With security standards like 3-D Secure (3DS), the more the technology is used, the more effective it is in preventing fraud. In a recent ‘Payments on Fire’ podcast episode, hosted by Glenbrook Partners, Chris Uriarte shared a valid point: Merely having the 3DS rails in place is not enough. In his words: "The highway’s no good if nobody’s actually going to drive their car on it."
The discussion between Glenbrook’s Bryan Derman and Chris Uriarte, Entersekt’s Dewald Nolte, and Amandeep Batra from Stripe, stripped down the realities on both sides of the 3-D Secure rails – merchants and issuers. It illustrated that a happy medium is possible, where 3DS benefits the whole payments ecosystem. For me, the panel’s deep industry knowledge and experience really came to the fore and, I think, are too valuable not to share.
3-D Secure adoption rates in unregulated markets
If we look at markets like the EU and UK, where they have mandated strong customer authentication (SCA) for digital transactions, card-not-present (CNP) fraud is noticeably lower than in regions where the adoption of SCA measures like 3DS is low. If we look at the U.S., an unregulated market, only about 3% of transactions go through the 3DS rails, Dewald revealed.
The reason behind this is that many merchants still have concerns about EMV 3DS, stemming from their poor experiences with 3-D Secure 1.0. Despite vast improvements to later versions of 3DS, they are still wary of high rates of false declines and cart abandonment.
Should issuers take the lead in overcoming 3-D Secure perception biases? Read more in our blog.
But I agree fully with Dewald’s sentiment, it is time to change that outdated narrative. Because when the 3-D Secure rails are used, they work! To boost the efficacy of 3DS, merchants in these markets need to actually send more transactions – and therefore, more data – through 3-D Secure.
More data to train 3DS risk models
A 3DS system needs more data for its risk decisioning to determine good from bad transactions. When only a few high-risk transactions are submitted, it skews the data and can ultimately result in fraud and unnecessary declines.
Luckily, we’ve seen that some of the bigger merchants are realizing that and changing their old habits. They’re sending more data across the 3DS rail, even when it’s not necessarily deemed high risk. And that's great news because it’s enabling issuers to then see what good looks like.
Basically, the issuer gets a more complete picture of these transactions to train the risk engine. With more data, the 3DS system can make well-informed risk decisions by learning the difference between good and bad patterns of behaviors. Ultimately, this leads to reduced friction, increased transaction success rates, and accurate fraud detection.
Another important factor that the podcast highlighted is that the data that is fed into the system needs to be good data. As Chris explained, "[If] you don’t have good data going into these models, then you shouldn’t expect good performance coming back from the issuer."
For merchants, he elaborated, this underscores the need to send more data through an issuer’s 3-D Secure, but specifically high-quality data.
The benefits of a modern 3DS ACS
While working with issuers to modernize their legacy 3-D Secure implementations, we’ve noticed an interesting trend. It’s not just their technology that’s in a legacy stage, it’s often their mindset too.
Let me explain. If you think back to 3DS 1.0, there wasn’t a lot of data sent across those rails. Nor were there any frictionless authentication capabilities supported by that rail at the time. And that’s what many still expect from EMV 3DS.
As a result, issuers are not using 3-D Secure authentication to its full potential. Their thinking is: Hey, I’ll just approve it here and then throw it over to my authorization system where the real authentication will happen.
Essentially, they're shifting the problem from the authentication rail to the authorization rail and then relying on that to effectively solve the problem. But that’s not workable in today’s evolving fraud landscape.
An interesting point I recall Amandeep raising was that there’s a mismatch between the authorization process and the authentication process – the two don’t seem to trust each other.
Aligning those systems ensures that something that was successfully authenticated is then trusted and recognized on the authorization side. Dewald voiced that FIs should create that trust by aligning their processes and using effective authentication technology, then allowing successful authentication to inform the decisioning when it is submitted for authorization.
More data sharing = more value for all payments stakeholders
One of the final points that the panel highlighted is that data sharing is still under-prioritized among payments stakeholders. And I agree – there’s a big opportunity there if all the players work together.
With greater collaboration, issuers and merchants can share intelligence and keep cardholders’ payments secure while pushing up approval rates – a strategy that's mutually beneficial.
Hope to see you on the highway! In the meantime, I highly recommend listening to the full ‘Payments on Fire’ podcast, ‘Two Decades of 3-D Secure: Can Strong Customer Authentication Succeed in the US and Unregulated Markets?’ hosted by Glenbrook Partners: