How merchants, gateways & processors can change the payments industry with EMV 3DS
The concept of purchasing goods on credit is nothing new. As humans, we’ve been doing it at least as far back as 5,000 years ago, when Mesopotamians and Harappans conducted trade via a basic credit system. But credit cards, well, they’re relatively new.
First introduced in the late 1940s and early 1950s via a closed loop system, their usage quickly grew. By the late 1950s, American Express had created the first plastic card, and Mastercard had introduced the first card that allowed you to carry credit—meaning you didn’t have to settle your bill in full each month. By 1960, over a million people had started using credit cards worldwide.
The payments industry has changed significantly over the following decades, with card usage continuing to grow. Each year, the percentage of cash-based transactions and in-person purchases dwindles as card-based e-commerce percentages rise. But while the popularity of debit and credit cards has grown at an incredible clip, the payments system and the technology that supports it haven’t been able to keep up the pace.
In the early 1970s, the magnetic stripe was invented by IBM, a major technological innovation for credit cards. Prior to this, each credit card transaction required calling the bank, verifying information, and the old carbon paper slip, a process that took multiple minutes to complete. By 1973, Visa introduced the first computerized system to verify information, substantially cutting down on transaction times.
Both of these developments substantially changed the payments industry. Until this point, very limited data was needed to approve a credit card purchase, and few actors existed within the payments ecosystem. As swipe-based payments took over, the computerized system required more and more data in order to confirm or deny a purchase. While technological breakthroughs allowed the industry to increase the amount of data over time, since then, the payment world has basically been applying patches to an antiquated system, playing catch up, and delivering a poor customer experience.
When the computer revolution started in the 1990s, things began to change even more rapidly. The rise of e-commerce led to a spike in credit card fraud, creating a drastic need for richer data to confirm or decline a purchase, and laying bare the approach of adding more data capabilities in a piecemeal manner. In 2001, Visa introduced 3-D Secure (3DS), which added extra layers of security to prevent fraud and decrease false declines. 3DS was created to shift liability from the merchant to the issuer (if the issuer approves the request) and provide secure remote commerce. And it’s the basic system that we’ve been operating on up until now, but one with significant drawbacks.
Online purchases and technology have increased drastically, and as a result the original 3DS system delivers consumers a poor user experience via long processing and verification times, while merchants are left to deal with cart abandonment. At the same time, the players that constitute the payments ecosystem have become more diversified, which, when combined with new technologies, provides opportunities to remake a system in need of modernization.
Understanding the parties that make up payment processing
Closed-loop systems, where a consumer uses a card, the merchant charges the bank, who is then reimbursed by the consumer—with the merchant’s bank and the bank supplying the consumer credit being one and the same—aren’t as prevalent now. But you still see them when retailers (like Kohl’s or Gap, Inc.) offer consumers store-branded credit cards.
Instead, we have open-loop payments, where the merchant’s acquiring bank and the consumer’s issuing bank are different. There are tens of thousands of these card issuing or accepting banks today, with the payment associations (Mastercard, Visa, etc.) providing the connection between them.
A card issuing bank may not even be aware that the merchant’s bank exists, but the payment association ensures that a branded card can work as long as the merchant accepts the brand. Over time, this open infrastructure has become more complicated; the card issuers and acquirers realized that they could outsource many of the services involved in card issuing and acceptance. This has resulted in an ecosystem that’s constituted by a series of intermediaries, who perform niche functions to ensure that the system runs smoothly.
From the perspective of a merchant, understanding all of the parties within this system can be overwhelming. But because accepting credit card purchases is essential for almost every business now, and there are options for how a merchant chooses their system to accept cards, some understanding is essential.
Below are the major entities that comprise the payments ecosystem, with a basic definition for what each does.
Network: The network is composed of eligible financial institutions that form a credit card association. Examples are well-known names like Visa, Mastercard, American Express, or Discover.
Issuer/issuing banks: This is the consumer’s bank. They effectively make the payment when a consumer purchases an item with a credit card.
Gateways: A software platform that provides an interface between merchants and acquiring institutions. Gateways effectively act as an online payment terminal, ensuring that information is properly transmitted to and from the merchant.
Processors: An entity that performs specific functions similar to a gateway; where the gateway is responsible for information, the processor is responsible for the flow of funds.
Acquirers/acquiring bank: The payment goes to the acquirer, who acts as the merchant’s bank.
Merchants: The merchant selling the goods or services is then paid by the acquirer for what the cardholder purchased.
ISOs (independent sales organizations) & MSPs (member service providers): Parties within the payments system that aren’t members of the credit card association, but legally interface with the cardholder, merchants, issuing banks, and acquiring banks.
Within each of the categories above, there are myriad companies competing for market share, as well as subcategories, and it quickly becomes pretty complex for most merchants to understand fully. Each party within the system charges a fee to process the payments as money is transferred from consumer to merchant.
The complexity of the system has led some merchants and enterprise-level organizations to ask if a consolidated ecosystem would be preferable. Some companies now offer a consolidated payments scheme, which takes some of the need to understand the complexity of the system out of merchants’ hands.
