(Article reposted from Finextra. Author: Níamh Curran, Senior Reporter, Finextra)
Amid increasing ecommerce sales, changing consumer expectations, and regulatory shifts, payments issuers and processors need to continually evolve to decrease risks from card-not-present (CNP) transactions and the customer authentication process.
As the number of online payments grows, organisations are at increased risk of loss as a result of CNP fraud. It is imperative that companies implement fraud prevention tools to combat growing threats and the resulting loss of revenue, and this is where 3-D Secure (3DS) risk assessments and authentication come in. Though 3-D Secure is not a new concept – and is mandatory across the UK and Europe – updates to the protocol are coming this fall. With these changes, this is a good time for issuers to reassess the compliance and performance of their 3DS platform.
Finextra spoke with Outseer’s chief customer success officer Mark Harvey and director of professional services Oren Shpigel on how to pick the right 3-D Secure provider.
What is 3-D Secure and how has it evolved?
3-D Secure is a protocol designed to add an additional layer of risk assessment and authentication to credit and debit transactions. This extra layer of security not only helps verify and fight fraud, but adopting it also helps comply with the current EU regulation, PSD2.
In 2018, 3-D Secure 2.0 was introduced to support online and mobile purchases. Instead of requiring consumers to complete authentication at checkout, with 3DS 2.0, issuers’ Access Control Server (ACS) platforms were able to conduct risk-based and biometric authentication, therefore removing friction from less risky purchases. In 2019, PSD2 was updated with an imperative for strong customer authentication (SCA) for electronic payments, which mandated two-factor authentication. It also outlined a common set of standards and regulated third-party involvement.
Fast-forwarding five years to 2024, the EU has introduced a legislative package that will again modernise the existing regulations. This package consists of the third Payment Services Directive (PSD3) and a Payment Services Regulation (PSR1), which contains new directives on the performance requirements of APIs and the minimum functionality that they should support. In addition, PSR1 will streamline authentication, resulting in even lower friction at checkout. The Instant Payments Regulation will also extend IBAN and name checking via Confirmation of Payee.
With 3DS, banks, financial institutions, and merchants can offer automatic and seamless authentication embedded into their platform. Payment providers will need to look to partners for 3DS solutions, as they can provide interoperability and offer a holistic view of threats. Payments firms with partners in place have the advantage of ensuring 3DS authentication is occurring in the background and are likely letting security checks roll on without too much thought. These upcoming regulations make it essential for payments service providers to reassess their 3DS platforms and ensure that they are flexible and prepared for all regulatory and market changes.
Key features of a 3DS solution
When looking to change 3DS providers, it is important to choose a provider that has sufficient experience. While 3DS is a mandatory protocol, it is important to take time to understand the performance of solution providers and their impact on key profit drivers like fraud prevention, operational costs, and interchange fees. What should you be on the lookout for when assessing partners for a 3DS solution?
1) Better data and control of customer interventions make 3DS a profit driver
In conversation, Harvey shared the sentiment that the 3DS protocol is itself “only a piece of the puzzle. Many look at the protocol and believe that all providers are the same, and it is therefore a commodity, but that couldn’t be further from the truth. The real value comes when a solution uses better data science powered with consortium data. This plays a significant role in the performance of the solution because it helps catch more fraud and reduce losses.”
With 3DS, issuers’ ACS platforms can conduct risk-based and biometric authentication and, as a result, data-driven behavioural authentication can be completed. An advanced, data-driven 3DS solution can take this a step further, creating a customer profile using historical data, and then comparing it to the customer’s online behaviour when using the system. All this can be completed behind the scenes, without the customer’s involvement, so there is no friction added in the customer experience.
Precise control of customer intervention is also critical to minimise false positives and tune in to highly predictable intervention rates that meet regulatory requirements.
The differences in better data and control of customer intervention can create staggering results. According to Outseer’s customers, organisations can save between 10s and 100s of millions of pounds.
2) Flexibility improves customer experience and reduces costs
Another feature that financial institutions and issuers should be on the lookout for when evaluating 3DS ACS systems is flexibility. This alone can make a difference in operational costs, and between a frictionless customer experience and a higher-friction one.
