Mobile commerce is rapidly on the rise. Its share of all global eCommerce sales, in terms of transaction value, grew from 40.2% in 2015 to 58.9% just two years later in 2017 (source: eMarketer). This is all happening while eCommerce itself is a growing market. Further, in certain countries where mobile device adoption rates are high, a large number of eCommerce transactions are placed from mobile devices. This rate can be as high as 49% in the case of Japan (source: Statista).
However, along with the rapid growth of online and mobile shopping, credit card fraud has also been on the rise. Worldwide credit card fraud has grown every year from $7.60 billion USD in 2010, to $24.71 billion USD in 2016, and is even projected to grow further to $32.82 billion USD in 2019 (source: The Nilson Report). So, how does the payment industry guard against fraudulent use of credit cards?
3D Secure is a security protocol designed to reduce card-not-present fraud (CNP fraud). It was initially released by Visa in 2001, and later adopted by other major card brands. It is now administered under “EMVCo”, a consortium equally owned by major card brands American Express, Discover, JCB, Mastercard, UnionPay, and Visa, and is the only official fraud prevention protocol implemented by major card brands.
The protocol has worked well over the years for its designed purpose: to prevent fraudsters from illegitimately using others’ credit cards. However, as technology advanced into the age of personal connected devices, it became clear that it had one major flaw. 3D Secure 1 is not compatible with small mobile device screens, nor with the eCommerce applications that people make purchases through.
When authenticating a customer’s identity, the 3D Secure protocol would redirect the customer to a website, to enter their 3D Secure password. Examples of these websites can be seen above. However, these websites would often be incompatible with smaller mobile device screens, and appear as a small text box in the middle of the screen. Even worse, some people would use a merchant’s mobile app to start the checkout process, but the interface would jump to a browser app to perform authentication. This abrupt and unexpected action by the system often generated doubt about the legitimacy of the checkout process.
As a result, when an odd-looking website like the above appears, the cardholder may not know this is for authentication purposes, and think “What is this for?” or “Why do I have to do this?”. More ironically, cardholders might find the website suspicious, mistaking it for a phishing website, which is exactly what 3D Secure is trying to prevent. But perhaps the worst-case scenario is where the cardholder thinks the extra authentication step is too much of a hassle, and simply quits the whole purchase altogether. This action is referred to as “cart abandonment”, and is a needless way for any merchant to lose sales. All in all, it is clear that 3D Secure 1 was hard for cardholders to use on mobile devices, and negatively impacted merchants.
To revise the outdated 3D Secure protocol, in late 2017, EMVCo released the specifications of a major upgrade, fittingly named “3D Secure 2”. In this latest version, many issues of the old protocol were improved or overhauled, with new functionality added to support newer technologies. One of the main issues addressed was the lack of support for mobile devices and their applications.
In 3D Secure 2, the authentication interface on mobile devices has improved dramatically. It now scales better on the smaller screens of mobile devices, and the protocol even adds a new “mobile SDK” component. Using the new “mobile SDK”, merchants are now able to natively integrate authentication capability into their own apps. This means authentication can be performed within the merchant app; no more jumping to a browser. Also, merchants can now display the 3D Secure authentication interface using the same font, color scheme, and overall UI design language as other parts of their app. Gone is the awkward small text box that always looked out of place.
The new protocol even takes things one step further and adds support for biometric authentication. For example, fingerprint scanners on smartphones and tablets that are usually used to unlock the device can now also be used to authenticate cardholder identity during checkout. Facial recognition and voice recognition technologies that are built into many mobile devices these days can also be used in the same way. As a result, cardholders no longer have to remember (or worse, reuse) passwords for 3D Secure. With biometrics, your biological features become your passwords, which brings about a much faster and more intuitive user experience for mobile eCommerce.
In fact, authentication can be even faster than placing your thumb on the fingerprint scanner. 3D Secure 2 adds a new authentication flow, “frictionless flow”, which eliminates the need to manually authenticate yourself. It works as follows: if the issuing bank deems the fraud risk of a transaction to be below a predetermined threshold, then “frictionless flow” is applied. From there, authentication completes instantly without the cardholder having to perform any action; the checkout screen jumps straight from payment details to checkout complete. All the data messaging and analysis by the issuer happens in the background, so cardholders won’t even realise that authentication occurred at all. As a result, authentication can be completed in less than 3 seconds.
Frictionless flow is a major benefit of 3D Secure 2, and deserves its own article. To learn more about frictionless flow, 3DSecure2.com is a good source of information. This whitepaper by GPayments also explains frictionless flow in a detailed but easy-to-understand manner.
With the advent of 3D Secure 2, cardholders can be assured that their credit card is only used by the cardholder themselves. And when they do shop online using mobile devices, their overall shopping and checkout experience is greatly improved. For more content surrounding 3D Secure 2, have a read of GPayments’ other articles and whitepapers. Or if you have any questions about the new protocol, feel free to contact GPayments at firstname.lastname@example.org.
eMarketer (January 29, 2018) “Mobile Is Driving Retail Ecommerce Sales Worldwide” https://retail.emarketer.com/article/global-ecommerce-topped-23-trillion-2017-emarketer-estimates/5a6f89f5ebd40008bc791221
Criteo (December 11, 2014) “Asians Are the Most Avid Mobile Shoppers” https://www.statista.com/chart/3057/mobile-share-of-e-commerce-transactions/
HSN Consultants, Inc (October 2016) “The Nilson Report – Issue 1096” https://nilsonreport.com/upload/content_promo/The_Nilson_Report_10-17-2016.pdf