Episode 249 – Two Decades of 3-D Secure: Can Strong Customer Authentication Succeed in the US and Unregulated Markets? with Dewald Nolte, Entersekt and Amandeep Batra, Stripe

Bryan Derman

October 9, 2024

POF Podcast

One of the existential challenges remaining in payments is the need to accurately authorize transactions conducted online. While markets like the EU, UK and India have mandated strong customer authentication for online transactions, the U.S. is the largest market where such stepped-up authentication remains optional. Only a very small portion of eCommerce purchases utilize the 3-D Secure protocol due to lingering concerns about imposing friction and delay on a consumer base that thrives on convenience and fully understands its chargeback rights.

The Payments Performance team at Stripe recently published a blog post noting that in their controlled testing of 3-D Secure, the impact on approval rates was negative compared to running similar transactions without additional authentication. We were surprised by those results and wondered what the card issuing community would make of that counter-intuitive finding.

In this episode of Payments on Fire, we decided to get both sides of the story from two good friends of Glenbrook. Amandeep Batra from Stripe joined us to provide the merchant perspective; Dewald Nolte of Entersekt, a leading provider of 3-D Secure Access Control Server solutions, joined us to offer the issuer perspective.

Bryan Derman: Hello, everyone. I’m Bryan Derman, Managing Partner at Glenbrook and your host for this episode of Payments on Fire. One of the existential challenges remaining in payments is the need to accurately authorize transactions conducted online. While the EU, UK, and India have mandated strong customer authentication for online transactions, the US is the largest single market where such stepped up authentication remains optional. Only a very small portion of eCommerce purchases utilize the 3-D Secure protocol due to lingering concerns about imposing friction and delay on a customer base that thrives on convenience and fully understands its chargeback rights.

The payments performance team at Stripe recently published a blog post noting that in their controlled testing of 3-D Secure, the impact on approval rates was negative, compared to running similar transactions without additional authentication. We were surprised by those results and wondered what the card issuing community would make of that counterintuitive finding.

In this episode of Payments on Fire, we decided to get both sides of the story from two good friends of Glenbrook. Amandeep Batra from Stripe joined us to provide the merchant perspective and Dewald Nolte of Entersekt, a leading provider of 3-D Secure access control server solutions, joined us to offer the issuer perspective.

I think you’ll find the discussion very interesting as we work to bring the two sides together in order to battle their common enemy, transaction fraud. I’m happy to be joined today by my partner, Chris Uriarte.

Chris Uriarte: Hi, Bryan. How are you? Good to be here. This is an exciting topic today. Can’t wait to get to this one.

Bryan Derman: Yeah, this will be exciting. And we’re privileged to have two distinguished guests to talk about the topic today. First with us is Dewald Nolte of Entersekt.

Dewald Nolte: Hey everyone. Great to be here and looking forward to the discussion.

Bryan Derman: Thanks so much for joining us. And we’ve got Amandeep Batra from Stripe.

Amandeep Batra: Hey, everyone. Great to be on this podcast. I must say that I’ve been listening to Payments on Fire for quite some time, and so I’m glad to be here now and talk about some of our favorite topics.

Chris Uriarte: Great. We always love when a fan gets to come on the podcast.

Bryan Derman: Awesome. Well, we are thrilled to have you with us today for the podcast and before we get deeply into the topic, we always like to talk to people about their personal payments journeys and what brought you into this crazy industry and how you got here. So, let me start with Amandeep. Tell us your personal payment story.

Amandeep Batra: Yeah, sure. So I bring over 16 years of experience in the financial services industry. Mostly I’ve been focused on payments. So throughout my career, I’ve had the privilege of building and launching payment products, executing some large scale regulatory projects, and collaborating with some of the largest merchants to optimize their payment KPIs.

To talk about my different roles and my experience spans across various roles from working on multiple global brands, including payment companies, launching products, a major card network, managing type server for them, and most recently, in Stripe, I’m working as a payments performance strategist.

So in my current role, I work very closely with some of our largest and most strategic merchants that use Stripe for their payments processing and helping them develop optimization strategies that help them in achieving best in class conversion rates, mainly by improving their strategies across authentication, authorization, reducing down fraud, and driving down the costs.

So yeah, in a nutshell, I can say I’m lucky to have worked across the payments domain, across the three key players or actors that interact in the payments lifecycle, and may have seen the life from all the different angles, so far. I’m still learning.

Bryan Derman: Awesome. You are doing God’s work as we define it at Glenbrook. How about you, Dewald, did you know from the time that you were a very small child that you were destined to have a career as a payments professional?

Dewald Nolte: You know, I probably have a bit of a non-traditional story in terms of where mine started. It actually didn’t start in payments. My story started when I was a student, computer engineering student, kind of back in the day. I was kind of getting together with some of my co-founders of the company for Entersekt on Thursday nights to brainstorm ideas for new companies at the time, right.

