How 3DS2 Grows E-Commerce Sales and Combats Fraud

With a global e-commerce market value nearing $5 trillion in 2021, online shopping is no longer a short-lived trend but the norm. The advance of widespread internet connectivity combined with the proliferation of mobile devices has increasingly driven consumers to shop online in recent years. Now, amplified by the need for safety in the wake of a global pandemic, retailers have seen an unprecedented surge in e-commerce sales with U.S. consumers spending $791.70 billion online in the U.S. in 2020, up an incredible 32.4% from $598.02 billion the prior year.

Get the print version
Read the full white paper anytime and anywhere.

However, this positive market growth also comes with increased rates of fraud. E-commerce fraud is expected to surpass $20 billion in 2021, a Juniper Research report found. Juniper Research report found. This loss would represent an 18% increase, compared to the $17.5 billion recorded last year.

Created as a response to online fraud, 3-D Secure (3DS) is a security protocol introduced by Visa over a decade ago for card-not-present transactions. This technology made it possible to authenticate cardholder identities in real time during the checkout process. With the advances in technology and fraudster tactics, however, the industry soon saw the need to update the original protocol and launched 3-D Secure 2.0 (3DS2).

The contents of this whitepaper look at the changing world of taking online payments and the cybersecurity risks involved. We will examine how 3DS2 improves upon 3DS, how the 2.0 version works, and the benefits it provides to merchants — including a reduced risk of chargebacks, an enhanced customer experience, and increased sales. But before we explore these concepts, it’s important to understand how e-commerce and payment technology are evolving.

The Changing World of E-Commerce

The founding of Compuserve in 1969 marked the official launch of the first e-commerce business. However, e-commerce, as we recognize it today, has been in existence since the early 1990s with the introduction of the World Wide Web and the first online purchase made on NetMarket.

To say e-commerce has grown since those days would be an understatement. A decade ago, e-commerce accounted for around 7% of total U.S. retail purchases. Today online sales represent nearly 20% of spending through all channels.

In addition to the recent pandemic, the massive growth of online sales can be attributed to other factors such as the increased usage of mobile devices and the creation of the digital wallet. In just a five-year period from 2016 to 2021, the number of smartphone users has increased by an incredible 73.9 %, while the number of consumers using digital wallets hit 2.8 billion at the end of 2020. And with convenience as a key benefit for shoppers, it’s estimated that 60% of the world’s population will use digital wallets by 2025.

Today’s consumers can easily browse e-commerce sites from a desktop or mobile device and then use their digital wallet to check out. Without the need to key-in credit card details, it’s much easier for consumers to make payments online – purchases can now be completed with only a few clicks. This reduction in “friction,” or barriers that would make a sale more difficult, is a trend many merchants are catering to in order to increase sales. In fact, research from Baymont suggests that just by improving the checkout design, the average large e-commerce site can gain a 35.26% increase in conversion rate.

These advancements in payment technology and the resulting changes to consumer behavior have created opportunities for other players beyond merchants. Online criminals have made it their mission to find vulnerabilities in the payment flow. While e-commerce sites, mobile devices, and mobile wallets offer many security benefits — such as tokenization, point-to-point encryption, and fraud filtering — online fraud continues to be a threat to the e-commerce ecosystem as attackers find new ways to defraud banks, businesses, and consumers.

The Growing Threat of Online Fraud

As e-commerce shopping grows in popularity, fraudsters are increasingly targeting these more vulnerable card-not-present (CNP) transactions. In the first four months of 2021, the United States saw a 25.07% increase in the number of digital fraud attempts, compared to the last four months of 2020. The same TransUnion report indicated that digital fraud attacks against financial services companies increased 109% in the United States during the same time, and globally the total was up 149%.

