
News 20.11.18.

Protection of online payments – the 3D Secure standard ICT business portal

Below you can find an article about contactless payments, written for ICT Business by Zdravko Barec, Sales Solution Specialist at Payten.

In 2017, retail sales reached $2.3 billion, an increase of 24.8% over the previous year. A surge in mobile purchases is a major factor in such large growth, and it is estimated that around 58.9% of Internet purchases were made through mobile devices.

Global retail sales in 2017 amounted to $22.64 billion, from which it follows that e-retail sales accounted for over 10% of all retail sales worldwide.

Card payment fraud risk grows proportionally with an increase in online sales volumes. Specifically, during online card transactions merchants are not able to check the client's identity, while in a brick-and-mortar shop they can do it through PIN or signature verification. In other words, whoever has the PAN (Primary Account Number, i.e. payment card ID number), the card expiration date and the control number from the back of the card can make online payments with the card instead of the genuine cardholder. This data is printed on the payment card, and is exposed to anyone who sees you take the card out of your wallet and pay with it. When card payment fraud happens, both the issuer and the merchant are in for a painstaking process of recovering their funds, at the end of which at least one of the said parties suffers a loss.

Today there are many solutions to this problem, the most effective one being the 3D Secure standard. This standard requires additional authentication from the client at the time of online payment confirmation. Depending on the implementation efforts on the issuer's side, the client uses one of the three possible options to authenticate – a one-time password generated on their token device (an appropriate app installed on their smartphone), a one-time password received in a text message on their phone or the static password known only to the cardholder. It is however important to note that the last option is being gradually phased out by the big card schemes, since it has not been proven secure.

The current 3D Secure standard dates back to 2001, when it was first introduced. The standard was created under the assumptions in place at that time: the e-commerce share of global retail sales turnover was insignificant, the Internet was used only on personal computers, and the smartphones and other smart devices we use today, such as smart watches, did not exist at all. The standard was good enough for the needs back then. It provided high security for online payments and a precisely defined accountability policy in case of fraud, and for that reason it was adopted by all major card schemes (VISA, MasterCard, American Express, Diners, Discover, etc.). However, the standard was intended for e-commerce conducted from desktop personal computers and has not been optimised for the mobile devices and mobile apps used by many merchants today. Under current circumstances the authentication process is rather slow and complicated, and, depending on the implementation, it can require memorising additional passwords which are not always available to us, in particular when we make purchases using a mobile device in public places.

Issuers are to decide whether they want to use this standard or take responsibility for potential fraud. The same goes for merchants. 40 percent of merchants across the globe use 3D Secure today, and it is most commonly accepted in Europe.

The payment card industry has become aware of the fact that the existing standard meets too much consumer resistance, and, among other things, it causes a high shopping cart abandonment rate.

Furthermore, all the abovementioned challenges burden 3D Secure heavily, especially if we take into consideration the fact that the share of online payments made via mobile devices will soon soar above 60 percent of total online payments. With that in mind, EMVCo, the organisation which defines payment card standards, has prepared a new version of the 3D Secure standard, with the objective of offering a better customer experience to clients, i.e. cardholders.

The new standard offers the possibility of authenticating the cardholder without their involvement, through advanced risk assessment systems which, based on the client's past purchasing habits, can confirm for certain whether the purchase is being made by the cardholder. Other significant advantages of the new standard include its optimisation for mobile phone use, compatibility with merchants' mobile apps, and the use of biometric authentication, such as fingerprint or face recognition.

In the coming year VISA and MasterCard will make the use of the new standard compulsory for all merchants and issuers in the EU that handle these card organisations’ payment cards on a daily basis, while other card schemes are expected to enforce similar regulations soon.

If your bank has implemented 3D Secure for online payments, it is certain to be using either the initial version of the standard or the upcoming new one. As a client, you will experience a remarkable ease of use if the bank has already begun to use the new version.