Part 1 of this series covered using risk-based authentication for account holders while Part 2 dove into behavioral analytics to reduce fraud chargebacks. In this post we will look at the strategic use of 3D Secure.
3D Secure is a protocol developed by Visa, MasterCard and Europay and designed to reduce fraud in the online channel. The protocol requires a cardholder to enter a PIN when checking out at an online retailer that participates in 3D Secure using a credit card whose issuer participates in 3D Secure. The benefits are clear – cybercriminals won’t have the PIN and fraudulent transactions will be denied. Furthermore, merchants are not liable for fraudulent transactions that have been routed through 3D Secure.
This liability shift would make participation seem like a no-brainer for any online merchant. However traditional 3D Secure impacts customer experience by forcing the use of a PIN for each and every transaction, which increases the possibility that the shopping cart is abandoned prior to completion of the transaction. Although merchants welcome the liability shift to issuers that 3D Secure offers, for some losses due to cart abandonment could eclipse losses from fraud.
Fortunately traditional 3D Secure has been improved upon and a risk-based approach is now generally accepted. With a risk-based 3D Secure solution, consumers are only asked to authenticate with a PIN or other data when the transaction poses some level of risk (e.g., the card holder is attempting to use the card from a geo location halfway around the world, the device is unrecognized). Although merchants are still somewhat at the mercy of the choices being made by the card issuer, there is a pretty good chance that a risk-based 3D Secure solution is in place, especially given that both MasterCard and Visa have embraced it.
This is where merchants can get strategic. Participation in 3D Secure need not be an all or nothing proposition – merchants can implement controls that route only transactions that meet certain criteria through 3DS. Note that if a merchant routes a transaction through 3D Secure and if the cardholder is not enrolled, the merchant is still generally afforded liability protection. The same holds true if the card issuer is not a 3D Secure participant. (Please note that these policies are implemented based on calls and responses related to cardholder and issuer participation – please ensure that you have a clear understanding of these different combinations before you start selectively routing transactions.)
So for example, if a merchant is aware that a particular issuer uses risk-based 3D Secure (or doesn’t participate at all, which depending on your mindset could have ethical implications), they can route those transactions for authentication. This way they are assured that the great majority of customers will proceed through the checkout process without being asked for additional information and risking cart abandonment. Then the merchant can selectively route remaining transactions through 3D Secure based on risk tolerance (e.g., only transactions above a certain dollar amount or initiated by a customer whose geo location doesn’t match billing zip) should be challenged.
In this way merchants can reap the benefits of 3D Secure to reduce fraud chargebacks without potentially compromising customer experience and increasing cart abandonment.
Interested in learning more about how a risk-based approach can reduce fraud chargebacks? Please join us at online 11 am EST on August 25 for an educational webinar. Register here.
Learn more about RSA’s risk-based 3D Secure solution, Adaptive Authentication for eCommerce Card issuers can also learn how much they can reduce their fraud losses by with our online calculator.
The post Securing eCommerce Transactions without Losing Customers Part 3 – 3D Secure appeared first on Speaking of Security - The RSA Blog and Podcast.