We’re young and bright eyed and we’re going to solve the world’s problems, right. That stage of your life. One night, one of my co-founders actually came back from a security conference and he said, “You know, it’s interesting, all the banks use these SMS one time pass keys or codes, right, that they text you and then you type that in for the transaction. And yet, my mom’s bank account was cleaned out last week without her knowledge. How’s that?” And we started thinking, yeah, how is that? That shouldn’t be possible. And kind of figured out what the attack was at the time and came up with a solution to protect against that attack and started selling it to banks, as one does, right, as young students, the banks really like to buy from students. And so, it started there and I think really, as we started implementing the solution, we realized that, if you look at how authentication challenges really kind of evolve over time, we started realizing that in order to really secure a digital channel, you have to understand how to actually authenticate payments, right?

Payments is actually the most risky kind of interaction that you have on a digital channel typically, right? Whether that’s moving money between accounts, whether that’s making a payment. And so I started from authentication, but effectively ended up in payment authentication. And that’s pretty much what we do at Entersekt now. That’s really where my focus is in terms of really focusing on transaction authentication and financial transaction authentication. And that’s how I ended up, roundabout way of ending up in payments, but eventually got bit by the bug and really love what I’m doing.

Bryan Derman: Very nice. Now, Amandeep, I’m going to bet that anybody who’s bothering to listen to Payments on Fire has probably heard of Stripe before, but tell us a little more about your role and particularly your involvement with the 3-D Secure protocol within Stripe.

Amandeep Batra: Yeah, sure. As I said, in my role as a payments performance strategist, we mainly build optimization strategies for merchants who are using Stripe for their payments processing. And there are four key pillars that we have on which we build these strategies on, authentication, authorization, fraud, and cost, with an overall goal to provide the strategies in a way that the merchants who are using Stripe gets the best out of the products they’re using. So that best is in terms of the best conversion rates, right? And also driving down the cost. So ultimately, that is what we do. My interaction with 3-D Secure, which is our topic of today, started in my previous role where I got a chance to build and ship the directory server for one of the prominent card networks.

So at that time, 3DS version one was deemed to be sunset. There was a date set there, but it did not happen in my journey with them. I had moved into Stripe and after that, we got to a 3DS V1 sunset, but I had worked mostly at Mastercard, the card network I’m referring to, building 3DS V2 over there, which also quote unquote is their identity check product, right?

So that is how I got introduced to 3DS. And prior to that, because I was working in the regulatory space in Europe, PSD2 brought into the fold with Strong Customer Authentication. So I was leading a business change program with an issuer prior to Mastercard. And that is where we build certain products from an issuing standpoint of how can we strongly authenticate our consumers, be it interacting with their bank account or using payments through their cards.

Obviously from a card perspective, it was all associated to the card networks. So that’s how the journey started, or the interaction with 3-D Secure started, and it’s ongoing. The love affair is ongoing. In terms of Stripe, now I’m leading the authentication strategies for Stripe when it comes to payments performance.

So in my role, I work quite closely with the product team that builds the authentication based products at Stripe. And helping them build the roadmap or bringing in the merchant perspective to them, because ultimately the goal of Stripe is to increase the GDP of the internet, and that is by increasing the eCommerce traffic and getting the best conversion rate for whoever is using Stripe. So that’s the whole story behind what we do.

Bryan Derman: So as we would expect, Stripe primarily playing from the merchant side of how to utilize 3-D Secure. To present the contrast, Dewald, tell us a little bit about what Entersekt does in the space, who the customers are and how you serve them.

Dewald Nolte: Sure. As I briefly mentioned, we started as a company initially securing digital banking transactions and so we pretty much started at the issuer, right, from the other side and we evolved this from a security point of view more into a holistic approach. We realize that there’s different trigger points for a transaction, right?

Whether that be an eCommerce checkout, or is it a transfer, is it a subscription, right? Is it a payment from a digital wallet or via call center initiated, right? And so each and every one of these different trigger points typically have unique parameters that you have to consider in terms of how to secure and how to also really make that user experience better in terms of those points in the user journey, that’s like the highest point of friction when you actually want to make a payment. So that’s really where we started in terms of really looking at that from an issuer perspective. And then recently, we acquired a company that had assets also in the directory service space, as Amandeep mentioned earlier, and also focused on the acquiring side for banks. And so from a 3-D Secure perspective, we have the capability to see across the three domains, really see the entire path of the transaction.

And that really then is something that we’re quite excited about to kind of see, okay, given the fact that we’re able to understand that journey across right from where it starts all the way to the end, how can we help to optimize and make that better, right? And so that’s really kind of where we focus but pretty much starting from the main focus from the issuing side.

Bryan Derman: All right, Chris, we’ve got the 360 degree view of 3-D Secure here.

Chris Uriarte: Yeah, absolutely. I was just going to say, incredible experience here throughout the value chain and also probably throughout the entire history of 3-D Secure. And I had to chuckle, Amandeep, because I’ve heard 3-D Secure called a lot of things in the last 20 years, but never really heard it referred to as a love affair.

