In 2015, according to The Nelson Report, for every $100 in card sales volume, 6.97¢ was fraudulent, up from 6.21¢ per $100 in 2014. So no wonder that Visa and MasterCard + the other card schemes via EMVco* are developing new intelligent tools to distinguish between good and bad transactions, all while minimizing disruption to consumers at checkout, and overcome some of the concerns with the existing authentication procedures.

3-D Secure 1.0 Protocol concerns

The EMV Specifications are based on contact chip, contactless chip, common payment application (CPA), card personalisation, and tokenisation. 3D Secure 1.0 was designed to secure the merchant, the card issuer and the financial transaction. It was later adopted by MasterCard, JCB International, and American Express into the own branded services. But there were and are concerns about the Version 1.0. NUDataSecurity web-site reports that:

• “many merchants snub the service, feeling that the loss in conversion rates too great a price for only slightly less fraud. Merchants also pay monthly and transaction fees and 3D Secure can’t be integrated into the website for a seamless experience
• 3D Secure requires users to create additional logins with tough to remember passwords in a suspicious pop-up window that savvy Internet surfers avoid out of safe browsing habits. Customers either begrudgingly setup new passwords or abandoned the purchase. 
• most countries show conversion rates on websites that use 3D Secure decreased by just under 10% to more than 50%, particularly high in the United States, China and Brazil
• security experts argue that the system is still vulnerable by being next to impossible for users to distinguish between a legitimate 3D Secure pop-up from a phishing scam, and attempts to address the issue have only worsened.”

3-D Secure 2.0 Protocol concerns

The new specification, referred to as 3-D Secure 2.0, includes updates and enhancements to address the need for a more seamless online payment experience for consumers, while accommodating new devices and ways to pay. According to Visa they are planning to move to activate 2.0 in Europe in April 2018. The program activation dates for other markets will be announced separately.

V2.0 sounds as if it will improve e-commerce authentication, BUT it all depends on how it will be implemented. The NUDataSecurity web-site points out that 1.0 will continue to run in parallel with 2.0. NU DataSecurity would also like to see the following items addressed:

1. “Invisible and tightly integrated – no pop-ups and no extra steps. Shopping card abandonment rates and lost conversions under 1.0 make this clear.
2. Intelligent use of rich card data – it should be used to assess actual risk, not be more information the user needs to manually validate at the time of transaction.
3. Focus on behavioral – measure the things that are really impossible to fake. Biometric is a good start, but behavioral-based authentication is better.”

———

*EMVCo is a six member organisation —American Express, Discover, JCB, MasterCard, UnionPay, and Visa—and is supported by dozens of banks, merchants, processors, vendors and other industry stakeholders who participate as EMVCo Associates

---

CTMfile take: Authentication at the point of sale needs to be as easy as possible whilst minimising fraud. The new 3-D Secure 2.0 Protocol will improve prevention, but it is clearly not the final solution. No fraud is a dream, merchants have to choose what level is acceptable, see.