back to insights


January 12, 2021

Transitioning to 3D Secure 2 – Risks & Challenges

One of the significant turn points in the banking industry is switching from 3D Secure 1 to 3D Secure 2. To demystify potential risks and challenges regarding this transition, we in Asseco SEE (ASEE) prepared a short read, listing and explaining possible concerns regarding transitioning to 3D Secure 2.

What is the best way to approach change when you are a decisionmaker in a financial institution considering the implementation of new technologies such as 3D Secure 2?

We summarized the main dilemmas discovered during our research regarding transitioning to 3D Secure 2 and pinpointed three key concerns:

1. An additional step in the online payment process

The revenue streams from eCommerce fees make up 15% of banks' income levels today. This is significant because the online payment process is a key component in the consumers' eCommerce journey. Both merchants and acquiring banks strive to reduce the online shopping cart abandonment rate to maximize their respective revenue streams. 3D Secure 2 is an additional measure in the transaction meant to safeguard both merchants and banks. Although some stakeholders are worried about 3D Secure 2 increasing payment drop-out rates, banks and merchants work on improving the consumers' overall customer experience constantly. Still, they must also continue to ensure that online payment security isn't compromised. 

2. Requirement to change the broadly adopted authentication methods

A vast number of banks rely on SMS OTP authentication methods, inherited from 3D Secure 1. This method has various advances: it does not require special enrolment and a mobile application, it is simple to use and can be used on non-smartphones. However, according to EBA's opinion, this method is not categorized as a Strong Customer Authentication method.

The first reason for this is that it doesn't include two out of three authentication methods, SCA (something you are – biometrics, something you have – e.g., HW/SW token, something you know – e.g., password/OTP). Anyone who possesses the buyer's phone will get access to OTP and is able to make an online purchase. Another reason is that OTP is generated at the server-side and relies on a private key. The transaction data are not included – there is no Dynamic Linking as required by the PSD2 directive. That means that ''man in the middle'' attacks are not prevented at all. If an attacker changes a payee account and changes the payment amount, the fraud cannot be identified because the transaction is already authenticated.

3. Bad experiences with 3D Secure 1 card enrolment

When 3D Secure 1 was introduced, the initial adaptation did not cause a rise in eCommerce and online payments as expected but caused an increase in the transaction abandonment rate. Anywhere from 30% - 50% of transactions (depending on the country) were forfeited due to reliance on 3D Secure 1. Later analysis showed that card enrolment, which was a prerequisite to use 3D Secure-enabled cards, caused too much friction for buyers. Also, pop-up windows, which were a part of the 3D Secure authentication process, were associated with ''man in the middle attacks'' by buyers and triggered them to terminate their online purchase process. Hence, the cart abandonment rate surge occurred. The new 3D Secure 2 protocol considers all of this fallback from the previous version and emphasizes smooth User Experience (UX) alongside a fast and frictionless flow.

If you want to find out more about 3D Secure 2 features and improvements, go ahead and contact our regional expert at [email protected] or download the datasheet.

download datasheet
Request Trial

Interested in TriDES2?

Subscribe to our newsletter
© Asseco South Eastern Europe 2021. All rights reserved
clouddownload linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram