3-D Secure and intelligent risk management

Increased revenue through higher approval rates

Cardholders are becoming increasingly demanding – especially when it comes to e-commerce payments that should be convenient and frictionless. At the same time, they place great importance to a high level of security. If banks succeed in meeting these demands, they can ultimately generate higher revenues in the card business as a result. The key to success lies in using the latest version of 3-D Secure (EMV® 3DS) in conjunction with intelligent risk management. Lauren Bayley, Head of Security and Authentication Solutions in the Asia/Pacific region at Visa, Biljana Kuzeska, Product Manager at Netcetera, and Steven Chuang, Founder and CEO of Cherri Technologies, provide the basics.

As we all know, the Corona pandemic is causing a massive digitalization push in all areas of life. This also affects digital payments. Visa has seen card sales drop 20 percent in Card Present sales from March to May 2020, while Card Not Present (CNP) has increased 20 percent. During the same period in 2021, Card Present sales recovered slightly and increased by 4 percent, while CNP sales increased very strongly by 30 percent. Because most of the abuse occurs in the CNP space, the continued development of 3-D Secure is a particularly high priority for Visa.

More data for more security

Lauren Bayley says: "The goal has to be to approve all legitimate transactions and prevent all fraudulent transactions." To do this, fast and secure authentication is key. To that end, the amount of data exchanged between parties has been expanded by about tenfold in the latest version of 3-D Secure. To move forward with the migration to EMV 3DS, Visa has decided to end support for 3-D Secure 1.0 on 15 October 2022. Transactions will no longer be able to be processed via the old version from then on.

The success of the new 3-D Secure version can be proven with numbers: In the past twelve months, use of the current version has increased by 15 percent. As a result, the misuse rate has fallen by 15 percent.

Visa sees the greatest opportunities for further success in risk management in the development towards risk-based authentication (RBA). According to Lauren Bayley, "The foundation for risk-based authentication is three things: data, models and rules."

For example, the data that an online merchant can send with the authorization request as part of EMV 3DS includes billing and shipping information, customer account and purchase history information, and the end device used by the customer. A terminal device can be identified by its IP address, device ID and installed browser. Lauren Bayley says: "Many retailers are already testing the new optional data elements at EMV 3DS."

The models and rules are about determining what data is linked, how it is linked, and how it is evaluated.

Central role of the Access Control Server (ACS).

An Access Control Server (ACS) is typically used to handle 3-D Secure transactions. Biljana Kuzeska says: "The ACS plays a central role in preventing misuse in e-commerce. Abusive transactions can affect any party. They can damage the image of a merchant as well as that of the card-issuing bank. They also cause immense costs. The ACS helps issuers to avoid misuse as far as possible and thus reduce the associated costs. Issuers can increase trust in the system and thus improve overall revenues from this segment."

Netcetera's ACS solution is appropriately designed for risk-based authentication. Steven Chuang: "In e-commerce, too much check-out time results in fewer transactions being successfully completed. So the idea is to use risk analytics to process as many transactions as possible without interruption. This works best when using the latest version of 3-D Secure in combination with Risk Based Authentication. The collaboration between Netcetera and Cherri makes this easier for issuers."

Biljana Kuzeska adds: "This benefits all parties involved. Issuers and merchants can increase their revenues and consumers benefit from a convenient and fast check-out process."

EMV® is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo, LLC.

More stories

On this topic