Ryan Wilk, vice president of customer success, NuData Security, a MasterCard company
Unmasking cybercriminals as they mingle with the online shopping crowds is one of the biggest challenges for online retailers during the holidays. Between 2018 and 2023 criminal data breaches will expose 146 billion records, growing at a rate of 22.5% per year according to Juniper Research. Every nugget of information is useful, every seemingly irrelevant data could open a treasure chest, whether it is via account takeover, identity theft or Frankenstein identities.
With a hefty payload in mind, cybercriminals have a great motivation to go through a variety of tasks; from testing newfound credentials with brute force attacks to opening new accounts and aging them so they blend in with legitimate accounts. Once they’ve done all their prep work, they are set to fleece as many merchants as possible.
The Holiday Hustle
Card-not-present (CNP) transactions are the main focus now that credit cards with EMV chips have closed off the card-present weakness gap. Nilson Research projects that CNP losses will reach $31 billion by 2020. Adding to this mayhem for merchants is this little thing called chargebacks, which happen when customers find unrecognized charges on their accounts and request merchants to refund those transactions.
When the merchant’s chargeback rate (the number of chargeback requests versus sales) starts to increase, merchants are penalized with higher payment processing fees. This means that all their transactions will be more expensive until their chargeback rate goes back to an acceptable threshold.
With professional imposters at the door, online retailers become more reticent about processing transactions that are suspicious. Similarly, banks who receive customer transaction requests through the merchants are also wary about authenticating them if they seem suspicious. It is this caution that leads to more false declines resulting in astronomical losses.
To be precise, in 2017 the false-decline rate alone accounted for $300 billion in losses in the U.S. according to the Aite Group. Merchants suffer additional damage; numbers from Javelin research show that 32% of falsely declined consumers stop shopping with that retailer.
So, online retailers are surrounded with customers and criminals, facing one dilemma: Who do you say yes to? who do you decline and how many sales will you lose if you decline a good transaction?
EMV 3DS – A New Path to Prosperity
In an effort to throw online retailers a life-line, credit card networks have come together to help with EMV 3DS (commonly known as 3DS 2.0), a protocol to authenticate CNP transactions. The protocol has been revamped and leaves behind the authentication complexity that had been a burden in the past. The consumer doesn’t have to do anything. They will notice a difference on how they are authenticated: Instead of receiving a request to insert a 4-digit pin or other type of code to confirm the purchase, they will either not be asked anything (90% of the times) or they will be asked to authenticate themselves with a thumb, facial scan or other biometric scan.
The new protocol collects more information around each transaction and merchants have the choice to share that additional information with the issuer—to help issuers make more accurate decisions and increase approvals. Online retailers have to connect to the 3DS API. They need to choose a vendor to do so. Vendors offer a variety of services, from the bare minimum connection to additional authentication services and managing options, to make life easier for merchants. NuData, for instance, offers access to 3DS as well as to passive biometrics at checkout, to help merchants decide how they want to process a transaction before it’s sent to the issuer.
With this enhanced protocol, 3DS features can be leveraged to meet regional compliance requirements as well as share more data elements. By choosing the right vendor for this protocol, merchants will have an easier time becoming compliant in their market. Additionally, they can see what 3DS transactions were frictionless and which ones weren’t. For example, if you travel to Tanzania and make a purchase from the hotel, that’s considered risky because it’s an unusual behavior for you (your card) —assuming that you don’t go to Tanzania often. In this case, you will be asked to authenticate yourself with some user-friendly tool such as a finger scan.
Ultimately, the issuer will decide if it wants to step up a user or not, but the additional data elements shared with the issuer will help make more accurate decisions, reducing false declines. A step up is an additional authentication request. Step up refers to an authentication step that is not normally there but is now kicking in because the system has detected some form of risk.
Mastercard estimates that 90% of transactions won’t require a step up, meaning that merchants will be able to offer seamless experiences to most of their customers. If there is a step up, the user simply has to follow the instructions they see to authenticate themselves. This authentication can be done biometrically, aligning to the new technologies.
Additionally, even if issuers don’t support 3DS 2.0, merchants can benefit from the liability shift on Mastercard transactions, as Mastercard is currently the only provider who will stand in to perform the authentication.
The liability shift means the merchant doesn’t have to face the monetary consequences of a chargeback; instead, the issuer will cover these costs—acting similar to insurance.
3DS 2.0 is a protocol designed to help merchants and other stakeholders provide better experiences to their customers while reaching their profit numbers without compromising security, which ultimately benefits everyone in the card-not-present industry.
Security beyond 3DS
Including seamless pre-transaction security enables merchants to make better decisions around which transactions should be sent through the 3DS path and which ones they should route outside of the protocol. By doing so, merchants have better control over the experience they want to offer to their customers.
Pre-transaction technologies based on passive biometrics and behavioral analytics, detect fraudulent activity inside of the environment without unnecessary friction on good users.
This technology, combined with 3DS, gives merchants the ability to create customized rules for each situation, ensuring fraud is blocked in real time. This hardened security at checkout helps merchants reduce the transactions that require a manual review, significantly cutting fraud and operational costs. Truly, a holiday gift for merchants.
NuData Security verifies online transactions by drawing on extensive data about individual consumers’ buying patterns and the devices.