So that is definitely a first for sure. But given your guys’ focus on what you do day to day, I definitely see where you’re coming from it. And I think maybe it’s a good time for us to level set a bit before we really get into the thick of things. We really saw the biggest boost of 3-D Secure occur about a decade ago.

Amandeep, you mentioned PSD2, or the Payment Services Directive, which was a set of legislation in the European Union that initially required the concept of Strong Customer Authentication, or SCA, for many eCommerce transactions. I think what we saw as a result of that is 3-D Secure quickly becoming really the de facto way of meeting those specific requirements for card payments.

And at that time, many people in the world thought that perhaps this was 3-D Secure’s big global moment, right? That 3-D Secure was going to expand beyond the EU, was going to be used more regularly, even though it really wasn’t mandated in most other geographies, particularly here in the United States.

But, we really haven’t seen that significant adoption take place for merchants in the unregulated geography. So maybe, Amandeep, I’ll start with you first. What are you seeing regarding these trends around 3DS adoption in the US and maybe some other parts of the world? And what are some of your thoughts as to where we currently stand?

Amandeep Batra: So yeah, as you directly pointed out, PSD2 actually gave a bit of a boost to 3-D Secure, especially in the markets like Europe and the UK. I think globally everyone would have seen the uptake zoomed 10x or 20x in that period when the implementation phase was going on. And it wasn’t a smooth transition as well as many would agree.

The merchants had a bumpy road at the time when the implementation was happening. Same with the issuers. And acquirers and card networks are continuously rumbling with each other around how best we could position this. Because the problem at that time in Europe was unique because Europe had one regulation, but then it was to be adopted by multiple countries.

So there was a different flavor by each of the competent authorities at the time, which made that implementation phase a little bit rocky, but having said that, now we are in a phase in Europe where authentication is hand in glove with authorization. What I mean by that is authentication success is translating to the authorization success and we have learned the hard way and regulation has made that happen.

So the mandate was really the push behind it. Now coming to the question about the markets, which are not yet regulated. So the one thing which I can reference is that if we look at the last three to four years, what we have seen on Stripe side is that there has been a steady growth in all geographies in the usage of 3-D Secure, even though it has not been to the same level as of Europe or UK, there has been a growth in the usage overall.

So what we have seen is that global businesses especially, they saw that they have gained some success in their fraud prevention strategies in markets like Europe and UK. Can they replicate the same in markets which are not yet regulated? But still 3-D Secure can play a pivotal role in helping them fight fraud in those regions.

So they were global businesses who were regularly requesting us whether we should be including 3-D Secure in our fraud prevention strategy. And that is still the case. So there has been a demand there. But the uptake of, I would say the adoption is not yet to that level where we can say that it is pretty smooth in markets like US, for example. And in order for us to understand that bit, I would like to maybe start a little bit about what can be certain merchants motivation from a merchant perspective when they consider 3-D Secure in markets like US.

Right. There are actually two to three themes which I think constitute why merchants would want to have that. One of the themes is that they would want to automate something as a fraud prevention strategy. So many merchants do have block rules, but we all know that by having block rules, there is a possibility that they are not performant enough, or they are too blunt that you are also blocking good traffic. So how can we automate that bit? Maybe 3-D Secure is one route where you can do that. There is also a merchant segment, which is very cost sensitive around the fraud and the risk of dispute. They do not want to take the risk of chargeback or the cost that comes with it. So they really want to fight that upfront. So 3-D Secure is kind of a tool that is being used for those type of merchants. And lastly is the card brand monitoring programs. There can be some merchants who enter into these card brand monitoring programs or are hovering around the thresholds to enter into card brand monitoring programs.

Chris Uriarte: Yeah, that’s a really good point, that last one. Almost a strategy of last resort. When you look at your various options available to you there that you haven’t implemented, certainly coming in and using 3-D Secure to help bring you under control if you are right on the borderline of those programs, that’s an interesting approach that I haven’t heard before.

Very interesting. Dewald, are you seeing similar things out there from your perspective? What’s your view of the current state of play?

Dewald Nolte: It’s definitely an uptick as Amandeep was going to mention, right? We’re definitely starting to see slow uptick in some of the non-regulated markets. I think something that kind of helps with that is the example, wanting and being able to learn from some of the successes and mistakes, right, of PSD2 Europe as an example, right? I think that really kind of does help to have that example of what it could be, because at the end of the day, the power of this protocol is in its ability to share relevant context between the merchant and the issuer to be able to make the right decision. Obviously, if you look at a transaction, the context that a merchant would have is very different to that that the issuer would have, right? You might have a guest shopper as a merchant with a card versus on the issuer side, the issuer has a longstanding relationship with that cardholder, right?

And so putting those two contexts together could really be a very powerful thing in terms of making sure that you’ve got the right context to make a good decision there. And so we’re definitely starting to see uptick there, but I think we definitely are still some ways from getting where we need to be in terms of the amount of traffic that goes through that.

