One of the significant turning points in the banking industry is the switch from 3D Secure 1 to 3D Secure 2. To demystify the potential risks and challenges of this transition, we at ASEE prepared a short read listing and explaining the main concerns about moving to 3D Secure 2.
What is the best way to approach change when you are a decision-maker in a financial institution considering the implementation of new technologies such as 3D Secure 2?
We summarized the main dilemmas discovered during our research regarding transitioning to 3D Secure 2 and pinpointed three key concerns:
Revenue from eCommerce fees makes up 15% of banks' income today. This matters because the online payment process is a key component of the consumer's eCommerce journey. Both merchants and acquiring banks strive to reduce the online shopping cart abandonment rate to maximize their respective revenue streams. 3D Secure 2 is an additional measure in the transaction for safeguarding both merchants and banks. Although some stakeholders worry that 3D Secure 2 will increase payment drop-out rates, banks and merchants constantly work on improving the overall customer experience. Still, they must also continue to ensure that online payment security is not called into question.
A vast number of banks rely on SMS OTP authentication, inherited from 3D Secure 1. This method has several advantages: it does not require special enrolment or a mobile application, it is simple to use, and it works on non-smartphones. However, according to the EBA's opinion, it is not a Strong Customer Authentication (SCA) method.
The first reason is that it does not combine two of the three SCA authentication factors (something you are, e.g., biometrics; something you have, e.g., a HW/SW token; something you know, e.g., a password/OTP). Anyone who possesses the buyer's phone gets access to the OTP and is able to make an online purchase. Another reason is that the OTP is generated on the server side and relies on a private key. The transaction data are not included, so there is no Dynamic Linking as required by the PSD2 directive. That means "man in the middle" attacks are a possibility: if an attacker changes the payee account and the payment amount, the transaction authentication alone gives no way to detect the fraud.
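To make the Dynamic Linking point concrete, the following added example (not ASEE's code, and not a standard format) contrasts a classic counter-based OTP, whose value says nothing about the payment, with an illustrative code that mixes payee and amount into the MAC input; the secret, transaction values and binding layout are constructed for the demonstration.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Constructed demo secret shared by the issuer's authentication server and the
# cardholder's device. Real deployments provision per-user keys; illustration only.
SHARED_SECRET = b"12345678901234567890"

@dataclass(frozen=True)
class Transaction:
    payee: str          # merchant / payee account identifier
    amount_cents: int   # amount in minor units
    currency: str

def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation of an HMAC into a fixed-length decimal code."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10**digits:0{digits}d}"

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Classic HOTP (RFC 4226): the code depends only on secret and counter,
    so it carries no information about which payment it authorises."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)

def linked_otp(secret: bytes, counter: int, tx: Transaction, digits: int = 6) -> str:
    """Illustrative dynamically linked code: payee and amount are part of the MAC
    input, so any change to the transaction changes the expected code. The binding
    layout is an assumption; PSD2 mandates the property, not a wire format."""
    binding = f"{tx.payee}|{tx.amount_cents}|{tx.currency}".encode()
    mac = hmac.new(secret, struct.pack(">Q", counter) + binding, hashlib.sha256).digest()
    return _truncate(mac, digits)

def acs_accepts(code: str, counter: int, tx: Transaction, dynamic_linking: bool) -> bool:
    """Server-side check: recompute the expected code for the transaction the
    server actually received and compare in constant time."""
    expected = (linked_otp(SHARED_SECRET, counter, tx) if dynamic_linking
                else hotp(SHARED_SECRET, counter))
    return hmac.compare_digest(code, expected)

def tampered_payment_accepted(dynamic_linking: bool) -> bool:
    """Constructed scenario: the user approves `intended`; someone on the path
    forwards the user's code together with `tampered` (other payee, 100x amount).
    Returns True if the server would accept the altered payment."""
    counter = 7
    intended = Transaction("MERCHANT-A", 4999, "EUR")
    tampered = Transaction("OTHER-ACCOUNT", 499900, "EUR")
    code_from_user = (linked_otp(SHARED_SECRET, counter, intended) if dynamic_linking
                      else hotp(SHARED_SECRET, counter))
    return acs_accepts(code_from_user, counter, tampered, dynamic_linking)
```

Without linking the altered payment is accepted because the server's expected code never depended on payee or amount; with linking the same code is rejected.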
When 3D Secure 1 was introduced, its initial adoption did not cause the expected rise in eCommerce and online payments but instead increased the transaction abandonment rate. Anywhere from 30%-50% of transactions (depending on the country) were abandoned because of 3D Secure 1. Later analysis showed that card enrolment, a prerequisite for using 3D Secure-enabled cards, caused too much friction for buyers. In addition, the pop-up windows that are part of the 3D Secure authentication process are associated by buyers with "man in the middle" attacks and prompt them to terminate the purchase. Hence the surge in the cart abandonment rate. The new 3D Secure 2 protocol takes these shortcomings of the previous version into account and emphasizes a smooth User Experience (UX) alongside a fast and frictionless flow.