eCommerce popularity has increased constantly over the last ten years. In the past few years, mCommerce growth has been more than 10% in transactions and volume every year. Both mobile and internet shopping are recognized as convenient purchasing methods for cardholders and merchants, considering a wide offer in all market segments, 24/7 availability, delivery tracking, and convenient online card payment. An increase in the number of online transactions also brought a rise in fraudulent use of payment cards. It is estimated that nearly 80% of all e-commerce and m-commerce chargebacks are fraud.
3D Secure is a protocol designed for increased security during online payments using credit and debit cards (the so-called Card-Not-Present transactions). The main purpose of 3D Secure is to authenticate the cardholder during online payment on the internet or mobile purchasing. To make a parallel with in-store payment (the so-called Card-Present transactions), the cardholder is authenticated either with signature or PIN, which are not applicable during online payment.
The concept of 3D Secure is based on the "Three-Domain" model, including all participants involved in the financial transaction. All three domains participate in the authentication process, and compliance in all three domains results in a 100% secure transaction. Non-compliance under any of the domains shifts liability towards the weaker party. 3D Secure domains:
- Acquirer domain - 3D Secure transactions are initiated from the acquirer domain
- Interoperability domain - 3D Secure transactions are switched between the Acquirer domain and Issuer domain
- Issuer domain - 3D Secure transactions are authenticated in the Issuer domain
The 3D Secure component most relevant for Issuers is the Access Control Server (ACS). In addition to ACS, and depending on the chosen authentication method, the Issuer should have an authentication solution implemented and integrated with ACS. Upon implementation at the Issuer side, the solution needs to be certified by card schemes.
The 3D Secure component most relevant for Acquirers is the Merchant Plug-In (MPI). This plug-in enables integration with the merchant's website. In 3D Secure 2.0, the 3DS Server is introduced instead of the MPI, together with a segment containing additional SDK components necessary for mobile purchase applications.
The 3D Secure 2 specifications by EMVCo, as well as the card scheme 3D Secure 2 programs (MC Identity Check, Verified By Visa, etc.), are aligned with PSD2 requirements, i.e., when deploying 3D Secure 2, Issuers/Acquirers are aligned with PSD2 for Card-Not-Present online payments. Note that this covers only Card-Not-Present online payments, not account-to-account payments and other PSD2 relevant scopes.
Instead of purchasing ACS products to be implemented on bank premises, Issuing banks can use third-party service providers to outsource the 3D Secure process. Card schemes have been certifying and approving service providers who can provide this service to the Issuing bank.
ASEE has been certified as a MasterCard and VerifiedByVisa ACS service provider. By using this service, Issuing institutions minimize time to market, reduce investment and operational costs for 3D Secure compliance, and at the same time, provide their customers with ultimate fraud protection during online payment.
3D Secure 2.0 contains two authentication flows, namely: Frictionless flow and Challenge flow. Frictionless flow enables cardholders to complete online payments without any manual input to authenticate the transaction. This is possible because of Risk-Based Authentication, a mechanism that assesses the risk level of a particular transaction based on historical data, including transaction history and provided cardholder information. If a transaction is deemed low risk, frictionless flow is applied. This eliminates the need for additional authentication steps from the cardholder.
Challenge flow is applied in cases where the Issuer's ACS deems a transaction risky. In such cases, the cardholders are required to verify their identity using an appropriate authentication method (e.g., OTP, fingerprint, face recognition).
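The two flows as seen from the 3DS Server side, as an added example that is not ASEE or Trides code: a handler that routes the ACS's authentication response (ARes) and fails closed on anything unexpected. The field names and `transStatus` values follow the EMVCo 3D Secure 2.1 message format rather than this page; `route_ares`, `Decision` and the sample messages are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Decision:
    flow: str            # "frictionless", "challenge" or "none"
    authenticated: bool  # True only for a fully authenticated cardholder
    next_step: str

def route_ares(ares: dict) -> Decision:
    """Map an ARes message to the next step; unknown input is never trusted."""
    if ares.get("messageType") != "ARes":
        return Decision("none", False, "reject: unexpected message type")
    status = ares.get("transStatus")
    if status in ("Y", "A"):
        # Y = authenticated, A = attempt processed; both must carry the
        # cryptographic authenticationValue that goes into authorization.
        if not ares.get("authenticationValue"):
            return Decision("none", False, "reject: missing authenticationValue")
        return Decision("frictionless", status == "Y",
                        "authorize with authenticationValue and eci")
    if status == "C":
        # The ACS judged the transaction risky: the cardholder must be
        # challenged. Nothing is authenticated until the challenge completes.
        if not (ares.get("acsURL") or ares.get("acsSignedContent")):
            return Decision("none", False, "reject: challenge without ACS endpoint")
        return Decision("challenge", False, "start challenge with the ACS")
    if status == "R":
        return Decision("none", False, "do not authorize: issuer rejected")
    if status in ("N", "U"):
        return Decision("none", False, "not authenticated: apply merchant policy")
    return Decision("none", False, "reject: unknown transStatus")

# Constructed sample messages (values are placeholders, not real data).
SAMPLES = {
    "low_risk": {"messageType": "ARes", "transStatus": "Y",
                 "authenticationValue": "PLACEHOLDER_AV", "eci": "05"},
    "risky": {"messageType": "ARes", "transStatus": "C",
              "acsURL": "https://acs.example.test/challenge"},
    "stripped": {"messageType": "ARes", "transStatus": "Y"},
    "rejected": {"messageType": "ARes", "transStatus": "R"},
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, route_ares(msg))
```

The `stripped` sample shows why the status code alone is not enough: a "Y" without its authentication value is treated as unauthenticated.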
Trides ACS enables Issuers to provide 3D Secure processing with MasterCard, VISA, Amex, JCB, and Mir cards with two-factor strong authentication in compliance with the existing 3D Secure v1.0.2, as well as the new 3D Secure v2.1 protocol.
Trides MPI v1.0.2 and Trides 3DS Server v2.1.0 with Android and iOS SDK are solutions that enable Acquirers and Merchants to integrate web and mobile purchase applications with multiple interoperability domains and initiate online payments within the 3D Secure scheme. ASEE also offers 3DS Mobile SDK implementation.
With the 3D Secure mobile SDK, merchants are able to build all 3D Secure screens into their mobile purchase application to provide a faster and smoother checkout experience. Without it, the cardholders need to switch to the web browser during 3D Secure authentication, inarguably disturbing the checkout process.
If you have any additional questions regarding our 3D Secure solutions or hosting services, or need advice or support related to 3D Secure online fraud protection for your customers, don't hesitate to contact your ASEE Key Account Manager or Sales Representative, or send an email to trides@asseco-see.hr.