Without the presence of a physical card, these attackers aren’t bound by the security checks found when completing traditional in-person transactions, such as the EMV standard that authenticates cardholder identity based on a chip and PIN system. In the late 90’s, it was relatively easy to steal a credit card number and use it to buy whatever you wanted online. And even when additional data points were collected to authenticate transactions, such as CVV numbers and cardholder addresses, criminals still found methods to skirt the system. The industry addressed this concern by introducing 3DS — a security protocol developed specifically for e-commerce.

A History of 3-D Secured

3DS technology was first developed in 1999 by Arcot Systems (now CA Technologies, a Broadcom Company) as a way to prevent unauthorized credit card transactions made online. 3D stands for “three domains.” The first domain is the card issuer, the second is the retailer receiving the payment, and the third is the 3DS infrastructure platform that acts as a secure go-between for the consumer and the retailer.

Visa was the first of the card brands to deploy 3DS technology, with the introduction of Verified by Visa in 2001. The other card brands followed suit, rolling out their own branded solutions like Mastercard SecureCode and American Express SafeKey. All of these solutions have improved e-commerce security by requiring more than just a credit card number, CVV, and address to make an online purchase. During the checkout process, the cardholder is redirected to the issuing bank’s website where they are asked to provide proof of identity by entering a unique password, an SMS code, or a temporary PIN. If the authentication process is successful, then the buyer is redirected back to the merchant’s site for payment confirmation.

Challenges Arise for 3-D Secure: An Impossible Balancing Act Between Security and Checkout Experience

While the original 3DS technology added extra security through its authentication process, it also introduced friction to the checkout experience. Payment flows that utilize 3DS often create a disjointed experience by redirecting the shopper to another website, potentially causing confusion or frustration. This protocol requires more time and interaction for the shopper that can result in shopping cart abandonment.

Additionally, since 3DS pre-dates the rise of mobile device usage, it was not designed with mobile payments in mind. In the United States, approximately 40.1% of consumers use their smartphones to make purchases, and 44% of Generation Z use mobile wallets as their preferred form of payment method. With 3DS, the necessary authentication pages or pop-up screens were not optimized for a mobile experience. The older security technology combined with new devices made for a frustrating shopping experience — including pop-ups that couldn’t be seen on smaller screens or the need to search for and input detailed card verification data. In some cases, the resulting fragmented experience left the shopper fearful that the authentication process itself was a scam attempt. And considering that nearly twice as many consumers abandon their cart on mobile devices compared to consumers shopping on a desktop, merchants were left in quite the quandary: how to balance security with convenience in order to avoid lost sales.

Payment Security for the New World of Card-Not-Present: Introducing 3-D Secure 2.0

With security and customer experience at odds with one another, a new security protocol was needed to address the inherent issues with 3DS, as well as the challenges that arose from the advent of mobile payments. A new and improved protocol was borne when EMVCo launched 3-D Secure 2.0 (3DS2) in

2016. 3DS2 embeds the authentication process and relies on a greater volume of data to verify cardholder identities in real-time — without the use of redirects that delay checkout.

3DS2 Improvements That Make The Difference

Several notable improvements were made to the original 3DS technology in order to better prevent fraud while reducing the rate of cart abandonment. 3DS2 collects and cross-references a greater number of data points, eliminates the need for pop-ups and redirects, and offers compatibility for mobile commerce. Let’s explore these improvements in more detail:

- Greater Number of Data Points For Authentication

The original 3DS security protocol didn’t pass along as many data points as the current version, which meant that the customer more often had to fill in the gaps and actively participate in the process. By collecting and cross-referencing 10x more data points, 3DS2 improves the reliability of authentication and limits the customer’s involvement.

- Embedded, Real-Time Authentication

With the original version of 3DS, customers were more likely to be redirected to a third-party authentication page. As consumers have come to expect a quick and easy checkout, this sort of delay can easily result in confusion and lost sales. With 3DS2, authentication is completed in real-time and embedded in the checkout so that customers won’t have to leave the merchant’s website to complete their purchase.

