Objections to 3-D Secure are shortsighted

Imagine that to cut costs, door makers do not install any locks. A lock, after all, is detrimental to door usability: it adds an additional step to the otherwise smooth process of entering and exiting the premises. Of course, it does increase the security of the homeowner, but on the other hand, people have to carry keys with them any time they want to go through the door, and keys can be lost or broken.

Even though this metaphor is a bit stretched, it resembles the typical argument against an online cardholder authentication method such as 3-D Secure. Indeed, adding another authentication step in addition to typing in the CVV is an obstacle; it creates friction.

If a fixed password is used, it can be forgotten. If a one-time password is texted to the user, they might not have their phone with them, or the cell reception could be too poor, or the number on record may be wrong. There are several factors that could complicate the process.

Initial implementation of the 3-D Secure protocol, under different brand names, was largely voluntary. Merchants weren’t required to use it and some were willing to accept the risk of higher fraud rates instead.

For some merchants, especially during the early days of the protocol, the effort and the cart abandonment (sometimes as high as a double-digit percentage, according to research by Visa) were much costlier than higher levels of fraud-related chargebacks. In instances where two merchants sold similar goods, consumers often preferred the one without an authentication method due to ease of use. This also hindered protocol adoption and 3-D Secure was gradually abandoned.

During the last three years, several things happened. The United States, the biggest and oldest card payment market in the world, began its shift to EMV technology for in-store payments. This shifted card fraud into unprotected card-not-present environments. In parallel, card schemes (via the EMVCo body) decided to take another go at 3-D Secure and developed 3-D Secure 2.0. 3-D Secure 2.0 was also a better fit for mobile commerce and it extended possibilities for reducing payment friction with risk-based authentication.

In Europe, regulators moved to combat payment fraud and, as part of the PSD2 directive going into effect Sept. 13, 2019, strong customer authentication is required for each payment, online or card-present. In the online world, card schemes have translated this requirement into practically mandatory use of 3-D Secure 2.0 across Europe.

It is certain that, for a while, until the technical issues are resolved and the finer points of the mandate exceptions are worked out, there will be a surge in cart abandonment. This is more a property of any major change in the industry than it is an attribute of the specific technology.

The consumer experience, however, will remain uniform across all European merchants due to uniformity of regulatory requirements. As the old cynical joke goes, if you run away from a bear with your friend, you don’t have to outrun the bear—you just need to outrun the other guy. Therefore, after the initial adjustment period, consumers will be used to an additional authentication step, having encountered it on every website, and abandonment rates will subside again.

Of course, blindly forcing any visitor to attempt 3-D Secure authentication is challenging: it will take a long while until U.S. customers and banks roll it out across the board. However, it’s clear that for intra-European commerce, the short-term disruption will be offset by the huge long-term benefit of greatly reduced payment card fraud.
