Security is a vital component of eCommerce, especially since the risk of fraud can be high. Digital shopping relies on card-not-present transactions, meaning the customer's identity is much harder to verify than in-person transactions. To counteract these risks, other methods have been developed to verify that a digital transaction is legitimately being performed by the true cardholder, and not by a fraudster using stolen information.

The EMV 3-D Secure (commonly known as 3-D Secure 2.0) protocol is built to bring increased safety to the online payments ecosystem and reduce digital payment fraud. EMV 3DS is a form of strong customer authentication, which is becoming core to payment processing.


What is Strong Customer Authentication?

Strong customer authentication (SCA) is frequently called two-factor authentication. It consists of cardholder authentication based on criteria that only the legitimate cardholder would know or be able to access, such as a one-time passcode sent to their mobile device, or biometrics like a fingerprint or voice recognition. SCA requires at least two of the following three elements:

  • Something only the customer knows (like a passcode)
  • Something only the customer has (like a mobile device or token generator)
  • Something only the customer is (like a biometric – fingerprint, iris scan, facial scan or voice recognition, to name a few)

SCA is an important step in helping reduce the risks of online fraud, and soon it will be a requirement in the European Economic Area (EEA) under the 2nd Payment Services Directive (PSD2), which is set to go into effect on September 14, 2019. Any business with a strong presence in Europe will need to have SCA implemented before this date in order to meet the PSD2 standards.

EMV 3DS meets the requirements of PSD2 SCA by providing a convenient, secure method for strong customer authentication. Plus, even if your business isn't in Europe, this extra layer of safety can help your business and your customers.


Implementation of EMV 3-D Secure Protocol

EMV 3-D Secure supports using a large amount of data to verify a customer's transaction and identity while keeping checkout as smooth as possible. Fraud prevention is important to online merchants, payment providers, and issuers. EMV 3DS helps the merchant share more data with the issuer, so issuers can make more confident risk decisions, to ultimately help authorize the transaction.

All major payment networks have their own implementations of 3-D Secure, including Visa Secure, Mastercard Identity Check, Discover ProtectBuy, and American Express SafeKey. Each of these branded 3-D Secure solutions works in a slightly different way, but all use the EMV 3DS protocol to verify cardholder identities and provide the related benefits to both consumers and merchants.

3-D Secure is used globally, and in some regions payment networks have taken the step of mandating the use of 3-D Secure for transactions in order to help reduce fraud and protect merchants and customers. The technology can be added to an online store via a provider such as CardinalCommerce, an industry leader in digital authentication.


How Does EMV 3-D Secure Work?

Merchants opt in to the EMV 3-D Secure program by signing up for the solution (such as Visa Secure and Mastercard Identity Check) with an authentication provider (like Cardinal). Then, EMV 3DS uses enhanced data to authenticate most transactions behind the scenes, with minimal consumer impact (unless the transaction is subject to SCA), to help ensure a better consumer experience. EMV 3DS also enables authentication from any device, including laptops, mobile phones, tablets, wearables, personal assistants and IoT devices.

Merchants must add EMV 3DS to their online store to enable the authentication process. Fortunately, this is very easy to do with CardinalCommerce and the proper eCommerce software, and also comes with several side benefits that online retailers won't want to miss.


Benefits of the EMV 3DS Program

The most obvious benefit of the EMV 3DS program is that it helps reduce fraud, but what does that mean, exactly? To start, let's look at the main types of fraud and their victims.

When you think of credit card fraud, the first thing that comes to mind is probably the image of a thief or hacker using a stolen credit card number (or even a stolen physical card). Ultimately, the goal of this type of fraud is pretty obvious: to allow the thief to spend someone else's money.

While cardholders aren't liable for unauthorized charges, the effects of credit card fraud ripple outward to affect the merchant and the issuing bank. A small business can suffer harm in the form of lost inventory and chargeback fees. The banks suffer a loss as well, and while a larger bank might be able to take the hit, smaller regional banks can be affected, resulting in serious losses.

One common form of fraud is friendly fraud, in which the customer, or someone who has access to their payment card, buys something online and then falsely initiates a chargeback. The motivations for this can vary — for example, sometimes the customer doesn't want to bother with the retailer's return policy, or someone with access to the card shops without the cardholder’s knowledge. In this case, the victims are the merchant or the issuer, and the customer is not a victim, but a perpetrator.

Using EMV 3DS can help solve friendly fraud by verifying who made the purchase: the issuer can tell, for example, that the purchase was made on the same mobile device or from the same IP address that the consumer uses for mobile banking.


How EMV 3-D Secure Helps Reduce Credit Card Fraud

The 3-D Secure protocol aims to address fraud via authentication. A thief using a stolen credit card number can show deviations from the cardholder's established behavior — shopping from a different location, using a different device, and possibly spending unusual amounts on products not consistent with the cardholder's purchase history — and the transaction can be flagged as high-risk. The thief will then be confronted with a request for additional information as part of the authentication process (if the online store involved uses EMV 3DS). When an issuer assesses a transaction and it falls outside the cardholder’s typical activity, the risky transaction can be challenged. This means that during 3DS, the issuer asks the consumer to provide a one-time passcode (sent to the cardholder’s mobile phone or email account) or a biometric, and if the fraudster does not have control of those sources, the fraudulent transaction fails authentication.
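The flow described above, together with the "two of three elements" rule from the SCA section, as an added example that is not part of the original article and is not the EMV 3DS specification or any issuer's real logic. The profile fields, factor names, thresholds and sample data are all assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass

# The three SCA categories listed earlier; the factor names are illustrative.
CATEGORY = {"passcode": "knows", "otp_to_phone": "has",
            "token_generator": "has", "fingerprint": "is", "voice": "is"}

def meets_sca(factors):
    """SCA needs two different categories, not merely two factors."""
    return len({CATEGORY[f] for f in factors if f in CATEGORY}) >= 2

@dataclass
class Profile:  # hypothetical issuer-side view of the cardholder's history
    devices: frozenset
    countries: frozenset
    typical_max: float

@dataclass
class Txn:  # hypothetical data shared by the merchant
    device: str
    country: str
    amount: float

def deviations(txn, profile):
    """Name each way the transaction departs from established behaviour."""
    checks = [("new_device", txn.device not in profile.devices),
              ("new_location", txn.country not in profile.countries),
              ("unusual_amount", txn.amount > profile.typical_max)]
    return [name for name, hit in checks if hit]

def authenticate(txn, profile, sent_otp, supplied_otp=None, sca_required=False):
    """Return (outcome, reasons): frictionless, authenticated or failed."""
    reasons = deviations(txn, profile)
    if not reasons and not sca_required:
        return "frictionless", reasons  # no prompt shown to the shopper
    # Challenge: constant-time comparison of the one-time passcode.
    ok = supplied_otp is not None and hmac.compare_digest(sent_otp, supplied_otp)
    return ("authenticated" if ok else "failed"), reasons

# Constructed sample data.
PROFILE = Profile(frozenset({"phone-A"}), frozenset({"US"}), 300.0)
USUAL = Txn("phone-A", "US", 80.0)
STOLEN = Txn("laptop-Z", "XX", 2500.0)

if __name__ == "__main__":
    print(authenticate(USUAL, PROFILE, "481516"))
    print(authenticate(STOLEN, PROFILE, "481516", supplied_otp="000000"))
    print(meets_sca(["passcode", "fingerprint"]), meets_sca(["fingerprint", "voice"]))
```

A fingerprint plus a voice print fails `meets_sca` because both fall in the same category, and a transaction that matches the profile is still challenged when `sca_required` is set.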


How EMV 3-D Secure Helps Businesses

Using EMV 3DS, merchants can experience a direct reduction in cost from chargebacks, including penalties and potential lost inventory. According to a 2018 report by CardinalCommerce, fraudulent transactions, including friendly fraud, declined by 30 basis points in the luxury goods industry when strong customer authentication was enabled [1].

A less obvious benefit is that by reducing chargebacks, businesses can also reduce the overhead needed to fight the chargebacks through representment — as well as the time and effort needed to review potential fraud manually. 3-D Secure is fully automated, compared to some fraud tools which simply flag suspicious transactions for review. These tools can also carry a per-transaction cost that can be expensive with a larger sales volume.

Businesses can also see an increase in sales due to a higher authorization rate of transactions. Since EMV 3DS is designed to enable authentication before authorization, issuers are more likely to approve transactions that have been authenticated. And with EMV 3DS, the authentication code can be communicated to the issuer during the authorization request, to give the issuer more confidence in approving the transaction.

This also can mean a reduction in declined transactions, which can boost sales and improve the consumer experience. In 2018, the luxury goods industry saw a 5% lift in authorization among retailers using 3-D Secure, according to a study by CardinalCommerce [1]. False declines have become a major problem stemming from less-efficient fraud reduction methods, to the point that declines are rising faster than sales. A January 2019 report from Visa shows a global rise of 25% in card-not-present declined transactions, and only a 23% global rise in approved sales [2]. Retailers can benefit from the increase in authorizations that 3-D Secure can provide.


How to Use EMV 3-D Secure in Your Online Store

A smart business owner should be interested in reducing fraud and protecting both their business and their customers, and EMV 3DS is a fantastic tool for doing just that. Fortunately, it's also quite easy to implement on your own website — as long as you use an eCommerce platform that supports it.

3dcart is an all-in-one eCommerce website platform that provides all the tools you need to build and grow your business online, including a fast and convenient way to add strong customer authentication to your website through EMV 3-D Secure. Thanks to our integration with CardinalCommerce, adding the authentication system to your site is as simple as installing a plugin. CardinalCommerce will help you get started and walk you through the process of connecting your website and activating the authentication procedure.

Whether or not your store is going to be subject to the new PSD2 SCA requirements in September, you should take a serious look at two-factor authentication as provided by EMV 3-D Secure and CardinalCommerce. EMV 3DS can help you increase sales, reduce chargebacks and other expenses, and increase your customers’ trust.


EMV® is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo, LLC.


[1] 3-D Secure Industry Performance: Luxury Goods Industry, CardinalCommerce, December 2018.

[2] VisaNet data, eCommerce purchases for FY18. YoY growth based on FY18 vs FY17.