Can 3-D Secure Protect Your Merchant Account Against Chargebacks?
By Chris Alarie on Sep 30, 2020
A frequent source of chargebacks is fraud resulting from identity theft. It is an easily imaginable and all too common circumstance: an individual has their credit card information stolen by a fraudster. That fraudster then uses that information to make an online purchase. The merchant, unaware of the fraudulent origin of the purchase, allows it to be completed. The victim of identity theft sees the purchase, reports it to their bank, and the merchant receives a chargeback.
Identity theft is a lamentable and largely intractable part of modern society. Fortunately, there are tools available to merchants that reduce the likelihood of unwittingly being drawn into these sorts of fraudulent schemes. Among the most versatile and powerful of these tools is Visa’s 3-D Secure.
What is 3-D Secure?
First introduced in the 1990s and majorly overhauled as Version 2.0 in 2016, 3-D Secure is a security protocol for online credit card payments. Its name refers to the three domains: the acquirer (merchant’s bank) domain, the issuer (customer’s bank) domain, and the interoperability domain.
3-D Secure is specifically a Visa protocol that they first developed and continue to employ under the product name Visa Secure. But it has been adapted by other credit card companies into their versions of the service, including MasterCard (SecureCode), Discover (ProtectBuy), and American Express (SafeKey).
3-D Secure helps merchants verify customers’ identities, cut down on fraud, and reduce the frequency of “unauthorized transaction” chargebacks.
How does 3-D Secure work?
3-D Secure facilitates the easy exchange of customer information between acquirer and issuer when purchases are made. The customer experience is frictionless while the merchant is able to complete the transaction with greater assurance that it is not a fraudulent purchase.
The general model of how 3-D Secure Version 2.0 works in the context of an online purchase is as follows:
The customer begins the process of making a purchase.
The merchant initiates 3-D Secure, sharing contextual data (including information like the type of merchandise, shipping location, and device type) about the purchaser.
The issuer reviews the contextual data in order to authenticate the purchaser’s identity.
If everything is authenticated, the purchase is completed.
The original version of 3-D Secure involved the use of a step in the purchase process requiring the customer to enter a password or code to validate their identity. However, many customers found this extra step to be annoying or untrustworthy, leading to abandoned purchases. Also, the technical requirements to enter the passwords potentially left consumers vulnerable to phishing scams.
3-D Secure Version 2.0
As a result of the vulnerabilities mentioned above, 3-D Secure 2.0 and later versions make less frequent use of passwords. The primary method of identity authentication lies in the data exchange, with passwords serving as a secondary measure in circumstances where the 3-D Secure technology finds a reason to suspect potential fraud.
3-D Secure Version 2.0 (and later) is informed in part by the necessity of satisfying Strong Customer Authentication (SCA). SCA is a directive within the European Union (EU) for payment service providers. The EU directive itself describes SCA-compliant authentication as consisting of:
An authentication based on the use of two or more elements categorized as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data.
Examples of these elements include passwords (something the user knows), some sort of push-button or two-factor authentication on a mobile device (something the user has), and biometric data such as fingerprint or a face scan (something the user is).
Version 2.2—which is newly available this year—cuts down even further on the reliance of passwords by making greater use of biometric data.
3-D Secure Version 2.2
In addition to strengthening and refining 3-D Secures use of SCA, Version 2.2 introduces additional valuable features. One such feature is a whitelisting component that allows customers to compile lists of trusted merchants for whom payments can be processed without using the SCA verification process. Another feature is Requestor Initiated Payments, which could be especially useful for recurring or subscription billing transactions. Finally, Version 2.2 allows for decoupled authentication (authentication processed separately from payment) and delegated authentication (allowing merchants to send information to the issuer to prove that the customer has already been authenticated). Both of which should allow for swifter, easier transactions for customers and merchants alike without sacrificing 3-D Secures effectiveness at combating fraud.
The Right Tools for the Job
Using 3-D Secure in conjunction with MidMetrics is your best defense against fraudulent chargebacks. Our powerful dashboards and analytics tools offers real-time visibility into what’s going on with your chargeback activity and helps you identify patterns of fraudulent behavior.
MidMetrics is expertly designed to be easy to use, and it requires minimal IT effort for merchants to implement. It integrates with payment processors, gateways, CRMs, and service providers via API, and uses secure credentials to establish direct connections with card networks and banks.
Want to see MidMetrics in action? Schedule a demo with us.