July 16, 2019
Online and mobile commerce has grown substantially over the past several years as consumers have come to rely on the ease and convenience of transacting digitally.
With this growth, it is becoming critical for those in the payment ecosystem to understand the true digital identity of the end customer.
During a typical online transaction, the merchant, the acquirer and the issuing bank lack the ability to know whether a user is in fact who they claim to be. Endless data breaches have enabled cybercriminals to effortlessly obtain stolen identity credentials from the dark web, equipping them with everything they need to masquerade as legitimate users. Meanwhile, in a digital world, success is predicated on delivering a frictionless checkout experience, making the need to balance effective risk management with customer experience an ongoing challenge.
The Security and Customer Experience Challenge
First deployed by Visa in the early 2000s, 3D Secure (3DS) was intended to provide a more secure online payment experience across the three domains (acquirer, issuer, and interoperability). It attempted to replicate the level of security of a card-present transaction through real-time customer authentication for card-not-present transactions, with the aim of reducing fraud, increasing consumer confidence, and shifting liability for disputed transactions from merchants to issuing banks.
Over the last 15 years, consumer shopping habits have evolved, particularly as mobile has become the leading way to browse and purchase. 3DS 2.0 has been introduced to address the shortcomings of 3DS 1.0 in the changing eCommerce landscape, with a view to enhancing security, supporting app-based authentication and improving the cardholder experience during the checkout process.
3DS 2.0 is a huge paradigm shift from the earlier protocols, as it enables merchants to integrate the authentication process into their checkout experiences, for both app and browser-based implementations. It allows the issuing bank to make risk-based decisions on the transaction authorization without requiring the customer to perform an additional authentication to the bank. It also enables non-payment customer authentication, which supports services like Identification & Verification (ID&V) for mobile wallets and secure requests for tokens for card-on-file.
Better Data for More Accurate Decisioning
The key to making good decisions is for all parties involved to have access to relevant information. 3DS 2.0 speeds up authentication and improves security by enabling merchants and issuers to exchange more data (such as device, channel, identity and transaction information) to verify a cardholder’s identity in registration flows and to ensure that the true cardholder is performing the transaction. By having access to more contextual information, issuers can authenticate more customers accurately during the frictionless flow (AReq/ARes).
3DS 2.0 levels the playing field by driving issuers and ACS providers to compete on customer experience, measured by approval rates, in an environment in which they maintain less control over top-of-wallet considerations and face pressure from EMVCo to deliver high pass rates.
Issuers and ACS providers need “an edge”, as well as a holistic approach to making authentication decisions in real time. ThreatMetrix provides that edge by leveraging the Digital Identity Network that is built on shared intelligence from billions of transactions from some of the world’s leading businesses. The ability to attach historical context, even when the consumer is interacting with 3DS 2.0 for the first time, is critical for success.
To make this information available to gateway and ACS providers in real time, ThreatMetrix has built a new 3DS Risk Engine API specifically for the 3DS 2.0 specification. This 3DS Session Query API works across mobile and web and allows gateway and ACS providers to obtain information relevant to transaction risk scoring with minimal transformation of the 3DS 2.0 AReq message.
This API can use the ThreatMetrix Session ID or standard 3DS 2.0 Device Info fields to perform transaction scoring based on Digital Identity Intelligence from the Network. The ThreatMetrix Rules Engine can then analyze the user session and return detailed information to support real-time decisions on whether a session should be considered legitimate or fraudulent. Transaction information will be extracted from the AReq message for consideration in transaction risk scoring.
The ThreatMetrix Mobile software development kit (SDK) can be integrated with mobile applications, detecting any breaches of the application itself and verifying the trustworthiness of the mobile device. At the same time, the 3DS API endpoint can also work with data from any 3DS-compliant SDK.
As merchants and issuers begin implementing 3DS 2.0, ThreatMetrix is already working with leading card networks, payment processors, merchants and many other global businesses, giving its customers a head-start.
Leveraging the Largest Repository of Digital Identity Intelligence
Knowing who your customers really are, and how and when they transact, makes it possible to detect suspicious behavior or compromised devices before accounts are infiltrated by cybercriminals. Built from crowdsourced intelligence from approximately 24 billion global transactions each year, including logins, payments, and new account applications, the ThreatMetrix Digital Identity Network provides a wealth of cross-industry intelligence related to devices, locations, identities and past behaviors.
Using this information, ThreatMetrix helps businesses understand the true identity of a transacting user by going beyond just device-based analysis, grouping various other entities based on complex associations formed between events.
- An Unparalleled Network: The ThreatMetrix Digital Identity Network protects 1.4 billion unique online accounts using intelligence harnessed from 2 billion monthly transactions.
- Privacy by Design: ThreatMetrix is unique in its ability to solve the challenge of providing dynamic risk assessment of identities while maintaining data privacy through the use of anonymization and encryption.
- An Integrated Approach to Authentication: Flexibly incorporate real-time event and session data, third-party signals and global intelligence into a single Smart Authentication framework, to deliver a consistent and low-friction experience with reduced challenge rates.
- Advanced Behavioral Analytics and a Clear-Box Approach to Machine Learning: ThreatMetrix Smart Analytics analyzes dynamic user behavior to build more accurate, yet simpler, risk models. The result is a competitive edge in customer experience with reduced false positives, while maintaining the lowest possible fraud levels.