacting merchants in the U.S. are using 3D Secure for some portion of their volume, or plan to start this quarter, Conroy said. "That's a sea change from two years ago."
In turn, some merchants globally remain cautious about sending transaction volume into markets where consumers are not educated about 3D Secure for fear of losing sales, the report said. One merchant had 3D Secure enabled in the U.S., but decided to turn it off because of a social media backlash over the user experience.
The use of 3D Secure will be gradual in the U.S. as merchants measure the fraud risks versus the attrition rate as they test the technology, Conroy said.
"The U.S. will continue to be slow to embrace 3D Secure because we have a population of consumers not tolerant to friction," Conroy added. As the newest version of 3D Secure becomes available, the card brands are likely to put more effort behind an education campaign for use of the fraud protection, Conroy said.
Plus, e-commerce merchants have much to gain if card-not-present fraud skyrockets because use of 3D Secure represents their version of the EMV liability shift. A merchant with 3D Secure passes the fraud liability back to the issuers.
In the meantime, some merchants have figured out how to create a win-win scenario for themselves when sending 3D Secure transactions to an issuer.
In using the BIN lookup tables supplied by CardinalCommerce, a merchant can determine whether an issuer supports 3D Secure and in what fashion, Conroy said.
"Based on whether it is password or risk-based support, the merchant can decide on whether to send transactions to that issuer or not," she added.
But some are sending transactions to issuers they know do not support 3D Secure on their side, thus shifting the fraud liability to the issuer and also not risking any consumer friction on the transaction, Conroy said.
"One merchant said by sending 20% of its U.S. card-not-present volume to issuers that can't support 3D Secure, they have saved a few million dollars a year," Conroy added.
Merchants will continue to have concerns about transaction latency, fearing some may take as long as 10 seconds, as well as fees associated with using 3D Secure as the technology advances, the report said.
The technology is called SafeKey for American Express, 3D Secure for China UnionPay, ProtectBuy for Discover, J/Secure for JCB International, SecureCode for MasterCard and Verified by Visa for Visa.
Merchants operate the technology through a plug-in, while issuers enable the software through an Access Control Server to communicate with the consumer and provide a risk-based analysis and stepped-up authentication on the card credentials.