Protecting Online Card Payments: Explore PSD2 and 3D Secure
In March 2022, new regulations aimed at combating fraud and protecting online card payments were implemented under the new Europe-wide Payment Services Directive (PSD2), leading to the introduction of Strong Customer Authentication (SCA).
Considered the most significant change in consumer payments since the rollout of Chip & PIN over 16 years ago, these rules have brought about an additional step in the online payment process for merchants or providers of online payment experiences. Barclaycard Payments described the development as a significant milestone.
As part of the Strong Customer Authentication (SCA), all e-commerce transactions in EMEA must apply multi-factor authentication (MFA) to enhance the security of digital payments and ensure a safer payment experience for consumers. One of these MFA methods could be 3D Secure (3DS).
3D Secure (3DS) is not the only protocol under PSD2 Strong Customer Authentication (SCA) but is one of the most common protocols for SCA compliance; PSD2 also allows for other authentication methods. The critical requirement is that the authentication method must meet the SCA standards defined by PSD2.
Under PSD2, SCA requires the use of at least two out of three authentication factors, which are categorised as follows:
- Knowledge: Something the customer knows (e.g., password, PIN).
- Possession: Something the customer possesses (e.g., mobile device, token).
- Inherence: Something inherent to the customer (e.g., fingerprint, facial recognition).
The specific authentication protocols or methods used can vary based on the payment service provider and the technology they implement.
We recently ran a LinkedIn poll to ask people about their 3DS knowledge, and 67% said they were unsure about 3DS. Below we dive deeper into 3D Secure with a Q&A to better understand this SCA protocol.
What is 3D Secure (3DS)?
3DS, or 3D Secure, is a security protocol that is used to help protect online credit and debit card transactions against fraud. This includes e-commerce transactions, online bill payments, and other types of digital payments where the cardholder is not present in person to verify their identity.
Why was 3DS introduced for digital payments?
The 3DS protocol adds an extra layer of security by requiring cardholders to verify their identity through a one-time passcode or biometric identification, such as a fingerprint or facial recognition before the transaction is approved. This helps to ensure that only the authorised cardholder can make the transaction, reducing the risk of fraudulent activity.
Is 3DS a mandatory requirement for all online payments?
3DS (3D Secure) is not mandatory for all online payments by SCA. 3D Secure is becoming increasingly common for merchants to fulfill QA assessments or meet their card network criteria. Some card networks like Visa, Mastercard, and American Express require merchants to implement 3DS, especially for transactions that meet specific criteria. The requirements include but are not limited to transactions in certain countries, transactions above certain amounts, transactions considered high-risk, etc.
Are there any sectors or specific payments where 3DS should always be considered?
3DS is especially important for certain high-value transactions, such as those in the travel and entertainment sectors, where a large amount of money is involved. These transactions are typically considered higher risk and require more stringent security measures to protect against fraud.
It is also commonly used for sectors like gaming, digital goods, Forex, and binary options and generally for high-risk card network transactions.
Is 3DS mandatory for PCI DSS compliance?
3DS (3-D Secure) is not mandatory to comply with Payment Card Industry Data Security Standards (PCI DSS). PCI DSS is a set of security standards created by major card networks to help merchants protect cardholder data and prevent fraud.
But compliance with PCI DSS is mandatory for merchants who accept card payments.
However, PCI DSS requires merchants to implement security controls to protect cardholder data and prevent fraud, and 3DS can be considered a security control that can help merchants in protecting online card payments.
Implementing 3DS is one way to mitigate the risk of fraud and comply with certain PCI DSS requirements. However, merchants should evaluate their risk appetite and use multiple layers of security to protect their transactions from fraud.
3 Benefits of Implementing 3DS
- Reduces fraud: 3DS can help to reduce fraud by making it more difficult for criminals to make unauthorised payments because the customer must provide additional information to complete the payment – such as a one-time code sent to their phone.
- Improves security: 3DS can also help to enhance payment security by making it more difficult for criminals to steal customer data. This is because the one-time code is only valid for a short period and is not stored on a merchant’s website.
