Why You Must Enable 3D Secure By the Sept 14th 2019 Deadline

Written By:
Michael Harbone
Published On:
June 24th, 2019
Read Time:
5 Mins
Category:
Payments

September is coming, and when it arrives, e-commerce merchants need to make sure they have enabled 3D Secure. Come September 14^th, the European Union is rolling out “Strong Customer Authentication” (SCA) requirements across the European Economic Area.

Up until September 14^th, most European customers will be able to complete a transaction simply by filling in their credit card number and pin. However, once SCA is rolled out, extra levels of authentication will be required. Customers will have to go through two factor authentication, providing two of the below:

Ayden illustrates two factor login.

3-D Secure has been growing in popularity over the last few years. Still, it’s largely been option. However, with the European Union rolling out SCA under the Payment Services Directive, it’s going to become all but necessary for any e-commerce companies that serve Europe.

Why is the European Union Necessitating 3-D Secure

E-commerce is booming in the European Union. 451 Research projects digital commerce sales to enjoy a 17 percent CAGR through 2022 in the region. With more money exchanging hands, that means the risks of fraud and theft will only increase.

In order to reduce fraud, protect customers, and make payments more secure, the EU is rolling out Strong Customer Authentication. While SCA will make the checkout process more cumbersome, it should reduce fraud and make online shopping safer.

The EU is rolling out increased fraud protections for consumers.

There are some situations in which a purchase may not be subject to the SCA’s two-factor requirements:

Low-value transactions- if the transaction is less than $30 it is exempt. However, if the card is used 5 times or total charges top $100, authentication is required.

Recurring transactions- subscriptions and other recurring transactions are exempt after the initial verification.

Trusted beneficiaries- consumers can choose to whitelist companies through their bank.

MOTO- Mail orders and telephone orders are exempt.

Inter-regional- if either the issuer or acquirer of the card is outside of Europe, the transaction is exempt.

Still, the SCA will require merchants to take additional steps to verify the customer’s identity. Unfortunately, just 25 percent of businesses are aware that they need to meet SCA requirements. The most straightforward way to do this is to use the 3-D secure protocol.

How 3D Secure Works

3D Secure, or 3 Domain structure, is a security protocol that has been set up to combat fraudulent online transactions. 46 percent of Americans report having suffered from credit card fraud within the past five years and globally, fraudulent charges topped $24 billion in 2016. 3D Secure aims to combat such fraud.

Visa illustrates how 3D Secure works.

The 3D Secure 1.0 system uses a three part process to verify the customer’s payment. The interoperability domain (such as a payment system), the card company (i.e. visa), and the acquiring bank will all verify the transaction. From the user’s perspective, the payment process remains

First, the customer plugs in their debit or credit card information into the payment form. Once they submit the payment, the issuing bank will verify the payment. Sometimes this process is automated, other times the user will have to provide additional information, such as a pin.

The 3-D Secure process illustrated.

Now, 3D Secure is being updated, and the SCA will necessitate some changes. Let’s take a look.

3D Secure 2.0 is Introducing More Changes

The 3DS system continues to evolve and 3D Secure 1.0 is being phased out in favor of 3D Secure 2.0. Like the original authentication system, 3D Secure 2.0 will involve data sharing and authentication between the connected merchants, payment networks, and financial institutions.

However, 3D Secure 2.0 will allow for better data sharing and analysis. Security experts believe that this will make it easier to sniff out and deny fraudulent transactions. In order to meet EU requirements, 3D Secure 2.0 will also support two-factor identification. This could include biometric scanning and other advanced but convenient verification methods.

Further, 3DS 2.0 has been retooled to better handle mobile payments. The original 3DS system was actually launched before smartphones were even a thing. As a result, 3DS 1.0 sometimes struggled with mobile payments. Given how much e-commerce activity occurs through mobile devices, it’s vital to offer a secure but convenient mobile checkout process.

Benefits of 3D Secure

Still not looking forward to dealing with the hassle of setting up 3D secure? First, as I already pointed out, you all but have to set up 3D secure by September 14th. If you don’t you’ll either have to stop doing business in the EEA or risk fines. However, you shouldn’t even look at enabling 3D secure as a bad thing.