- Compatibility with Mobile Commerce

With more shoppers utilizing mobile, e-commerce merchants no longer have the luxury of deciding whether or not to design for mobile devices. Optimizing your e-commerce business for mobile sales is a must. As opposed to its predecessor, 3DS2 was designed with mobile devices in mind. By using software development kits (SDKs), merchants can integrate authentication screens within their desktop and mobile sites, mobile apps, or even smart TVs, watches, and gaming consoles. The resulting embedded authentication limits shopper participation during the checkout process and decreases friction for mobile shopping.

How 3DS2 Works

With 3DS2, authentication takes place behind the scenes — usually without the customer’s involvement. The payment gateway passes along customer- and transaction-specific data points to the cardholder’s issuing bank. If the bank successfully verifies the customer’s identity and decides that the transaction poses a low fraud risk, then they authorize the transaction. In the unlikely event that the bank is unable to authenticate the cardholder’s identity with the provided data points, the cardholder may be prompted to enter their preset password for verification purposes.

The 3-D Secure 2.0 Authentication Process

The customer initiates a transaction online
The payment gateway passes key data points along to the cardholder’s issuing bank so that they can evaluate risk.
If the issuing bank successfully authenticates the customer’s identity and decides that the transaction poses a low fraud risk, then the transaction is authorized. This is the case with the majority of 3-D Secure transactions. Note: when this occurs, the merchant is not held liable if the transaction turns out to be fraudulent; the issuer would be liable instead.
If the issuing bank was unable to authenticate the cardholder’s identity per the above steps, the cardholder will be prompted to provide more information. The issuing bank will then choose whether or not to authenticate the transaction.

Reducing Fraud, Minimizing Chargebacks, and Growing Sales with 3DS2

By utilizing 3DS2 technology, merchants no longer have to choose between safeguarding cardholder data and a frictionless checkout process. 3DS2 technology reduces fraud and chargebacks without compromising on the customer’s experience. By using behind-the-scenes identity verification, authentication can typically be completed without the customer’s involvement. Merchants who implement this technology stand to reap multiple benefits, including:

Fraud Prevention	Authenticating the identity of the cardholder during the transaction process helps to filter out fraudulent purchases and verify the consumer's active participation in the transaction. As compared to the previous security protocol, ten times more data points are used as a means of determining if the transaction should be approved or if it cannot be verified as authentic — increasing the reliability of the authentication process as a whole.
Chargeback Protection	In the unlikely event that an authenticated transaction turns out to be fraudulent, the bank issuing the transaction authorization is responsible — not the merchant who accepted the payment. Plus, 3DS2 protocol also helps to protect against "friendly" fraud chargebacks — or chargeback disputes that occur because the consumer wants their money back on a legitimate purchase.
Improved Checkout Experience for Consumers	If authentication is needed, the technology offers a frictionless, customer-friendly approach. The data exchanged within the 3DS2 servers reduces the odds that a customer will need to verify their identity in order for the transaction to go through. It enables merchants to embed the authentication process into the payment flow instead of through the bank's website.
Increased Sales	By improving the customer’s experience while simultaneously filtering out fraud and authorizing more authentic transactions, merchants can benefit from a reduced rate of shopping cart abandonment and ultimately increase sales.

Getting Started with 3DS2

The benefits of 3DS2 are clear for merchants and consumers alike, and the adoption of 3DS2 is picking up steam in the payment and retail spaces. Now’s the time to start supporting this advanced technology!

If you’re a merchant or developer who’s looking to get started with 3DS2 technology, know that Cardknox offers the easiest and most cutting-edge path. Choose from our payment gateway integrations for e-commerce sites, or use the PaymentSITE hosted checkout form for a sleek checkout flow that requires zero development work.

The Role of Cardknox in 3DS2 Authentication

As a payment gateway, Cardknox supports the technical infrastructure and the relationships required for the secure processing of payment data. The gateway operates as a facilitator between the cardholder’s bank and the merchant’s issuing bank. This central role allows Cardknox to gather and pass along key data points to the card brand for authentication.

