Digital Transactions Authoritative, insightful and timely information for payments professionals
Visa Inc. announced Thursday that credit and debit card issuers in Europe will be the first issuers to adopt Visa’s program for using 3-D Secure 2.0, the impending update to an authentication protocol for online transactions originally introduced more than a decade ago.
Visa said certain rules, such as fraud-chargeback protection on merchant-attempted 3-D Secure 2.0 transactions, won’t be activated until April 2018. An exact date is not available yet, Visa said.
EMVCo, the standards body backed by five global card brands, expects to release the 2.0 version of the 3-D Secure protocol this fall. The big news with 2.0 is that it will work with in-app and digital-wallet payments as well as browser-based transactions. It will also call on merchants to supply a good deal more information to help issuers make an authorization decision.
For example, the current version of the protocol has only 11 data fields. The new data flow may include such items as the e-mail addresses, mobile-phone numbers, and shipping, billing, and IP addresses of consumers. Merchants deploying 3-D Secure can transfer liability for fraudulent online transactions to the issuer and can qualify for an interchange break.
Visa expects the first transactions processed with the new protocol will happen as soon as the first half of 2017, Mark Nelsen, Visa senior vice president of risk and authentication products, tells Digital Transactions News. Visa has not yet set a sunset date for the current version of 3-D Secure, he notes, adding that dates for other Visa regions to adopt the update will be announced later.
3-D Secure is widely used already in Europe, but has found limited adoption in its current form in the United States. Only about 18% of U.S. e-commerce traffic is running through 3-D Secure rails, according to a report by Julie Conroy, research director at the Aite Group, though that percentage has tripled just since 2013.
The integration of 3-D Secure 2.0 will vary among participants. Consumers should notice less friction in the checkout experience, but won’t have to make many changes.
Merchant integration work will vary because many merchants use vendors that provide this technology, but some don’t, Nelsen says. For example, the latest version of an application programming interface from CardinalCommerce Corp. already collects the necessary data, Nelsen says. “If the merchant is using an older API, they’ll need to work with their service provider,” he says.
Issuers will have to do the most work to adopt 2.0, though, again, most use a third-party for the service, Nelsen says. These vendors will need to be able to receive the new data fields and provide issuers with the capability to write rules against that data set, he says, adding this is why Visa put the soonest compliance date 18 months away.
“The issuer has to get visibility into those transactions so they have the confidence to assume the liability of the risk,” Nelsen says.
