Fraud Intel Forum

3D Secure: Does it Make e-Commerce Any Safer?

3D Secure is the generic name given to a protocol; the three branded versions are "Verified by Visa" (VbV), "MasterCard SecureCode", and JCB International's "J/Secure".

In this 3-part series, I examine what 3D Secure is and why it was developed, discuss its successes and failures from the perspectives of merchants, consumers, banks and security experts and how it's been adopted in different geographies, and finally conclude with an evaluation of how well it addresses the problem it set out to solve and whether better approaches might exist. I invite your questions and comments regarding your personal 3D Secure experiences.

Introduction: Part 1 of 3

Our European readers are likely very familiar with 3D Secure in some form, but here on the other side of the Atlantic, not so much. So, first some background.

3D Secure is the generic name given to a protocol originally designed by Visa that is promoted as offering an added layer of security through user authentication to prevent payment card fraud. Visa offered the scheme to other card associations who have implemented it under their own branding. The 3 branded versions are Verified by Visa (VbV), MasterCard SecureCode, and JCB International's (Japan Credit Bureau) J/Secure.

Because 3D Secure has been poorly implemented and marketed (there is lots of market confusion about what it is, even in Europe where it has high penetration and most online shoppers have encountered it at least a few times), you may hear any of these 4 terms bandied about. Know that they are all basically the same thing. If you want to dig into more detail, this Wikipedia article covers the basics.

Why use 3D Secure?

MasterCard offers this business case on their website:

  • 70% of online shoppers are very concerned about security and fraud issues
  • 26% would purchase more frequently online if there were more security protection from a card
  • 44% of those likely to use SecureCode would be likely to buy more online
  • 66% of online consumers who do not make purchases online cite security concerns as the main reason

As this series of articles will discuss, if security, consumer protection, and increased sales are the real issues, we'd all be better off not using 3D Secure technology, because it isn't secure, doesn't offer any additional protection to the consumer beyond the "zero liability" for fraud that is already guaranteed, and often causes sales to drop because consumers don't understand it, don't trust it and don't like the inconvenience.

The sales pitch versus the reality

Most merchants who choose to adopt 3D Secure do so because it shifts liability for card-not-present fraud to the card issuer on 3D Secure-authorized transactions. Without this economic incentive, it's unlikely 3D Secure would have gained significant market traction.

In some industries with high risk profiles and large dollar sales (e.g. airlines), and where there are limited choices and demand is relatively inelastic (if I want to travel from Toronto to Atlanta, for example, I have only 2 practical choices, unless I'm prepared to take the time to drive), this liability shift and reduced fraud cost outweigh lost sales and what consumers think about the inconvenience.

As a result, purchasing tickets is one of the places where consumers are most likely to encounter 3D Secure in the US. In most other business categories, there is simply too much competition for retailers to risk offending, inconveniencing or confusing customers.

It's different in Europe

Adoption in Europe has been much broader than in North America. We speculate that part of the reason for this is that the US e-commerce market was much more established when 3D Secure was introduced, with many more merchants and much more competition within categories. Thus merchants are less willing to do anything that might introduce a perceived inconvenience or a reason for consumers to go elsewhere.

In the UK, the MasterCard Maestro brand, which is one of the most widely used cards, basically issued an ultimatum that if merchants wanted to accept their payment cards online, they would need to use 3D Secure. This single spur to adopt has dramatically changed the game there, making the ability to accept online payments a critical factor in adoption, although it hasn't completely mitigated concerns about security, lost sales or consumer fear of fraud.

As a result of this enforced implementation, adoption in the UK market, for instance, has risen from below 20% to around 80% of UK merchants in just 3-4 years, although there are some notable holdouts. Amazon, the world's largest online retailer (by far), refuses to use 3D Secure, citing consumer inconvenience. Amazon also has very sophisticated fraud systems in place already, so it stands to lose more in sales and customer goodwill than it would gain in fraud savings.

Summary

In summary, 3D Secure has had a spotty record since it was introduced by Visa nearly 10 years ago in 2001. In the last few years, it has become much more successful in Europe than in North America, where it is still an oddity. It has helped lower fraud a little bit, particularly in the UK market, but at the expense of consumer angst and lower sales for many merchants. It has not lowered the Total Cost of Fraud, a concept we'll touch on in future articles that helps explain the lack of market traction.

In the next article in this series, I'll detail the complaints about 3D Secure and why merchants and consumers generally don't like it, and the cost burden it imposes on card issuers.

Comments

The article states that 3D Secure isn't secure, but doesn't explain why this is the case.
Posted @ Monday, November 15, 2010 3:29 PM by Julian Lovelock