Yes, it’ll take a bit of work but the payoff should outweigh the time and resources spent. Let’s look at a few of the benefits of enabling 3D secure.

Keep 3D Secure’s Liability Shift in Mind

Unfortunately, ecommerce stores and other online retailers can be held accountable for fraudulent charges. However, if you have enabled 3DS authentication, you may not be liable for certain fraudulent charges. This is because liability shifts to the card issuer.

In order for liability to be shifted, the attempted charge must have been authenticated or there must have been an attempted authentication. Various rules and conditions apply. For example, recurring charges are not eligible for liability shift.

3D Secure May Result in Increased Sales

Online shoppers are rightfully wary when it comes to handing over credit card numbers and other bits of sensitive data. As I already pointed out, fraudulent charges are common. As such, many consumers try to avoid using their credit cards.

In fact, 85 percent of shoppers will avoid making a purchase if the website appears to be unsecured. You need to use HTTPS and the appropriate padlock symbol. At PayKickstart, we’ve also found that adding security badges in the shopping cart can reduce abandonment rates.

At PayKickstart, we’ve found that security badges and other badges can reduce abandonment rates. Check out our infographic below:

Conclusion: If You Serve Europe, You Need to Enable 3-D Secure

3-D Secure will likely be the easiest solution for meeting Europe’s SCA requirements. So if you’re serving European customers, you need to get your business prepared to enable 3D Secure. Fortunately, with PayKickstart, that’s easy.

Even if you don’t serve Europe, 3-D Secure is a great way to guard against fraud. However, by requiring additional steps, you could lower your conversion rate. So keep that in mind.

Share this post:

Or copy link

Michael Harbone

Michael Harbone is an experienced copywriter, writing professionally since 2017. He has written for multiple digital marketing companies gaining the reputation for writing engaging, concise articles one which received an award from Upcity.

Cookie	Duration	Description
__cfruid	session	Cloudflare sets this cookie to identify trusted web traffic.
__stripe_mid	1 year	Stripe sets this cookie cookie to process payments.
__stripe_sid	30 minutes	Stripe sets this cookie cookie to process payments.
AWSALBCORS	7 days	This cookie is managed by Amazon Web Services and is used for load balancing.
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
csrftoken	1 year	This cookie is associated with Django web development platform for python. Used to help protect the website against Cross-Site Request Forgery attacks
enforce_policy	1 year	PayPal sets this cookie for secure transactions.
laravel_session	1 hour	laravel uses laravel_session to identify a session instance for a user, this can be changed
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
ts	3 years	PayPal sets this cookie to enable secure transactions through PayPal.
ts_c	3 years	PayPal sets this cookie to make safe payments through PayPal.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
XSRF-TOKEN	2 hours	This cookie is set by Wix and is used for security purposes.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
nsid	session	This cookie is set by the provider PayPal to enable the PayPal payment service in the website.
tsrce	3 days	PayPal sets this cookie to enable the PayPal payment service in the website.
x-pp-s	session	PayPal sets this cookie to process payments on the site.

Cookie	Duration	Description
_calendly_session	21 days	Calendly, a Meeting Schedulers, sets this cookie to allow the meeting scheduler to function within the website and to add events into the visitor’s calendar.
_gat_UA-44547153-6	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
AWSALB	7 days	AWSALB is an application load balancer cookie set by Amazon Web Services to map the session to the target.
l7_az	30 minutes	This cookie is necessary for the PayPal login-function on the website.

Cookie	Duration	Description
_dc_gtm_UA-65222323-1	1 minute	This is a Google Tag Manager cookie that is used to control the loading of a Google Analytics script tag, to track the performance of ad campaigns.
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_user	1 minute	Google Analytics sets this cookie to throttle request rate.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
_session_id	14 days	Cookie set by G2 to store the visitor’s navigation by recording the landing pages. This allows the website to present products and indicate the efficiency of the website.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
vuid	2 years	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos to the website.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Why You Must Enable 3D Secure By the Sept 14th 2019 Deadline