3-D Secure for Mobile: Do You Really Need It?
Any time a discussion about ecommerce security, credit card fraud, and chargebacks goes on long enough, the subject of 3-D Secure is bound to come up. This technology, which was designed to provide better authentication of cardholders, has become mandatory in some countries and markets. So why isn't everyone using it yet?
For merchants who have a choice as to whether or not to use 3-D Secure, the costs of added security must be weighed against the risk of losing sales by placing another obstacle between the consumer and a completed purchase.
Merchants who have already integrated 3-D Secure technology into their desktop websites must also decide whether to use 3-D Secure for mobile web pages.
While it is undeniable that 3-D Secure improves security and reduces fraud, there are drawbacks, some of which will only be exacerbated by mobile interfaces.
To decide whether it’s necessary to install 3-D Secure technology on the mobile version of your ecommerce site, various factors must be weighed:
- Is 3-D Secure technology required by regulations you are subject to, or will it soon be?
- Are you experiencing high rates of fraudulent transactions?
- Are you getting hit with a high volume of chargebacks, such that your chargeback rate is approaching or exceeding 1%?
- How likely is it that your conversion rate will suffer due to 3-D Secure “interrupting” the checkout process?
- Are you able to implement a “frictionless” version of 3-D Secure?
Even if you are able to answer all of those questions, the choice still may not be crystal clear. Let’s take a closer look at how 3-D Secure technology works, and what it actually means for the businesses that use it.
What is 3-D Secure?
3-D Secure is a security protocol intended to supplement existing security measures for online credit card and debit card transactions.
Originally created by a third-party software company almost two decades ago, 3-D Secure technology was quickly adopted by Visa, which branded it as their “Verified by Visa” service.
Other card networks followed their lead, with Mastercard calling their version “Mastercard SecureCode.” American Express now offers an implementation of 3-D Secure as well.
3-D Secure improves card security with the use of a “three domain” security model. It authenticates cardholder identity with the acquirer, the issuer, and the “interoperability domain,” which refers to the payment infrastructure that enables the transaction: the shared space created by the merchant, the payment processor, the network provider, and other parties.
A 3-D Secure transaction sends messages over secure connections to communicate that the cardholder has been properly authenticated.
With each of the three “domains” satisfied that the cardholder is who they say they are, the transaction is allowed to proceed.
How Does 3-D Secure Work?
When a cardholder attempts to make a purchase on a website with 3-D Secure protection, a pop-up window will appear during the checkout process, after they enter their card information. This window, which is generated and served by the issuer, requires the cardholder to enter a password to authenticate their identity.
If the user hasn’t previously set up a 3-D Secure password for this card, they will be redirected to the issuer’s website to do so.
Once the user enters their password, the purchase can be completed as usual. Because the password is not stored in the merchant’s computer system and is not printed on the credit card itself, it is much more difficult for fraudsters to acquire than normal payment credentials.
Merchants that opt in to 3-D Secure are generally not liable for chargebacks against transactions that authenticated the purchaser with 3-D Secure.
What Are the Pros and Cons of 3-D Secure?
Chargeback protection is one of the greatest benefits of 3-D Secure. To be freed from carrying the liability for chargebacks is a huge benefit to merchants, especially those doing business in industries with high rates of fraud and disputes.
Our analytics have shown that merchants who use 3-D Secure can reduce their chargebacks by as much as 70%.
There are two potential drawbacks to 3-D Secure. The first is the possibility of setup and maintenance fees from your payment processor. The second, and more problematic, concern is that the added step of authenticating your identity through 3-D Secure tools like Verified by Visa or SecureCode can be a turnoff for consumers.
They don’t like the added hassle, they may be confused by the intrusion of a third-party popup window, and if they haven’t already set up a password for 3-D Secure, they may be required to do so—which is a big disruption to the checkout process.
Online shopping has taught consumers to expect speedy, seamless checkouts. One-click purchasing from Amazon has spoiled us. Taking a few minutes to set up a 3-D Secure password may seem like a minor one-time inconvenience with obvious benefits, but some customers absolutely will bounce right off of a 3-D Secure window, abandon their shopping cart, and never return.
In a mobile environment, all of these issues are exacerbated. A popup window on a desktop monitor can be a distraction, but on a small phone screen it can completely hijack the user experience. Customers who have to leave the site to create a password may have difficulty navigating their way back even if they want to.
It’s also worth noting that 3-D Secure is not foolproof. Customers often create easy-to-remember passwords, which are easy enough for determined cybercriminals to crack.
Ultimately, the choice of whether or not to implement 3-D Secure for mobile may come down to your customers’ shopping habits and your chargeback ratio.
If a large percentage of your customers shop on your mobile site and your chargeback ratio is higher than it should be, that’s a strong argument for adding 3-D Secure. You may lose some sales over it, but the danger of crossing into excessive chargeback territory must be addressed.
If your mobile site isn’t where most of your customers place their orders, you may be fine leaving 3-D Secure out of it, even if you use it on your desktop site.
Whenever possible, you should use Frictionless 3-D Secure 2.0, as this can relieve some customers of the obligation to remember their passwords and can make for a smoother checkout experience with less disruption.
Merchants in some countries have it easy—their governments have decided for them that they do need 3-D Secure! If you’re still free to choose one way or the other, think carefully about how much you need the added protection of 3-D Secure compared to the risk of losing customers.
There’s no obvious right or wrong answer—too much depends on the conditions of your market and your individual circumstances. Just make sure that whichever direction you choose to go, you’ve carefully considered your options and made an educated choice.