The question of upgrading to 3D Secure 2.0 authorization will become easier for European e-commerce merchants if it proves to be a path to compliance with a provision of PSD2, the revised Payment Services Directive.
For U.S. merchants, federal mandates haven't provided that extra nudge. Instead, they have to strictly see the benefits of the upgrade and obliterate the bad memories of 3D Secure 1.0, which was known for introducing friction to the checkout process.
And many U.S. merchants are willing to make this leap of faith.
"We were shocked by the numbers, with 90% of U.S. merchants saying they had an interest in implementing 3D Secure 2.0 within the next two years," Julie Conroy, research director and fraud expert with Boston-based Aite Group, said of the consulting firm's recent research monitoring e-commerce fraud and authentication methods.
"We are seeing increased interest in the U.S., but the caveat would be that when asked how much volume they plan to send across it, very few plan to send all transactions," Conroy said.
That revelation falls in line with how U.S. merchants have viewed the EMVCo protocols of 3D Secure 2.0 — that it is an effective customer authentication tool for high-risk transactions or in verticals like airline ticketing, jewelry or electronics that demand extra security steps. Otherwise, it may not be worth invoking, especially if one still has visions of the tedious process that the 1.0 version created through passwords and pop-up security questions.
"The bad experience of 1.0 is a story that has kind of been around ever since it was adopted, but if you look at the past five years, a lot of that (bad) experience has gone away," said Ian Poole, senior director of global products at Cardinal Commerce, a digital authentication solution provider and a unit of Visa.
The process has been smoother for some time because issuers have turned to more risk-based authentication methods, even in the 1.0 version, to eliminate the pop-ups and opting instead for sending one-time passwords to mobile devices, Poole said.
But the real benefit of
In the past, an issuer would receive the acquirer bank identification number and the consumer account number, and information about the browser being used to complete the transaction. With the 2.0 upgrade, the issuer and the access control server receive data to fit in all models and algorithms for risk evaluation, making it easier to quickly differentiate between an online purchase of something like gift cards or a recurring payment for a prescription — and which of those would be uncommon for certain accounts.
That extra information allows merchants to make the process frictionless for consumers while providing issuers more data with which to make an authorization decision.
"We view 3D Secure 2.0 as another layer of protection, because everyone wants fraud protection," Poole said. "And there are certain EMV tools to do that, as well as complete fraud management systems. It is a powerful combination when you add 3D Secure 2.0 authorization."
3D Secure 2.0 is getting a lot of attention in the coming months because the European Banking Authority has extended the PSD2 deadline for the provision called Strong Customer Authentication, or SCA.
Compliance for SCA, separate from PSD2 open banking requirements, initially called for merchants to have some process in place to better confirm that customers making a transaction are who they claim to be. The card networks informed European merchants that deploying 3D Secure 2.0 would provide that SCA provision compliance for PSD2 regulators, but the EBA clearly wants EMVCo to address the speed of 3D Secure 2.0 authentication, now at roughly 10 seconds, and also possibly add a layer of biometrics to the process.
As such, it was clear many small businesses and acquirers needed more time than the original Sept. 14 deadline for this aspect of PSD2. The SCA provision is the only facet being extended.
"I think it was delayed because there is a fair amount of uncertainty about the regulators' descriptions of what qualifies as compliant and a bunch of industry players said there was no way they could meet that September deadline," Aite's Conroy said.
The card networks have been "heavily focused" on getting the industry upgraded and ready for 3D Secure 2.0 by September, and Visa actually had an April deadline in Europe, Conroy said. As it is now, a new deadline has not been established, she added.
Cardinal Commerce does not make its 3D Secure adoption rates public, but the general consensus is that the authorization method has been adopted far more in Europe than in the U.S.
European merchants in general were using 3D Secure 1.0 at a much higher rate than U.S. merchants, said Abigail Singer, product marketing manager for New York-based security vendor Riskified.
"3D Secure comes at a sensitive point in the payments journey," Singer said. "While we don't have insights into the exact thought process of every merchant, we do know that, as a rule, merchants choose to implement different processes based on preferences and expectations of their customer base."
In that regard, consumers in some regions of the world are more open to verifying their identities than in others, Singer added.
In its role, Riskified seeks to complement other security layers with its fully automated machine-learning fraud-prevention system and a PSD2 Optimization solution designed to reduce friction in banking and payment processes.
Mostly, 3D Secure 2.0 adoption will ride on the merchant perception and, ultimately, solid proof that it can decrease cart abandonment while also clearing authentication that cuts back on chargebacks.
"The fraud prevention landscape is constantly changing," Singer said. "It can be difficult for merchants to keep up, so we recommend developing or investing in technology that provides a holistic solution to the challenges of protecting e-commerce revenue across channels and regions."
3D Secure 2.0 has found a place at that table in Europe. Now, it is just a matter of when U.S. merchants will follow that lead.
