One would think that any security measures which combat online fraud and give both merchants and consumer additional protection would be welcomed. So why is there even a debate about merchants opting for the use of 3D Secure technology? Like all things, there are pros and cons and even with a system which ultimately promises enormous benefits, the “cons” can sometimes be seen to outweigh the “pros”.
3D Secure is a protocol designed as an additional security layer for online credit and debit card payments. It was first deployed by Visa with the intention of improving the security of Internet payments and is offered to customers under the name “Verified by Visa”. Other credit card companies have also adopted the protocol: MasterCard has “MasterCard SecureCode”; JCB International has “J/Secure” and American Express has “American Express SafeKey” in select markets.
The basic concept is to tie the payment authorization process to an additional online authentication step based on a three-domain model – hence “3D”:
- The Acquirer Domain – the merchant and bank to which money is being paid
- The Issuer Domain – the bank that issued the card being used
- The Interoperability Domain – the infrastructure provided by the card scheme, credit, debit, prepaid or other type of finance card. This includes the Internet, MPI, ACS and other software providers.
A transaction using “Verified by Visa” or “MasterCard SecureCode” will initiate a redirection to the website of the bank issuing the card to authorize the transaction. This is typically password-based, meaning buying on the Internet requires using a password tied to the card.
The intention of the system is to ensure that cardholders have a decreased risk of other people being able to use their payment cards fraudulently on the Internet. The customer is prompted for a password known only to the bank and the customer. Since the merchant does not know this password and does not capture it, the issuing bank is assured that the purchaser is indeed their cardholder. This helps decrease risk in two ways:
- Copying card details will not enable purchasing over the Internet because the additional password is not stored nor written on the card.
- Since the merchant does not capture the password, there is a reduced risk of security incidents at online merchants; while hackers may obtain other card details, there is no way for them to get the associated password.
The main advantage for merchants is the reduction of "unauthorized transaction" chargebacks. But perhaps the biggest disadvantage for merchants is that many cardholders are understandably unwilling to make the extra effort. Customers simply loose interest or cannot be bothered with the additional steps that need to be taken, even if they are ultimately to their own benefit. Each additional step at the checkout results in a substantial increase in transaction abandonment and lost revenue. Research has shown that 3D merchant accounts can experience up to 30% loss of sales.
To put the entire debate in context, check the following pros and cons, and then decide whether this is a good option for your business.
Liability shift – Normally, the merchant is at risk of losing out when a transaction is disputed by a cardholder. With 3D Secure, the liability shifts from the merchant to the issuing bank, which verifies the password and transaction. This single point usually makes an implementation of 3D Secure worthwhile for businesses.
Chargeback protection – 3D Secure ensures no chargebacks on merchant accounts. This can help prevent "friendly fraud" when a cardholder makes a purchase and files a chargeback, thinking the bank will side with them.
Interchange benefits – These include lower discount rates, and in some cases longer payment terms with the acquiring bank.
Increased online shopping – Many customers may hold back from online shopping due to fear of online fraud. 3D Secure technology can actually increase online shopping as consumers will be more willing to purchase through a site that gives them more confidence and security.
Some customers don't like it. They just don’t have the patience required to go through the additional steps of contacting their bank to get a password and then actually use it. They find the process annoying and complex. They lose interest, and then abandon the site.
Customers don't understand it. In markets where it's not mandated, cardholders are not always sure what to do. When they see an extra step in the checkout process some will just give up and seek out a web shop that doesn't use it.
Merchants have to weigh up the benefits against the very real security risks and make a decision to use 3D Secure technology or not. In some countries, due to a higher risk business type, this decision may be made for them as the bank may impose a mandatory use of 3D Secure.
Since February, 2014, it has been mandatory for ecommerce sites to implement 3D Secure in South Africa, but in the rest of the continent, it is still not commonplace. As many consumers throughout Sub-Saharan Africa do not have bank accounts or credit cards, it is not relevant for merchants targeting this region to integrate 3D Secure into their payment system.
If the merchant has a major problem with fraud, then 3D Secure is definitely a good option for preventing chargebacks. For everyone else, however, a regular high-risk merchant account may be seen to be the better choice. Ultimately, it is up to the merchant to weigh the pros and cons, and consider the target market to make the best decision for the business.