Cardknox E-Commerce Integrations

Cardknox is a leader in developer-friendly payment gateway integrations for accepting payments online, in-store, and through mobile devices. Our support for 3DS2 allows you to streamline e-commerce and mobile payment flows to ensure customer satisfaction while safeguarding cardholder data.

The Cardknox payment gateway was created by developers for developers. Many Cardknox integrations can be completed with just a few lines of code. To ensure that integration is hassle-free, our white-glove integrations support team is available to assist.

Choose between a full integration of our payment gateway for your website using our powerful API, plugins for popular shopping carts, or a quick migration from an existing solution using our gateway emulators:

Custom Integrations: Our comprehensive SDK provides the tools you need to integrate faster, including a full-stack API that enables deep integration and a custom payment flow.

Plugins for Popular Shopping Carts: Cardknox provides easy-to-use plugins for WooCommerce Magento, and other leading online shopping carts. Using our proprietary iFields solution, sensitive card data completely bypasses the host server, significantly reducing your PCI scope and liability.

Gateway Emulators: Our gateway emulators will translate your existing gateway’s API into Cardknox API so that transactions can be routed through your gateway to Cardknox — without the need for a full integration. Simply change the gateway URL to the Cardknox endpoint and get up and running fast.

PaymentSITE Hosted Payment Form

Start accepting secure payments online without writing a line of code or dealing with security and hosting challenges. Cardknox’s hosted payment form tool, PaymentSITE, makes it easy to build customizable forms for accepting payments. PaymentSITE streamlines payment requests for donations, deposits, and invoices by giving you the capability to email your payment form, share it using a unique URL, or embed it into your webpage. Features of PaymentSITE include the ability to:

Customize required fields for billing, shipping, and transaction info
Support mobile wallets for one-click mobile commerce
Curb fraud and simplify PCI compliance using robust data tokenization
Prompt consumers to opt-in to recurring payments
Create consistent branding with a logo upload tool

Even More Benefits of Cardknox E-Commerce Solutions

In addition to industry-leading 3DS2 security, you’ll enjoy access to many added features and benefits to help you streamline invoicing, improve customer satisfaction, and lower costs.

Gain Greater Control and Efficiency with Split Capture: Rather than having to capture the total authorization amount when shipping out orders, merchants who use Split Capture are able to capture multiple portions of a prior authorization.
Make Payments Predictable with Recurring Payments: Set up automatic payments with the ability to customize amounts and frequencies.
Support a Wide Range of Payment Methods: Cardknox supports credit and debit cards (EMV, contactless, magstripe), mobile wallets, ACH, EBT, and more.
Provide a Frictionless Checkout with Digital Wallets: It’s easy to make websites mobile-friendly with Cardknox’s support for digital wallets like Apple Pay and Google Pay.
Reduce Costs with Interchange Qualification Monitoring (IQM): Cardknox performs over a dozen checks and routes transactions to minimize fees for merchants.
Safeguard Your Business with Advanced Security: 3DS2 is just one of Cardknox’s many security features. We also offer true tokenization that assigns a unique ID for each transaction, as well as fraud filtering that stops fraud in its tracks.
Simplify PCI Compliance: With Cardknox, your system never touches actual credit card data, making PCI compliance that much easier.

Adapting to the New Era of e-Commerce

Technology has transformed the way merchants do business and how consumers make purchases. Accepting payments online and through mobile devices has created limitless opportunities for buyers and sellers to connect all over the globe. With this opportunity comes the need to not only protect your business but also the responsibility to safeguard customer data from online criminals — criminals in constant search of ways to exploit vulnerabilities in e-commerce payment processes.

With previous security protocols, this meant sacrificing an optimal checkout experience and in turn, losing out on sales. Today, 3DS2 technology helps to create a frictionless payment experience for consumers without compromising on security.

Cardknox makes it possible for developers and merchants to implement this advanced, card-not-present technology through integrating with our powerful payment gateway and utilizing our suite of e-commerce solutions. Ultimately, Cardknox’s support for 3DS2 technology gives our clients the ability to reduce fraud and chargebacks, increase customer satisfaction, and grow online sales. To learn more, visit www.cardknox.com/3d-secure.

