Payment security for online card transactions has come a long way since its early days, when the first version of 3D Secure, a security protocol designed to protect online card-not-present (CNP) transactions, was launched in 2001. Given the limiting factors of the protocol design, such as difficult-to-remember authentication prompts and confusing web redirect experiences that resulted in legitimate customers dropping out of the payment flow,
With the rapid progress of mobile technology and the rise of the data age, the habits of online shoppers have evolved over the last decade as mobile devices have become more prevalent. Customers now make payments on more platforms, from web browsers to mobile apps and even connected devices. When a consumer makes a digital purchase rather than buying in a traditional store, verifying the transaction and the identity of the consumer becomes increasingly important and challenging, especially with the growing sophistication of cybercrime and fraud.
In the wake of these pain points, EMVCo recently released the new EMV® 3D Secure protocol, or 3-D Secure 2.0. It is designed to address a number of key limitations of the previous protocol and cement the technology’s reputation as one of the most resilient solutions in the fight against card-not-present (CNP) online fraud.
The dawn of 3DS 2.0 will introduce several key features for issuers, merchants and consumers:
To combat the ever-increasing threat of fraudulent online transactions, 3DS 2.0 is able to provide more robust security by utilising stronger authentication measures such as biometric and token-based authentication, instead of static passwords.
Infinitium’s IMS 2.0 will offer Strong Customer Authentication (SCA) methods, with biometric (“something you are”) offered as one of the methods for customers to authenticate transactions, on top of the two other existing elements of password (“something you know”) and mobile device (“something you own”).
With the 3DS 2.0 protocol in place, gone are the days of sluggish browser redirection and poorly scaled challenge screens when customers make online purchases – which was a point of friction that contributed to legitimate customers dropping out of the payment flow.
As mobile devices become the mainstay platform for digital commerce, 3DS 2.0 is built to support authentication in mobile apps, in line with the growing trend of m-commerce. This means challenge screens can be presented from within the merchant’s app, while looking and feeling just like a part of the app.
One of the most significant improvements in 3DS 2.0 is the capability to utilise data and machine learning algorithms for better risk assessment. The new algorithms allow for a seamless data exchange across the three domains, namely merchant/acquirer, issuer, and interoperability, allowing for a more robust risk-based authentication (RBA).
The new 2.0 version of the technology enables a real-time, secure, information-sharing pipeline that merchants can use to send an unprecedented number of transaction attributes that the issuer can use to authenticate customers more accurately without asking for a static password or slowing down commerce.
With 10 times more assessment data points, such as device channel and payment history, issuers and merchants can analyse additional contextual data related to the purchase to verify a cardholder’s identity and more accurately determine a transaction’s risk for greater authentication accuracy.
Frictionless flow aims to make the customer checkout experience as frictionless as possible. The aptly termed “frictionless” payments inherent in the 3DS 2.0 technology will mean less waiting time, fewer steps, and lower strain on the customer.
The risk-based authentication (RBA) process is the enabling factor for frictionless flow, allowing issuers and merchants to determine whether or not a customer should be challenged for further cardholder authentication during the checkout process. As a result, issuers can authenticate the cardholder without them even knowing that an authentication step actually took place. Merchants are also empowered to provide a frictionless checkout experience for the customer, without compromising on the strong security that the 3DS protocol provides.
Based on data analytics behind the scenes between merchant and issuer, if no further cardholder interaction is required, authentication is deemed to have been achieved and the transaction can proceed without requiring additional customer verification. However, if the risk associated with the transaction is not sufficiently low, authentication will move on to the challenge flow, with a prompt for authentication via dynamic password, device recognition, biometric or token-based authentication.
Within each country, selected pilot banks will roll out features of 3DS 2.0 in their respective markets. The first bank to go live with the new protocol is expected to do so at the end of June 2019.
From a consumer perspective, the integration of 3DS 2.0 will not affect the current user interface experience; instead, as the respective issuing banks introduce the platforms and options within their existing banking apps, consumers can seamlessly experience the features and get faster checkout times and a better shopping experience.