Page 5 - index
P. 5
The New 3D Secure – Too Little, Too Late?
By Nish Modi, SVP of Product & Innovation, SecureNet
When 3D Secure was first announced by Visa, it promised to add an additional, much-needed layer
of security to debit and credit transactions. Financial authorization is paired with online
authentication through a series of three domains: the acquirer (the merchant), the issuer (the bank)
and interoperability (the infrastructure used to support 3D Secure). The protocol was, however,
quickly condemned for increasing phishing scams. Now, EMVCo has announced it will take over the
development of the next version of this technology – but is it too little, too late?
Weak Spots
The current 3D Secure solution is clunky at best, and the consumer experience is less than ideal.
Users are still required to authenticate themselves via their issuer using a PIN or passcode before
they can complete the purchase.
For merchants, 3D Secure is expensive to deploy. Considering the low issuer participation, the cost
does not justify the consumers that will be validated through this solution. Moreover, not all issuers
in the U.S. – like Citibank and Chase – participate in 3D Secure, so for many merchants the
benefits do not justify the cost. This is just one of the many reasons why 3D Secure never really
gained any traction in the U.S. Even in other parts of the world where 3D Secure has been
implemented, such as the European Union, 3D Secure was deployed because of government
mandates. Perhaps most importantly, in this day and age of mobile and in-app payments, the
current 3D Secure does not adequately factor in and address changing consumer shopping
behavior.
Potential Pitfalls
So will the new 3D Secure be any better? EMVCo promises a more intuitive consumer experience
coupled with intelligence-based risk monitoring and decision making services that place less of a
burden on the cardholder to verify the transaction. It also promises to streamline country-specific
regulatory requirements that currently put global merchants processing international payments with
3D Secure at a significant disadvantage.
Though these improvements sound promising, there are several critical weak spots in the current
solution that the new solution does not address. There are still major financial institutions,
specifically in North America, that have not and likely will not participate in 3D Secure. What’s more,
by the time the new technology is developed and deployed, there are other payments security
solutions that will have become far more advanced and widespread.
Alternative Technologies
Continued improvements upon and progress in various payments solutions will soon make both the
new and old 3D Secure irrelevant. Changes in encryption technology, for example, are
guaranteeing zero exposure of plain text, non-encrypted information on the part of the merchant.
Specifically, tokenizing pre-authorized transactions allows users to register their payment methods
with the processor’s secure vault. Customers’ sensitive card data therefore never touches the
5 Cyber Warnings E-Magazine – February 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
