As a buyer or e-merchant, you have probably gone through the 3-D Secure (3DS) system at some point to validate an online payment. This protocol is designed specifically to secure card purchases on the Internet. In an increasingly digital world, governed by new European rules (the PSD2 directive, "DSP2" in French) and by the standardisation of payment transactions, 3DS has had to evolve to become more effective against fraud. We explain it all in detail.
Pervasive Fraud
With the pandemic, e-commerce has driven individuals towards new ways of consuming. Digital usage has multiplied, and bank fraud has grown at the same pace.
A clear observation
With digital progress, and the new business models built on it, new threats have appeared. Stealthy and large-scale, these frauds can have dramatic consequences for buyers who often suspect nothing.
Take banks as an example: branches now grant fewer physical appointments and favour digital channels for their exchanges with customers. This means less paper and far more digital usage. The problem? It also means a great deal more sharing of data that is considered sensitive, which ultimately increases the exposure to attacks and fraud.

At the same time, credit card data is increasingly sought after by fraudsters on the dark web, which feeds this parallel market and produces ever more victims. The impact of a cyberattack on banking services can be devastating for those victims: according to a Norton study, 18 million people were victims of cybercrime in France in 2020. Payment platforms and payment methods therefore had to react to fight this fraud.
A context conducive to the explosion of cybercrime
In 2020, with the global pandemic, consumer habits changed. Between remote work, online shopping and grocery orders, video classes, video games, collaborative platforms for staying in touch, and downloads of communication tools, the number of hours spent in front of screens (computer and smartphone combined) exploded in 2020, up 46% compared with 2019 (source: Médiamétrie). At the same time, the number of cyberattacks also exploded: ransomware attacks handled by ANSSI rose by 255% in 2020, and phishing grew sharply, with 67,000 fraudulent transactions recorded in Belgium (source: Febelfin).
3-D Secure, what is it?
Deployed under the trade names "Verified by Visa" and "Mastercard SecureCode", this system for securing and authenticating card payments on the Internet was introduced by Visa in 2001 and adopted by Mastercard shortly afterwards. Its objective is to limit card-not-present fraud on the Internet, in particular the fraudulent use of stolen card numbers. At each online payment it checks that the person using the card at that moment is indeed its legitimate holder.

A story of common interest
The "3-D" in the name stands for the three domains the protocol connects: the acquirer domain (the merchant and its acquiring bank, which is credited), the issuer domain (the bank that issued the payment card) and the interoperability domain (the card scheme, Visa or Mastercard, whose directory server routes the authentication request between the two banks).
In practice
During a purchase protected by 3-D Secure, you first enter your card details: the card number (usually 16 digits), the expiry date and the 3-digit security code printed on the back of the card. You are then redirected to a page operated by your bank to provide the additional proof required for your authentication. This is typically a one-time code received by SMS on the telephone number registered beforehand with your bank, or a validation request in your banking application. Once the authentication succeeds, the purchase is completed; the card number and security code alone are no longer enough to pay.

3-D Secure 2.0
This more recent version of the 3-D Secure protocol (3DS 2, specified by EMVCo) still aims to limit the risk of fraud and protect buyers' banking data on the Internet, but it makes authentication more fluid. The merchant now sends the issuer much richer device and transaction data, so the issuer can risk-score the payment and, when the risk is low, approve it without asking the cardholder for anything (the "frictionless" flow). When a challenge is needed, it is displayed inline in the merchant's checkout page (in an embedded frame) or natively in the merchant's mobile app, instead of redirecting you to a separate window.
</gre_replace>
<gr_replace lines="22" cat="clarify" orig="But this time">
This time, however, Strong Customer Authentication (SCA, "authentification forte" in French) is no longer merely recommended: it is imposed on Internet users who pay online. The Regulatory Technical Standards (RTS) drafted by the European Banking Authority, applicable since September 2019, define SCA as the combination of at least two independent factors from the following categories: knowledge (a password, secret question, PIN, etc.), possession (a mobile phone, a connected device, a smart card, etc.) and inherence (facial, voice or fingerprint recognition). Two factors of the same category, for example an SMS code plus a push notification on the same phone, do not qualify. The whole validation and authentication process was built together with the banks, since the card issuer is the link that performs this verification.

But this time, the Strong Customer Authentication (SCA or double authentication in French) is no longer recommended, but imposed on Internet users who make their purchases online. In September 2019, the Regulatory Technical Standards (RTS), supervised by the European Banking Authority, defined this Strong Customer Authentication by the combination of at least two authentication factors among the following: the knowledge factor (password, secret question, secret code, etc.), the possession factor (mobile phone, connected device, smart card, etc.) and the inherence factor (facial, voice or fingerprint recognition). This whole validation and authentication process was built with the institutional banks, which act as a link in this verification process.

Since then, we have moved from validation by a single SMS code to two-factor authentication, often over several channels.
The original protocol version, 3-D Secure 1, under which a single SMS code was the norm, was scheduled for withdrawal in October 2021 in favour of 3-D Secure 2. An SMS code on its own is only one possession factor, so it does not meet SCA unless the issuer combines it with a second, independent factor. The PSD2 directive does, however, provide some exceptions to the rule for very specific cases.
Exceptions to double authentication
As you will have understood, this new standard concerns every player who wants to transact within Europe. All online card payments are therefore subject to this two-factor authentication. But like any regulation, it has a few exemptions under which 3-D Secure authentication is not required:
- low-value transactions of up to 30 euros, where the risk is considered low given the amount; the exemption stops applying once the cardholder has made 5 consecutive transactions, or a cumulative total of 100 euros, without authenticating, after which a new authentication is required,
- recurring transactions and subscriptions: PSD2 allows a series of transactions of the same amount to the same payee to be authenticated only once, at the first payment. A single authentication is therefore enough, unless the amount changes, in which case a new authentication is requested,
- trusted beneficiaries (whitelists): each cardholder can build a list of trusted merchants. The list is kept by your bank (adding a merchant to it itself requires strong authentication) and exempts its beneficiaries from 3-D Secure authentication,
- Mail Order / Telephone Order (MOTO) sales: these transactions are not considered electronic payments, since they are placed by post or by telephone, and are therefore out of scope of the authentication requirement,
- "one-leg" transactions, where either the buyer's bank or the merchant's bank is located outside the European Economic Area: the European side can only apply the requirement on a best-effort basis,
- corporate payments made through dedicated secure corporate processes (such as lodged or virtual corporate cards), where the regulator is satisfied with the level of security.
Note that it is always the card issuer that decides: the merchant or its acquirer can request an exemption, but the issuer may still choose to challenge the transaction.
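To make the SCA definition and the exemption rules above concrete, here is an added example that is not part of the original article and not any bank's or card scheme's code: a toy issuer-side decision routine in Python. It checks whether a set of presented factors counts as SCA (two factors from distinct categories) and whether a card-not-present transaction can skip the challenge. The thresholds (30 euros per transaction, 100 euros or 5 transactions cumulatively since the last SCA) are the RTS figures; the field names, the shortened EEA country list, the per-card in-memory state and the decision to apply both cumulative caps at once (the RTS lets the issuer pick one) are assumptions made for this example.

```python
"""Added example: toy issuer-side SCA decision under the PSD2 RTS.
Not the code of any real issuer or card scheme; field names and
in-memory state are assumptions made for illustration."""
from dataclasses import dataclass, field
from decimal import Decimal

# RTS Article 16 low-value thresholds. The RTS lets the issuer apply the
# EUR 100 cumulative cap or the 5-transaction cap; this example applies both.
LOW_VALUE_LIMIT = Decimal("30")
LOW_VALUE_CUMULATIVE_AMOUNT = Decimal("100")
LOW_VALUE_CUMULATIVE_COUNT = 5

# Deliberately shortened EEA list (assumption for the example).
EEA = {"FR", "DE", "BE", "NL", "IT", "ES", "IE", "NO", "IS", "LI"}

# SCA category of each authentication method (assumed method names).
FACTOR_CATEGORY = {
    "password": "knowledge", "pin": "knowledge",
    "sms_otp": "possession", "app_push": "possession", "card_reader": "possession",
    "fingerprint": "inherence", "face": "inherence",
}


def sca_satisfied(factors):
    """SCA needs at least two factors from *different* categories.
    Two possession factors (SMS code plus app push) are not SCA."""
    categories = set()
    for f in factors:
        if f not in FACTOR_CATEGORY:
            raise ValueError(f"unknown factor {f!r}")
        categories.add(FACTOR_CATEGORY[f])
    return len(categories) >= 2


@dataclass
class CardState:
    """Per-card state the issuer keeps between authentications."""
    trusted_payees: set = field(default_factory=set)
    recurring_series: dict = field(default_factory=dict)  # payee -> agreed amount
    low_value_count: int = 0            # exempted transactions since last SCA
    low_value_sum: Decimal = Decimal("0")


@dataclass
class Transaction:
    payee: str
    amount: Decimal
    channel: str = "ecommerce"          # "ecommerce" or "moto"
    issuer_country: str = "FR"
    acquirer_country: str = "FR"
    recurring: bool = False             # part of a fixed-amount series

    def __post_init__(self):
        self.amount = Decimal(str(self.amount))  # accept "9.99" or 25


def add_trusted_payee(state, payee, factors):
    """Creating or amending the trusted list is itself an action needing SCA."""
    if not sca_satisfied(factors):
        raise PermissionError("SCA required to add a trusted beneficiary")
    state.trusted_payees.add(payee)


def decide(tx, state):
    """Return (sca_required, reason); update the low-value counters when that
    exemption is used. The issuer may always challenge anyway: this is only
    the minimum the RTS demands."""
    if tx.channel == "moto":
        return False, "out of scope: MOTO"
    if tx.issuer_country not in EEA or tx.acquirer_country not in EEA:
        return False, "out of scope: one leg outside the EEA (best effort only)"
    if tx.recurring:
        agreed = state.recurring_series.get(tx.payee)
        if agreed is not None and agreed == tx.amount:
            return False, "exempt: recurring series, same amount"
        return True, "SCA: first of series or amount changed"
    if tx.payee in state.trusted_payees:
        return False, "exempt: trusted beneficiary"
    if (tx.amount <= LOW_VALUE_LIMIT
            and state.low_value_count < LOW_VALUE_CUMULATIVE_COUNT
            and state.low_value_sum + tx.amount <= LOW_VALUE_CUMULATIVE_AMOUNT):
        state.low_value_count += 1
        state.low_value_sum += tx.amount
        return False, "exempt: low value"
    return True, "SCA: no exemption applies"


def record_sca(tx, state, factors):
    """Call after the cardholder passed the challenge: reset the low-value
    counters and, for a recurring series, remember the agreed amount."""
    if not sca_satisfied(factors):
        raise PermissionError("presented factors do not meet SCA")
    state.low_value_count = 0
    state.low_value_sum = Decimal("0")
    if tx.recurring:
        state.recurring_series[tx.payee] = tx.amount


if __name__ == "__main__":
    st = CardState()
    for amount in ("25", "25", "25", "25", "25"):   # fifth one breaks the EUR 100 cap
        print(decide(Transaction("shop", amount), st))
```

Running the script shows the edge case merchants trip over most often: four 25-euro purchases sail through on the low-value exemption, but the fifth pushes the cumulative total past 100 euros and is challenged even though its own amount is under the 30-euro limit. The counters are only reset by `record_sca`, which also refuses factor combinations that do not span two categories.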
Now that everything is clearer, all that remains is to bring your shop up to the standard. And if you are still unsure, our Pikka experts can take over and support you in updating your e-shop.