Beating payments fraud in 2020
Updated April 2020
Poor security negatively impacts your business and customers, so keeping customers secure when they’re paying online is a must. With many new ways to pay and new regulations coming to light such as PSD2, it’s time to get to know customer authentication beyond the regulatory standards.
If you’ve shopped online in the last decade then chances are you’ve experienced 3DS1 It’s that moment you get sent to an often clunky page from your bank to confirm who you are. In completing this step, issuing banks, not the business you’re buying from, become liable to fraudulent chargebacks. It’s a consistent security step, but not great for your customers.
It’s this point of friction, combined with confusing web redirect experiences which made 3DS1 fail customers and businesses. Not only did 3DS1 lack native in-app and web flows, but it also introduced confusing and difficult-to-remember authentication prompts. This resulted in legitimate customers dropping out of the payment flow.
International businesses also faced many challenges with 3DS1. This is mainly due to the way payments are processed in different markets. Every region has different security requirements and legislation, and adoption of the 3DS1 protocol in general was inconsistent from bank to bank and country to country.
To handle these problems, we released tools like Dynamic 3D Secure to use 3D Secure where it made sense and avoid when it didn’t. This helped businesses use 3DS1 where it could be trusted. But it didn’t address the underlying issues of the protocol itself.
That’s enough about the problems though, let’s explore the opportunity now that the next generation of 3D Secure is here - version 2. Well to be precise - version 2.2.
3DS2 is a new standard introduced by EMVCo and the major credit card schemes. It brings a new approach to authentication through a wider range of data, biometric authentication and an improved online experience, especially for mobile. This new protocol addresses many of 1's issues, while bringing benefits across a wider set of use cases for businesses all over the world.
3DS2 is much more than a redirect. The combination of certified SDKs in the checkout flow, paired with data sharing APIs, means that 3DS2 can be used as a tool to share rich data between businesses and banks. Over 100 potential data points are shared with issuing banks, meaning that the information you and card issuers know about your mutual customers can be used to make better risk decisions. The more information you have to support authentication cases, the higher the chances of authorizations.
With 3DS2 it is possible to share data between banks and merchants silently in the background. Authorization rates can be increased with no perceivable change to the checkout flow by customers. Our Dynamic 3DS service helps businesses decide when to send additional data to banks, automatically targeting transactions that are likely to see an uplift if data is shared.
This is interesting for businesses that don’t need to use 3DS2 for fraud prevention. A business which has low fraud rates, but wants to achieve the authorization uplift benefits of 3DS2can implement data sharing. This is without changing the seamless checkout flow their customers currently enjoy.
In many cases device information is enough to authenticate without an extra step for the customer. However, some transactions that have higher risk or regulations such as PSD2 require active approval. Our 3D Secure SDKs help you build these flows and there are three primary types to consider:
Passive - The SDK and servers exchange all necessary information in the background. The customer sees nothing.
Two-Factor - The user is asked to provide a two-factor authentication code sent via email or SMS.
Biometric - An app-switch to an issuing-bank app is facilitated by the SDK. The user can use their fingerprint or face in the issuing bank app.
By offering more authentication flows, customers will be able to choose their authentication method of choice. And this means increasing security while reducing drop-off rates seen in older solutions that were based on static passwords. What's more, our 3DS2 SDK will help you easily build these authentication flows natively into your apps and websites.
The different authentication flows with 3DS2 offer more flexibility so banks can continue to innovate in the future, continuing to make authentication simple and more secure. This is good news for businesses who are more vulnerable to fraud, and who already use 3D Secure. It's also a plus for businesses operating in regions that are introducing authentication requirements, an example of this being PSD2 in Europe.
We’ll be the first to admit that the EU PSD2 SCA regulatory frameworks can be confusing, and global enterprise businesses will be looking for solutions to identify which transactions require authentication and which don’t. In 2019 it became even more complex with shifting timelines and delivery roadmap from different EU countires.
3D Secure 2 is the main way that businesses can prepare for PSD2. Most regions that already have authentication mandates are expected to adopt it, the question is more when.
Businesses will need tools to know where and when authentication is required, where it isn’t required but can increase authorization rates, or where it isn’t required and may harm performance if used.
That's where our 3D Secure solution can play a key role in managing PSD2 compliance on your behalf. We will take care of triggering the PSD2 and SCA exceptions automatically when applicable so you can focus on your core business. These compliance rules will work in tandem with other Dynamic 3DS rules targeting fraud-prevention and performance optimization to ensure that you are always using 3DS when it makes sense and avoiding it when it doesn’t. Below is the flow:
Integration with our 3DS2 authentication works with any partner that follows the 3DS2 specifications. This way, businesses can have their authentication solution in one place, while keeping the flexibility and freedom around which partners they choose.
Read on for the technical and implementation information of our 3DS2 solution.
When setting up 3DS2, there are two core components of the integration to consider: The front-end libraries and the 3D Secure server.
The job of the libraries is to securely collect and transmit device information, as well as to display authentication flows. As a result there is a strict certification process on these libraries with EMVCo and the Schemes, which Adyen takes care of. Libraries were not a component of 3DS1 so businesses migrating from 1 to 2 will need to introduce them into their frontend payment flows.
The biggest driver for business and issuing banks to implement 3DS2 is the upcoming enforcement of Strong customer authentication (SCA) requirements under PSD2. Many EU national regulators have indicated that they expect to be live by 31 December 2020. For us, we continue to build and release to the latest 3DS2 versions (currently at 2.2) so you get the best performance and innovations.
By submitting this form, you acknowledge that you have reviewed the terms of our Privacy Statement and consent to the use of data in accordance therewith.