When booking planes, hotels or even buying clothes, many people pay online with their credit cards. Since this involves trans­fer­ring sensitive in­form­a­tion, special pre­cau­tions must be taken to ensure customer safety. In the course of the PSD2 (Payment Services Directive), the EU has now made even stronger demands on payment systems on the internet - and credit card companies have reacted ac­cord­ingly. With the new version of the 3D Secure process, VISA and Mas­ter­card comply with EU reg­u­la­tions and improve customer pro­tec­tion worldwide.

What is 3D Secure?

In 2000, VISA developed a procedure that made using credit cards on the internet safer. The company itself uses the tech­no­logy, under the name “Verified by VISA”. At the same time, other credit card providers have also im­ple­men­ted the security mechanism. For example, 3D Secure is known as “Se­cure­Code” (now “Identity Check”) for Mas­ter­Card, “SafeKey” for American Express and “J/Secure” for JCB.

Pre­vi­ously, paying via credit card on the internet was very simple: you entered your credit card in­form­a­tion, and confirmed pos­ses­sion of the card with the Card Val­id­a­tion Code (CVC), which can be found on the back. However, this method was not par­tic­u­larly secure.

As e-commerce continues to develop and more and more people use online payment methods, the interest in online fraud is also in­creas­ing. Phishing and social en­gin­eer­ing are common ways in which criminals access data. 3D Secure was developed in order to prevent this.

In addition to the in­form­a­tion contained on the card, 3D Secure’s au­then­tic­a­tion procedure requires ad­di­tion­al in­form­a­tion, such as a password, that only the card­hold­er knows. This is known as two-factor-au­then­tic­a­tion: two different steps are required to complete a card trans­ac­tion.

Using static passwords is a security risk: if a third party acquires this in­form­a­tion, security is com­prom­ised. Dynamic methods that adapt to each process are therefore better suited. For example, a text message with a secure code, generated according to cryptic pro­ced­ures, that can only be used for one par­tic­u­lar payment.

Both customers and online retailers were dis­sat­is­fied with the first version of 3D Secure. The website for entering the ad­di­tion­al security factor was poorly designed, and the ap­plic­a­tion and use of the required password were unclear. Fur­ther­more, the process could not be easily in­teg­rated into mobile apps. Customers were frus­trated and cancelled orders, which is never good for business.

The second version of 3D Secure - also known as 3DS2 - addresses these issues and enhances security. The new features also comply with the new EU Payment Services Dir­ect­ives. In addition, the credit card companies are re­spond­ing to technical de­vel­op­ments with the new version. Today, modern devices (e.g. smart­phones) use au­then­tic­a­tion methods with biometric data: by fin­ger­print or by analysing facial features.

3D Secure 2.0 is designed so that online merchants can integrate the procedure into the payment process, resulting in a more pleasant shopping ex­per­i­ence for the customer. In addition, it should be an in­tel­li­gent system. The au­then­tic­a­tion method therefore adapts to the risk, which means that lower security re­quire­ments apply to small amounts than to large amounts. In addition, 3DS2 can also be used for mobile payments and works with bank apps.

Image: 3D Secure Process Flow including new 3D Secure authentication
3D Secure uses modern au­then­tic­a­tion tech­niques to connect consumers, merchants and banks

Pros and cons of 3D Secure in Mas­ter­card and VISA

The 3D Secure process has ad­vant­ages for both retailers and consumers, but also dis­ad­vant­ages.

Pros Cons
More security for customers More effort for customers
Credit card providers bear the costs of fraud despite 3D Secure (liability reversal) Lower con­ver­sion rates
Procedure is free of charge for all 100% security cannot be guar­an­teed

What should customers be prepared for?

For customers, the 3D Secure process should make it easier and better to pay online. Rather than trying the outdated process or abandon­ing the security check al­to­geth­er, they can now benefit from a secure and modern process. Customers should be aware of this:

  • Re­gis­tra­tion: In order to use 3D Secure with your credit card, you have to register with your bank. The bank that issued the credit card is re­spons­ible.
     
  • In­stall­a­tion: It can be assumed that banks will in future use apps to send the 3D Secure code or request biometric data.
     
  • At the ready: When paying, both the credit card and the smart­phone must be available.
Note

Even with 3D Secure, users should pay attention on the internet when paying with their credit card. The data may only be entered if you are sure that you are on the correct website. A valid SSL cer­ti­fic­ate is an in­dic­a­tion that you can trust the site.

Im­plic­a­tions for e-commerce

The EU’s PSD2 stip­u­lates that from 14th September 2019 online payments must meet special security standards. 3D Secure payments meet the new re­quire­ments. In order to be able to use the new procedure, online merchants must contact their payment service provider (PSP). The PSP should offer a technical solution that merchants then only have to implement in their online shop.

  • Contact PSP: First, online merchants must contact their payment service providers. Many vendors have already posted merchant in­form­a­tion on their websites.
     
  • Implement 3DS2: Since the new 3D Secure process no longer takes place on another website but directly in the shop, the tech­no­logy must be in­teg­rated into the online shop.

It is advisable for merchants to offer 3D Secure in their online shop. The new system is much more customer-friendly, takes place entirely on the merchant’s website, and increases consumer con­fid­ence in e-commerce. This in turn leads to more con­ver­sions and therefore more sales.

Go to Main Menu