3D Secure — commonly implemented as a prompt for an extra password during an e-commerce checkout — was too clunky to appeal to consumers in its original form. But a nearing upgrade could turn 3D secure into a staple of e-commerce by tying it into mobile wallets.
The end result could make mobile wallets the far easier and safer way for merchants to conduct business online. Much like Apple Pay and Android Pay can be used for in-app purchases on smartphones, in an upgrade to 3D Secure they would be woven into e-commerce as a way to bypass the prompt for card account numbers and passwords.
"When you look at how Apple Pay works for in-app payments, it runs on the 3D Secure rails already, and they have laid the groundwork for this," said Al Pascual, research director and head of fraud and security for Javelin Strategy & Research. "So this is an inevitability."
Two major payments industry standards bodies operating through the card networks —EMVCo and the Payment Card Industry Security Standards Council — have collaborated on the development of 3D Secure 2.0 and are preparing for its launch by the end of this year.
The card networks and merchants use the 3D Secure messaging protocol to enable consumers to authenticate themselves with card issuers when making online purchases through a PC Web browser. In its original form, it essentially operated on a 100% challenge rate, or viewing each transaction as potential fraud and making loyal customers dig up a password to get through the Verified by Visa or Mastercard SecureCode prompt.
Even though this system shifts fraud liability to the issuer, merchants found it too disruptive to the checkout process and today most e-commerce sites ignore it.
The 2.0 version instead favors a risk-based screening method, as opposed to a constant barrage of passwords, security questions and pop-up forms that drove customers away.
The updated 3D Secure comes at an opportune time. Increasingly, consumers are able to make mobile wallet payments through Chrome for Android Pay and Safari for Apple Pay, and merchants will take notice.
It's also probably no coincidence that JPMorgan Chase has been aggressive in landing merchant clients for its Chase Pay mobile wallet, which consumers can use for in-app and online payments, with a target launch date that would shortly follow 3D Secure 2.0's implementation.
"I think intrinsically tying mobile wallets to 3D Secure in the way the networks did, it is a very clever Trojan Horse play and it is not just in-app," Pascual said. "If merchants want a piece of that pie, they are going to have to support those forms of payments."
In that regard, it is "a bit of a back-door for 3D Secure," he added.
In addition, the advancement of 3D Secure for mobile commerce will make mobile wallet developers take pause, Pascual said.
"It increases the pressure on the mobile wallet side, for whether those developers want to go at it alone," he added. "That's not to say it is a monopoly, but more that it will allow them to work with the card brands and not fight. Any time they work against each other, they all end up with a little less."
The major card brands have been tweaking their approach to 3D Secure to improve user experience in anticipation of the updated version, with Visa revealing late last month its intention to do away with passwords for certain transactions in the Verified by Visa process.Mastercard, in turn, developed Identity Check — commonly known as "Selfie Pay" — as another way to modernize the 3D Secure process.
"I'm optimistic that 3D Secure 2.0 is going to break through the roadblock that has existed for some time — if they do it right — and it should take care of the problem of abandoned shopping carts and improve on those abandonment rates," said Tim Sloane, director of emerging technologies advisory services for Boston-based Mercator Advisory Group.
As the new version is deployed into browsers and mobile apps, those options will become far more secure, Sloane said. Merchants may look at Apple and Google as offering more secure methods currently, but the new 3D Secure "ultimately represents a solution for all networks," Sloane added.
"My expectation is that we will see everyone gravitate to this new version of 3D Secure, and it has a goal to get mobile payments more widespread," Sloane said.
In its preliminary stages, 3D Secure 2.0 will be available to EMVCo members and other organizations, and it will ultimately carry "a much more nuanced ability for data to be shared with the issuers so good decisions can be made to lower abandonment rates across all networks," he added.
3D Secure operates under different brand names. It is called SafeKey for American Express, 3D Secure for China UnionPay, ProtectBuy for Discover, J/Secure for JCB International, SecureCode for Mastercard and Verified by Visa for Visa.
EMVCo, collectively owned by those card brands, has been working on the 3D Secure 2.0 protocol since early 2015. The card networks are hoping 2.0 and its tie-in to mobile will garner fresh support from merchants, who are aware of its need in light of fraud moving to e-commerce with the advancement of EMV chip cards at the physical point of sale.
Despite some concerns among merchants that the card networks essentially make all of the rules under the EMVCo and PCI frameworks, they have generally supported efforts to improve the protocol. Plus, it is difficult to imagine any other entity on the payments or security landscape taking on the task of developing scalable and workable e-commerce protection.
"It's reflective of the fact that effective security is a complex fabric," said Julie Conroy, research director and fraud expert with Boston-based Aite Group. "To the extent that these specification and standards bodies have uniform oversight, it makes sense for them to collaborate to ensure that the deployment of new technology does not inadvertently create new gaps or opportunities for criminals to compromise the new infrastructure."
Too often, the bad guys are the first to discover and exploit accidental back doors, Conroy added. "In-app security will be a huge consideration here; one of the stated goals of 3DS 2.0 is to make 3DS more workable in the mobile environment."
Ultimately, 3D Secure is being built into a yellow brick road that can guide the industry to mobile technology.
"All roads lead to mobile wallets," Javelin's Pascual said. "In a world where consumers gradually move their lives to the mobile device, this is a synergy that is all working toward that end."
The networks have seen this unfolding for some time, Pascual added. "This is why they decided to play ball and get integrated with mobile wallet providers, rather than working against them."