- Meets regulatory requirements: Some payment processors may require merchants to use 3DS to comply with certain regulatory requirements – specifically PAN.
factors to consider
There are several factors to consider, such as the level of fraud risk that the business faces, the customer experience that the business wants to provide, and the cost of implementing and maintaining 3DS.
- Can be inconvenient for customers: 3DS can add an extra step to the payment process, which can be frustrating for some customers. This is especially true if they are already familiar with the traditional payment process.
- Can lead to abandoned carts: If customers find the 3DS process too inconvenient, they may abandon their carts and not complete the purchase.
- Can be expensive to implement and maintain: 3DS can be expensive to implement for smaller merchants who may need in-house development teams and costly to maintain as regulations change or evolve.
While these cons are true for some, merchants can be overcome by implementing a robust and optimised payment checkout like PCI Pal. Outsourcing eliminates the need for merchants to build and maintain complex payment infrastructure in-house. It can free up significant resources and reduce system development, maintenance, and regulatory compliance costs. And our dedicated teams manage system updates and security upgrades and ensure compliance with the latest standards, allowing you to focus on your core business and strategic growth initiatives.
In an increasingly digital and security-conscious marketplace, partnering with a payment provider like PCI Pal that can offer 3DS integration is a strategic decision that provides cost savings, operational efficiency, and enhanced customer satisfaction.
How 3DS Affects checkout sales
Some merchants have reported seeing an increase in authorisations, resulting in more sales once using 3DSecure. However, an earlier version of the protocol (3DS 1.0) often required customers to enroll and set a static password for authentication, which led to increased cart abandonment rates due to the additional step. This negatively affected merchants, contributing to a lower adoption rate and increasing the risk of fraudulent transactions.
To address this, the newer version, 3D Secure 2.0, was developed to improve the customer experience and security, reduce cart abandonment and shopping time, and enhance the chance of sales conversions.
It has been reported that 3DS 2.0 reduced checkout times by 85% and cart abandonment by 70%, resulting in more opportunities for sales conversions.
However, merchants’ experiences with 3D Secure can vary depending on multiple factors, including market size, the country’s payment methods, and infrastructure. This means that the adoption and success of 3D Secure can vary and it could be a factor behind different acceptance rates of 3D Secure payments.
alternative payment methods
Yes – Some merchants may choose not to use 3DS or other fraud prevention and detection forms. It depends on your risk appetite or needs to comply with a card network’s rules.
Merchants can also use alternative payment methods that don’t require card authentication, such as Pay by Bank, offered by PCI Pal. This account-to-account payment method is built using open banking infrastructure, which is inherently more secure and reduces your PSP processing costs. Below are three reasons to offer open banking for higher-risk payments.
- Increased security: Open banking payments use a different approach to security, considered more secure than 3DS (3-D Secure) for card payments. Instead of relying on a one-time passcode or biometric identification, open banking payments use a combination of strong customer authentication (SCA) methods, such as biometrics, one-time passcodes, and device binding to verify the customer’s identity.
- Greater flexibility: Open banking payments allow customers to connect their bank accounts to a merchant’s platform and make payments directly from their account. This gives customers greater flexibility in making payments, as they are not limited to using a credit or debit card.
- Better user experience: Open banking payments can provide a better user experience than 3DS because they don’t require customers to go through an additional step during checkout. The process of sending payment is streamlined, making it faster and more convenient for customers.
Protecting online card payments
We’re at the forefront of emerging 3DS payment technology. Implementing 3DS into your digital payment flow can be a complex task, potentially increasing the timeline and cost of your project. However, at PCI Pal, we are actively streamlining this process. As we continue to handle 3DS implementations in compliance with card network requirements, our speed and proficiency only increase.
Our team is gaining valuable experience and insights with each implementation, ensuring we deliver effective and efficient solutions. We understand you may have questions about integrating 3DS into your payment flow. That’s why our pre-sales and web integration specialists are available to assist in protecting your online card payments. Choose us for our growing expertise, commitment to compliance, and unparalleled customer service in handling your 3DS payment implementations.
It’s important to note that 3DS is one of many solutions available to merchants to prevent fraud. Merchants should evaluate their risk appetite and compliance needs and use multiple layers of security to protect their transactions.