What is the best way to approach change when you are a decision-maker in a financial institution considering the implementation of new technologies such as 3D Secure 2?
We summarized the main dilemmas discovered during our research on the transition to 3D Secure 2 and pinpointed three key concerns:
Fees from eCommerce payments make up 15% of banks' income today, which makes the online checkout a key step in the consumer's eCommerce journey. Both merchants and acquiring banks work to reduce the online shopping cart abandonment rate in order to protect their respective revenue streams. 3D Secure 2 adds an authentication step to the transaction that is meant to safeguard merchants and banks alike. Some stakeholders worry that 3D Secure 2 will raise payment drop-out rates, and banks and merchants constantly work to improve the overall customer experience; at the same time, they must ensure that the security of online payments is not compromised.
A vast number of banks still rely on the SMS OTP authentication method inherited from 3D Secure 1. It has several advantages: it requires no special enrolment and no mobile application, it is simple to use, and it works on non-smartphones. However, in the EBA's opinion, SMS OTP on its own does not qualify as Strong Customer Authentication (SCA).
The first reason is that it does not combine two of the three SCA factors (something you are – biometrics; something you have – e.g., a hardware or software token; something you know – e.g., a password or PIN). An SMS OTP only evidences possession of the phone (more precisely, of the SIM): anyone holding the buyer's phone receives the OTP and can complete an online purchase. The second reason is that the OTP is generated server-side, as a random value or from a server-held secret, and does not incorporate the transaction data: there is no Dynamic Linking of the code to the amount and the payee, as the PSD2 directive requires. ''Man in the middle'' attacks are therefore not prevented at all: if an attacker changes the payee account and the payment amount after the buyer has entered the code, the fraud cannot be detected, because the same code authenticates any transaction and, from the issuer's point of view, the transaction is already authenticated.
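As an added illustration (not code from the original article, nor from any issuer or from the EMV 3-D Secure specification) of what Dynamic Linking changes, the following Python compares a plain server-generated OTP, which verifies regardless of which transaction is submitted with it, with an authentication code computed as an HMAC over the amount and payee. The key, nonce, IBANs and amounts are constructed sample values, and the truncation to an eight-digit code is a simplified, HOTP-style construction chosen for illustration only.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    payee_iban: str
    amount_cents: int
    currency: str


# Constructed sample values for the demo; a real deployment derives a
# per-cardholder key during enrolment and a fresh nonce per challenge.
SAMPLE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
SAMPLE_NONCE = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")

# Standard example IBANs (not real accounts), used as constructed inputs.
APPROVED_TX = Transaction("DE89370400440532013000", 4999, "EUR")       # what the buyer saw
TAMPERED_TX = Transaction("GB29NWBK60161331926819", 499900, "EUR")     # attacker's payee and amount


# --- Variant 1: plain SMS-style OTP, as inherited from 3D Secure 1 ---------
# The issuer draws a random code, sends it out of band and stores it against
# the session. The code carries no information about what is being approved.

def plain_otp_issue() -> str:
    return f"{secrets.randbelow(10**6):06d}"


def plain_otp_verify(stored: str, presented: str, tx: Transaction) -> bool:
    # `tx` is deliberately unused: any transaction presented together with the
    # right six digits is accepted. This is the gap described in the text.
    return hmac.compare_digest(stored, presented)


# --- Variant 2: dynamically linked authentication code --------------------
# The code is an HMAC over the payee, amount and currency (plus a per-challenge
# nonce) under a key shared between the issuer and the cardholder's
# authenticator, so it is valid only for exactly that payee and that amount.

def linked_code(key: bytes, nonce: bytes, tx: Transaction, digits: int = 8) -> str:
    msg = b"|".join([
        nonce,
        tx.payee_iban.encode(),
        str(tx.amount_cents).encode(),
        tx.currency.encode(),
    ])
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    # Reduce the MAC to a human-typeable decimal code (simplified truncation).
    value = int.from_bytes(mac[:8], "big") % (10**digits)
    return f"{value:0{digits}d}"


def linked_verify(key: bytes, nonce: bytes, tx: Transaction, presented: str) -> bool:
    # The issuer recomputes the code over the transaction it is about to
    # execute; if payee or amount were altered in transit, the codes differ.
    return hmac.compare_digest(linked_code(key, nonce, tx), presented)


def demo() -> tuple[bool, bool, bool]:
    """Return (plain OTP accepts tampered tx, linked code accepts original tx,
    linked code accepts tampered tx)."""
    otp = plain_otp_issue()
    plain_accepts_tampered = plain_otp_verify(otp, otp, TAMPERED_TX)

    # The cardholder's device computed the code over the transaction it showed
    # the buyer; a man in the middle then swaps payee and amount.
    code_from_cardholder = linked_code(SAMPLE_KEY, SAMPLE_NONCE, APPROVED_TX)
    linked_accepts_original = linked_verify(SAMPLE_KEY, SAMPLE_NONCE, APPROVED_TX, code_from_cardholder)
    linked_accepts_tampered = linked_verify(SAMPLE_KEY, SAMPLE_NONCE, TAMPERED_TX, code_from_cardholder)
    return plain_accepts_tampered, linked_accepts_original, linked_accepts_tampered


if __name__ == "__main__":
    plain, linked_ok, linked_tampered = demo()
    print(f"plain OTP accepts tampered transaction: {plain}")
    print(f"linked code accepts original transaction: {linked_ok}")
    print(f"linked code accepts tampered transaction: {linked_tampered}")
```

The point of the comparison is the third result: because the linked code is a function of the amount and payee, the issuer detects the substitution when it recomputes the code over the transaction it is about to execute, whereas the plain OTP is equally valid for the original and the tampered transaction.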
When 3D Secure 1 was introduced, its initial adoption did not bring the expected growth in eCommerce and online payments; instead, it increased the transaction abandonment rate. Anywhere from 30% to 50% of transactions (depending on the country) were abandoned because of 3D Secure 1. Later analysis showed that card enrolment, a prerequisite for using 3D Secure-enabled cards, caused too much friction for buyers. In addition, the pop-up windows that were part of the 3D Secure authentication process were associated by buyers with ''man in the middle'' attacks and prompted them to terminate the purchase. Hence the surge in the cart abandonment rate. The newer 3D Secure 2 protocol takes these lessons from the previous version into account and emphasizes a smooth user experience (UX) alongside a fast and frictionless flow.