The 3D Secure protocols, one for each network, that connect ecommerce merchants to the cardholder’s issuer, has had a rough go. But after ten years, smarter application of the tool and, in particular, risk-based usage makes it more attractive to both issuers and merchants.
In this conversation with Mike Roche, VP of Consumer Authentication at Cardinal Commerce, we take a deep dive into these protocols, their implementation and continuing evolution, expectations of increased card not present fraud due to EMV’s US arrival, and the positive effect on merchant sales and issuer spend of using this approach.
Transcript below.
George: Welcome back to another Payments on Fire podcast. George Peabody here with Glenbrook Partners and today it is my pleasure to have Mike Roach who is VP of consumer authentication at Cardinal Commerce. Welcome, Mike. Good to have you here.
Mike: Thanks, George. Thanks for inviting me.
George: Mike’s being very patient. We had a recording failure on the last round, so he’s willing to do this a second time. Practice makes perfect. Mike, the reason we’re talking today is, from my point of view, Cardinal Commerce has really been carrying a lot of water around 3D Secure for a long time. That’s you’re role, you’re the manager of that line of business, is that correct?
Mike: Yes, that’s correct.
George: I can hear you arguing with me about Cardinal Commerce carrying a lot of effort around 3D Secure. Just so we can level set, can you briefly describe 3D Secure and how it works and who the beneficiaries are?
Mike: Sure. Just to make a differentiation here, 3D Secure is the 3D Secure Protocol, this is the protocol that was developed by Visa, adopted by MasterCard and all the other networks. What the protocol does is it allows for a financial institution to interject or participate in that actual consumer level transaction on a website, and soon to be on a mobile phone, so that they can partake in that and ultimately gage the risk of that transaction.
George: So we’re getting data from the consumer’s device as well as from the card the consumer is using, and this richer data flow, data message is going along with the standard authorization message to the issuer via this protocol, right?
Mike: Yeah, that’s correct. So what it also accounts for is new data elements which can be passed in the ISO 8583 authorizations and settlement messages which then historically limited and then remain to be limited, which gives proof that this authentication session or this authentication process did occur. So when an issuer receives an authorization, they get the proof that this did occur, the merchant facilitated it, and it was an end to end authenticated transaction.
George: What’s in it for the issuer and what’s in it for the merchant?
Mike: Well, I think the value proposition has changed significantly. Initially, these programs started out as what’s in it for a merchant is the same thing as what’s in it for any merchant who adopts EMV at the point of sale. The 3D Secure protocol, the newer versions of it are owned and operated by EMVCo. Everyone should think of 3D Secure in the programs that are offered verified by Visa, MasterCard, Secured Card, American Express Safe Key as the online equivalents of EMV.
George: That’s an interesting metaphor. Okay.
Mike: Correct, people should look at it in that way. What’s in it for the merchant is the same thing that’s in it for any point of sale merchant, its liability shift and reduced costs at the point of sale online. So, the same way the EMV provides blanket liability shift at the point of sale, merchants also get that blanket liability shift online.
George: The merchant has to be working with a gateway, a payment services provider, who understands 3D Secure like you guys. On the issuer side, issuers also have to participate as well. I’ve heard some horror stories, to me anyway, where some issuers will approve every e-commerce transaction that comes by them, just because they can charge back every one that looks funky. It’s pretty wretched, but it’s a cost avoidance strategy for the issuer. Now here’s the issuer giving liability back to the merchant, I mean taking it back on themselves. What’s in it for issuers?
Mike: That’s where kind of the value proposition has changed. Liability shift is great. Blanket liability from a merchant standpoint, but what’s in it for both parties is a new thing that has developed out of these programs has been an increase in sales. So what this gives an issuer, an issuer who participates in the program participates at the level which Visa and MasterCard want you to do that, means that the issuer is looking at the transaction using the 3D Secure Protocol, using their program, and they’re gaining additional intelligence on the transaction as the customer is shopping. What it gives them is additional intelligence to authorize more transactions. Everyone in the ecosystem, especially the payments ecosystem on both sides of the fence, merchants have all this data and they want issuers to authorize more of their transactions. Issuers don’t have any data, they’re trying to get more data from the merchants so they can authorize more transactions. I think things are starting to meet perfectly, and no longer it’s a fence, I think it’s a gate now.
George: You and I were both at the Cardnotpresent.com Expo this spring, one of the themes that I’ve heard there and that I’ve heard since is merchants really want, and I’m assuming it’s the same for issuers, is to quickly get to know good transactions as opposed to trying to find all the bad ones. Is that what you’re talking about, that’s where the source of increased approved transactions is coming from?
