3D Secure and PSD2 – The Age of Consumer Consent

3D Secure 1.0.2

When Visa developed 3DSecure 1.0.2 back in 1999, the online payments industry was still in its nascent phase. In hindsight, the tremendous foresight showed by the Visa technologist was very impressive. Here was a Global System of Identification which perfectly solved the problem of online fraud, allowing Merchants, Acquirers, Issuers and Cardholders to collaborate safely and reliably with phenomenal speed across time zones, different currencies and languages all the while preserving confidentiality and protecting data even before these concepts were on anyone’s minds.

It would not be until 2002 that other card schemes saw the benefit of being part of a single compatible system rather than promote competing systems. Thus was born MasterCard SecureCode, Verified by Visa and eventually Amex SafeKey, JCB J/Secure and Discovery Protect Buy to mention the main schemes. That 3DSecure protocol was flexible enough to allow this collaboration further testifies to the sheer brilliance of the engineers behind the protocol.

What now remained for the adoption of 3DS as a truly global system of identification was for Acquirers and Issuers to adopt the system. It would take many more years before enough banks adopted the system for 3DS to become effective.

3DS today is a well-established global program. It has been very successful particularly in Europe where Visa reports that 75% of Verified by Visa transactions take place. Visa defines Europe as 30 countries including all the 28 European Union block as well as Norway and Switzerland. The success of 3DS in Europe is no surprise; while Europe draws closers as an economic area, transactions within the block still remain essentially cross border. Europe is also a technically advanced region allowing for technology such as 3DS to be implemented quickly and reliably. Many other countries around the world, including Turkey, South and North African countries and Australia are all fully 3DS.

The early adoption of Chip and Pin, which has been hugely successful in suppressing fraud in these countries, has also eased the adoption of 3DS.

3D Secure 2.0

1999 was a very different world. Mobile phones were still essentially devices for making phone calls with very limited data capabilities. It was not until January 2007 that Steve Jobs would usher in the smart phone era with the unveiling of the iPhone.

3DS 1.0.2 was designed for the browser age; the only concession made for mobile phones was to support browser-based WAP and shorter messages to cater for the limited and expensive bandwidth of the time.

17 years later, Payments originating from mobile devices now account for 40% of all card not present payments. This move away from desktop environment, started with smart phones and tablets continues to accelerate; the internet of things is bringing a myriad of new devices and with them new payment channels. Today’s 6 billion connected devices are projected to jump to 20 billion over the next 3 years. Alexia also shows that the way we interact with technology is changing in new and exciting ways.

3DS is therefore evolving to support today’s multi-channel and multi-interface environment, making use of new technologies to become the Secure Authentication Platform for the next decade and beyond. This new protocol is 3DS 2.0.

Backward Compatibility

3DSecure 2.0 continues to build on 1.0.2 but the changes are significant and while the two protocols will run in parallel, they are not compatible. 3DSecure MPI providers will be responsible for sending the right version of messages to an Issuer depending on the capabilities of that issuer.

Enrolment and OTP

Many of the changes expected for 2.0 have actually already been mandated for 1.0.2. The elimination of static passwords is one such example. Use of OTP delivered in any number of ways is now mandatory and will continue to be so for 2.0.

Enrolment during shopping has now been explicitly prohibited; this was the source of a number of botched launches of 3DS by banks in particular in North America.

Enrolling cardholders for 3DSecure is a one-time process and very different from making regular 3DS payments; this has not prevented many interested parties from blowing these problems out of proportion and misquoting the issues with enrolment at every opportunity.

The main challenge with enrolment was establishing the secret between the issuer and the cardholder. Setting up a static password made creating this secret particularly challenging. Mandating use of OTP not only set the stage for easier authentication but created a mechanism for seamless enrolment which has successfully used around the world for 1.0.2.

Every effort is being made to learn from past mistakes: SMS, Internet Banking and Banking Apps will all play a role in the smooth future enrolment of card holders to the next generation 3DS.

