BY RYAN WILK
When it comes to thwarting cybercriminals, EMV chip technology has already proven to be far more effective than its outdated magnetic stripe counterpart. In fact, the success of the chip-equipped cards is such that hackers have been forced to turn their attention to the card not present (CNP) space, where they can make more profit. The CNP arena is such a large target for attackers that Nilson Research predicts its related losses to reach $31 billion by 2020.
With cybercriminals gearing up for the holidays, merchants and credit card issuers are exposed to fraudulent transactions coming from a variety of channels. It is the continuous exposure of data combined with CNP transaction fraud that create a perfect storm with either the merchant or the issuer left holding the bag. This growing threat results in added friction in the name of security and users having to jump through additional authentication hoops to finalize their transactions.
This situation has also led to a significant increase in false declines where real customers have not been able to authenticate themselves and couldn’t get their transaction through. In 2017, the U.S. lost over $300 billion to false declines, according to the Aite Group. To mitigate this problem, credit card networks come together to offer EMV 3DS (commonly known as 3DS 2.0), an overhaul of the old 3-D Secure protocol to authenticate CNP transactions.
3DS 2.0 has been revamped to remove the burdensome barriers that it was known for in the past. This protocol is now spearheading the verification process by gathering more information around each transaction to help issuers make better decisions and increase approvals.
EMV 3DS improvements enable both merchants and issuers to make better authorization decisions. Issuers and merchants can now balance user experience and security to provide easy, user-friendly transactions.
Understanding EMV 3DS
The enhanced 3DS 2.0 protocol will provide a rich data stream between issuers and merchants for better authentication and authorization decisions. Issuers will still be the ones deciding if a transaction should be stepped up for further security. However, Mastercard estimates that 90% of transactions will go through seamlessly as a result of the additional data sets issuers will receive, significantly reducing friction at checkout.
Another significant change is that, if the issuer asks for additional authentication, instead of the cumbersome one-time-passwords, users can verify themselves with physical biometrics such as a fingerprint or facial scan.
With the new protocol, merchants can also choose what transactions they send through the 3DS rails and which ones they send outside of the protocol. The only difference for issuers is that transactions outside of the 3DS path won’t benefit from the liability shift, so the merchant will be the one facing the cost if there is a chargeback.
Moving to a 3DS World
Issuers are already working towards supporting EMV 3DS transactions; some are even engaging key merchants in tests to prove the value of sending the additional 3DS data points. This is a great way to assess the system and share the results with merchants to incentivize their participation as well.
Cost is another factor during implementation. In regulated markets, issuers don’t have that much choice, but financial institutions in non-regulated regions will normally make their decision based on the improvement to the customer experience and fraud prevention. Although the user experience can be harder to quantify, issuers can make their decision based on the value associated to increased transaction volume and customer retention, two key metrics that 3DS is going to impact positively.
EMV 3DS Allowing Better Authorization
This enhanced protocol allows customers to have a seamless experience or, if the issuer requires a step-up, to easily authenticate themselves with something they are familiar with such as a fingerprint scan.
With in-depth information surrounding each transaction, issuers have more context to make the final decision about whether to authorize a transaction or not, giving their customers a better service, increasing transaction volume and customer retention.
Ryan Wilk is Vice President, Customer Success for NuData Security, a Mastercard company. Previously, he was manager of Trust and Safety at StubHub and spent eight years with Universal Parks & Resorts in various e-commerce roles.