This editorial was first published in our Web Fraud Prevention and Online Authentication Market Guide 2017/2018. The Guide is a complete overview of the fraud management, digital identity verification and authentication ecosystem provided by thought leaders in the industry from leading solution providers (both established and new players) to associations and experts.
The 3DS version (1.0.2), which is currently most in use, has been suffering from drawbacks, discouraging both consumer use and merchant integration:
Poor mobile integration;
Potential for MITM (man-in-the-middle) attacks;
Being mistaken as a phishing scam by the end-user;
End-users have to enrol in the service with their bank before benefiting;
There are no standardised requirements regarding password strength, leading to passwords that can potentially be broken by brute-force.
These factors have led to increased instances in cart abandonment; however, merchants have felt that in some cases, the potential revenue loss from cart abandonment is greater than the potential loss from fraud.
The industry has reacted to these shortcomings with the development of 3DS 2.0. This new version aims to address many of the weak points seen in the previous version 1.x while also being compatible with the PSD2 requirements.
The body developing the new standard, EMVCo , first announced the availability of 3DS 2.0 in October 2016. It will undoubtedly take some time before merchant uptake of the standard is widespread due to the need of preparation (for instance, there are significant regional differences in how 3DS challenges are implemented).
In European markets, approximately 90% of 3DS enabled payments do not require an authentication challenge. This is because European merchants and issuers use their own risk-based solutions to determine if a challenge should be issued.
In the US, this figure falls dramatically, with many issuers implementing a 100% challenge strategy. This ignores the potential for data points to assess risk and improve the consumer experience.
The new standard focuses on adopting a risk-based strategy, which should render 100% challenge rates obsolete.
3DS1.x vs 2.0
Source: Visa
The introduction of this feature into the standard will impact the issuers working with Visa and Mastercard, meaning that they will incorporate more cardholder data into the model. Among other information, such as the used device, time zone and so on, it will help determine the buyer’s authenticity. Indeed, the ability for merchants to combine their customer data (reputation, behavioural indicators etc.) with issuer data is a paradigm shift compared to how the standard was managed before. This should dramatically improve the service in terms of its risk-based approach.
In many instances, particularly with mid- to high-end mobile devices, biometrics may be used for authentication. However, the aim is to replace static passwords, prevalent in version 1.x, with One Time Passwords.
One of the key factors in determining the spread of 3DS 2.0 will consist of how quickly do issuers respond to the new feature set. Version 2.0, for example, is not compatible with earlier versions, which means that MPI (Merchant Plug-In) providers will have to send the correct messages to the issuer depending on the latter’s capabilities.
Indeed, according to CyberSource, even in a mature ecommerce space such as EMEA, only 80% of issuing banks adopted a risk-based approach in 2014 . This proportion has undoubtedly increased since then, particularly as machine learning solutions have been democratised over the last three years. Nevertheless, other regions will have significantly a lower proportion of issuers able to adopt a risk-based approach.
In effect, this means that adoption in emerging ecommerce markets is likely to be lower. In such markets, the mobile is the primary computing device, so it will be more likely to suffer fraud owing to no, or poor implementation of the old 3DS standard.
Meanwhile, there are several operational changes that must occur at various nodes in the payment channel for 3DS 2.0 to be supported:
Payment technology providers, payment processors and gateways must work with the new specification and accompanying SDK (Software Development Kit). EMVCo has made the specification for browser and mobile app-based authentication available for download, free of charge;
A framework for functional testing and compatibility with the new specification is still under development. The additional work by the PCI (Payment Card Industry) Security Standards Council for data security requirements, testing procedures, assessor training and reporting templates will address the environmental security that is to be completed. EMVCo expects these documents to be released in the course of 2017;
Merchants and issuers will need to update their internal systems to ensure they are ready for the new standard. This will require some work by MPI providers as well as the third party ACS (Access Control Server) providers commonly used by issuers.
In conclusion, it will take some time until the new standard will roll out and become widely used, given that full work on the developer side is unlikely to begin before the end of 2017. Yet, Visa estimates that rules for merchant-attempted 3DS transactions will extend to 3DS 2.0 from April 2019.
PSD2
Juniper believes that PSD2 will have a significant impact on the speed of 3DS 2.0 rollouts within the EU. On account of its static password scheme, the current version of the standard does not comply with PSD2 demands for Strong Customer Authentication. However, through adoption of biometrics, tokenisation and OTPs, the latest version will meet the PSD2 requirements and thus it can be used as part of the Multi-Factor Authentication challenge flow.
About Nitin Bhas
Nitin Bhas is the Head of Research at Juniper Research. He joined the company back in 2010. He leads the analyst team and develops Juniper’s annual and long-term research plan and product strategies. He also leads and participates in ad-hoc research and consultancy projects along with Juniper’s expert team of analysts. He is a regular speaker at industry conferences and is frequently interviewed by the BBC, CNBC and Reuters.
About Juniper Research
Juniper Research is acknowledged as the leading analyst house in the digital commerce and fintech sector, delivering pioneering research into payments, banking and financial services for more than a decade.
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now