Support for Mobile Devices, Biometrics

3DS 2.0 will work natively on mobile phones and other devices. This means that apps will be able to integrate Authentication directly. A SDK will be provided to enable this functionality. The SDK will interact with the Issuer to ensure the proper rendering of displays.

Mobile Devices will also host apps from Issuers which will enable the Issuer to push authentication to the mobile device. The Issuer App will work natively and support very strong device identification, in ways which are not possible with browsers.

Mobile devices are also ideal for biometrics including fingerprint, face recognition and voice recognition (remember Alexia). With the native support on mobile devices, biometrics will become a mainstream method of authentication.

Issuer Banking Apps will also provide out of band authentication for other payment channels such as browser based payments. Rather than send an SMS, the Issuer Banking App will automatically pop up on the device and a simple press of the OK button or use of biometrics will be sufficient to authenticate.

Merchant and Issuer Interaction

Something truly revolutionary will happen in 3DS 2.0 which has never been possible before. A merchant accepting payments is ultimately at the mercy of the Issuer to accept the payment request. Up to now, there has been no way for the merchant to communicate with the issuer to influence the outcome. This will change with 2.0!

Large merchants have sophisticated methods and rich information allowing them to understand their clients’ habits and segment them if necessary into zones of trust. Issuers likewise know a lot about their clients and their spending habits; the Issuer role is truly that of creating trust or vouching for its cardholders. Bringing these two zones of trust together is a true paradigm shift in processing.

The information passed from the merchant to the Issuer will increase dramatically with 2.0. The merchant will be able to communicate to the issuer information on device identity and capabilities, location, history of payments, existence of registered accounts and a whole lot more besides.

Risk Based Authentication

This large increase in information is what underlies Risked Based Authentication. Issuers will be able to examine this information and only step up a transaction for authentication in about 5% of occasions. This means that if a card holder regularly makes purchases from a merchant using the same device and location, the card holder will not be required to authenticate every single time. But should the card change or the device or location change or it’s a different merchant or maybe the card holder has just reset his password with the merchant, then the Authentication challenge will be presented to the cardholder.

Merchants will still be able to request that a transaction is fully authenticated even if the Issuer would have otherwise passed the transaction without the Step Up. Merchant may have regulatory requirements to request authentication imposed for example by country of origin or may have their own concerns on a transaction.

Frictionless Payments

Merchant-Issuer interaction, native support on mobile devices, risk based authentication, biometrics, out of band authentication and OTP; all these combine to create frictionless payments.

Much has been said about how authentication creates friction and loses business even if these claims are unsubstantiated. Customers will now have the convenience of frictionless payments combined with the security and the peace of mind of authentication.

Considerations on a 3DS 2.0 World

The amount of merchant data which 3DS 2.0 is able to collect is truly large, beyond the capabilities of smaller merchants which may not have the technology and sophistication to collect and present this data.

The end result is that many implementations might opt for a simpler subset of information, forfeiting some of the benefits of 3DS 2.0. Issuers will automatically step up authentication more often for these merchants; these merchants will still benefit from the many frictionless capabilities possible with 2.0.

As with 1.0.2, large merchants will want to control the interaction with cardholders and will therefore integrate directly into the MPI conducting the authentication directly; merchants will then pass on the proof of authentication to their PSP together with their payment request.

3DS 2.0 will put a lot of demands on Issuers. The rise of Fintech over the last decade has been driven by the fact that technology people move and innovate very rapidly, a culture that is incompatible with Banks. Inevitably Fintech companies have transformed themselves directly into Acquirers. It is not unreasonable to see the same evolutionary trends developing on the Issuing side driven by increasingly complex and sophisticated technology and the ability of global brands to reach out directly to consumers in ways which even banks operating locally fail to do. This might well be the lasting legacy 3DS 2.0.

Finally 17 years on – the world is different for one other very important reason and that reason is governments and regulators; regulators will have an ever stronger role in how technology is applied and will play a central role in shaping up the payments industry. The European PSD2 is a prime example of this change and is the topic of the next part of this article.

PSD2 and Regulation – the Consumer Domain

The card industry is not self-regulating but must abide by the laws and regulations of every country where cards payments are accepted; it may be a global payment system but one that abides to national laws.

