Online payments in web shops and mobile apps are a greenfield for fraudsters
Security and fraud specialists know that payment fraud behaves like a balloon: squeeze it on one side and it bulges out on the other. And the balloon itself keeps growing, because online traffic keeps growing.
Before chip cards, fraudsters skimmed the data from magnetic-stripe cards and produced cloned cards for unauthorized payments. Yes, there was a PIN, but you would not believe how creative a fraudster can get when trying to obtain it.
After EMV chip cards were introduced, the fraud rate fell for in-store payments but rose for e-commerce and m-commerce payments, which now account for more than 65% of total card fraud. The chip prevents counterfeit fraud at the point of sale, but it does nothing for card-not-present (CNP) payments, where the chip is never read; it simply pushed the fraud there.
Anyone who obtains your card data, i.e. the card number and expiry date printed on the face of the card, can attempt a payment online. The card validation number printed on the back (CVV2/CVC2, also called CVN) is only a modest improvement: it proves nothing more than that whoever is typing has seen the whole card, and it is captured together with the rest of the data by phishing or by skimming scripts planted on a checkout page.
The obvious consequences, disputes and chargeback procedures, are a burden for everyone: the buyer, who has to prove that he really is a victim (and some fraudsters use the chargeback itself as a fraud method, so-called friendly fraud; as mentioned above, they are very imaginative); the merchant, who has to provide evidence of the delivered goods or services; and the acquirer, who has to supply transaction details during the dispute process. In the end the merchant or the acquirer loses the money for the purchase, but every party loses money on the cost of the chargeback process itself.
Over time, merchants developed different methods to fight fraudsters in the hope of reducing fraud and the related costs. For instance, online merchants started to keep their own negative lists of cards or buyers that had committed fraud in the past. This looked like a simple and effective solution at first, but a negative list has to be maintained, and once PCI DSS required that stored card numbers be protected (or, better, not stored at all), the solution became expensive.
Then merchants started to collect and analyse buyer (cardholder) data: IP geolocation, how often the buyer purchases, the average transaction amount and so on. At first this was done manually before dispatching the ordered goods or services, but as transaction volumes grew, merchants were forced to deploy software. One very popular method has been address validation, where the merchant compares the delivery address with previous orders, the country in which the card was issued with the delivery country, the e-mail address with earlier purchases, and so on.
Nowadays there are plenty of fraud prevention systems designed for online merchants. Some can fingerprint your device (collect details about the browser, operating system and hardware) to detect whether you are purchasing from the same device as before, cross-check your data against social networking sites or a Google Maps lookup of the address, and run behavioural analysis of how you open and use an application or site: the way you hold your tablet or phone, the speed at which you type, and so on.
But these solutions cost money, and that cost lands on the merchant, together with most of the fraud and chargeback costs.
Good news! Merchants are no longer alone in the fight against fraud
Back in 2001, Visa introduced a method for preventing fraud in online payments called 3-D Secure (marketed as Verified by Visa). It added a step to the online payment in which the buyer had to authenticate with a static password or, later, a one-time password (OTP). The result? Yet another solution that merchants had to deploy, and one that caused friction for buyers, who started abandoning purchases when confronted with the 3D Secure page. Not only fraudsters, but genuine buyers. Merchants started to lose revenue from genuine transactions.
The solution? 3D Secure 2.0!
The logic is the same: before the payment is made, the cardholder is authenticated. The key difference is the user experience. More advanced methods are available that do not create the friction of OTPs and static passwords. Most mobile devices have a fingerprint sensor, so biometrics (fingerprint or face, typically confirmed in the issuer's mobile banking app as an out-of-band challenge) have become the most common authentication method, not only in 3D Secure 2.0 but in other services as well.
Why is 3D secure 2.0 so beneficial for merchants?
3D Secure 2.0: before asking the cardholder to authenticate (to prove that he is the owner of the card), it performs in the background the fraud-prevention checks that merchants used to run themselves.
3D Secure 2.0 has risk-based authentication built in. Many of the checks merchants used to run to spot potentially fraudulent transactions are now run inside the 3D Secure 2.0 flow by the issuing bank's Access Control Server (ACS), fed with the device, browser and order data that the merchant passes in the authentication request, and it is the issuing bank's responsibility. For many merchants this means no separate fraud-screening product is needed. One caveat: the issuer sees only what the merchant sends, so larger merchants often keep their own screening in front of 3D Secure for signals the issuer cannot see, such as the merchant's own order history for that account.
Risk analysis as part of 3D Secure 2.0 checks negative card and buyer lists, payment history, velocity (how many purchases in a given period) and the average transaction amount. It checks the buyer's IP geolocation and compares it with the delivery address and with the locations of previous orders. It compares the other data the merchant supplies, such as e-mail address, phone number and the card's country of issue, and whether the same device and application are being used for the purchase.
All these checks are done by the issuing bank, with no need for additional products on the merchant side. As for the customer experience: if the risk analysis indicates low risk, the bank does not challenge the cardholder at all (the so-called frictionless flow), so the buyer is not asked for an OTP or a fingerprint. One step fewer for around 80% of transactions! Imagine what that does to revenue and to the abandonment rate.
And if fraud does happen? To motivate merchants to implement 3D Secure 2.0 (the card schemes lose money to online fraud as well), the schemes grant a liability shift to merchants who use it: for a transaction authenticated through 3D Secure, the cost of a fraud chargeback (an "unauthorised transaction" dispute) moves from the merchant to the issuing bank. Two caveats a merchant should know: the shift covers fraud disputes, not disputes about goods not delivered or not as described, and it applies only when the authentication succeeded and its result (the ECI value and the authentication value, or CAVV) is passed on in the authorisation; an authentication that fails or is abandoned gives no protection.
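The checks described above, first as merchants ran them (address, velocity, device) and now as the issuer's risk analysis runs them inside 3D Secure 2.0, together with the merchant-side liability-shift check, reduced to a runnable toy. This is an added example and not code from the article, from Asseco, or from any real 3DS Server or ACS: the EMVCo message field names (threeDSServerTransID, acsTransID, transStatus, eci, authenticationValue) are real, but the score weights, the threshold of 40, the negative list, the cardholder history and the three sample transactions are all constructed for illustration.

```python
"""Toy model of the 3-D Secure 2 frictionless / challenge decision.

Added example, not code from the article, from Asseco, or from any real
3DS Server or ACS. Message field names follow the EMVCo 3DS 2 layout; the
checks, weights, threshold and all sample data are constructed for illustration.
"""
from __future__ import annotations
import secrets

ISSUER_COUNTRY = "DE"          # country the sample card was issued in (assumed)
CHALLENGE_THRESHOLD = 40       # assumed score cut-off for a challenge

# Constructed issuer-side data: a negative list and the cardholder's history
# (the "payment history" the article says the issuer checks).
NEGATIVE_LIST = {"4111111111111111"}
HISTORY = {
    "4000000000000002": {
        "countries": {"DE"},           # IP countries seen on past orders
        "devices": {"dev-7f3a"},       # device IDs seen on past orders
        "emails": {"anna@example.org"},
        "avg_amount": 60.0,            # EUR, average of past orders
        "orders_last_24h": 1,
    },
}


def risk_score(areq: dict) -> tuple[int, list[str]]:
    """Score an AReq-like dict; higher means riskier. Returns (score, reasons)."""
    pan = areq["acctNumber"]
    if pan in NEGATIVE_LIST:
        return 100, ["card on negative list"]
    hist = HISTORY.get(pan)
    if hist is None:
        return 30, ["no payment history for this card"]
    amount = int(areq["purchaseAmount"]) / 100      # minor units -> EUR
    checks = [   # (condition, weight, reason)
        (amount > 3 * hist["avg_amount"], 25, "amount far above cardholder average"),
        (hist["orders_last_24h"] >= 5, 20, "velocity: many orders in 24h"),
        (areq["ipCountry"] not in hist["countries"], 20, "IP geolocation not seen before"),
        (areq["shipAddrCountry"] != areq["ipCountry"], 15, "delivery country differs from IP country"),
        (areq["shipAddrCountry"] != ISSUER_COUNTRY, 10, "delivery country differs from card country"),
        (areq["deviceId"] not in hist["devices"], 15, "new device"),
        (areq["email"] not in hist["emails"], 10, "email not seen before"),
    ]
    score = sum(w for hit, w, _ in checks if hit)
    reasons = [r for hit, _, r in checks if hit]
    return score, reasons


def acs_decide(areq: dict) -> tuple[dict, list[str]]:
    """Issuer ACS: build an ARes. 'Y' = authenticated without a challenge
    (frictionless), 'C' = challenge required, 'R' = rejected, do not authorise."""
    score, reasons = risk_score(areq)
    ares = {"threeDSServerTransID": areq["threeDSServerTransID"]}
    if score >= 100:
        ares["transStatus"] = "R"
    elif score >= CHALLENGE_THRESHOLD:
        ares["transStatus"] = "C"
        ares["acsTransID"] = secrets.token_hex(8)           # used in CReq/CRes
    else:
        ares["transStatus"] = "Y"
        ares["eci"] = "05"                                  # Visa-style ECI, fully authenticated
        ares["authenticationValue"] = secrets.token_urlsafe(21)   # stands in for the CAVV
    return ares, reasons


def complete_challenge(ares: dict, cardholder_passed: bool) -> dict:
    """Result the ACS reports (RReq) after the OTP / biometric challenge."""
    result = {"threeDSServerTransID": ares["threeDSServerTransID"]}
    if cardholder_passed:
        result.update(transStatus="Y", eci="05",
                      authenticationValue=secrets.token_urlsafe(21))
    else:
        result["transStatus"] = "N"                          # not authenticated
    return result


def liability_shift(result: dict) -> bool:
    """Merchant side: treat fraud liability as shifted only when the final
    status is Y (or A, attempted) AND the ECI and CAVV that must travel
    in the authorisation request are present."""
    return (result.get("transStatus") in ("Y", "A")
            and bool(result.get("eci"))
            and bool(result.get("authenticationValue")))


# Constructed sample transactions (amounts in minor units, EUR).
TX_REGULAR = {"threeDSServerTransID": "1a2b", "acctNumber": "4000000000000002",
              "purchaseAmount": "5500", "ipCountry": "DE", "shipAddrCountry": "DE",
              "deviceId": "dev-7f3a", "email": "anna@example.org"}
TX_UNUSUAL = {**TX_REGULAR, "threeDSServerTransID": "3c4d", "purchaseAmount": "49900",
              "ipCountry": "NG", "shipAddrCountry": "NG", "deviceId": "dev-0000"}
TX_BLOCKED = {**TX_REGULAR, "threeDSServerTransID": "5e6f", "acctNumber": "4111111111111111"}

if __name__ == "__main__":
    for tx in (TX_REGULAR, TX_UNUSUAL, TX_BLOCKED):
        ares, why = acs_decide(tx)
        print(tx["threeDSServerTransID"], ares["transStatus"], why,
              "liability shift:", liability_shift(ares))
```

Running it gives Y for the regular order, C (with the reasons: amount, new geolocation, delivery country, new device) for the unusual one, and R for the block-listed card. Only the Y result, or a challenge the cardholder actually passes, carries the ECI and authentication value the merchant must forward in the authorisation; a C that is never completed, or an N, gives no liability shift, which is the check a merchant's integration should make before claiming it.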
It is universal: 3D Secure 2 is specified by EMVCo and supported by all the major card schemes (branded Visa Secure, Mastercard Identity Check, American Express SafeKey and so on), so from the merchant's perspective the implementation is the same whichever scheme the card belongs to, in web shops and in mobile purchasing alike. One caveat: wallets such as Apple Pay and Google Pay that pay with a tokenised card and a device-level cardholder verification (fingerprint or face on the phone) carry their own authentication, so 3D Secure is usually not invoked for those payments; it applies to cards entered or stored in the web shop or app.
What merchants need to do to support 3D Secure 2.0
To take part in the 3D Secure programme, merchants need a 3D Secure Server (3DSS). Despite its name, the 3DS Server is not a piece of hardware: it is a component defined by EMVCo that sits between the merchant's web shop or payment gateway (the "3DS Requestor" in EMVCo terms) and the card schemes' Directory Servers, which route the authentication request on to the issuing bank's ACS. It can be installed alongside the payment gateway or, more commonly, consumed as software as a service to avoid installation and maintenance. The integration is a small interface with a few options, on either the web shop or the payment gateway side, depending on how the shop and the payment process were originally designed.
Merchants with mobile apps need to ask their app developers to embed an EMVCo-approved 3D Secure SDK in the application. The SDK collects the device data for the authentication request and renders the challenge screen if the issuer asks for one. Beyond embedding the SDK there is no additional development, and because the SDK is certified by its vendor, no additional certification with the card schemes on the merchant's side.
The rest of the chain, the 3DS Server, the schemes' Directory Servers and the issuers' ACSs, runs in the background; the merchant sees only the request going out and the authentication result coming back.
What Asseco can provide:
What are the benefits for merchants who use 3D Secure?