Ravelin and the changing payments landscape

Ravelin’s mission is to secure the future of e-commerce by helping merchants and payments providers stay ahead in the battle against fraudsters. Alongside fraud detection there are a number of imminent industry initiatives which warrant careful consideration.

In this short series of guides we will distill the most salient pieces of information for anyone in the industry to build a comprehensive payments and fraud strategy in this new landscape.


What is 3D Secure?

3D Secure (3DS) is a way for Issuing Banks to authenticate consumers who use their cards to pay online.

Online payments which have been authenticated do not carry a risk of fraud for Merchants.

What does 3D Secure mean?

3D Secure is a protocol for secure data exchange between 3 "Domains":

Issuer domain

  • Issuing banks ("Issuers") hold bank accounts for or issue credit to consumers, and issue payment cards.
  • It is the Issuer who Authenticates the consumer in 3D Secure.

Acquirer domain

  • Acquiring Banks ("Acquirers") act on behalf of merchants to 'Acquire' or accept payments from consumers' Issuing banks.

Interoperability domain

Everything else:

  • The APIs etc. provided by the card scheme (e.g. Visa) to support the protocol
  • The Internet
  • The "merchant plug-in"
  • More generally "the merchant"; their apps and websites

Why is 3D Secure used?

Online ‘Card Not Present’ (CNP) transactions are less secure than ‘Card Present’ transactions in the real world because (in most countries) when you pay in-store with a plastic credit card the transaction is ‘secured’ by a PIN code verified by the chip on the card, or by providing a Signature (which is useless). This is Authentication.

On the Internet, nobody knows you’re a dog. Because of this, when a credit card is presented for use online, the Issuer isn’t really sure if it’s the true cardholder behind the screen or a crafty canine looking for his next Pedigree Chum fix.

3D Secure is basically the online equivalent of Chip and Pin - a mechanism for the cardholder to prove their identity to their Issuer by providing a secret known only to the cardholder and the issuer.


Issuer Liability

When a payment is considered ‘Secure’ it essentially means “The Issuer believes that it’s really the cardholder trying to pay”.

In Secure Payments, the Issuer will be more likely to let the payment happen successfully, and if it turns out they were wrong then it’s the Issuing Bank who loses money because of Fraud.

In Insecure Payments, the Issuer is less likely to let the payment happen successfully, and if it turns out they were wrong then it’s the Acquiring Bank (and thus the merchant) who loses money because of Fraud.


Authentication vs Authorisation/Authorization

It’s a pity these two words are so similar; it would be very useful to have an easy shortening.

Authentication

“Please log in to BigBank.” Verify your identity, typically using a secret (e.g. a password) known only to the two parties.

Authorisation/Authorization

“Actor X may perform the requested action.” In payments, this typically means the cardholder has enough money in their account and the card hasn’t been lost or stolen.


Problems with 3D Secure 1

3D Secure is an utter disaster for consumers for a few reasons:

  1. The User Interface is awful
    1. Because 3D Secure was conceived and first developed in the dark ages of the early 2000s, way before Responsive Design or Smartphones, the User Interface is not very good. It isn’t mobile-optimised and it’s janky.
  2. It feels really dodgy
    1. Consumers are pretty good at spotting dodgy websites: ones that pop up from background pages, ask for payment details, and look very different from the website you were on. Unfortunately that’s exactly what 3D Secure does, and it doesn’t inspire confidence in consumers, who will just walk away.
  3. Cannot Authenticate
    1. Consumers often forget their passwords, don’t receive an SMS because of poor signal or deliverability delays, or aren’t enrolled in the program (which means they haven’t yet set up their password).

The net result of this is that 3D Secure is very poor for conversion. That means that the chance of a consumer giving up on purchasing when a website or app uses 3D Secure can be significant depending on which country and channel you’re using.


Between Scylla and Charybdis

Merchants are therefore faced with one of two unpleasant choices:

  • Do I use 3D Secure for my payments to make sure I have no fraud but accept that many of my customers will give up and walk away from their order?
  • Do I use insecure payments to maximise conversion but open myself up to Fraud on those payments?

Most right-thinking merchants have opted for the latter because, even in extremis, fraud exposure and the total cost of fraud (including the fees and penalties that come with it) will net out at much less than the conversion impact of 3D Secure.


Contemporary use of 3D Secure

Thankfully it’s not really an either/or decision; merchants can decide for themselves which transactions they’d like to authenticate before seeking an authorisation.

So - merchants really need only send the riskiest transactions to 3D Secure. This technique is usually known as “Dynamic 3D Secure”.

When combined with a higher level decision about if the merchant wants to seek an authorisation at all (eg because it’s a known fraudster trying to use the card), this becomes an optimisation exercise to maximise payment acceptance whilst minimising fraud exposure.

Given the complexity of the possible inputs and end states, statistical approaches to this optimisation problem are proven to deliver compelling results.


Improvements to 3D Secure

Risk-Based Authentication

Some Issuers, particularly in the UK, have recently been using “Risk-Based Authentication” to improve the cardholder experience online.

This tends to work by tracking the cardholder’s device and, if the Issuer recognises that they’ve seen this device before, the explicit Authentication step is skipped and the payment process proceeds.

Issues:

Does not consistently work for payments in mobile apps due to the challenge of native device identification on iOS and Android.

Second Factor Authentication

Some Issuers have recently started sending “One Time Passwords” (OTPs) to cardholders over SMS using the phone number registered to their account. This OTP is then entered into the 3D Secure Authentication page rather than typing a password.

Issues:

Deliverability and poor signal can result in these OTPs either never being received or being received 15 minutes later when the consumer has lost interest and walked away from the purchase.

Out of Band Authentication

Challenger Banks such as Monzo and Starling care a lot about User Experience and account security - plus they have excellent apps.

Instead of buying a 3rd party 3D Secure “Access Control Server” like most Issuers, challenger banks have tended to implement their own using ‘Out of Band’ or ‘Push’ Authentication, where the user is prompted to open their app and approve the payment using their thumbprint.

Issues:

Abandonment still possible when cardholders do not have their mobile device to hand when paying online (eg it has run out of battery or has no signal).

Issuer Aware Dynamic 3D Secure

By measuring the rates of drop-off and pass-through, merchants can further turbocharge their acceptance optimisation logic. For example, if a particular Issuing Bank is known to pass through Authentication attempts on more transactions than other issuers typically do, the merchant might choose to enable 3D Secure for more of this issuer’s transactions than the normal baseline.

Conversely, if a particular Issuing Bank is known not to support 3D Secure at all, the merchant should choose to send only low-risk transactions for Authorisation and otherwise decline the transaction.

Issues:

Requires data gathering infrastructure to automatically measure conversion and pass-through rates per issuer, and the technology to use these in the decision making process for if/when to enable 3D Secure on a given payment.
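As an added illustration (not Ravelin’s code), here is a toy version of the Dynamic 3D Secure and issuer-aware logic described above: per-issuer pass-through rates are measured from a constructed sample of 3DS outcomes, then combined with a fraud score to choose between declining, authorising directly, or challenging with 3D Secure. The thresholds and the `IssuerProfile` shape are assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of 3DS attempt outcomes, keyed by issuer (not real data).
# "passed" = authenticated, "failed" = could not authenticate, "abandoned" = dropped off.
SAMPLE_3DS_EVENTS = [
    ("bank_a", "passed"), ("bank_a", "passed"), ("bank_a", "passed"), ("bank_a", "abandoned"),
    ("bank_b", "passed"), ("bank_b", "abandoned"), ("bank_b", "abandoned"), ("bank_b", "failed"),
]


def pass_through_rates(events):
    """Share of 3DS attempts per issuer that came back authenticated."""
    totals, passed = defaultdict(int), defaultdict(int)
    for issuer, outcome in events:
        totals[issuer] += 1
        if outcome == "passed":
            passed[issuer] += 1
    return {issuer: passed[issuer] / totals[issuer] for issuer in totals}


@dataclass
class IssuerProfile:
    supports_3ds: bool
    pass_through: float  # measured fraction of 3DS attempts that are authenticated


def decide(risk_score, issuer, known_fraudster=False,
           base_threshold=0.6, low_risk=0.2, good_pass=0.7):
    """Return "DECLINE", "AUTHORISE" (no 3DS) or "CHALLENGE" (3DS before authorisation).

    risk_score runs from 0.0 (safe) to 1.0 (certain fraud), as from a merchant fraud model.
    """
    if known_fraudster:
        return "DECLINE"  # don't seek an authorisation at all
    if not issuer.supports_3ds:
        # No liability shift available: only take low-risk payments unauthenticated.
        return "AUTHORISE" if risk_score < low_risk else "DECLINE"
    threshold = base_threshold
    if issuer.pass_through >= good_pass:
        threshold = base_threshold / 2  # issuer rarely loses the sale: widen the 3DS net
    return "CHALLENGE" if risk_score >= threshold else "AUTHORISE"


def profiles_from_events(events):
    """Build issuer profiles from measured rates; issuers absent from the data are treated as unsupported."""
    return {issuer: IssuerProfile(True, rate) for issuer, rate in pass_through_rates(events).items()}
```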


3D Secure Gotchas

  • Some countries, such as India, mandate the use of 3D Secure on all card not present transactions.
  • Chargebacks can still occur on 3D Secure transactions. Authenticated transactions do not fully guarantee a liability shift; it’s ultimately at the discretion of the acquiring and issuing banks.