Mike: Correct. Issuers now are able to get consumer level data out of the transaction through 3D Secure Protocol and their programs, in order for them to justify accepting more transactions. An issuer using risk based off of that occasion is the way that Visa, MasterCard want every issuer to do this, will look at the device that they’re checking out on. They’ll apply all the same analytics that they would for online banking sessions and they’ll look at that. They may have a consumer who’s never purchased online before all of the sudden show up on PayPal or Walmart or something like that and make a purchase. This may be a risky transaction for them, since they’ve never seen them shop online, but they have seen them come through on online banking. They have a known device, and if they can see that consumer come through, there’s going to be on question in their mind that they’re going to not accept that transaction, if it gets through the 3D Secure program and their 3D Secure checks.
George: Merchants have been taking on a lot of that device ID, device fingerprinting burden for a long time in the e-commerce world. Now what I’m kind of hearing is, using the 3D Secure Protocol, issuers are starting to get the same data that the merchants have been using all along.
Mike: Exactly. So a lot of people have been explaining the problem within the payment supply chain that’s existing in card not present is it’s very outdated and not enough information is being shared to issuers, which causes issuers to decline too many transactions. Issuers in general will decline; their acceptance rates are 10% less online than they are at the point of sale. That’s a big problem for everybody, not just merchants, but also issuers and also Visa and MasterCard. This kind of closes the gap. So, issuers can get enough intelligence to positively identify their consumers through this 3D Secure authentication session in order to increase their amount of site acceptance.
George: Great. Now we get it. What else is happening? You used a term a moment ago, risk based authentication. When 3D Secure first came out, merchants loathed it and they chose not to use it because it was frequently popping up the online banking credential screen. I’m doing business with Bob Stormdoors and I’m only going to order with him once online, and then suddenly on that same screen I’m looking at my banking credentials. That made everyone nervous, never mind it made a lot of friction: “what’s my password?”. So shopping cart abandonment was pretty brutal with 3D Secure when it first came out. What’s different now?
Mike: That’s old 3D Secure, and unfortunately I’ve spent my career around that.
George: You’re getting really tired of answering that question, aren’t you?
Mike: Yes. Over 10 years now I’ve been handling that objection. Now the objection is kind of going away, because issuers are moving away from that approach. Everyone agrees that at the time of its conception it was like, okay maybe this is the way that the industry will go. No, it doesn’t work. Forcing someone to enroll at the point of sale when checking out doesn’t work; also, asking them to remember another password doesn’t work either. Issuers, with the guidance of Visa and MasterCard, have started to adopt risk based authentication, and what they do is, instead of challenging every single consumer, they use that 3D Secure authentication session, just the front screen. So, they’re able to apply the same type of analytics that a merchant would, but what an issuer has at their disposal is they have their own neural network, so they can see that consumer shopping behavior. Things like if a card is stolen and being used at multiple gas stations all over the place, and now someone is checking out online, that’s kind of a more in depth fraud that an issuer could have. That’s how it’s changed. So instead of challenging every consumer or merchant, issuers have moved to this risk based approach, and they only challenge high risk transactions that they may not authorize. There’s also issuers out there who don’t challenge anything from consumers. They simply give a yes or no back to the merchant, which a lot of our merchants really like. The end stages of this and where this gets you is that issuers are able to accept more transactions and likewise, we talked about this, this just came out in our Amtrak case study, merchants are able to use this issuer interpretation if you know that they’re doing risk based authentication, and they are responding positively with an authentication, you can add that into your existing acceptance policies. That gives you a new powerful tool that merchants have never had before. For the first time ever, we have merchants getting issuer risk assessments on transactions before authorization. It’s totally kind of changed the way that merchants are accepting transactions and the same thing how issuers are accepting transactions. This was evident in the Amtrak case study. They had almost a 10% lift in acceptance rates, internally they had a 5% bump which we pointed out there. That’s just how they were able to use issuers to improve their own internal systems. These aren’t things that have gone out for authorization, these are transactions, these are orders that they’re dropping on the floor even going out for authorization. We’ve just created a whole new base of customer to shop online that haven’t been able to go there before and who were turned off by maybe a bad experience like that.
George: Transportation is one vertical I see every time I book a flight on United with my United Chase card, I see the 3D Secure box pop up. I would imagine that big box retailers for electronics would be a pretty big customer for this approach.