Governments across the world also recognise the importance of e‑commerce to their national economies and will take steps to protect and grow e-commerce. Also a fundamental function of any government is to prevent crime; no government can allow organized crime to threaten economic activity or to allow criminal organisations to grow rich from online fraud, use the internet to mask illegal activities, launder money or evade tax.

There is no doubt that the pace of technological development has outstripped the abilities of law enforcement and governments to regulate and police the internet, but inevitably the authorities have learned and adapted; regulations are being put in place and cyber security is now top priority. Drugs, types of pornography, weapons, unregulated gambling, tax evasion as well as plain old theft are all part of this challenge.

The payments industry spends so much time pushing against regulators and barriers to trade that it’s sometimes easy to forget the benefits regulation bring to the industry. Outside the efforts of the industry itself, ultimately its regulators and law enforcement which ensure that card payments remains a viable and safe payment option. There are also many large ecommerce merchants operating in regulated industries; the same regulatory environment which has allowed these industries to grow and thrive.

This brings us to consumers. It is consumers who day in, day out decide if they will use VISA, MasterCard or some other payment method. Consumers are the most important part of the payment eco system – yet they are also the least represented.

Again, this is a fundamental function of governments to protect rights of citizens and ultimately consumers. Europe takes consumer rights very seriously and it’s not surprising that Europe is leading in regulation to protect consumers online and setting standards emulated around the world. Data protection, privacy and confidentiality, the right to be forgotten, right to cancel and return your online order within 14 days – these are all covered by active legislations within the EU.

There are many other areas where consumers need protection. Today consumers are left without their funds for months in the case of a chargeback and the process is stressful and unfair to consumers. It is also all too easy for merchants to surcharge their clients or to take money without the knowledge and consent of the cardholder.

Enters PSD2 (the Revised Payment Service Directive). PSD2 became effective on 12 January 2016. 2017 is now a period of consultation and negotiations between the affected parties – exemptions and thresholds in particular are being negotiated during this year. 13 January 2018 is the deadline for national governments to transpose PSD2 into local legislation, thereby activating the provisions of PSD2 for consumers, merchants and the payments industry.

PSD2 will change banking as we know it. PSD2 will open up the industry and remove barriers for Fintech companies to greatly expand their ability to compete with banks. For consumers it promises next day refunds, immediate release of funds, limits to surcharging and the RIGHT TO CONSENT. PSD2 also mandates Two Factor Authentication (TFA).

TFA solves a lot of problems in one stroke; it creates an effective method for consumers to convey their consent and to be refunded immediately if their consent is absent. TFA protects both consumers from fraudsters and dishonest merchants and protects merchants from theft. TFA respects data protection and does not rely on tracking or spying on consumers which underlies today’s fraud detection technologies.

The solution for TFA with card payments is also already in place and is 3DSecure. Verified by Visa, MasterCard Secure Code, Amex SafeKey, JCB J/Secure and Discovery Protect Buy; all these constitute a technology that is installed and proven to work.

What will happen to Debit Cards? Debit Cards has been a sore issue in Europe for a long time, acting as a barrier to SEPA and blocking competition and innovation within Europe. Some cards will take the easy option and co brand their cards with established brands. Using 3DSecure for national card schemes is quite possible. Without TFA authentication, quite simply it will be illegal to use Debit Cards for online payments inside Europe, restricting use of Debit card to domestic point of sale only.

Some exemptions for the TFA requirement will apply: recurring payments for rent and utilities for example have been accepted as exemptions with the introduction of the ability to whitelist trusted beneficiaries. Unattended terminals in road transport such as toll roads are another exemption. Moto transactions will be limited to under EUR 30 and not exceed a total of EUR 100 or 5 transactions without authentication.

PSD2 does not require 3DS 2.0. 3DS 1.0.2 satisfies the requirements of PSD2 already. However, 3DS 2.0 will make the experience a lot easier, eliminating friction and allowing the provisions of PSD2, and the prevention of fraud to be achieved effortlessly by consumers, merchants and Banks.

We are witness to the birth of a new era.