M-commerce and IoT need the latest authentication protocols

Register now

Most credit/debit card issuers are relying on an updated version of the original authentication protocols that were developed in the early days of digital commerce.

Called 3-D Secure or 3DS, this set of authentication protocols establishes the standards by which card-issuing banks and merchants communicate to verify that the person conducting the transaction is the cardholder.

Although the underlying, fundamental purpose of 3DS was sound, creating a real-time authentication process online, its implementation resulted in a lot of friction around the checkout process, so merchants have been hesitant to deploy it. In addition, the original protocol lacks provisions for mobile, in-app or IoT transactions and includes limited cardholder information.
But a new authentication protocol, aptly named 3DS 2.0, was recently finalized through EMVCo, the global technical body that facilitates the worldwide interoperability and acceptance of secure payment transactions by managing and evolving the EMV specifications and related testing processes. EMVCo is collectively owned by American Express, Discover, JCB, Mastercard, UnionPay and Visa and supported by dozens of banks, merchants, processors, vendors and other industry stakeholders who participate as EMVCo Associates. The new 3DS 2.0 standard is a giant leap forward for digital commerce.

3DS 2.0 is designed to vastly improve cardholder authentication, and in so doing, improve the digital checkout and payment process.

The old standard created a consumer authentication process where card issuers could interrupt the checkout flow, shifting consumers to the card issuer’s site to enter passwords or answer knowledge-based questions (mother’s maiden name, address, etc.). The new 2.0 protocol allows the merchant to retain control of the transaction even when the card issuer requests more information to approve a transaction.

With 2.0, almost everything happens in the background, creating a smooth, friction-free and safer checkout process for the consumer. If the issuer would like to challenge, the merchant will have the choice and control to decide if they want to proceed with the challenge or bypass authentication. Such challenges must be dynamic; for example, a one-time-password. The result is expected to be fewer false positives, authentication-caused abandoned shopping carts, lost transactions and frustrated consumers.

As important as frictionless transactions are, 3DS 2.0 also provides a secure and effective authentication process for mobile devices and in-app purchases from smartphones, tablets, gaming devices, smart TVs and digital assistants. As with the browser-based transaction, this new 2.0 process helps make mobile transactions fast, easy, safe and friction-free for the consumer, merchant and card issuer. For merchants, implementation of 3DS 2.0 means the elimination of chargebacks. This is particularly important for sellers of high-value items where even a few chargebacks resulting from fraud could be financially devastating.

Finally, 3DS 2.0 will help eliminate a major problem that creates a drag on the growth of digital commerce -- false positives. Each year, around $118 Billion in legitimate transactions are lost because they are declined by merchants or card issuers. These false positives frustrate consumers, and cost merchants and card issuers billions in lost revenue.

3DS 2.0 uses a richer, more useful set of data to authenticate consumers in the background during the transaction process, with the information transfer occurring in milliseconds in a secure channel that speeds the approval process. As a result, legitimate cardholders will be approved quickly, while cyber criminals will fail the challenge or be declined immediately.

To make this a reality, merchants and card issuers need to adopt 3DS 2.0. For merchants, implementing 3DS today will prepare them for 2.0 as card issuers (banks) are onboarded with the new standard over the next few years. For card issuers, upgrading to the 2.0 standard will give them a competitive advantage with merchants and consumers over banks that have not done so.

Change comes slowly to any system as large as the card-not-present payment system, so we can expect to operate for many years in a mixed environment with both the old and new standards. But it is time for the transition process to begin. (We are already seeing some card issuers implementing pilots and proof-of-concept tests of the 2.0 protocol.) Not only will 3DS 2.0 enable a smoother, easier and more secure online authentication, payment and checkout experience for consumers, it will help merchants and card issuers increase revenues, while simultaneously improving customer satisfaction.

For reprint and licensing requests for this article, click here.