3-D Secure Demystified: How It Works and Why You Need It
If you are an online merchant, you have probably considered adding 3-D Secure to your payments page as an additional security layer to verify the transaction more precisely and minimize the risk of fraudulent payments via a stolen credit card and associated risk of chargebacks.
Although 3-D Secure (or 3DS for short) is no news to either an average customer or merchant, it might not be obvious how it works or even why online merchants choose it. And what exactly does it secure? Let’s sort this out together.
What Is 3-D Secure
In common understanding, 3-D Secure is about securing payments. Indeed, it provides and implements some security for the online payments, but its initial goal is liability rather than security. And in this respect, 3-D Secure benefits both merchants and their customers.
The benefit for the merchants is that using 3-D Secure shifts the liability to the consumer, which in turn reduces the risk of chargebacks and fraudulent payments.
The benefit for the consumer is that fraudulent purchases via a stolen card are harder to perform with a 3-D Secure system. However, the other side of the medal is that it becomes almost impossible to challenge the fraud transactions that somehow pass through the 3-D Secure layer.
Let’s dive a bit deeper into the mechanism behind 3-D Secure to understand its benefits in more detail and its possible drawbacks as well.
Authorization vs Authentication
First things first, let’s compare these two processes. They are commonly mistaken to be synonymous, but it’s important to remember that there is a major difference between them. Let me try and illustrate it with an example.
Imagine two people in a liquor store: “Hello, I’m John, 28” and “Hello, I’m Jane, 32, and here is my ID”. In this situation, John authorizes himself and Jane authenticates herself by additionally providing her ID card that confirms that Jane is really Jane.
The similar situation happens with your online purchases: for payment authorization it is enough to enter your credit card details. The only proof that it was you who made the purchase is the fact that the card details (16 + 3 + 4 digits) [HINT: card number + CVV + expiration date] are not that easy to remember, and an assumption that one should enter these digits looking right at the credit card. However, there’s also a risk that those digits might have been copied somehow (or even stolen).
That’s where 3-D Secure adds consumer authentication in the process of the purchase.
The Three Domains
The “D” in 3-D Secure stands for “domain”. It might be a little confusing, but the three domains are:
- The bank of the purchaser that had issued the card used for the purchase;
- The bank of the merchant where the funds are collected, and
- the bank.. No. The third domain is actually not a bank, but an entire payment infrastructure.
This way, the 3rd party enters into the deal between consumer and merchant to certify the transaction. Both the consumer and the merchant trust the bank that issued the consumer’s card, the bank authenticates its customer and confirms the payment.
Normally, the liability for fraud payment transactions lies on the merchant. The main reason is that it’s not obvious that the transaction has actually been made by the consumer, and there’s no way to prove it.
However, once a 3-D Secure check is added to the process, the liability is automatically shifted to the consumer, because the consumer confirms the payment and this is verified by the bank.
The 3-D Secure liability shift doesn’t clear you completely from the liability for fraudulent orders though. There are a couple of scenarios where you remain responsible for fraud transactions:
- When the buyer fails 3-D Secure check but you choose to go ahead and process the transaction anyway.
- When the buyer experiences a network error during the transaction on their end.
3-D Secure minimizes the risk of fraud payments using stolen credit cards, but the higher security requires the higher responsibility and liability.
3-D Secure v.2 (and Some History)
The first version of 3-D Secure protocol was developed in the late 1990’s and while it was a true innovation back then, it doesn’t satisfy the modern requirements any longer. With time, it became the target for man-in-the middle and phishing attacks. The second version of the 3-D Secure protocol was designed to be an improvement and was aimed to fix those issues.
In essence, it works in a similar way: the consumer is authenticated by the card-issuing bank. As for the improvements, they’ve been implemented in two major directions: security and simplicity of the authentication process for the end user.
The details of the consumer’s environment are gathered and compared against the ones that can be obtained by the “third party”, which complicates the possibility of falsifying them. It also eliminates the password confirmation step during the purchase. It creates a frictionless, smooth checkout process and improves conversion rates.
The current trend though is to require the consumer to enter their password as an additional “challenge”, because some banks do not allow the authorizations without the password being entered by the consumer.
The most apparent reason to choose 3-D Secure is that it protects both the merchant and the consumer. Another major advantage is that in case of fraud, it shifts the responsibility from the merchant.
However, many merchants decide against 3-D secure for several reasons.
- 3-D Secure doesn’t eradicate the risk of chargeback, but only minimizes it.
- Some legitimate transactions can be declined for some reason by the card issuer, which may cost the merchant a purchase and possibly a client.
- The most popular reason is that adding yet another step to the checkout process is normally considered a threat to your conversion rates due to the longer checkout time and extra effort causing friction.
However, if that additional step is the difference between a heap of fraudulent transactions, which you are liable for and a smaller number of real purchases with the liability for any possible fraud transaction shifted to the card issuer, I say – choose security!