And I think there’s a lot of work that we’re going to have to do on both sides, whether that be on the merchant side in terms of the data quality, those kind of things that they send versus how issuers actually, what they do with that. And so I think just in general, in terms of the state that we are, I think we’re making progress, slow progress at this stage, but certainly, we have some work to do to kind of get the full benefits of that rail.

Bryan Derman: I think I’d observe here in the US, probably the largest unregulated market, we have a little bit of a chicken and egg problem, I think, with 3-D Secure. You know, if you start with merchants, they’re always very sensitive to conversion rates and introducing any friction to a checkout flow. Even if you offer them a liability shift, there’s still a lot of sensitivity and they’re hesitant to take any chances with what may be an unknown authorization process on the issuing side. When we talk to issuers, it is a little bit unclear what the degree of commitment and investment to 3-D Secure is. So merchants are worried that the issuer won’t be there, issuers will say merchants really aren’t adopting it, merchants will say we’re not adopting it because we can’t predict how issuers will use it.

If we start on the issuing side, Dewald, what are you seeing in terms of the emerging behavior of issuers in unregulated markets?

Dewald Nolte: Yeah, if I look at the US market, which is, as you mentioned, the biggest unregulated market here, it really is an interesting chicken and egg is probably the best way to put that in the sense that I think we’re probably at the moment, a fraction of transactions are really sent via that rail at the moment, right?

So the majority of transactions are typically not sent via 3-D Secure. I think we’re probably at about a three percent adoption at the moment and what happens inevitably from an issuer’s perspective is that the three percent, the transactions that are sent on that rail, tend to be the risky ones. And so if you’re having a risk engine look at these transactions coming in and most of them are high risk, you kind of get trained to interpret them as high risk.

Bryan Derman: I see what you’re saying. It’s a small base of high-risk transactions. That doesn’t sound like a place where I want to invest as an issuer. I’m not going to get a payback if that’s all I see.

Dewald Nolte: What we’re starting to see now which is encouraging in terms of some green shoots is that some of the bigger merchants are starting to realize that and starting to actually send more data across the 3DS rail, even when it’s not necessarily deemed like very high risk.

And what that does is it does give the issuer the ability to also see what good looks like, right? Sometimes, you start to see a more complete picture of what actually these transactions look like, and you can actually then train and make much better informed risk decisions around that because you can see, all right, this one looks bad. This one, here’s a pattern of what good looks like. And that really helps you to improve the system. And so I think certainly from that perspective, as we start to see more data flow across this rail, it definitely helps from a number of perspectives, first of all, with the ability for the issuer to make better and more informed decisions about that, because they’re seeing more data and more examples of what it should look like and what it can look like.

And at the same time, hey, if I’m seeing more traffic come through, and I see more balanced traffic come through, like you would see, for example, in the regulated markets, where we do see a good example of what it could look like. Then, of course, there’s reason to invest in that, and you can actually start to really make more of those transactions go frictionless and get a bit of experience from that perspective.

And so I think that’s probably something really that is encouraging to see where you have some more balanced traffic starting to come through that rail. At the same time, we are seeing a number of issuers, certainly we’re shouting from the rooftops in terms of, Hey, invest in this role and in this technology and in this rail and use some of the more modern technologies that are out there because the latest version of the protocol allows for more modern technologies to be used for better user experiences, right, when it comes to processing those transactions. So definitely seeing some movement in that direction.

Bryan Derman: That makes sense to me. If I think like a merchant, to me, you ought to be seeing a lot of transactions that are kind of in the middle, right? The ones that are clearly good after a merchant screens them, ought to just go through without it. The ones that are clearly bad on a fraud screen, if merchants and acquirers are being good citizens of the payments ecosystem, ought to be put away and never processed.

To me, in an unregulated market 3-D Secure could be the domain of, I’m not sure, I need some help from the other side here to make a good decision. Amandeep, what do you think about that as you work with merchants? Is that a better way to think about using the tool?

Amandeep Batra: We’ve been getting a lot of questions, especially from merchants, as I mentioned, global businesses really wanted to replicate what they saw in terms of success in the regulated markets and to Dewald’s point, yes, what we are seeing from a team’s perspective is that there is probably a perception in especially the non-regulated markets with issuing side that perhaps when 3-D Secure is associated to a transaction, there is a hint that it could be a higher risk or a higher risk transaction as opposed to others where 3-D Secure is not associated. So to exactly this point we actually ran a few experiments with a cohort of our businesses. We ran a two-week experiment, actually, and we recently published a blog around that as well, where we actually started requesting 3DS for a certain set of transactions and compared them to the same set of transactions when we were not requesting 3DS. And as we know with 3DS version 2, there is an option that the protocol provides, which is a transaction can be authenticated frictionlessly where the issuer does not challenge the cardholder with the second factor authentication, or they can opt to challenge where the cardholder has to complete the challenge in order to approve the transaction.