Mike: Correct. Traditionally it’s been people who have smaller margins or they’re high fraud rates, which we see on the travel industry, it’s very lucrative on same day travel. Fraud is very rampant out there in consumer electronics, but what we’re seeing now is because of this sales lift, the liability shift and the interchange rates were great and made a lot of sense, but what getting everyone to jump onboard is what we pointed out in this Amtrak case study, which I think applies to all merchants. They’re able to get in at what Amtrak saw as a 2-1/2% increase in authorization rates with issuers and on their side, their own internal acceptance was able to go up. Now everybody is looking to adopt this because we no longer have the bad consumer experience, in fact we have no consumer experience. We have the liability shift and the interchange break and now on top of that, we have issuers accepting more transactions and merchants who are able to use the issuer authentication response to justify or even remove their manual review processes in some scenarios when we have a respace issue.
George: I should probably be saluting by now, that’s so powerful. Each of the card networks, God bless them, has their own version of 3D Secure: MasterCard secure code, Verified by Visa. How much of a headache is that for everyone?
Mike: I think, you know, if you are working with a service provider who specializes in this, like Cardinal. We’re not a payment processor, we’re not a fraud screening provider, we strictly specialize in authentication. If you have a provider that does that, they’ll be able to consolidate this new single solution, where you’ll be able to get those individually, you should be able to have a provider who’s going to homogenize them so they all feel and operate in sync.
George: Is that an issuer concern, or is it a headache for merchants too?
Mike: I think it’s a headache for merchants integrating different types of authentication tools is always going to be a headache and expensive. We’ve obviously made our business out of that. It’s very tough to do when you’re bringing 3 parties into 1 single transaction millions of times a day. That’s kind of our business model, that’s where we thought we would provide value. That’s where we’ve gone after.
George: So, Mike, you mentioned mobile. I get how a merchant with a mobile website would take advantage of this. It should more or less look like an e-commerce transaction. What about from within a mobile app? What have you done for that?
Mike: That’s a good question, and that’s a question that’s on the top of everyone’s mind as a lot of people are looking to adopt an EMV com. What’s coming out, there’s not a lot of public press releases about this, is that there’s a new revolution of the 3D Secure Protocol called 3DS 2.0, which is specifically tailored for the app channels, the mobile purchases that are not done through a browser. There’s a whole new world that’s coming out. We’re just improving on all the positive. Finally, after 10 years, we’ve got so far the 1.0 protocol and all these positive things that have risen to the top, we’re taking these positive things and now we’re expanding upon them in 2.0. Cardinal is very involved in EMVCo.
George: Where is that in terms of its development?
Mike; I think we’ll be able to start the launch next year. It’s materializing throughout this year, and I think later, about this time next year, we’ll start to see our first merchant adopters.
George: Drafts of the 2.0 spec have been released at this point?
Mike: They’ll be released at the end of this summer by EMVCo. So we’ll be providing some correspondence to our merchant community and also to Glenbrook and yourself and other places to provide as much information as we can based on the spec. That’s going to be published.
George: EMVCo has gotten busy in the past couple of years.
Mike: Yeah, they have. They’ve literally, in the past 2 to 3 years, come out of nowhere. With, obviously, EMV coming to the United States, their network tokenization specs, which I think is brilliant, EMV tokenization online and now the 3D Secure 2.0 Protocol, they’re really hemming up some serious holes in the dam that have been present in the industry for a while. It’s great to be a part of that group.
George: It’s good to see the payments industry itself looking after its own security problems. Let’s wrap up with this, Mike. You’ve mentioned that EMV is coming to the US, the liability shift at the point of sale is starting in October of this year. What’s your forecast for the shift over to card not present fraud we’ve seen in every other market?
Mike: You know, I think it’s going to occur. I don’t think it’s going to be as dramatic as we saw within the UK, but it is going to happen. Naturally, if you think about someone who has access to a credit card, they’re doing 2 things: they’re printing a counterfeit card they’re going to sell physically to someone, and if they can’t do that, the first thing they’re going to do is try to go online to buy the same gift cards they wanted to buy in store. Logically, they’re going to be stopped on printing these cards because of EMV and they’re first reaction is going to go online. I think we’re going to see that move occur and it’s definitely there is going to be an uptake in fraud. I don’t think it’s going to be as dramatic, because I think the US market has much more sophisticated fraud screening tools on the merchant side.
George: Oh, yeah. We’re 10 years on from the UK experience. The merchants have been employing a whole raft of new tools that didn’t exist 10 years ago. I’m with you. I think that the overall fraud number will rise, but it might track pretty closely overall to the card not present offline transactions that we’re already seeing. Visa reports that 3 out of 10 of its transactions today are card not present in the US. That’s pretty astounding and should mean good market for you. Well, Mike, thanks very much for having the conversation today. I’m glad to get this insight into where 3D Secure is and actually, I’m really excited about where it might be going next.
Mike: For sure. Thanks, George.