DT, December 2016
December 1, 2016
It’s Round 2 for the online-authentication technology known as 3-D Secure, and security experts say it stands a good chance of being more popular than the original version.
EMVCo, the chip card standards body owned by the world’s six leading payment card networks, released 3-D Secure 2.0 in late October. Visa Inc. originally developed the 3-D Secure technology for protecting e-commerce transactions about 15 years ago and branded it “Verified by Visa.”
The company offered the underlying technology to other networks, which put their own brands on it. But many merchants refused to use 3-D Secure because of the “friction” it generated by having a buyer leave the merchant’s Web site to complete authentication steps in a pop-up window, leading to abandoned transactions.
Over the years, card issuers and processors worked out protocols that reduced the friction, but merchants didn’t shake their fears about lost sales. That prompted the networks to take 3-D Secure into EMVCo’s shop for a reboot (“Securing the Future of 3-D Secure,” July).
Boston-based research firm Aite Group LLC estimates that only 18% of U.S. e-commerce transactions used 3-D Secure in 2015—not many, though far better than the 6% in 2013.
Transaction abandonment should be much less of an issue with version 2.0, says Mike Keresman, founder and chief executive of CardinalCommerce Corp., a Mentor, Ohio-based e-commerce-services firm. The new specification puts the complexities of online authentication behind the scenes, he says.
“It will address quite a few of the issues, and yes, merchants will adopt, because they’re going to get higher authorization rates,” says Keresman. “It is designed to be smoother, a friction-free environment for the consumers.”
“I do think we’ll see an uptick in use of 3DS 2.0,” Julie Conroy, research director at Aite, says by email.
The new spec is more than 200 pages long, but Conroy says “there were no big surprises in it. The networks have been talking about the direction this is going in for quite some time.”
The specification addresses security for technologies that have bloomed since 3-D Secure first appeared, including app-based purchases on smart phones and other mobile devices, as well as traditional browser-based e-commerce channels. It also addresses so-called step-up authentication systems such as one-time passcodes and biometrics.
“Besides security, the consumer experience is central to EMVCo’s work,” Jonathan Main, chairman of the EMVCo Board of Managers, said in a news release. “In addition to engaging with industry experts, we conducted user testing in multiple markets to understand consumer preferences for verifying their identity online. Feedback has been incorporated into the new global specification to also accommodate country-specific preferences and regulatory requirements.”
While one-time passcodes, which could be sent by text message to the buyer and entered into the checkout page to confirm the transaction, are seen by many in the payments industry as more secure than static passwords, they aren’t invulnerable, according to Conroy.
“We are seeing criminals have success in compromising that in a number of countries,” she says. “This highlights the importance of looking to other capabilities, such as biometrics, as the stepped-up form factor.”
CardinalCommerce developed the online security service called Cardinal Consumer Authentication, which uses 3-D Secure protocols when appropriate, according to Keresman. But the service goes beyond 3-D Secure in assessing variables about the device used for an e-commerce transaction, as well as data from merchants about their customers and from issuers about their cardholders, says Keresman.
“The prevailing thought is we’ve got to make sure the good guys can buy,” says Keresman.