So effectively, challenge flow is where they have to prove who they say they are, whereas in the frictionless flow, which is sort of like a risk assessment flow by the issuer, they do not challenge the cardholder. And what we observed as part of that experiment is the set of businesses for that two week period, they were getting the authorization rates at about 87 percent at the time when 3DS was not being requested, so prior to this experiment. And when we started this experiment, actually, the transactions that were approved by the issuers with 3-D Secure authentication success in a frictionless manner, there was a decline in the net authorization rate on those transactions.

When they were being challenged by the issuer, there was no degradation we saw in terms of the authorization rate. But we saw the degradation coming when they were frictionlessly approved. So effectively, we believe that that is where there is more work that is to be done by the ecosystem in markets which are non-regulated, especially in the US, because we think like issuers perceive those transactions where 3-D Secure was associated as potentially higher risk. A merchant may not want to take the liability for that. So issuers may also say they don’t want to take the liability for that. They approve the authentication, but subsequently decline the authorization.

Chris Uriarte: Yeah. So Amandeep, that’s really, really interesting. It’s one of the things that really piqued our interest in talking about this today. We saw this article that you published with your colleague, Sam Phillips at Stripe, and this analysis that you’ve done. Super interesting. I think, first of all, just because we don’t see a lot of things published out there that are really data driven, right?

This is truly driven off of experience and data that you’re seeing at Stripe. And this is an area that we’re not seeing a lot of people really talk about, about the performance in the unregulated markets. But maybe if I could just unpack a little bit what you said. One of the key things I think that you’ve highlighted is that there’s a bit of very different behavior between the way that issuers in the US, an unregulated market, are treating these 3-D Secure transactions compared to their counterpart issuers in Europe, right? So in a nutshell, what I hear you saying is you found that US issuers are treating 3-D Secure, really as kind of inherently riskier transactions, and thus they’re more likely to sort of outright decline 3DS transactions without putting them through that challenge flow, right?

So you’re seeing a lot of outright denials or declines, I should say, without even going to the consumer and asking for authentication. Is that right?

Amandeep Batra: Yeah, effectively. The thing is, they’re not declining the 3DS transactions. So that is where I think the whole kind of inverse behavior is coming up. And that is what we try to bring up in our blog as well, that issuers in the US, and maybe that is where some of the card network rules also kick in for issuers that they cannot have their authentication declines above a certain threshold, so they are not quote unquote declining 3-D Secure authentication requests, but rather they are approving them frictionlessly. So they’re not challenging the cardholders. One of the reasons that this could be happening is that they may not have a lot of means to challenge the cardholder properly yet.

Something that was heavily invested in the regulated market. So the whole SCA wave actually got in the issuers to build those authentication mechanisms, be it an OTP or a push notification or using biometrics. And all of that seems to be slightly missing in those geographies. So they’re also not reducing their overall authentication decline rates.

So frictionless authentication is what we see happening and it is the most frequent behavior of authentication in the US to approve 3DS frictionlessly and it is where we see the success on authentication via frictionless, yes. But we do not see that success translating into the authorization success all the time.

Chris Uriarte: Very interesting.

Bryan Derman: So is there a strategy there, Amandeep? You know, back to a point Dewald made, should I be sending more transactions through, let’s say, frictionless 3-D Secure, so I can train the issuers that this is not just sort of a last resort of trying to get an approval on a bad transaction, but show the issuer more of my transaction base so their systems can learn that it’s not uniformly a high risk kind of situation because they’re almost assuming it’s high risk before they even look at it now.

Amandeep Batra: Yeah, so I suppose all parties in the payments ecosystem chain probably are working towards the same goal, which is to reduce fraud and to improve the conversion. And every party in the chain, starting from an acquirer or the merchant themselves to an acquirer, to the card networks, and then to the issuers, they all have some sort of capabilities to risk assess a transaction.

And I believe that is where the ecosystem can work together, especially in the non-regulated markets, that we start to share more data with each other. And there is a trust that is built on that data throughout. If you just look at false declines, right? So, just like in the year of 2022, the false declines have been zoomed to the value of around 11 billion.

So that’s like such a huge number. And obviously with false declines and behaviors like this, what happens is ultimately, merchants would see the cardholders not returning back to their portals, right? Because they have seen a frustrated behavior going on.

Bryan Derman: Yeah, no, everybody loses, right? The merchant loses a sale. The cardholder is frustrated and maybe even mad at the issuer if they even understand who’s declined them. Dewald, do you want to comment?

Dewald Nolte: Yeah, so I actually have picked up on a very interesting trend just if I look at the last couple of months, where we’ve won some let’s say new business with issuers that have had very, let’s say legacy, like very old 3-D Secure implementations.

And I specifically, I’m going to talk about that, where we’ve come in to kind of modernize that system for them. What’s interesting about what we’re seeing here, we’ve been doing a lot of work with the issuers that we work with to actually fix, that is, if you think back to your 3-D Secure One kind of rail and the fact that there wasn’t a lot of data, there wasn’t really frictionless kind of authentication capabilities that really was supported by that rail.

Now, what we’re seeing is that a lot of issuers that are still, let’s say, in that legacy mindset don’t use the 3-D Secure authentication in the right way, in the sense that they almost say, Hey, I’ll just approve it here and then throw it over to my authorization system where the real authentication will happen, right?

