Mobile 3D Secure

Table of Contents

  1. What is 3-D Secure 2.0?
  2. How does 3D Secure work?
  3. What's the difference between 3-D Secure 2.0 and 1.0?
  4. What are the pros and cons of 3-D Secure?
  5. Should you implement 3-D Secure on mobile?
  6. Is 3-D Secure 2.0 mandatory?
  7. How do I enable 3-D Secure 2.0?

Any time a discussion about eCommerce security, credit card fraud, and chargebacks goes on long enough, the subject of 3-D Secure 2.0 is bound to come up.

3-D Secure 2.0 is a newer security standard that allows merchants to more reliably authenticate customers without adding a lot of friction to the checkout process.

This technology has already become mandatory in some countries and markets, so why isn't everyone using it yet? Let's talk about what 3-D Secure is, how it works, and what benefits it provides for merchants.

What is 3-D Secure 2.0?

3-D Secure 2.0 is a protocol designed to provide additional identity verification information for online transactions by allowing merchants to communicate with the cardholder's bank and, if necessary, the cardholder.

3-D Secure was originally developed by a third-party company, but was quickly acquired by Visa. While the original version of 3-D Secure could be clunky when additional authentication was required, 3-D Secure 2.0 streamlines the process to ensure the checkout process is as frictionless as possible without sacrificing security. Mastercard and American Express have since created their own protocols with similar functionality to 3-D Secure.

How does 3D Secure work?

When a cardholder makes a purchase from a merchant with 3-D Secure enabled, certain transaction and device information is sent to the cardholder's issuing bank, which either approves the transaction or sends the cardholder a text message with a one-time password to enter.

The information sent by the merchant can include things like billing address, shipping address, device ID, IP address, etc.

According to Visa, more than 100 fields can be shared with the issuing bank. Once the data is received by the issuer, it's run through an automated fraud detection system which categorizes the transaction as either low risk or high risk.

Low-risk transactions are approved automatically, and the customer typically only experiences a delay of 1-5 seconds when processing payment. For high-risk transactions, the cardholder is sent a one-time password via text message, and the app or website pops up a field in which to enter that password. Customers may also be able to authenticate their purchase by opening their banking app and using biometric authentication such as a fingerprint or facial recognition.
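
As an added illustration of the flow described above (not code from the original article): a merchant-side handler for the issuer's answer, using the browser-channel message fields of EMV 3-D Secure 2. The Action names, the sample messages and the choice to decline when authentication is unavailable are assumptions of this example.

```python
# Added example: merchant-side handling of a 3-D Secure 2 authentication
# response (ARes). Field names follow the EMV 3-D Secure message format;
# the Action names and sample messages are constructed for illustration.
from enum import Enum


class Action(Enum):
    AUTHORIZE = "authorize"   # low risk: continue to payment authorization
    CHALLENGE = "challenge"   # high risk: show the one-time-password step
    DECLINE = "decline"       # do not submit the payment


FRICTIONLESS = {"Y", "A"}     # authenticated / attempt processed
CHALLENGE = {"C"}             # issuer wants the cardholder challenged


def next_step(ares: dict, expected_trans_id: str) -> Action:
    """Decide what checkout does with the issuer's response; fail closed."""
    if ares.get("messageType") != "ARes":
        return Action.DECLINE
    # Bind the response to the transaction this checkout started.
    if ares.get("threeDSServerTransID") != expected_trans_id:
        return Action.DECLINE
    status = ares.get("transStatus")
    if status in CHALLENGE:
        # Browser channel: a challenge needs the issuer's challenge URL.
        return Action.CHALLENGE if ares.get("acsURL") else Action.DECLINE
    if status in FRICTIONLESS:
        # Authorization must carry the proof of authentication.
        has_proof = bool(ares.get("eci")) and bool(ares.get("authenticationValue"))
        return Action.AUTHORIZE if has_proof else Action.DECLINE
    # "N", "R", "U" and any unknown status: policy choice here is to decline.
    return Action.DECLINE


TRANS_ID = "00000000-0000-4000-8000-000000000001"  # constructed sample ID
LOW_RISK = {"messageType": "ARes", "threeDSServerTransID": TRANS_ID,
            "transStatus": "Y", "eci": "05",
            "authenticationValue": "Q09OU1RSVUNURUQtU0FNUExFLTAwMDE="}
HIGH_RISK = {"messageType": "ARes", "threeDSServerTransID": TRANS_ID,
             "transStatus": "C", "acsURL": "https://acs.example/challenge"}

if __name__ == "__main__":
    print(next_step(LOW_RISK, TRANS_ID), next_step(HIGH_RISK, TRANS_ID))
```
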

What's the difference between 3-D Secure 2.0 and 1.0?

In October 2016, EMVCo published the 3-D Secure 2.0 specification. The 2.0 version was designed to correct some of the limitations of the original 3-D Secure without hampering customer interaction.

There are two key differences between the first and second versions of 3-D Secure:

  • 3-D Secure 2.0 supports mobile devices.
  • 3-D Secure 2.0 addresses several of the security and usability issues present in 1.0. This includes replacing static passwords with one-time passwords and biometric identification. 

The move to 3-D Secure 2.0 matches the consumer movement to mobile devices and handheld shopping, and many merchants are taking advantage of that fact as part of their business strategy.

What are the pros and cons of 3-D Secure?

The main benefit of 3-D Secure is increased protection from chargebacks due to true fraud. The main downsides are the costs of implementation and maintenance and the slight increase in friction during checkout for some customers.

3-D Secure essentially adds two-factor authentication to only the purchases that are deemed risky, increasing security while leaving most customers unaffected. Not only does this greatly reduce the risk of fraud, but merchants also aren't typically liable for the costs of any fraud-related chargebacks that occur on transactions where 3-D Secure was used.

Our analytics have shown that merchants who use 3-D Secure can reduce their chargebacks by as much as 70%.

According to Visa, 95% of transactions using 3-D Secure are classified as low risk and don't require additional authentication, which means only 5% of your customers will experience any significant difference in the checkout process.

For those 5%, the additional delay in checkout might not be appreciated, but with the spread of two-factor authentication across many eCommerce and financial websites and apps, most customers probably won't be too surprised or annoyed by the extra step in verification.

The main downside of 3-D Secure is that, depending on your implementation of it and your payment processor, there may or may not be additional costs associated with setting up and/or using 3-D Secure. However, these costs may be offset by the protection from chargebacks.

Should you implement 3-D Secure on mobile?

Merchants who have already integrated 3-D Secure technology into their desktop websites must also decide whether to use 3-D Secure for mobile web pages or apps.

While it is undeniable that 3-D Secure improves security and reduces fraud, the drawback of the additional authentication step can be slightly more significant on mobile, where users might be annoyed by having to switch to another app and back.

Ultimately, the choice of whether or not to implement 3-D Secure for mobile may come down to your customers’ shopping habits and your chargeback ratio.

If a large percentage of your customers shop on your mobile site and your chargeback ratio is higher than it should be, that’s a strong argument for adding 3-D Secure. You may lose some sales over it, but the danger of crossing into excessive chargeback territory must be addressed.

To decide whether you should enable 3-D Secure on the mobile version of your eCommerce site, there are a few factors to consider:

  • Is 3-D Secure technology required by regulations you are subject to, or will it soon be?
  • Are you experiencing high rates of fraudulent transactions?
  • Are you getting hit with a high volume of chargebacks, such that your chargeback rate is approaching or exceeding 1%?
  • How likely is it that your cart abandonment rate will increase due to 3-D Secure “interrupting” the checkout process?

Merchants in some countries have it easy — their governments have decided for them that they need 3-D Secure. If you’re still free to choose one way or the other, think carefully about how your customers might be affected by it. In most cases, this new protocol has far more advantages than disadvantages, but every merchant has their own unique considerations.



Is 3-D Secure 2.0 mandatory?

This depends on the regulations in place in your country. By default, it isn’t. Some compliance frameworks like PSD2 require 3-D Secure 2.0.

How do I enable 3-D Secure 2.0?

Contact your payment processor or card network representative to learn how you can enable your sales platforms with frictionless 3-D Secure 2.0.

Thanks for following the Chargeback Gurus blog. Feel free to submit topic suggestions, questions or requests for advice to:
