3D Secure: Mastercard and VISA are becoming more secure
When booking planes, hotels or even buying clothes, many people pay online with their credit cards. Since this involves transferring sensitive information, special precautions must be taken to ensure customer safety. In the course of the PSD2 (Payment Services Directive in the European Union), the EU has now made even stronger demands on payment systems on the internet - and credit card companies have reacted accordingly. With the new version of the 3D Secure process, VISA and Mastercard comply with EU regulations and improve customer protection worldwide.
What is 3D Secure?
In 2000, VISA developed a procedure that made using credit cards on the internet safer. The company itself uses the technology, under the name “Verified by VISA”. At the same time, other credit card providers have also implemented the security mechanism. For example, 3D Secure is known as “SecureCode” (now “Identity Check”) for MasterCard, “SafeKey” for American Express and “J/Secure” for JCB.
Previously, paying via credit card on the internet was very simple: you entered your credit card information, and confirmed possession of the card with the Card Validation Code (CVC), which can be found on the back. However, this method was not particularly secure.
As E-Commerce continues to develop and more and more people use online payment methods, the interest in online fraud is also increasing. Phishing and social engineering are common ways in which criminals access data. 3D Secure was developed in order to prevent this.
In addition to the information contained on the card, 3D Secure’s authentication procedure requires additional information, such as a password, that only the cardholder knows. This is known as two-factor-authentication: two different steps are required to complete a card transaction.
Using static passwords is a security risk: if a third party acquires this information, security is compromised. Dynamic methods that adapt to each process are therefore better suited. For example, a text message with a secure code, generated according to cryptic procedures, that can only be used for one particular payment.
Both customers and online retailers were dissatisfied with the first version of 3D Secure. The website for entering the additional security factor was poorly designed, and the application and use of the required password were unclear. Furthermore, the process could not be easily integrated into mobile apps. Customers were frustrated and cancelled orders, which is never good for business.
The second version of 3D Secure - also known as 3DS2 - addresses these issues and enhances security. The new features also comply with the new EU Payment Services Directives. In addition, the credit card companies are responding to technical developments with the new version. Today, modern devices (e.g. smartphones) use authentication methods with biometric data: by fingerprint or by analyzing facial features.
3D Secure 2.0 is designed so that online merchants can integrate the procedure into the payment process, resulting in a more pleasant shopping experience for the customer. In addition, it should be an intelligent system. The authentication method therefore adapts to the risk, which means that lower security requirements apply to small amounts than to large amounts. In addition, 3DS2 can also be used for mobile payments and works with bank apps.
Pros and cons of 3D Secure in Mastercard and VISA
The 3D Secure process has advantages for both retailers and consumers, but also disadvantages.
| Pros | Cons |
|---|---|
| More security for customers | More effort for customers |
| Credit card providers bear the costs of fraud despite 3D Secure (liability reversal) | Lower conversion rates |
| Procedure is free of charge for all | 100% security cannot be guaranteed |
What should customers be prepared for?
For customers, the 3D Secure process should make it easier and better to pay online. Rather than trying the outdated process or abandoning the security check altogether, they can now benefit from a secure and modern process. Customers should be aware of this:
- Registration: In order to use 3D Secure with your credit card, you have to register with your bank. The bank that issued the credit card is responsible.
- Installation: It can be assumed that banks will in future use apps to send the 3D Secure code or request biometric data.
- At the ready: When paying, both the credit card and the smartphone must be available.
Even with 3D Secure, users should pay attention on the internet when paying with their credit card. The data may only be entered if you are sure that you are on the correct website. A valid SSL certificate is an indication that you can trust the site.
Implications for e-commerce
The EU’s PSD2 stipulates that from 14 September 2019 online payments must meet special security standards. 3D Secure payments meet the new requirements. In order to be able to use the new procedure, online merchants must contact their payment service provider (PSP). The PSP should offer a technical solution that merchants then only have to implement in their online shop.
- Contact PSP: First, online merchants must contact their payment service providers. Many vendors have already posted merchant information on their websites.
- Implement 3DS2: Since the new 3D Secure process no longer takes place on another website but directly in the shop, the technology must be integrated into the online shop.
It is advisable for merchants to offer 3D Secure in their online stores. The new system is much more customer-friendly, takes place entirely on the merchant’s website, and increases consumer confidence in e-commerce. This in turn leads to more conversions and therefore more sales.