So they almost throw the problem from the authentication rail over to the authorization rail and then rely on that to effectively take care of the problem. And that is exactly the problem that Amandeep is highlighting here. And we’re seeing this in a number of these systems where more of the, I guess, some of that legacy systems are still in place.

And that’s an area where we’re focusing a lot at the moment to say, no, no, no. You have to invest in the authentication leg and already there, do the work to clean up some of your data stream before it goes over to the authorization link. So that’s the first thing that we are really, really focusing on.

And I think the second thing, Amandeep, you mentioned this I think in that blog post of yours as well, is the fact that there’s a mismatch between the authorization link and the authentication link in the sense that it’s almost like the two don’t trust each other, right, in a sense.

And so, doing a lot of work there as well to go, look, if you trust what you’re doing in the authentication space, then trust it when it gets through to the authorization side. And so aligning those systems is certainly an area where, as we modernize a lot of these systems where we’re putting a lot of focus to make sure that something that was successfully authenticated is then trusted and recognized on the authorization side.

Chris Uriarte: Yeah, Dewald, you’re really hitting on a couple things that you and I have talked about in the past. The first around data is essentially this garbage in garbage out concept, right. You don’t have good data going into these models, then you shouldn’t expect good performance coming back from the issuer.

So I think a lot of merchants have to realize that, that you have to put effort in not just expanding your data set that you’re putting through the issuers, through 3-D Secure, but also ensuring that it’s good data quality there as well. So, I think that that’s a really important point.

The second one that you’re hitting on is this other theme that we’ve discussed, which is this sort of silo between the authentication side and the authorization side. Sometimes they’re very different systems. Sometimes they’re run by different processors on behalf of banks. Sometimes there’s not a consolidated risk strategy amongst the 2 of them.

And, you know, perhaps this is one of the things that is contributing to this disconnect that you’re describing and that Amandeep has described so nicely as well in the data analysis that he’s done in his blog. So, so super interesting topics.

Bryan Derman: It’s sort of depressing, what Dewald said, because the essence of 3-D Secure is data sharing, right? Let’s bring the two sides together because they each uniquely know some things about the transaction that can become more powerful if you put them together. But if you send data across to the issuer, and they just sort of ignore it and throw it directly to authorization, you’ve lost that opportunity. Amandeep, I know Stripe has done some things outside of the protocol to try to marshal the issuing community into this decision. You have your enhanced issuer network, as I think it’s called. Tell us a little bit about what’s done in that system and are the results any different than what you got when tested 3-D Secure?

Amandeep Batra: Yeah, sure. So, Enhanced Issuer Network was one of our products that started with a theme of trying to resolve this data asymmetry problem that we are talking about because every party in the chain has some risk assessing capabilities. And so it can’t be possible that the risk signals that are perceived by one party in the chain are so different to the risk signal by the other party in the chain.

So how can we bring in this data sharing aspect to it? So that’s how the EIN or Enhanced Issuer Network as our kind of product offering started. We actually have an AI-based fraud prevention tool on Stripe site called as Radar. So, effectively what Radar does is Radar risk scores every transaction on the fly.

And based on those risk scores, some decisions are taken on that transaction. And the way Radar risk scores is not just based on the transactional information we see from the merchants, but also assesses it based on the deep neural nets and millions of kind of transactional data points that it is being trained on.

Because a merchant may have seen that card for the first time, but there is more than 90 percent of the chance that that card may have been used elsewhere on the Stripe network. So that capability is what we wanted to use and share, and that is how EIN started. So the risk scoring we are calculating for each of the transactions when they are being initiated at Stripe, we are passing those risk signals to the issuers directly, the issuers who are part of our Enhanced Issuer Network. Effectively with the theme that we want to reduce the false positives that are being generated and build the trust level on that transaction, the trust level we see, can that be translated by the issuers?

So that’s how it started. Yes. To your point, it is not yet on the 3-D Secure rails. So we are doing that purely on the authorization rails. And based on the signals that we collate, we pass that over an authorization message to the issuers directly. And what we have seen from that is, for those transactions that are within this EIN network and the large businesses that were also part of our pilot when we ran it initially, they saw almost around 1 to 2 percent uplift in authorization rates and also a reduction in fraud rate, which was significant up to about 8 percent reduction in fraud rates.

Bryan Derman: I don’t know if you’ll agree with this, but it almost feels like you’ve said, I see the power of 3-D Secure, but the problem is too many issuers are not really implementing it. So I’m going to reach out to ones who are taking authentication a little more seriously and kind of do a private channel to them and share many of the same data elements, because I know they’re going to ingest them, analyze them, and respond to them. And I can get the lift that somehow I’m not getting when I use the networked version of universal 3-D Secure.

Amandeep Batra: Well, at the time when we started EIN, especially in the US, because the uptake of 3DS is quite low, as Dewald said, roughly about 3 percent is what they are saying, so that wasn’t a huge volume where we could have had a lot of impact, so therefore we started on the authorization rails.

