The payment card industry is constantly upgrading its security measures to better protect both customers and merchants. This is critical, with ‘trust’ being the operative word, especially as ecommerce fraud attacks continue to rise in the wake of the pandemic and the boom of card-not-present (CNP) transactions, where the cardholder is not physically present to offer verification via their own identification.
The first evolution was the shift from a signature to a chip-and-PIN protocol, which requires the cardholder to punch a four-digit number (PIN) that only they know into the payment terminal. In this method, the customer provides two distinct forms of confirmation – the physical card and the PIN – to verify the payment, an approach known as two-factor authentication (2FA). But how would this work for CNP transactions?
One common technique of the near-past has been the card security code (CSC) – or CVC or CVV – which in its simplest form is a three or four-digit number on the back of the credit card that a customer types into an ecommerce portal alongside all the other details on the front (card number, full name and expiry date). The rationale for this method is that a criminal may be able to scan the entirety of the front – gaining visibility in person or by using a camera – to use in fraudulent CNP transactions but never both the front and the back. Still, protection via this method was never absolute.
Enter three domain server or three-dimensional security (3DS) as the most advanced form of 2FA to date, which follows similar systems already in use for online banking and other related services by incorporating the customer’s phone or registered email address as a means of verifying the payment. With 3DS, the payer gets an email or text message (SMS) with a security code to enter into the ecommerce portal while they are completing the transaction. So, while a fraudster may gain access to a credit card’s full details (and even the CSC), they are far less likely to also have the cardholder’s phone in their possession to receive the email or SMS security code.
Each major credit card processor has its own unique form of 3DS, but the core practice is the same. Once a cardholder is enrolled in the 3DS program, within the merchant’s ecommerce portal, the customer is redirected to the credit card provider’s secure website where they are asked to enter the security code. Upon success of this step, the customer is then redirected back to the merchant’s ecommerce website to complete the CNP transaction.
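The redirect flow described above, as an added example that is not code from TransForm or any card network: a simplified model in which the issuer checks the one-time code and the merchant completes the payment only on a valid issuer result. The shared key, the five-minute validity window, the three-attempt limit and all names are assumptions made for illustration, not the actual 3DS message format.

```python
import hashlib
import hmac
import secrets
import time

# Constructed key shared by the issuer and merchant models (assumption).
ISSUER_KEY = secrets.token_bytes(32)
CODE_TTL = 300    # seconds a code stays valid (assumed value)
MAX_ATTEMPTS = 3  # entries allowed per challenge (assumed value)


def sign(txn_id):
    """Issuer's integrity tag binding a successful result to one transaction."""
    return hmac.new(ISSUER_KEY, txn_id.encode(), hashlib.sha256).hexdigest()


class Issuer:
    """Models the card provider's site the customer is redirected to."""

    def __init__(self):
        self.challenges = {}

    def start(self, txn_id, now=None):
        """Open a challenge; the returned code stands in for the SMS or email."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        self.challenges[txn_id] = {"code": code, "expires": now + CODE_TTL, "tries": 0}
        return code

    def verify(self, txn_id, entered, now=None):
        """Return a signed result for the merchant, or None on any failure."""
        now = time.time() if now is None else now
        ch = self.challenges.get(txn_id)
        if ch is None or now > ch["expires"] or ch["tries"] >= MAX_ATTEMPTS:
            return None
        ch["tries"] += 1
        if not hmac.compare_digest(ch["code"].encode(), entered.encode()):
            return None
        del self.challenges[txn_id]  # a code is single-use
        return sign(txn_id)


def merchant_complete(txn_id, result):
    """Merchant side: finish the CNP payment only with a valid issuer result."""
    if result is None:
        return False
    return hmac.compare_digest(sign(txn_id).encode(), result.encode())
```

Binding the result to the transaction ID is what stops a successful authentication for one payment from being replayed on the return redirect for another.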
The process is straightforward and elegant. What’s important for you, the merchant, to take note of is that this heightened level of payment security helps to minimize your chances of losing the payment amount as a result of a refund issued from a chargeback dispute. With 3DS, the chargeback liability – in terms of providing express proof that the cardholder authorized the transaction – is shifted from the merchant to the credit card processor or issuing bank.
As most businesses are now incurring direct losses of 1% to 5% of all payments due to chargebacks – not to mention all the indirect costs – 3DS can help you maintain profitability by preventing this type of attrition. Given its significance to the industry, TransForm has prioritized the incorporation of 3DS into its functionality, so expect this feature as a product standard in the coming months!