“There is no one-size-fits-all answer to 3DS or any fraud detection solution,” Harvey stated. “Trying to establish how the customer strikes a balance between, for example, fraud detection vs. the customer experience vs. their operational costs and efficiencies or budget. That’s a balance that is unique to pretty much every customer. Some of that is their own business decisions. Some comes from regional mandates.”
This flexibility across priorities is needed when setting up a 3DS solution. Individual customer needs should always be considered.
3) A provider who is keeping up with regulatory changes and technology advances
A 3DS solution provider should also keep pace with regulatory changes and update their product so that the changes take effect immediately after the regulation takes effect.
And in addition to keeping up with shifting regulations, they should also be constantly innovating and updating their 3DS technology. There should be active engagement from 3DS providers with both the standards bodies and the card networks to both understand and influence the direction of technology and regulations.
Harvey elaborated on this point, and went on to say that once a 3DS solution is set up, “it’s only the start. The fraud landscape is continually changing. Fraudsters continue to innovate. Customer expectations change. Regulations move on. And competition is increasing with challenger banks, open banking, etc.”
Providers should also be able to provide their customers – whether it be banks or merchants – with information regarding solution updates on a predictable timeline, so plans can be made for the impact they might have.
Harvey added: “You need a 3DS solution that can give you what you need today, but also be capable of staying with you during that ongoing change.”
Cost and time considerations
Cost and time should not be seen as a barrier to introducing 3DS solutions as part of the payments process. Unlike many IT changes, the cost and time to implement a 3DS solution should not be excessive. In terms of time to value, a three-month transition should be well within reach for providers – even very large ones.
Harvey commented: “3DS should be thought of more like an onboarding process, not an implementation project. It really doesn’t need to be a long, involved, expensive project.”
To ensure a quick time to value and a smooth implementation and onboarding process, you should look for a solution provider that has extensive experience implementing a 3DS solution. A 3DS solution provider should have a proven, well-defined and well-documented onboarding methodology based on their experience. Their process should be end-to-end, from planning through to testing and go live support. Additionally, suppliers should be able to adapt their approach depending on the financial institution’s timeline, resources, and priorities.
Does switching providers have to be a painful experience?
A good 3DS implementation doesn’t have to be painful. Shpigel said: “With every new customer, we adjust our methodologies and our onboarding process based on their needs. We use our best practices, built over many years, to meet their requirements. At the end of the day the aim is to deliver the maximum value as quickly and as cost-effectively as possible.”
The provider should be assigning a project lead who is experienced in 3DS onboarding to guide their customers through the process, listening to and considering their individual priorities, timelines and resources.
There should also be close collaboration with customers throughout the onboarding process, with specific guidance based on experience and best practice.
Shpigel added to this: “The experience the team has, the knowledge they have, and the level of understanding they’re bringing to the customers, that’s what should make the difference for the customer.”
And once implemented, a good provider should continue their relationship with the customer, ensuring that the solution is assessed regularly. Solutions need to continually adapt to the needs of the payment provider and changes in regulations.
Risks involved in changing provider
Financial institutions should not be afraid to change their 3DS provider to keep up with upcoming regulatory changes, or advancements in technology. Choosing a 3DS provider with a superior track record of implementations and capabilities can minimise transition risks. However, there are some challenges to consider:
- Not planning ahead: There should always be proper planning ahead of any transition. A 3DS project should have a specific set of activities and goals which can be appropriately planned for, helping to smooth the process.
- Not opting for a tailored approach: Your provider should have a specific 3DS implementation approach that will fit your needs, which can’t be found from a generalist provider. An experienced 3DS implementer will be able to guide customers along the way, during the implementation and beyond.
- Using inexperienced solution provider resources: You are unlikely to go through this type of project very often, but your solution provider should be using resources with a depth of experience across many projects.
A change in regulation always makes for a good time to reassess how you’re using your technology solutions. An effective 3DS solution can be imperative in preventing fraud in your business, but it is also a requirement. When investigating whether you want to change your 3DS provider, it should be known that it shouldn’t be costly, it shouldn’t take an extended period, and the provider should remain responsive to your needs.