But that simplicity comes with a cost. Namely, the fees merchants pay for processing a payment in these instances are much larger. For many businesses that rely primarily on card-based payments, this percentage is too large to justify the simplicity, or is economically unfeasible. Additionally, consolidated solutions tend to offer a one-size-fits-all approach, which isn’t fully customizable to each customer’s needs. And neither the consumer-experience issues that have plagued the payments ecosystem nor the security and fraud protection desired by enterprises and merchants have been substantially addressed by technology that has continued to outpace the payments model.
The system created to deal with limited amounts of data needed for card swipes, PINs, and signatures isn’t really sufficient to deal with the instantaneous processing of large amounts of data needed to verify online payments. Even with the enhancements that came with the migration from magnetic stripes to chips, the traditional messaging doesn’t meet the needs of e-commerce. That doesn’t substantially change no matter the number of players that comprise the system. But big changes are coming. 3-D Secure 2 (3DS2) was created to address the above problems and update the payments system for the modern age of e-commerce.
What will 3DS2 do?
3DS1 has been continually patched as technology and consumer habits changed; however, from its first iteration it has always had issues. It was created well before we all had smartphones, and consumer habits were strikingly different when it was conceived. Basically, it wasn’t a great user experience, and created friction at checkout. This led to shopping cart abandonment, directly impacting sales revenue. At the heart of these issues was a basic problem of performing user authentication, where more data is needed to ensure a purchase is safe, without disturbing the consumer.
3DS2 addresses these shortfalls, and has been designed specifically for remote commerce transactions—both those currently utilized in the payments industry, and those anticipated to be more common in the future. By enabling the exchange of greater contextual data between the issuer, the merchant, and the cardholder’s bank, 3DS2 reduces fraud, including fraudulent chargebacks, without creating friction at checkout. All of this happens in real time via risk-based authentication methods.
With the massive increase in e-commerce this year, and new merchants moving to an online model out of necessity, this is incredibly important. Credit card fraud has increased alongside e-commerce. In 2018, Mastercard’s data shows that 28% of the 400 billion worldwide online transactions were high risk, meaning whether or not they were fraud couldn’t be verified. At this point, card-not-present fraud costs merchants around $20 billion each year, with each $1 of fraud costing financial institutions an average of $3.27, according to LexisNexis’ 2018 True Cost of Fraud report. The initial data on the ability of 3DS2’s fraud prevention tools to counter fraud, although limited, is extremely positive. Mastercard estimates that digital fraud is lowered < 12 bps when transactions are fully authenticated.
Importantly, 3DS2 allows this process to happen in fractions of a second via EMV 3DS authentication. $200 billion of sales are lost each year in the U.S. due to friction at checkout. However, 3DS2 leads to significantly less shopping cart abandonment, with over 95% of transactions authenticated according to Visa.
Early data provided by Visa suggests an uptick in authorization rates of 8% when compared to 3DS1, with Mastercard reporting an increase of 10%. This is due to additional data provided to the issuer.
More information allows issuers to make better-informed decisions, which increases the authorization rate by feeding the issuer’s neural networks with this additional data, ultimately resulting in fewer false negatives (declining good transactions) and in the identification of bad transactions.
On their own, the above benefits make 3DS2 nearly essential for merchants. Equally important, effective October 17, 2021, fraud liability protection for merchants submitting transactions using Visa Secure with 3-D Secure (3DS) 1.0.2 will no longer apply. For their part, issuers in the U.S. are required to upgrade to 3DS2 on August 31, 2020; if issuers don’t comply, there will be an automatic liability shift.
What does that mean? It means merchants, processors, and gateways will need to have 3DS2 implemented to take advantage of the chargeback liability shift to the issuing bank. While not a legal requirement, parties within the payments ecosystem need to begin to utilize 3DS2 as soon as possible to benefit from this systemic improvement. This major merchant benefit will only be realized as merchants push their suppliers to support 3DS version 2.0.
Europe, on the other hand, does have legal requirements under PSD2 (Payment Services Directive 2), which mandates that merchants implement Strong Customer Authentication (SCA). And while we don’t need to go into the regulatory requirements of the EU, what you do need to know is that 3DS is currently the only PSD2-compliant solution, so merchants who wish to sell from the EU to EU customers will need 3DS to meet all regulatory requirements.
Given the relative complexity of the payments ecosystem, and the massive changes we see with regard to e-commerce, it can be a lot to take in for merchants entering e-commerce or looking for better payment solutions. And the myriad acronyms and initialisms of varying parties and regulations can be a bit dizzying. But it doesn’t have to be.
To say it simply, if you rely on e-commerce as part of your business, you should be looking for a 3DS2 solution today. Its solutions will reduce friendly fraud and shopping cart abandonment, while increasing authorization rates. You don’t want to wait until the last minute and then get caught scrambling. You can implement 3DS2 now, start reaping the benefits, and stay ahead of the game.