Digital Transactions Authoritative, insightful and timely information for payments professionals
Card-not-present fraud is the bane of any merchant that operates an e-commerce site, and EMVCo, a standards body for the Europay-MasterCard-Visa (EMV) specification, hopes its newly assumed oversight of the 3D Secure authentication standard can help them.
Operated as Visa Inc.’s Verified by Visa and MasterCard Inc.’s SecureCode, 3D Secure systems try to replicate the point-of-sale experience by prompting cardholders to enter a secret code in a pop-up window when checking out from a retailer’s site. The measure is meant to reduce fraudulent online transactions. American Express Co. calls its 3D Secure service SafeKey.
While it may do that, it also had the unintended consequence of reducing sales for some e-retailers because consumers balked at the request for additional information.
“Merchants don’t like it because it has the screen pop-up and increases abandonment rates,” says Eric Grover, principal at Intrepid Ventures, a payments consultancy in Minden, Nev. Consumers generally have not liked using 3D Secure technologies because of the uncertainty they can create, especially if the consumer encounters an enrollment screen during the checkout process, Grover says. “It is somewhat disruptive to both sides and it’s never got any momentum,” he says.
EMVCo, which is owned by Visa, MasterCard, Discover, JCB, American Express, and UnionPay, says it will develop the EMV 3DS 2.0 specification and its certification program over the next year with the intention of making it easier to use.
EMVCo says the updated spec will “offer a more seamless consumer experience and reduce reliance on the cardholder to authenticate themselves via a password prompt, better integrating with a merchant’s offering and brand.”
The updated spec also will incorporate non-payment user identification and verification, while adhering to unique regulatory requirements around the globe, EMVCo says.
“We are very positive about EMVCo being a body through which [the spec] will be burnished and put back into the market,” Peter Forbes, executive vice president and head of the National Business Unit at Atlanta-based payment processor Worldpay, tells Digital Transactions News.
“3D Secure is poorly adopted here in the U.S.,” Forbes says. Part of the reason for that is that U.S. e-commerce merchants use many other tools to mitigate card-not-present fraud, he says.
Making 3D Secure easier to use for merchants and consumers will become paramount, especially if predictions of increased CNP fraud following the migration to EMV payments come to fruition, he says. “As the face-to-face environment gets secured, we are bound to see a push of losses into the CNP space,” Forbes says.
His hope is that the updated spec will be less reliant on issuers and less reliant on remembering another complicated password for each transaction and each card. As an example, Forbes, originally from the United Kingdom, says each of his U.K.-issued payment cards has its own passcode for use on 3D Secure-enabled sites. The technology was mandated for U.K. e-commerce sites, he says, but that was done almost 10 years ago, when the U.K. began its EMV migration, and when e-commerce accounted for smaller retail sales than it does today.
EMVCo’s involvement in the 3D Secure spec also could address a shortcoming in the EMV standard, says Beth Robertson, principal at consultancy Robertson Payments Services LLC, “namely, its vulnerability in supporting online transactions,” she says in an email message. “Integration of 3DS with EMV capabilities could serve to build support for EMV conversion.”
EMVCo says the updated standard should be published in 2016.
