PCI SSC publishes two new security standards for 3D Secure to support secure implementation
EMVCo releases updated 3D Secure specification, promotes risk-based authentication
Support for 3D Secure version 2.0, rolled out by Visa over 2018 and by MasterCard by end-2020, reducing customer friction and ‘cart abandonment’
Point of View
On 25 October 2017, PCI SSC announced two new security standards for 3D Secure (3DS), and EMVCo released its updated EMV 3DS Specification, version 2.1.0. The specification and standards will support 3DS version 2.
Emma Sutcliffe, of PCI SSC, notes that the 3DS standards have been developed to address security in authentication, as mobile payments increase and threats continue to evolve. She also comments that a new and improved 3DS protocol - 3DS version 2 - together with the new standards will “…enhance the security of 3DS infrastructures and transactions and improve dynamic authentication for ecommerce…”
It is widely acknowledged that the current version of 3DS generates significant friction for the online customer, leading to abandoned shopping carts. Reflecting this, most merchants do not use 3DS. In the US, only 18 per cent of surveyed online merchants use 3DS, despite 77 per cent having an online presence, according to a report by the US Payments Forum. Globally, 37 per cent of merchants use 3DS.
With the current version of 3DS, customer friction arises when a 3DS authentication popup box appears, upon checkout at an e-merchant. Often this is when the customer first becomes aware of a 3DS program, such as Verified by Visa, MasterCard SecureCode and American Express SafeKey. Furthermore, the customer may be concerned it is a scam. Indeed, the ‘iframe’ popup box can be prone to ‘content spoofing’ or ‘phishing’ by hackers.
Under version 2.1.0 of the specification, cardholder friction is minimised and security is enhanced. It promotes use of risk-based authentication by developers and vendors to help issuers and merchants more easily distinguish genuine customers from fraudsters. The specification also provides for merchants to better integrate 3DS into their checkout processes, and supports transactions from mobile devices and applications, previously only supported in the browser.
Risk-based authentication analyses contextual information about the customer and the transaction to allow the issuer to make a real-time risk assessment in the background. Low-risk purchases are immediately processed, while riskier purchases require the customer to verify themselves, e.g. with a one-time dynamic password. With 3DS version 2, customers will no longer need to enrol in a 3DS program, removing significant friction, and static passwords will disappear.
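The following is an added illustration of the risk-based flow described above; it is not code from the article, PCI SSC or EMVCo, and the contextual signals, weights, threshold and the six-digit one-time password format are all assumptions chosen for the example. It scores a transaction from contextual signals the issuer would hold (device familiarity, country mismatch, amount, velocity, address match), processes low-risk purchases without a challenge, and for riskier purchases issues a single-use dynamic password that is verified in constant time with a capped number of attempts.

```python
"""Illustrative risk-based authentication decision for a 3DS-style checkout.

Added example: signals, weights and threshold are assumed, not taken from
the EMV 3DS specification or any issuer's real risk engine.
"""
from dataclasses import dataclass
import hmac
import secrets

FRICTIONLESS = "frictionless"   # low risk: approve in the background
CHALLENGE = "challenge"         # higher risk: ask the cardholder to verify


@dataclass
class TransactionContext:
    """Contextual data the issuer can evaluate without cardholder input."""
    amount: float
    currency: str
    merchant_country: str
    card_country: str
    device_known: bool            # device fingerprint previously seen for this card
    purchases_last_24h: int       # velocity: transactions on this card today
    shipping_matches_billing: bool


def risk_score(ctx: TransactionContext) -> int:
    """Additive score from assumed signal weights (higher means riskier)."""
    score = 0
    if not ctx.device_known:
        score += 30
    if ctx.merchant_country != ctx.card_country:
        score += 20
    if ctx.amount > 500:
        score += 25
    elif ctx.amount > 150:
        score += 10
    if ctx.purchases_last_24h >= 5:
        score += 20
    if not ctx.shipping_matches_billing:
        score += 15
    return score


def decide(ctx: TransactionContext, threshold: int = 40) -> str:
    """Frictionless below the (assumed) threshold, otherwise challenge."""
    return CHALLENGE if risk_score(ctx) >= threshold else FRICTIONLESS


class ChallengeStore:
    """Holds one-time dynamic passwords for pending challenges.

    Each code is single use, bound to one transaction id, and burned after
    a successful verification or when the attempt budget is exhausted.
    """

    def __init__(self, max_attempts: int = 3):
        self.max_attempts = max_attempts
        self._pending = {}  # transaction id -> [code, attempts_left]

    def issue(self, txn_id: str) -> str:
        # Six-digit numeric code from a CSPRNG (format is an assumption).
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[txn_id] = [code, self.max_attempts]
        return code

    def verify(self, txn_id: str, submitted: str) -> bool:
        entry = self._pending.get(txn_id)
        if entry is None:
            return False                      # unknown, expired or already used
        code, attempts_left = entry
        ok = hmac.compare_digest(code, submitted)  # constant-time comparison
        if ok or attempts_left <= 1:
            del self._pending[txn_id]         # single use; also burn on last failure
        else:
            entry[1] = attempts_left - 1
        return ok


def authenticate(ctx: TransactionContext, store: ChallengeStore, txn_id: str):
    """Return (decision, code): code is None when no challenge is needed."""
    decision = decide(ctx)
    if decision == FRICTIONLESS:
        return decision, None
    return decision, store.issue(txn_id)


if __name__ == "__main__":
    # Constructed sample transactions for demonstration.
    low = TransactionContext(40.0, "AUD", "AU", "AU", True, 1, True)
    high = TransactionContext(900.0, "AUD", "US", "AU", False, 1, True)
    store = ChallengeStore()
    print(authenticate(low, store, "txn-low"))
    decision, code = authenticate(high, store, "txn-high")
    print(decision, store.verify("txn-high", code))
```

The point of separating `risk_score` from `decide` is that the threshold is a policy knob: an issuer can tune it per portfolio or merchant segment without touching the signal logic. The `ChallengeStore` shows the properties a dynamic password must have to improve on a static one: it is unpredictable, bound to one transaction, usable once, and cannot be brute-forced within the attempt budget.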
Many issuers have already moved to a risk-based approach. However, version 2.1.0 of the 3DS specification provides for a standardised platform across issuers and merchants. Each card scheme is taking a separate roll-out approach; Visa will phase out its Verified by Visa enrolment processes and static passwords between April and October 2018, and MasterCard will do so by the end of 2020.
Visa now offers Visa ID Intelligence, a platform for third parties to access a series of Visa APIs and a sandbox to test authentication products, presumably for 3DS version 2. Visa and ThreatMetrix have partnered to provide the platform, which was announced on 19 October 2017.
PCI SSC Standards
The PCI 3DS Core Security Standard provides third parties developing 3DS security products with guidelines for identifying and implementing appropriate security controls. It defines physical and logical security requirements to protect the environments in which Access Control Server (ACS), Directory Server (DS) and 3DS Server functions are performed.
A 3DS entity might already meet the general security requirements of the Core Standard, if it is already fully compliant with the PCI Data Security Standard. But it would need further security controls in place to meet the specific 3DS security requirements.
The PCI 3DS Software Development Kit (SDK) Security Standard targets third-party developers and vendors of 3DS cardholder authentication software embedded in merchant apps. The SDK Standard provides a minimum baseline of security features and functionality.
Card-not-present (CNP) fraud in Australia continues to rise, and overseas developments are likely to reinforce this trend. The US is rolling out EMV chip-and-PIN technology to reduce fraud at the point of sale, which will likely increase CNP fraud generally. Introduction of the European Regulatory Technical Standards, under PSD2, will require stronger customer authentication for remote payments. This will see CNP fraud move out of Europe. The standards are likely to come into force some time in 2019.
In this context, the anticipated security and customer experience benefits of 3DS version 2 could become attractive to Australian online merchants. Merchants could protect sales while removing exposure to fraud losses.
The opinions and views expressed in this publication are those of the authors exclusively and do not purport to reflect the opinions, views or official policy position of AusPayNet or its members.