3D Secure: Optimising risk rules for checkout success

Tilly Michell, 5 minutes

There are two competing aims that are crucially important for eCommerce businesses. The first is protecting both the business and its customers by preventing fraudulent transactions and adhering to all the relevant regulatory obligations. The second is optimising profitability, by keeping user experience seamless and removing any obstacles that might stand in the way of a transaction being completed. 

One tool that can help businesses meet these goals simultaneously is 3D Secure. This authentication protocol adds an extra layer of security to online payments, while providing a fast-track checkout experience for transactions that are low-risk. In this article, we’ll look at key strategies for optimising risk rules to ensure that businesses are protected against fraud while providing a seamless checkout process. We’ll also look at the evolution of 3D Secure technology and the regulations that are relevant to its implementation.

Understanding 3D Secure

3 Domain Secure (3D Secure or 3DS) is an additional layer of payment security designed to protect online credit and debit card transactions. It does this by asking the cardholder to authenticate their identity during an online payment transaction, making it harder for fraudsters to exploit stolen card information. Typically, this authentication involves the cardholder entering a one-time password (OTP) or a personal identification number (PIN) during the checkout process.

The original 3DS protocol was introduced in the late 1990s by Visa and Mastercard to enhance the security of electronic transactions. 3D stands for “three domains”: the card issuer, the business receiving the payment and the infrastructure platform that acts as a secure go-between for the consumer and the retailer.

3DS1 had limitations in terms of user experience, with pop-ups and redirects leading to a less-than-optimal checkout experience for users. An updated version, 3D Secure 2.0 (3DS2), was introduced as a response to these shortcomings and has become widespread globally. The improvements include a more advanced data-sharing procedure between merchants and issuers, better risk-based authentication and a more frictionless UX.

The balancing act: Security vs. user experience

Maintaining robust payment security measures while ensuring a smooth checkout process is an ongoing challenge. Preventing fraud means requesting additional information from customers to verify their identity. However, having to provide this additional information every time a purchase is made can be onerous and off-putting to customers, leading in the worst-case scenario to abandoned carts and a loss of repeat business. Here are some of the key pain points when it comes to user authentication:

  • Additional checkout steps: Being redirected to another page or confronted with a pop-up, and then having to enter additional information, can disrupt the checkout flow and make the transaction feel unnecessarily complex.

  • Unfamiliarity: A lack of awareness about the 3DS process can result in users hesitating or abandoning their transactions.

  • Compatibility issues: The 3DS system must be compatible with the user’s browser or device, and it must be optimised for mobile devices, or the user experience will suffer.

  • Delayed messages: Some authentication methods, like texting or emailing a one-time passcode, may be subject to delays, making it less likely the customer will complete the transaction.

One way of balancing the need for security with an optimal user experience is to implement user-friendly authentication methods. Fingerprint scans, for example, can be completed seamlessly and almost instantaneously. Another is to assess which transactions are low-risk, and allow those to be completed with fewer interventions. We will dive deeper into risk optimisation to explain how this works below. 

3D Secure and the regulatory landscape

PSD2 and SCA

Businesses operating in the European Union must comply with a piece of legislation called the Revised Payment Services Directive (PSD2), which mandates Strong Customer Authentication (SCA) in certain circumstances.

PSD2 was being developed when the UK was still an EU member state, and the UK also requires SCA under its own legal framework, although differences have been introduced. For the purposes of this article, we’ll focus on the European version of SCA as defined in PSD2.

SCA specifies three types of authentication: using something the customer knows (such as a password), something they have (such as a mobile device) or something that is inherent to who they are (such as a fingerprint). To conform to SCA standards, electronic transactions must be authenticated in at least two of these three different ways, unless they are deemed low-risk.

Strong Customer Authentication categories: something they know, something they own, something they are

Effortless compliance with 3DS

3D Secure provides a standardised way for merchants to comply with SCA requirements, because of the two-factor authentication it incorporates into the checkout process. It also helps shift liability off the merchant onto the customer’s card issuer in the event of disputes. 

Although SCA was developed in Europe, its impact has been global as other countries have recognised the importance of strengthening online payment security and have put in place similar measures, or are considering doing so. For this reason, implementing 3D Secure is a way of ensuring global compliance and future-proofing businesses as they grow.

Authentication exemptions under SCA

PSD2 allows certain types of transactions to go through without the additional authentication measures associated with SCA. Low-value transactions, payments from trusted beneficiaries, recurring payments and other types of transactions associated with a lower risk of fraud may be exempt from SCA requirements.

3DS2: An evolution in payment security

As mentioned above, 3D Secure 2.0 (3DS2) is a more advanced version of the original 3D Secure protocol that aims to remove unnecessary friction from payments while maintaining high security standards and compliance with SCA standards and PSD2 regulations. Modifications from the original version include:

  • While 3DS1 primarily relied on static, rule-based authentication, leading to a one-size-fits-all approach, 3DS2 introduced risk-based authentication. This is a more dynamic, adaptive method, allowing low-risk transactions to go through with minimal authentication. Multi-factor authentication can then be reserved for high-risk transactions.

  • Improved data sharing between merchants and card issuers, including device information, transaction history, and contextual data. This enables more accurate risk assessments, resulting in fewer authentication prompts.

  • A more streamlined checkout process, with fewer pop-ups and redirects.

  • More consideration for user-friendly mobile transactions.

  • A broader range of authentication methods is supported, including the use of biometric data, such as fingerprint and facial scans.

With 3DS2, the card issuer determines the risk based on the shopper information available during verification. When additional information is required to verify the shopper, the issuer presents a challenge to the shopper, for example, entering a code sent to their phone. The frictionless flow is attractive to shoppers and provides increased checkout conversion rates.

Key factors in optimising risk rules

One way of creating an ideal balance between user-friendly checkout design and security-enhancing authentication methods, as we have established, is to assess the risk level of each transaction. The development of AI and machine-learning technology means that sophisticated risk analysis can be carried out in real time, almost instantaneously.

Risk is a complex concept, however, and multiple factors must be analysed. In order to automate the decision-making process, risk rules must be created. These specify the conditions that are used to assess the level of risk. Risk rules may consider the impact of the following factors:

  • Transaction amount: High-value transactions may demand additional scrutiny.

  • Transaction frequency: Is there an unusually high frequency of transactions in a specific time period? If so, additional authentication may be required.

  • Geographical location: Certain regions may be considered high-risk.

  • User behaviour: Is there anything that deviates from a user’s normal behaviour, for example, a different device, log-in time or location?

  • Anomaly detection: There may be more technical indications of fraud, for example, deviations in network traffic, system access, or malware detected.

  • Velocity: Unusually rapid transactions could suggest fraud.

  • Pattern recognition: Historical data can be analysed to recognise patterns associated with fraud.

Risk rules are important in determining when to trigger additional authentication when implementing 3D Secure and other online payment security measures. The most stringent checks can be restricted to the most high-risk transactions, making the checkout process easier for other customers. 
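
An added example, not Airwallex's or any card scheme's implementation: a small rule set over four of the factors listed above (amount, velocity, geography, device change) that maps a transaction's score to a frictionless, challenge or decline outcome. The `Txn` fields, all weights and thresholds, and the placeholder country code `XX` are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Every threshold, weight and country code here is an illustrative assumption,
# not a value from a card scheme, a regulator or a PSP.
HIGH_RISK_COUNTRIES = {"XX"}              # placeholder code
AMOUNT_LIMIT = 250.00                     # "high-value" cut-off
VELOCITY_WINDOW = timedelta(minutes=10)   # look-back window per card
VELOCITY_LIMIT = 3                        # earlier payments tolerated in the window
CHALLENGE_AT, DECLINE_AT = 30, 70         # score cut-offs

@dataclass(frozen=True)
class Txn:
    card: str
    amount: float
    country: str
    device_id: str
    at: datetime

def score(txn, history, known_devices):
    """Return (score, reasons) for txn given earlier transactions and known devices."""
    recent = [h for h in history
              if h.card == txn.card and timedelta(0) <= txn.at - h.at <= VELOCITY_WINDOW]
    rules = [
        (30, "amount", txn.amount > AMOUNT_LIMIT),
        (40, "velocity", len(recent) >= VELOCITY_LIMIT),
        (30, "geography", txn.country in HIGH_RISK_COUNTRIES),
        (20, "new_device", txn.device_id not in known_devices.get(txn.card, set())),
    ]
    fired = [(points, name) for points, name, matched in rules if matched]
    return sum(p for p, _ in fired), [name for _, name in fired]

def decide(txn, history, known_devices):
    """Map the score to frictionless / challenge (step-up via 3DS) / decline."""
    total, reasons = score(txn, history, known_devices)
    if total >= DECLINE_AT:
        return "decline", reasons
    if total >= CHALLENGE_AT:
        return "challenge", reasons
    return "frictionless", reasons

# Constructed sample data: one card with a known device and three recent payments.
T0 = datetime(2024, 1, 1, 12, 0)
KNOWN = {"card-A": {"dev-1"}}
HISTORY = [Txn("card-A", 20.0, "NL", "dev-1", T0 - timedelta(minutes=m)) for m in (2, 4, 6)]
if __name__ == "__main__":
    for amount, country, dev, hist in [(25.0, "NL", "dev-1", []), (25.0, "NL", "dev-1", HISTORY),
                                       (900.0, "XX", "dev-9", HISTORY)]:
        print(amount, country, decide(Txn("card-A", amount, country, dev, T0), hist, KNOWN))
```

Returning the list of rules that fired alongside the decision lets a merchant see which rule drove each challenge or decline when tuning thresholds.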

Payment service providers (PSPs) such as Airwallex play a crucial role in helping businesses optimise their risk rules for checkout success whilst complying with SCA and other regulations relating to payment security and customer protection. 

Manage your risk strategy and maximise payment acceptance rates with Airwallex

Airwallex is a global payment provider that can help you effectively manage your risk strategy and maximise your payment acceptance rates. We offer state-of-the-art payment security technology, including 3DS2, for all major card schemes.

Airwallex’s 3DS engine automatically picks the best strategy based on transaction risk, applicable regulatory exemptions, and policies. Frictionless checkouts are offered to shoppers considered low risk by the card issuer, and additional authentication is requested for higher-risk transactions. This maintains an optimal balance between checkout flow and security requirements.

The Airwallex risk engine leverages our own models in combination with external data sources to discern fraudulent transactions from legitimate ones. Merchants can customise their risk appetite to determine when 3D Secure should be leveraged, or a transaction should be rejected. Merchants can view the performance of the risk engine in the Airwallex Risk Dashboard. The Risk Dashboard displays essential fraud metrics and illustrates how the performance of the risk engine affects payment success and fraud rates. Merchants can track historical key risk metrics, identify fraud patterns through time, and see their performance in comparison to similar businesses.



Tilly Michell
Content Marketing Manager

Tilly manages the content strategy for Airwallex. She specialises in content that supports businesses in their growth trajectory.