Are You a Developer?

Experience the difference of advanced technology designed for maximum scalability along with industry-leading customer support and competitive residuals. Help your customers prepare for the new world of payments, while reaping the benefits of a partnership that puts you and your business first. Learn more at www.cardknox.com/partner-program.

Are You a Merchant?

Experience payments designed to work seamlessly with your in-store, online, and mobile platforms. Cardknox’s solutions are designed with both customer and merchant in mind, and offer affordable pricing, advanced security, and customized support. Learn more at www.cardknox.com/merchants.

Get the print version
Read the full white paper anytime and anywhere.

Cookie	Duration	Description
AWSALBCORS	7 days	This cookie is managed by Amazon Web Services and is used for load balancing.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
elementor	never	This cookie is used by the website's WordPress theme. It allows the website owner to implement or change the website's content in real-time.
ep201	30 minutes	This cookie is set by Wufoo for load balancing, site traffic and preventing site abuse.
JSESSIONID	session	The JSESSIONID cookie is used by New Relic to store a session identifier so that New Relic can monitor session counts for an application.
OptanonConsent	5 months 27 days	OneTrust sets this cookie to store details about the site's cookie category and check whether visitors have given or withdrawn consent from the use of each category.
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
wpEmojiSettingsSupports	session	WordPress sets this cookie when a user interacts with emojis on a WordPress site. It helps determine if the user's browser can display emojis properly.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
lang	session	LinkedIn sets this cookie to remember a user's language setting.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_ga_L91N7MKDFX	2 years	This cookie is installed by Google Analytics.
_gat_gtag_UA_53045244_1	1 minute	Set by Google to distinguish users.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
handl_landing_page	1 month	Understand which page was the first webpage a user visited.
pardot	past	The pardot cookie is set while the visitor is logged in as a Pardot user. The cookie indicates an active session and is not used for tracking.
pi_opt_in1055213	7 days	The cookie is used by SalesForce/Pardot to store privacy preferences.
utm_campaign	past	Google Ad Services sets this cookie to store session campaign value if present.
utm_content	past	This cookie is used for storing the session content value if present.
utm_source	past	This cookie is used to record from where the visitor came to the website orginally. This information is used by the website operator to know the efficiency of their marketing.
utm_term	past	This cookie is used to record from where the visitor came to the website orginally. This information is used by the website operator to know the efficiency of their marketing.
visitor_id*	past	Pardot sets this cookie to store a unique user ID.
visitor_id*-hash	past	Pardot sets this cookie to store a unique user ID.
vuid	2 years	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos to the website.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
li_sugr	3 months	LinkedIn sets this cookie to collect user behaviour data to optimise the website and make advertisements on the website more relevant.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
utm_medium	past	This cookie is used to record from where the visitor came to the website orginally. This information is used by the website operator to know the efficiency of their marketing.
VISITOR_INFO1_LIVE	6 months	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
VISITOR_PRIVACY_METADATA	6 months	YouTube sets this cookie to store the user's cookie consent state for the current domain.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.

Cookie	Duration	Description
__wpdm_client	session	Description is currently not available.
_cfuvid	session	Description is currently not available.
_splunk_rum_sid	15 minutes	No description
AnalyticsSyncHistory	1 month	No description
AWSALBTG	7 days	No description available.
AWSALBTGCORS	7 days	No description available.
email	past	No description available.
experiments-fingerprint	6 months	No description
experiments-raw	6 months	No description
gclid	past	Used by Google to track conversions,
handl_ip	1 month	No description available.
handl_original_ref	1 month	No description available.
handl_ref	1 month	No description available.
handl_url	1 month	No description available.
li_gc	5 months 27 days	No description
TESTCOOKIESENABLED	1 minute	Description is currently not available.
username	past	No description available.

How 3DS2 Grows E-Commerce Sales and Combats Fraud