
Frequently Asked Questions Answered

3-D Secure is a globally accepted authentication solution designed to make ecommerce transactions more secure in real-time.

3-D Secure provides an additional layer of security for ecommerce transactions prior to authorization. It enables the exchange of data between the merchant, card issuer and, when necessary, the consumer, to validate that the transaction is being initiated by the rightful owner of the account.

3-D Secure 1.0, developed and owned by Visa, has been in the market for 20 years. EMV 3DS is the new generation of the 3DS protocol, developed and owned by EMVCo.

Cardinal is a certified EMVCo vendor supporting four major components: 3DS Server, SDK (Android and iOS) and Access Control Server (ACS). Cardinal has been providing global authentication services for over two decades.

The process where data elements from a consumer’s online shopping session and transaction request are shared between the merchant and issuer to verify cardholder information and to evaluate the risk of a transaction, all in real time. In simple terms, authentication is the process of verifying that the person making a purchase is who they say they are. Authentication can either happen passively in the background, or if the transaction is perceived to be risky, an issuer can engage with their cardholder to actively authenticate using methods like one-time passcodes (OTP) or biometrics.

The process of verifying that a payment credential has sufficient funds to cover the amount of the transaction. An approval response code is sent to the merchant from the card issuer that verifies availability of credit or funds on the cardholder account.

Strong customer authentication (SCA) is a requirement of the EU Revised Directive on Payment Services (PSD2) on payment service providers within the European Economic Area. The requirement states that payment services offered electronically should be carried out in a secure manner, adopting technologies able to guarantee the safe authentication of the user and to reduce, to the maximum extent possible, the risk of fraud.

Source: The EBA RTS

Risk-based authentication, which is provided by Access Control Servers (ACS), is the evaluation of a transaction’s risk profile that typically involves analyzing:

- Contextual data from the merchant
- Cardholder/merchant transaction history
- Transaction characteristics such as amount, device ID, and location

A risk score model and/or risk rules can be used to determine if:

- Authentication is successful
- Additional cardholder information is required
- Authentication failed

Risk-based authentication allows issuers to authenticate their cardholders without asking for any additional information on the majority of transactions, performing step-up authentication only on the riskiest transactions. Less than 5% of transactions are expected to be stepped up for additional verification, such as a one-time passcode. When used effectively, risk-based authentication may provide protection against fraud, increase completed sales, and lead to a better experience for all stakeholders.

Consumers should not know that authentication is happening, unless their transaction is being challenged. In most cases today, risk-based authentication is used to minimize the consumer impact during authentication. That means that most times, authentication is performed by the card issuer in the background, using data they know about their cardholder and data that the merchant shares with the issuer, to make a risk decision about that transaction. If there is something about the transaction that appears to be risky to the issuer, they may challenge the transaction, requesting more information from the consumer (vs. having the transaction declined by the issuer without a challenge).

Our solution supports both. During this period of transition, where some issuers and merchants are still using 1.0 and some have adopted EMV 3DS, it’s smart to have the ability to authenticate with both, so that you’re eligible for liability protection, to help maximize your potential authenticated transactions, help reduce your false declines and fraud, help increase authorizations and likely deliver a better consumer experience. This applies to the following card networks that still support 3DS 1.0.2: Visa Secure, Mastercard SecureCode, American Express SafeKey, Discover/Diners ProtectBuy, JCB J/Secure.

One way to handle protocol routing is the way Cardinal does it – with our 3DS replay feature. When the merchant is using EMV 3DS and 3DS replay is enabled, EMV 3DS authentication is attempted and if the issuer is not using EMV 3DS, the transaction is re-routed as a 3DS 1.0 transaction and can be authenticated using 1.0 or as an attempts transaction, giving the merchant liability protection and a better chance at authorization approval.

With EMV 3DS, implementation options include connecting to the 3DS server (known as MPI – merchant plug-in – for 3DS 1.0) via JavaScript, an API, or a hybrid method, depending on your business’ needs. For mobile transactions, Cardinal provides SDKs (software development kits) that support native applications in iOS and Android. If your business does both browser-based transactions and mobile transactions, you’ll want to implement both solution connections. Cardinal can help since we are certified with EMVCo.

With EMV 3DS, if you are using Cardinal, latency may not be an issue, depending upon network rules. Cardinal uses a parallel processing method instead of processing authentication steps sequentially. This means that during authentication, Cardinal begins collecting and analyzing data before the consumer even submits their order, to allow authentication to happen as quickly as network rules will permit. Other methods that process sequentially can wait to begin authentication, and process transactions step by step, which can take more time to complete. Everything we do at Cardinal is about creating an engaging experience for both you and your customers. We work continuously with you to optimize your authentication strategy to increase approvals while decreasing fraud – all to improve the customer journey.

Cardinal supports Visa, Mastercard, American Express, Discover/Diners, JCB, UPI and other regional payment networks such as Cartes Bancaires and ELO, with more to come on our roadmap. Stay tuned or ask your Cardinal rep if you have questions about specific networks or regions.

This is something that is near and dear to Cardinal’s heart. Our focus has always been on improving the consumer experience during authentication, and it’s what we do today. We know that friction during authentication may cause cart abandonment, so we work to optimize the authentication process and introduce friction only when it is necessary – when the transaction is high risk, or when a government mandate requires a consumer to interact during authentication.

With EMV 3-D Secure, the 100+ data points collected and shared with issuers help them make more confident risk decisions, often without checkout friction, for a better consumer experience. Our Customer Success and Global Customer Support teams have one primary goal: to engage and guide customers through the complexities of the payment authentication ecosystem. Throughout the whole implementation process, Cardinal’s team of authentication experts consults with you to make the process as frictionless as possible for both you and your consumers.

As a 3DS server provider, our implementation teams are usually able to work as fast as a merchant team can. The coding and development work is done by the merchant and Cardinal helps configure, validate and test. Timing also depends on the complexity of the implementation: whether the merchant is doing both browser-based and native app SDK integrations, and what the merchant’s business looks like (is the merchant digital-only or brick-and-click, does the merchant have an order management system that needs to pass all the data elements, does data need to be passed downstream to other third parties?). All of these answers can impact the time involved for implementation.

Chip cards are exclusive to in-person transactions, and EMV 3-D Secure works to secure digital transactions. Both specifications are owned by EMVCo, who strives for standardization, security and interoperability between card schemes.

This plays into the issuer’s risk assessment within their ACS (Access Control Server), which is used for authentication. The amount of the transaction comes into play when the issuer decides whether to passively authenticate or challenge their cardholder. Amount can be a data point that is part of that decision. In 3DS 1.0, amount may have played a bigger role, given fewer data points were available to make a risk decision. In EMV 3DS, there is a lot more data available – ten times as much data as was available in 3DS 1.0. There are additional risk indicators and data fields that the issuer can feed into their risk models. In this case, transaction amount may not play as big a role in the risk decision, and the issuer can use the EMV 3DS data points in addition to amount, to make their risk decision.

Merchants don’t need to enroll individually with each card network. That is something a 3-D Secure provider can handle for them in most cases (there are some steps that a merchant’s acquirer may need to do) to get a merchant loaded into the network’s Directory Server. Any 3DS provider should be able to outline what actions need to be taken to get a merchant set up.

In Europe, the answer can be pretty obvious. We’ll cover that later in this answer.

Outside of Europe (and other regulated regions), merchants may choose to take advantage of the benefits of 3-D Secure, including liability protection. This means that when an issuer authenticates a digital transaction, they believe that the transaction is good, and stand behind their authentication to the point that if the transaction turns out to be fraudulent, they will take responsibility for the fraud. Spinning it from the merchant’s perspective, if a merchant sends a transaction for authentication and the issuer authenticates it, the merchant is off the hook if the transaction turns out to be fraud. This is a huge benefit to the merchant, and a huge risk mitigation tool. The issuer has a lot of information about their cardholder, so if they authenticate the transaction, they are pretty confident that it is their cardholder.

In Europe, when SCA is enforced starting December 2020 (for most of the EEA and September 2021 for the UK), if SCA is required, 3DS isn’t used and an exemption isn’t used, the likely result will be a soft decline indicating the transaction needs to be authenticated. If the merchant re-submits the transaction without authenticating it, it then can be hard declined, and the merchant loses the sale.

Our advice is to get EMV 3DS in place now because we anticipate the effects of not having it to get progressively more severe, as regulatory bodies start enforcing the SCA requirements. Planning and implementing in advance gives merchants the opportunity to get it up and running and optimize their 3DS performance, in advance of any deadline pressure. Another benefit to implementing 3DS now is that merchants won’t be scrambling at the last minute before enforcement deadlines. Think about the countries who plan to start enforcing December 31 of this year. The months leading up to that deadline are usually the busiest of the year for many merchants and can involve site freezes for the holiday shopping season. For that reason alone, acting soon makes sense.

If you do business in Europe, you may be subject to SCA enforcement. Even though most countries have postponed their enforcement until the end of 2020 and some countries into 2021, that’s not very far away, and you probably do not want to do the work of implementing EMV 3DS during the busy holiday shopping season.

And as issuers come on board with implementing EMV 3DS, merchants can take advantage of sharing the additional data fields of EMV 3DS with issuers, so they can make more confident risk decisions, as well as offering consumers a better, smoother checkout experience (and less chance of checkout friction). EMV 3DS helps merchants win in the marketplace, using this advanced technology.

Another benefit for merchants using EMV 3DS is the ability to authenticate mobile transactions. The mobile consumer experience using the original 3DS was not well supported, whereas the mobile experience with EMV 3DS is much improved, which is important now, with mobile transactions at an all-time high.

That depends. It depends on your digital commerce business and who your 3DS provider is. Some providers, like Cardinal, have created easy-to-use interfaces, and have certified their mobile SDKs with EMVCo to make sure they support the protocols as EMVCo intended.

For merchants of different sizes, there are considerations on how EMV 3DS should be implemented. For smaller merchants, EMV 3DS can be implemented easily with selected shopping carts, which have 3DS as an option. Sometimes, this can be as easy as dropping a JavaScript snippet onto your checkout page. For larger merchants or those who use a custom shopping cart, other implementation methods are available.

There are two parts to authentication: data gathering and sending the information to the issuer. Sometimes these can be combined into a single step, and sometimes they are done separately. The data gathering can be more complex, since more data fields are being shared with the issuer so that they can make a more confident risk decision, as well as using the data to authenticate the consumer behind the scenes, with minimal friction. If your provider supplies tools to make the data collection easier, the whole authentication process can be a lot easier for the merchant.

JavaScript on the checkout page is needed to collect the device data information of the cardholder. If a vendor tells you that you can implement EMV 3DS without JS on your checkout page, that is not true. While you can do a custom integration without JS, you will still need it to collect the consumer’s device information to share with the issuer for their risk assessment, per the EMV specifications. And what that ultimately means to you is that if the vendor is not implementing JS, you will need to build, implement and maintain it yourself. We have a variety of implementation solutions which provide flexibility to meet varying needs or desires of merchants. We can facilitate technical discussions with your teams to find the right fit.

The short answer is that especially in places like Europe, where there is a high penetration of 3DS use, 3DS has had a positive impact on conversion rates. As EMV 3DS begins to be more

In regulated regions, like the European Economic Area (EEA) where PSD2’s Strong Customer Authentication requirement is in effect (though not being enforced in most countries until late 2020-early 2021), EMV 3DS helps solve for SCA by facilitating the two-factor authentication requirement.

In non-regulated regions, EMV 3DS is especially helpful to merchants and issuers. The additional data available with EMV 3DS helps issuers make their risk decisions behind the scenes, decreasing the possibility of consumer impact with authentication. Additionally, EMV 3DS is beneficial because it allows authentication during digital commerce from most connected devices, like mobile phones, tablets and more.

India, for one, has had mandates for 2FA for more than ten years. The RBI (Reserve Bank of India) has stepped in and said that fraud is out of control for digital commerce, so every digital transaction must be authenticated. (This requirement has been relaxed in recent years to any remote transaction above 2000 Rupees must use 2FA).

There are some countries where the networks have stepped in and pushed 2FA, like Visa in Australia and New Zealand, which require 2FA as of April 2019.

This is an ever-changing situation, so merchants who are operating in different regions should make sure to keep an eye on where 2FA is required.

Visit https://demos.cardinalcommerce.com/3DS_Info/Country_Mandates/index.html for more information.

The requirements of SCA are that the consumer needs to provide two out of three of these elements: something they have (like a mobile device), something they know (like a password or answer to a knowledge-based question) and something they are (a biometric, like fingerprint or facial scan). EMV 3-D Secure has greater capabilities to support those elements and to make sure that transactions are approved. EMV 3DS v2.2 allows merchants and issuers to manage SCA exemptions vs. having to challenge every transaction. It also supports biometric authentication and other authentication methods that satisfy the SCA requirements. Maybe more importantly, the networks are requiring their issuers to move to EMV 3DS so they support all of these features.

While technically, 3DS 1.0 may satisfy the requirements of SCA in some use cases, the networks are recommending that issuers use EMV 3DS so that consumers have the best user experience available.

When talking about SCA, most merchants immediately want to use exemptions. We suggest taking a step back and evaluating the transactions you have first.

Issuers and acquirers play an important part of exemption management. For example, the low value exemption can apply in a lot of cases, but you need to remember that there are rules around it. Even when transactions are under 30 euros, and a merchant may be able to use the low value exemption, a challenge may be necessary. The low value exemption can apply only after the first transaction under 30 euros is challenged, and every sixth transaction must be challenged, or when the cumulative total exceeds 100 euros before the fifth transaction. Merchants would not know the exact PAN velocity count.

And while SCA is technically the law (though it is not being enforced yet), the card networks are still developing the technologies to manage some of the exemptions.

Stay in touch with your 3DS provider and your acquirer to make sure you have the most up-to-date information on how you can manage and use SCA exemptions.
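The low value exemption counters described above, as an added example that is not Cardinal's or any issuer's code: a minimal issuer-side tracker using the thresholds as this FAQ states them. The class, field and function names are hypothetical; a challenge is assumed to succeed and reset the counters, the running total is assumed to include the current transaction, and other exemptions are out of scope.

```python
from dataclasses import dataclass

# Thresholds as this FAQ states them, in euro cents to avoid float rounding.
LOW_VALUE_LIMIT = 30_00       # exemption only for transactions under 30 euros
CUMULATIVE_LIMIT = 100_00     # running total allowed since the last challenge
MAX_EXEMPT_IN_A_ROW = 5       # so every sixth transaction is challenged


@dataclass
class CardCounters:
    """Issuer-side velocity state for one card (hypothetical structure)."""
    challenged_before: bool = False
    exempt_count: int = 0
    exempt_total: int = 0


class LowValueExemptionTracker:
    """Decides EXEMPT or CHALLENGE for each transaction on a card."""

    def __init__(self):
        # Keyed by an opaque card reference (e.g. a token), never a raw PAN.
        self._cards = {}

    def decide(self, card_ref, amount_cents):
        if amount_cents <= 0:
            raise ValueError("amount must be positive")
        c = self._cards.setdefault(card_ref, CardCounters())

        if amount_cents >= LOW_VALUE_LIMIT:
            reason = "amount is not under the low-value limit"
        elif not c.challenged_before:
            reason = "first low-value transaction must be challenged"
        elif c.exempt_count >= MAX_EXEMPT_IN_A_ROW:
            reason = "sixth transaction since the last challenge"
        elif c.exempt_total + amount_cents > CUMULATIVE_LIMIT:
            # Assumption: the running total includes the current transaction.
            reason = "cumulative total would exceed 100 euros"
        else:
            c.exempt_count += 1
            c.exempt_total += amount_cents
            return ("EXEMPT", "low-value exemption applied")

        # Assumption: the challenge succeeds, so the counters start over.
        c.challenged_before = True
        c.exempt_count = 0
        c.exempt_total = 0
        return ("CHALLENGE", reason)


def replay(amounts_cents, card_ref="card-token-0001"):
    """Run a sequence of amounts for one card; return the decisions."""
    tracker = LowValueExemptionTracker()
    return [tracker.decide(card_ref, a)[0] for a in amounts_cents]


# Constructed sample: twelve purchases on one card, amounts in cents.
SAMPLE = [1000, 1000, 1000, 1000, 1000, 1000, 1000,
          2900, 2900, 2900, 2900, 3000]

if __name__ == "__main__":
    for n, (amt, d) in enumerate(zip(SAMPLE, replay(SAMPLE)), start=1):
        print(f"{n:2d}  {amt / 100:6.2f} EUR  {d}")
```

Because the counters live with the issuer, a merchant requesting the exemption for the seventh and eleventh purchases in this sequence is still challenged, even though both amounts are under 30 euros.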

We have seen increases in ecommerce activities since the COVID-19 outbreak began, and because of this, merchants should consider potential impacts of the rules they are writing (or have written in the past). Rules should be reviewed on a regular basis, especially during times of volume increases, potential fraud exposure and increased store pickup volumes, for example. What made sense at another time may not be the right rule today.

For example, if a merchant’s rule was set to challenge a transaction when the consumer ordered online to pick up at the store, the number of challenges may be increased during the pandemic, and the merchant may want to pause that particular rule and look for another way to authenticate the consumer on buy online, pick up in store (BOPIS) transactions, if they want to avoid challenging their buyers. You should talk to your 3DS provider to work out what the best options are for your particular business.

We advise everybody during the transition period to maintain both versions. Once the transition is fully completed and the networks stop supporting version 1.0, then yes, absolutely, issuers can stop supporting version 1.0. Right now, some merchants are not ready, some merchants are choosing for whatever reason to stay on version 1.0, so we are advising all issuers to continue to support version 1.0.

Note that each payment network has its own dates for supporting the different versions of 3-D Secure.

That is certainly a key consideration for merchants. When merchants implement 3DS, they should make sure they only need to do one core implementation. With Cardinal, merchants who implement today are certified for EMV 3DS versions 2.2 and 2.1 (the latest versions in production), as well as 3DS 1.0. If you are thinking about implementing now, make sure your provider can support all current versions, including version 1.0, which will be used for a time during the transition.

When the next version of EMV 3DS is released, there may be incremental work on the merchant’s part to take advantage of new data points and fields for new functionality, but it’s not a case of replacing the entire implementation every time there is an update to the EMV 3DS spec.

When EMV cards were launched in other regions, Card-Present (CP) fraud went down and Card-not-Present (CNP) fraud went up. That is happening in the U.S. right now. Fraud is growing at 11% and some of our merchants have reported a 30%+ increase in fraud attempts. This surge in fraud puts your business at significant risk. Even though fraud is migrating online, you, as a merchant, must still stay in compliance with the card networks’ metrics.

The concept of EMV 3DS is not going to be “set it and forget it.” It will need to be revisited as new versions are released, and as the new versions evolve to meet your needs. Future versions are expected to address more SDK functionality.


CardinalCommerce, a Visa Solution, is a global leader in authenticating digital transactions. For over two decades, we’ve been bringing merchants, issuers, and shoppers together in an experience where everybody wins.