PRESS RELEASE: Finally an Option to Implement 3-D Secure that Actually Makes Sense

Sarasota, FL, March 18, 2013 / By: David Montague


I can’t tell you how many times I have been asked my opinion on the 3-D Secure programs offered by the major card brands. As an independent risk consultancy, our opinion has been pretty consistent over the years; we didn’t see much reason to consider 3-D Secure, outside of limited circumstances, until there was greater consistency in the programs across card brands and, most importantly, there was a better way to address the consumer experience to ensure sales conversion was not adversely impacted. It has been over 10 years since Verified by Visa and MasterCard SecureCode launched, and I am pleased to see that the market conditions look to have finally aligned to change our perception of 3-D Secure as a viable and very useful fraud technique to “re-consider”.


In short, we see three major market changes that have changed our perception of the viability of 3-D Secure in today’s market that include; (1) EMV is coming to the USA and there are increasing mandates and adoption of 3-D Secure worldwide making it useful in more cases and markets – the opportunity has reached a point that the effort to implement it makes more sense, (2) MasterCard in the fall of 2011 aligned their liability policy in the US market to be more in line with the policy from Visa, making the 3-D Secure program more consistent across card brands in liability protection for US cardholders, (3) a third party vendor implementation of 3-D Secure, CardinalCommerce, has emerged that can address the consumer experience and abandonment issues by allowing merchants to automate and control when and where actual cardholder authentication actually occurs.


3-D Secure is one technique merchants can apply to perform authentication, to receive fraud liability coverage or both. It is a tool to compliment a full fraud strategy and solution, not replace it. But with the changes to 3-D Secure in recent years and more control on how and when to use it, merchants should reconsider the value proposition and what it can provide, even if just considering a low-touch approach. These programs can provide reductions in interchange, increased fraud liability protection, and today be implemented in a manner that minimally changes the user experience.


EMV & Increasing Mandates and Adoption

From the start merchants saw the potential and value of 3-D Secure: that an additional layer of authentication between the cardholder and their card issuer could reduce risk for online transactions and could provide merchants with much needed protection from fraud on covered transactions. However, low adoption, poor education, poor program implementation, and broad inconsistencies across card brands and regions early on led to merchant and consumer confusion and lost sales for many of the early adopter merchants. Many in the online merchant community developed the disposition that 3-D Secure was a sales killer and more trouble than it was worth.


The reality is that 3-D Secure has come a long way, and while there are definite issues and concerns to address with consumer experience and abandonment, options such as CardinalCommerce finally give merchants an option to address these shortfalls. In terms of the program, 3-D Secure if implemented properly can provide reduced risk through liability shift, lower costs through interchange reduction in certain regions and it could actually be a means to increase sales conversion.


The first 3-D Secure programs, Verified by Visa and MasterCard SecureCode, launched in 2001. Other card associations, American Express and JCB, have developed 3-D Secure programs of their own, several countries have mandated these programs, and requirements regarding liability shifts and have been updated in many markets over the years. The concept of mandates has helped many countries in the accelerated adoption of 3-D Secure programs, which in turn has led to a more consistent experience. Albeit, that consistent experience they achieved would be characterized by many merchants as being a consistent bad experience for consumers.

Verified by Visa and MasterCard SecureCode are deployed in over 100 countries, and there have been large strides in growth and adoption for the European and Asia-Pacific regions as the result of mandates. Verified by Visa is mandated for all eCommerce merchants in Italy while SecureCode is required to accept Maestro debit for all of Europe. Verified by Visa or other 2 factor authentication is required for all eCommerce transactions in India while 3-D Secure is required for the online gaming industry in Japan. Meanwhile in Australia all card issuers were required to enroll Visa cardholders in VbV by April, 2013. Such mandates have increased consumer, merchant and issuer adoption of 3-D Secure programs, and although there hasn’t been similar mandates for the U.S. market, there has been increased incentives for merchants in hopes to spur adoption.