But at the same time, we are a strong advocate of data sharing and bringing in the data symmetry with the ecosystem. So we’ve been also working on other geographies where 3-D Secure is prominent and even in markets like US with the card networks on things like data-only 3DS flows, which kind of are on the same team.

So we’re building on that, but right now we don’t have enough, let’s say results to share. But from an EIN standpoint, we do have some results and that is where we are expanding on it at this point.

Dewald Nolte: Yeah, I think when we talk about the importance of data sharing, I think we’re all talking about the possibility of and the opportunity that that brings if we can really facilitate that in a good way. I’ll tell a story just to kind of bring the point home. So we have a recent example where we did a case study with one of our issuers in the MEA region. And they have a very big, domestic card base. And typically that card base would transact mostly domestically, right?

If you look at their target market, it’s mostly people that would transact within the country. And what we saw was, because of the way that the data was populated over the 3-D Secure rail, it looked like, based on that data, like the transactions originated from the UK.

Most of them. And it was just based on how the merchants were actually capturing the data and sending it through the rail. If you’re the risk engine receiving data, expecting that most of your cardholder base should be domestic, and yet the majority of it looks like it’s coming from abroad, what would you expect in that case to happen?

Obviously, you would immediately go with, this looks strange, like something’s up. And so what we did there is to implement the capability to actually capture and clean up that data and get better quality through working with them and suddenly, we were able to fix that to a profile that is more of what you would expect to see. Okay. Well, the majority is actually in-country with a couple of people traveling.

And so just back to the importance of working together, right? If you look at some of the initiatives that Amandeep was talking about, right, where there’s data being shipped through to the issuer. If I’m sitting on the issuer side, if you look at our issuer network using our ACS service, for example, and 3-D Secure. If I’m able to see, oh, these signals are coming in and I know it’s coming from Stripe, I know how to interpret those data signals from the issuer’s perspective, I could do a much better job from that perspective to interpret the risk and maybe result in a frictionless transaction versus, oh no, this looks strange, never seen this before. And so I think there’s such a big opportunity there if you get a couple of players to kind of just work together and fix the data sharing value equation, right? I think you mentioned that equality right there, Amandeep, in terms of what that looks like.

I think there’s a big opportunity to work together and actually prove out that we’ve seen what can happen when it’s implemented correctly. And certainly, I’m excited to see how we can affect that in this market, right, where there is, if you look at the traffic, 3 percent, there’s certainly a big opportunity to actually fix that.

Chris Uriarte: Yeah. I think everybody is realizing that data is king for sure with this specific problem. And, we’ve seen the examples of Stripes just take the initiative on their own, but we’ve also seen other risk management providers attempt to strike direct relationships with major card issuers.

We are now seeing Visa and Mastercard sort of wake up and more formalize the transmission of data over the 3DS data-only rails. Although, we still don’t have, as we’ve talked about before, you have to have cooperation on both ends, right? The merchants have to make a commitment to send data and to send good quality data.

And then the issuers have to make a commitment to actually do something with that data. Just having the rails there by itself doesn’t actually, the highway’s no good if nobody’s actually going to drive their car on the highway. Right? I think it’s certainly an interesting area for us to watch. No doubt.

I think when we were sort of preparing for this episode, I said to you guys, you know, one of the worst things that we could do is to leave merchants, in particular, to have them leave this episode saying, well, 3-D Secure still has all these problems associated with it. Let’s put it back on the shelf for another 5 years or 10 years and we’ll take a look at it again. And I think you guys have done a great job at articulating why, in this new generation of 3-D Secure, there is value for a lot of merchants to reexamine their 3-D Secure strategy.

And we have heard some really interesting stories. Like for example, we saw Best Buy in the US stand up at a major conference and tell everyone that they’re going to be putting most of their transactions, their online transactions, through 3-D Secure. And it’s a hugely popular merchant that I would consider, just based on my knowledge and my experience with them historically, a leader in the merchant risk management space. And we’re also hearing stories from our own merchants, that are part of Glenbrook’s Merchant Payments Roundtable, tell us about rethinking their strategies around utilizing 3-D Secure. Really hitting on some of the points we made earlier about finding that like focus point as to where they should apply it, being a little bit more laser focused on its application, and using it a little bit smarter than maybe historically that they’ve been.

So I want to close us out today just to think about, what are some of the key points, we’ve hit on some of them, maybe it’s a good time to just come full circle. What are some of the key things that merchants in non-regulated geographies can do to optimize their 3-D Secure usage? Whether they’re using it already today, or whether they’re starting to reexamine sort of their overall strategy. And also I want to keep in mind, which is a common question I think we get is, how does this sort of play in conjunction with existing risk strategies or risk tools? These are the things that we’re hearing from merchants. So we’d love to hear what you guys are hearing. Dewald, maybe we’ll start with you on that.

