What is 3DSecure?
I’m going to assume that, seeing as you are reading this blog, you probably have more than a passing interest in ecommerce & have made a recent online purchase. You likely found yourself entering your delivery address & billing details on a well designed, integrated form & reached a clearly laid out confirmation page. Happy with the whole shopping experience, you click confirm only to be confronted with one of these ugly screens. It looks nothing like the site you were on & displays some vital credit card information, so you wonder if your browser has been hijacked by a malicious script. For a lot of customers, this is enough for them to click the cancel button or close the browser window, but on closer inspection it turns out to be an extra layer of security introduced by some of the major banking groups at the behest of the two most popular card service providers, Visa & Mastercard.
Visa’s system is called Verified by Visa whilst Mastercard plumped for the less catchy Mastercard SecureCode. Both are brands of the same underlying 3DSecure technology & the names all refer to the same basic system. After confirming their details with the merchant, the customer is presented with a window that asks for some personal information, be it letters of a password or a code sent by SMS, which is intended to verify their identity. If correct, the merchant is informed of the success & the customer proceeds to the thanks page.
Why is it rubbish?
The 3DSecure system has come under extreme criticism from both merchants & customers. The first complaint stems from the roll-out of the system & the lack of information provided to shoppers. The system was introduced in November 2010 with no fanfare & users first discovered they were now enrolled when shopping. Presented with either a pop-up or a frame within the checkout, people were left with no way to verify that this strange new window was provided by their own bank & had not been told to expect one. Sensibly, following advice they’d heard from web security experts regarding windows that you don’t recognise, many cancelled the transaction. Others continued & were asked to activate their account whilst on the site, not knowing if the password related to their bank or to the shop they were purchasing from. Mobile sites suffer from even more issues, as many older devices don’t offer the features required to implement the 3DSecure system at all.
These issues have been compounded by the seemingly random order in which banks have been forcing merchants to comply with it. There is no consistency: similar-sized sites working with the same bank find that one has been enrolled whilst another hasn’t. Many companies cite large businesses like Amazon.co.uk as an example of why to hold out in implementing 3DSecure, but I worry they are missing the bigger picture. Amazon is one of the most sophisticated ecommerce retailers in the world, if not the most sophisticated. They have a dedicated fraud team & years of experience detecting suspect transactions. It is likely they opted to hold out after evaluating the current cost of fraudulent orders versus the drop-off in sales due to its implementation. In the eyes of the banks, it is the smaller retailers that are most vulnerable, so it makes sense that they be the first forced to use the system.
Why do I need it?
Prior to the 3DSecure system, ecommerce sites were liable for any funds received through fraudulent transactions. A lot of merchants wrongly believed that once the money was in their account, it was safe to despatch the goods regardless of how suspect the order might look. Unfortunately, even months after completion, the cardholder’s bank is able to request a chargeback, refunding the money out of the merchant’s account. The chargeback system can be used in cases of fraud or of customer complaints, for example where the customer doesn’t receive the purchased goods.
The introduction of the 3DSecure system places the liability for these funds back onto the banks rather than the merchant. What this means is that any fraudulent transactions that have passed the issuing bank’s 3DSecure checks are covered by the issuing bank & therefore the merchant is not at risk if the order turns out to be fraudulent. To sweeten the deal, many banks are offering reduced transaction fees for orders that do go through the extra layer of security.
What should I do next?
If you’ve got 3DSecure implemented then that’s great. You don’t have the option of turning it off & your regular customers are likely used to the system now. What we would recommend is that you ensure the checkout makes it clear that the new window they are seeing is part of the checkout & something they will need to complete. A little bit of information from you at that stage could mean the difference between a sale & an abandonment. If you don’t have it yet, it is a safe bet that your bank has its roll-out planned. Once it is enabled with your bank & payment gateway, there is a bit of work to do on your site to ensure that the checkout is 3DSecure enabled. After that, all you’ll need to do is let your customers know.
3DSecure doesn’t mean you should stop being vigilant when checking orders, but it does mean that you aren’t liable for those orders it did check. The system might be flawed but in the long run it will save you money, both in lower fees per transaction & in fewer chargebacks due to fraud.