What is 3D Secure and how does 3D Secure work?
Fundamentally, 3D Secure authentication is a security protocol which adds a verification process to the payment layer by redirecting customers to a third-party page where they have to enter a SMS code or password to complete their online purchase. Three parties are involved in the process of completing a 3D Secure transaction: the merchant, the acquirer (e.g. Checkout.com) and the card schemes (e.g., VISA, MasterCard, etc.).
Initially deployed by VISA to improve the security of online ‘card-not-present’ transactions, other card schemes have quickly jumped on the bandwagon to develop their own products for 3D Secure transactions:
- Visa: Verified by VISA
- MasterCard: MasterCard SecureCode
- American Express: American Express SafeKey
- Discover: Discover ProtectBuy
- JCB: JCB J/Secure
While this protocol is an effective measure of adding a level of transaction security to the payment process, it is often associated with providing an undesirable customer experience, and consequently, having a negative impact on checkout conversion and revenue.
A merchant’s view
A major benefit of a 3D Secure system for merchants is that it provides an effective method of protecting users from the threat of payment fraud. This is particularly effective as merchants are no longer liable for certain fraudulent chargebacks when a customer denies they made the purchase. This benefit is also known as ‘chargeback liability shift.’
What is chargeback liability shift?
While 3D Secure doesn’t have the power to eradicate 100% of all fraud and chargebacks when a 3D Secure payment online is completed, it does provide an additional authentication step. This helps to reassure the cardholder and reduces the proportion of disputes, retrievals and chargebacks for the merchant. A merchant can typically expect to reduce chargeback and fraud as well as customer complaints by approximately 80%.
With 3D Secure, can a merchant expect to never have a chargeback again?
Unfortunately no. The notion behind the liability shift is a little more complex than this. First, it’s vital that the difference between fraudulent chargebacks and non-fraudulent chargebacks is defined.
A non-fraudulent chargeback typically occurs when a consumer has made a purchase with their card and is not happy with the service or the goods delivered. When this occurs, instead of asking the merchant for a refund or exchange, the customer may call their bank, explain the issue and get their money back.
Fraudulent chargebacks, on the other hand, can be broken down into the following two sub-categories:
- The first one is often referred to as ‘friendly fraud’ or ‘online shoplifting.’ This transpires when consumers aim to get their money back for a good or service they have received and are perfectly happy with. The ultimate aim of this scenario is to obtain the product or service for free by leveraging the existing card scheme rules
- The second situation is related to real fraud where criminals use stolen cards or stolen card numbers online to make a purchase. The legal cardholder will then naturally initiate a chargeback to reverse the fraudulent charge when they realise what has happened
With this in mind, it’s important to note that 3D Secure only protects merchants against fraudulent chargebacks.
So what are the other benefits for merchants?
By using 3D Secure, merchants can increase their profitability in one of the following ways:
- Get cardholders to engage in higher transaction values as their level of confidence is increased
- Target and capture customers associated with a higher risk rating
- Reduce the resources allocated to chargeback: disputes management, chargeback fees and other penalties that are connected to different card scheme rules
Along with 3D Secure, there are some additional recommendations for merchants that can assist them in reducing their exposure to chargebacks:
- Disclose shipping, returns and cancellation policies in a smart way, ensuring that clients have access to these details during purchase and can easily locate these at a later date
- Use a good billing descriptor that allows customers to easily match their purchase to the correct website when they are checking their credit/debit card statement. Failure to set a good descriptor may lead to legal cardholders initiating a chargeback for a transaction they do not recognise on their statement. This is because they are unable to easily link between the transactions that have actually been made
Why don’t all merchants use 3D Secure?
Simply put, the use of 3D Secure represents a compromise between having that additional layer of protection and the risk of a reduction in conversion rates. Taking a deeper look at this, conversion rates via 3D Secure could be influenced by a host of different aspects, not just when the cardholder fails to authenticate.
One of the most common factors here is in relation to the merchant’s target market. Merchants are reminded that the adoption of 3D Secure is not consistent across countries. This is down to the fact that some banks just don’t support this implementation aka a non-participating bank.
That being said, if a merchant makes the decision to process all of its transactions in 3D Secure, there is a chance that a large portion of these transactions will be declined – particularly if they have a large contingent of clients in countries such as the U.S., where 3D Secure is still very much in its infancy. The solution here is to use 3D Secure wisely, only triggering the authentication method in markets where adoption is already high. At the same time, apply other risk mitigation solutions where adoption is low or almost non-existent.
Attempt Non-3D Secure charge
At the processing level, outside of the merchant, acquirer or gateway, when it appears that a 3D Secure transaction cannot be completed, there is an alternative route in place to help push the transaction through. For example, when a card is not 3D Secure enabled or enrolled, or even when there is a system malfunction associated with issuing banks resulting in the 3D Secure system being down.
When this occurs, some processors have the ability to ‘downgrade’ the transaction to Non-3D Secure in an automated fashion so that the merchant doesn’t lose the sale. It’s worth noting that there is a trade-off here. There is no liability shift, thus meaning there is no protection for the merchant in the case of fraudulent chargeback.
A consumer view
While as a customer it’s reassuring to see an additional layer of protection, the 3D Secure stage can at times be incredibly frustrating. This might be because:
- There is an extra step in the checkout process and it’s one that doesn’t always remember the set password
- There are issues with other authentication processes
- The card used to make the payment is not eligible for 3D Secure so the purchase cannot be made
It's also worth remembering that 3D Secure is not always optimized to operate on certain devices.
Rules-based payer authentication
There are certain issuing banks that have developed a risk-based authentication system that allows merchants to benefit from the liability shift that comes with particular transactions. In these cases, the cardholder is not required to present any credentials. This is better known as ‘silent authentication.’ Here the shopping experience is not affected whilst the issuing bank works to ensure there is no risk and the liability shift applies as normal.
As ecommerce continues to grow, 3D Secure will also evolve in order to cope with the flurry of online transactions that occur in a multi-interface environment. Merchants are looking to strike that balance between providing additional layers of security and reassurance while still delivering consumers with a seamless user experience that enables them to complete their transaction with ease. While 3D Secure is not yet the finished security solution, it does go a long way in protecting both merchants and consumers against the increasing threat of payments fraud.