Dewald Nolte: Yeah. If we look at the rail, again right, I think 3-D Secure perhaps has had a bad rap in terms of reputation, right, in the past. However, I do believe that a lot of that has been addressed in the newest latest versions that there are. And so I do believe that the rails to share the right amount of data certainly now is there to get the right results.

And so I really, I think if you look at some of what we’re seeing in some of the unregulated markets, we’re starting to kind of see, well, okay, so practically, if you are a merchant and you’re afraid at this stage that, okay, if I’m going to send 3-D Secure data, the issuer is just going to decline all of it and then I lose the revenue, the fact that there are now, for example, these data-only or information-only capabilities, immediately takes away that risk where you can start to share the data to start to train the issuer that, hey, I’m not just sending bad ones, right?

So you’re sending that, and the data-only kind of capability at this stage informs the issuer, but they don’t challenge, right? So that fear that maybe was there for a merchant because there’s almost that barrier to entry that if you’re the first one to move, you might be the one that kind of gets the declines.

And so it’s been addressed in the way to say, well, the ability to share the data without the risk of mass declines is now there, and we’re starting to see that. We’re starting to see more of the information-only data being shared that helps to train the issuers to go, oh okay, these ones, we’re learning about more of the transactions. We can see better of what good looks like, not just the bad. So that’s certainly one.

I think some of the other things that we’re seeing is, I always talk about green signal sharing, right? Where you see some of the bigger merchants actually being able to register certain tokens, for example, with an issuer to say, all right, if you get this signal from me, this is a trusted device. And so when I send you proof of this signal as part of the transaction, don’t challenge it because, I’ve already done it, for example, right?

And so we’re seeing some of those strategies. It goes by different names and different geographies, but that sending of certain, strong green signals as part of the risk strategy is certainly something that we’re seeing that some of the unregulated markets are using very well.

And then I think there are also some new things coming into play, like secure payment confirmation, right, where you can actually go and enable things like biometric authentication, where a merchant can use their own tokens and register that with an issuer to actually do full authentication. But they still control the UX, right, the user experience there. And so I think some of these things are definitely coming into play where we can really enhance the user experience and kind of balance the old, risk versus user experience equation with some of these new tools.

Chris Uriarte: Yeah, for sure. I think a whole other episode is due on some of these emerging authentication types that we’re starting to see here. I’ve seen Stripe do some good research on Secure Payment Authentication in the past as well. But that’s for another episode. But Amandeep, we’ll turn to you to bring us home here. What’s your perspective on this?

Amandeep Batra: I think my perspective is, as we work with so many businesses in the regulated markets who really want to benefit from 3-D Secure and build their fraud optimization strategies effectively, the one consistent message we tell to them is you can’t lift and shift your strategies across regions, so you have to have a laser focused regional strategy when it comes to, let’s say, a non-regulated market. So effective use of 3DS, as opposed to naively requesting 3DS has worked in favor. And that is where I’d say we have many stories from various different businesses who are using 3DS in the markets like US have a good return of investment they’re put on it as a merchant.

To the point of the future state, I totally agree with Dewald on the various points that he shared, that effective data sharing across the ecosystem, I think, is the way forward. That is how we sort of solve the problem in Europe and the UK, even though the mandate was a push behind it, but it was the ecosystem coming together. And the same is required right now for markets like US, for the ecosystem to come together. So Stripe from an acquiring perspective, as well as an issuer, because Stripe is an issuer as well, is investing heavily into our kind of authentication capabilities, because we are a firm believer that 3-D Secure is a net positive thing for the businesses.

And to the point of emerging technologies. Yes, like we have already done a lot of work with web authentication and SPC and we were probably the first acquirer who brought in delegated authentication in Europe, which was all passwordless biometrics authentication using FIDO. We will continue to invest on that as well. And lastly, I would say that learning from the decisions in the past, which is building optimization, which is potentially machine learning based optimization, is also a way forward.

So whoever is listening, I think they should have those capabilities built in as a merchant or as an acquirer, or as an issuer, or as an ACS, these are really helpful strategies. And the last point, which I would say is, there are more and more markets that are now looking towards mandating authentication in some sort. So effectively, I think that is the point which should be looked at by the markets like US, for example. 3-D Secure now will be mandated in the matter of months, I guess, in Japan. So effectively more and more geographies are talking about it. Fighting fraud is the biggest, let’s say, pain point of the payments industry and all the means to fight that in an efficient way is continue to stay as a theme, I suppose, and 3-D Secure is playing a pivotal role in that.

Chris Uriarte: Fantastic.

Bryan Derman: To adapt an old phrase, you can get more done with a kind word and a mandate than you can with a kind word.

Chris Uriarte: Yeah, for sure.

Bryan Derman: Guys, we’re sort of out of time for today, but by no means done with this topic. It’s going to keep evolving. I’m sure we’d like to have you back again to talk about the future stages of this. Thank you so much for your time today. And we’ll look forward to tracking the space and getting back with you as things develop. Thanks again for joining us.

And to all of you listening out there in payments universe, thanks again for joining us. Keep up the good work that you do and fighting the good fight and we’ll see you next time.
