The global rollout of EMVCo’s Three-Domain Secure protocol (3DS) continues in earnest as the card networks impose geographic deadlines for the implementation of 3DS2 (3DS 2.0, as it is also known) by 2019 and 2020.
In the meantime, the card networks will take the stick to straggler merchants and issuers in the form of higher fees for non-3DS compliance. These fees are designed to promote adoption of the protocol and its overriding aim of reducing card not present (CNP) fraud.
From version 1.0 to 2.0
Since 3DS was first conceived in 2001, the market has changed considerably, giving rise to the second iteration, 3DS2. Most notably, to reflect the technological changes that increased mobile usage has brought about, and to respect consumer demand for a frictionless payment experience. 3DS2 now includes specifications for biometrics (fingerprint) and one-time-passcodes.
Perhaps most crucially though, the data-rich protocol allows for a greater exchange of information, with up to 100 unique variables including IP address, MCC, delivery details and account age.
By evaluating this additional information, issuers can decide whether to prompt further authentication challenges, using risk-based analysis, advanced analytics, and more and more frequently machine learning, to assess the risk profile of the payee and payment. The ultimate goal is to safely apply SCA exemption for a faster, frictionless checkout experience.
If the technology has shifted since 2001, so too has criminal focus. With the adoption of EMV chips which, according to Visa, has reduced fraud by as much as 82% in card present situations at US merchants having migrated to EMV compliant POS equipment, fraudsters have moved online to the more lucrative field of eCommerce, largely due to a wider availability of credit card details following huge data breaches at retailers and corporations or suppliers in other industries.
As illustrated above, there has been a steady increase year on year in CNP credit fraud losses as criminals identify easier methods of replicating credit card details. In the US, the figure for CNP fraud losses stood at $3.3bn in 2016, according to the Aite Group report. Likewise, according to European Central Bank’s fifth report on card fraud, CNP fraud accounted for €1.32bn in the SEPA zone in 2016, recording an increase of 2.1%.
Merchant / Acquirer appetite for 3DS2
Of particular interest to merchants, and perhaps even more damaging than fraud losses, are falsely declined transactions and the subsequent loss of revenue due to the negative impact on the customer experience.
Likewise, the number of cart abandonments is also a heavy incentive to minimise consumer-led and long checkout verification; a recent Episerver study found this to be responsible for 17% of cart abandonments.
The merchant / acquirer benefits of 3DS2 adoption include a reduction in interchange fees, higher authorisation rates – with approval rates some 10 to 11% higher in regulated markets where 3DS is used than for non-3DS transactions – and a shift of fraud liability from merchant to issuer. Source: Aite Group report.
Issuer appetite for 3DS2
For the issuer, the benefits are largely aligned with those of the merchant. Through 3DS2 compliance, issuers are able to allow seamless, background authentication for a greater number of transactions thanks to a richer data exchange to run through the bank’s risk analysis and fraud prevention engines, thereby reducing the false decline rate.
There is also a strong regulatory imperative for issuers to adopt 3DS2. PSD2’s Strong Customer Authentication (SCA) - enforced September 2019 and specified in the EBA’s RTS - will push European issuers towards 3DS2 adoption as a way to get around this requirement and qualify for SCA exemption to allow frictionless payments. This practice is likely to be adopted by issuers well outside the confines of Europe over the next few years as it becomes best practice globally.
Likewise, the fraud liability shift between merchants and issuers remains, regardless of whether the issuer is 3DS compliant or not – with the issuer being responsible for SCA under PSD2 regulations. Issuers should therefore welcome the new 3DS protocol as it helps keep fraud risk low while increasing conversions.
At the end of the day, merchants, acquirers and issuers should all strive to adopt 3DS2, not just to avoid these fees or to be compliant, but to build up an authentication eco-system that is more reliable, more secure, more intelligent and that delivers the holy grail in digital payments: speed and ease. The ultimate virtuous cycle.
To learn more about benefits, the costs of non-compliance and deadlines, get in touch.