Looming authentication deadline could put local merchants at risk

Almost a third of local transactions are still running on 3D Secure version 1 despite the looming 14 October deadline to “sunset” this version of the protocol. Merchants that have not made the transition to the new EMV 3D Secure version 2 protocol will not have their transactions authenticated by Visa, Mastercard and Amex from 15 October and will face additional risk.

The good news is that there are some quick actions that can save them undue risk.

It is surprising to see so many merchants still using the old version one protocol despite many deadline extensions. South African merchants are mandated to use the 3D Secure protocol and so time is up and action must be taken.

Come 15 October, merchants who send through transactions using the old protocol will receive an error message and authentication will not take place. Moreover, if fraud does take place on the transaction without the newest version of the 3D Secure protocol, merchants will carry the full liability for any losses, potentially putting them out of pocket. In addition, unauthenticated transactions attract a higher interchange rate, costing them more each time a transaction goes through.

Fraud remains a big area of concern in South Africa, and the latest numbers from Sabric show that e-commerce and card-not-present fraud account for 80% of credit card and 53% of debit card fraud. It’s therefore imperative that issuers and merchants work together to leverage the protection that 3D Secure protocols offer against fraud. But the latest version of the protocol will benefit all stakeholders in the ecosystem.

The 3D Secure authentication protocol was designed to give an added layer of security for online debit and credit card transactions. The latest version offers a more powerful form of authentication, making use of in-app approval, USSD and biometrics, rather than the SMS one-time passwords (OTPs) that many South Africans are used to.

User experience

The new 3D Secure version 2.2 is certainly more powerful, but it also has user experience as a key focus. The older version wasn’t able to support biometric authentication and was incompatible with some devices and mobile browsers. The poor user experience would often cause customer frustration and would frequently lead to cart abandonment.

The new version of 3D Secure, which includes risk-based authentication, means it offers a more seamless experience, which can only benefit merchants’ sales efforts.

By using risk-based authentication, 3D Secure version 2.2 makes use of a rich set of data about the cardholder and the transaction, which is sent to the card-issuing bank that processes the transaction. The data points enable the bank to make informed decisions about the potential risk factor of the transaction.

This increased data sharing will not only ensure safer, more frictionless payments, but can be used by banks to offer more personalised experiences for their cardholders, benefiting both customer and merchant.

Everyone transacts differently, and banks should be able to adapt the authentication experience for each transaction without adding additional friction for the customer. Great Access Control Service (ACS) providers are able to deliver personalised authentication experiences to help banks tailor the most appropriate experience for each of their customers without compromising their risk levels.

While action must be taken, the switch should not be too painful. Merchants still running 3D Secure version 1 can contact their payment service providers (PSPs) to help them make the transition. Many PSPs provide a no-code, seamless migration onto the new protocol. The only challenge could be where merchants have older websites with legacy integrations that might require a re-integration to get them onto the latest technology. This may take a little longer and is one of the reasons why no merchant should delay checking to see if they are ready for the switchover.

While the number of 3D Secure version 1 transactions have been steadily reducing by around 5-7% each month, this is still too slow to meet the looming deadline.

Merchants that choose to stay with 3D Secure version 1 will be at a real disadvantage. Their customers will have an inferior user experience, they will be at a higher risk of fraud, carry a greater liability risk, and will pay more for their transactions.

• The author, Jonathan van der Merwe, is product manager for payments at Entersekt