    How 3D Secure Works to Protect Consumers and Merchants

    3DS overview: what merchants should know

    3D Secure (3DS) is an extra layer of protection for consumers when paying by credit card online. The “3D” stands for “3 domains”, because this extra step adds a third participant to the process: an intermediary layer is added alongside the merchant bank and the acquiring bank. In simple terms, when a transaction is sent to 3DS, the consumer must complete an extra step to confirm their identity - usually a special password entered into an interstitial page - even though they may have correctly entered all their information into the initial purchase form.

    What is the purpose of 3-D Secure?

    By its nature, e-commerce is more vulnerable to fraud than brick-and-mortar retail, because there is no human present to confirm that the customer actually has possession of the card whose number is being offered. This is why PCI-DSS, the industry standard of data protection, was introduced into the space, and is also at the heart of why online payments are, as often as not, considered to be de facto high risk.

    3DS was intended to prevent criminals from using stolen credit card numbers that they had either lifted from cards that they had then slipped back to the consumer (meaning that the real owner did not know yet that their details had been compromised), or from cards that the owner hadn’t realized had been stolen. By injecting another step into the process, which in principle only the real cardholder would know how to fill out, the idea is to create a barrier to criminals successfully transacting deals.

    What are the Benefits of 3DS?

    The primary upside of 3DS, when it works as planned, is that criminals are unable to use credit card details that are not theirs: while they can successfully complete an order form, potentially with literally every piece of data correct (perhaps by stealing a new card as it arrives in the mail), the secret that must be shared in the 3DS process would never be stored with the card, whether it be a login password or even access to a phone number to receive a one-time confirmation code.

    This is great for consumers, who don’t need to deal with trying to track down fraudulent charges on their cards. In principle, it is also good for merchants, because charges successfully completed on stolen credit cards are one of the largest sources of chargebacks: because the charge was not made by the account owner, pretty much by definition the reversal process starts with the card network rather than the merchant. Bearing in mind that having a significant chargeback rate can cost a merchant dearly, both in terms of fines and higher fees, reducing a big source of them is a win.

    What are the Challenges of 3D Secure?

    While the benefits are easily identified, sadly so are the challenges. For consumers, especially in the early days of the solution, there is the frustration of being brought to an extra step, which they may not even have set up yet. Adding the requirement to create a unique password, say, or to validate a personal phone number to receive text messages, can make the buying process overly long - and when 3DS only pops up from time to time, consumers often find they’ve forgotten the password and either have to go through the Lost Password process, or return to the order form to provide an alternative form of payment.

    And, of course, when there is frustration on the part of the consumer, it tends to lead to lower sales conversion rates - study after study has shown that friction in the buying process can be devastating for e-commerce businesses. While the benefits likely outweigh the challenges for most merchants - and certainly for those in higher-risk categories - not all merchants appreciate the trade-off.

    What Causes a Transaction to Trigger 3DS?

    Generally speaking, 3DS is not a standard step in the checkout process, but is rather triggered by a suspicion of fraud by one of the many payment services involved in the transaction process. The automation of each provider - from acquiring bank to PSP to card network to issuing bank - can spot a trend that raises its suspicions even if none of its partners sees the same thing. For instance, a particular transaction may seem unusually large to the issuing bank, or it may seem to the PSP that the same person has made more purchases than normal over a day, or another PSP might feel that mistyping the CVV once and then re-entering it is a good reason to worry about fraud.

    What are Some Criticisms of 3-D Secure?

    Because by its very nature 3DS involves adding a third party to the transaction, it has received a fair amount of criticism for being both confusing and, ironically, an inspiration for other fraud. In many cases, for instance, the 3DS form will appear in an iFrame on a page, and the consumer cannot confirm that the frame is properly SSL-encrypted or authentic. Worse, there have been documented cases of hackers successfully injecting fake 3DS iFrames into legitimate order forms, allowing them to steal not only the cardholder information, but also the 3DS credentials!
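
    The fake-iFrame problem described above can be checked for from the merchant side. As an added example (not from the original article), this JavaScript flags frames on a checkout page that do not come from an allowlisted 3DS origin and checks that the page's Content-Security-Policy restricts frames the same way; the origin https://3ds.psp.example, the function names and the sample URLs are assumptions constructed for illustration.

```javascript
// Added example: hypothetical names, constructed sample data.
// Assumption: the PSP serves every 3DS challenge frame from these origins.
const ALLOWED_FRAME_ORIGINS = ["https://3ds.psp.example"];

// Constructed sample: one genuine frame, one lookalike host, one plain-HTTP frame.
const SAMPLE_FRAMES = [
  "https://3ds.psp.example/challenge?id=1",
  "https://3ds.psp.example.evil.test/challenge",
  "http://3ds.psp.example/challenge",
];

// Return the frame URLs that are not trusted 3DS frames, with a reason each.
// In a browser, pass [...document.querySelectorAll("iframe")].map(f => f.src).
function auditFrames(frameSrcs, allowed = ALLOWED_FRAME_ORIGINS) {
  const findings = [];
  for (const src of frameSrcs) {
    let url;
    try { url = new URL(src); }
    catch { findings.push({ src, reason: "unparsable" }); continue; }
    if (url.protocol !== "https:") {
      findings.push({ src, reason: "not-https" });
    } else if (!allowed.includes(url.origin)) {
      // Exact origin match, so lookalike hosts sharing a prefix are rejected.
      findings.push({ src, reason: "origin-not-allowlisted" });
    }
  }
  return findings;
}

// Source list of the CSP directive governing frames:
// frame-src, falling back to child-src, then default-src (null if none is set).
function frameSources(csp) {
  const directives = new Map();
  for (const part of csp.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, values); // first one wins
  }
  for (const key of ["frame-src", "child-src", "default-src"]) {
    if (directives.has(key)) return directives.get(key);
  }
  return null;
}

// True only if frames are limited to 'self', 'none' or allowlisted origins.
function cspRestrictsFrames(csp, allowed = ALLOWED_FRAME_ORIGINS) {
  const sources = frameSources(csp);
  if (sources === null) return false; // no directive: any frame may load
  return sources.every(s => s === "'self'" || s === "'none'" || allowed.includes(s));
}
```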

    Indeed, the experience within the mobile environment (especially smartphones) can be extremely uncomfortable, given the lack of standard pop-up windows and easily-navigated iFrames. And given that 3DS will normally offer consumers arriving for the first time the opportunity to sign up on the spot (so-called activation-during-shopping, or ADS), it is literally possible for someone who has stolen an unenrolled credit card to take control of the 3DS requirements in place of the rightful card owner.

    Coming Up Next: 3D Secure 2.0

    Given the issues 3DS has with adding friction to the transaction process, it should come as no surprise that the card networks are working hard to bring a new version into place. 3DS 2.0 takes into account the availability of smartphones, and enables an additional authentication step to happen by verifying the person using biometric methods (generally speaking the touch ID or facial recognition on the smartphone). In this way, not only does 3DS 2.0 make for a much more comfortable experience, it also completely eliminates the possibility that a thief could easily use a stolen credit card - unless they also kidnap its owner!
