A Credit Union’s Guide to 3D Secure 2.0

Unlike a rose, 3D Secure by any other name might not smell as sweet.

Verified by VISA (VBV), Mastercard SecureCode, American Express SafeKey, Discover ProtectBuy, Secure Online Transactions (SOT), EMV 3-D Secure, and Mastercard Identity Check are just a few of the monikers this security protocol has worn since its inception in 1999.

The protocol first came into being before in-app purchases grew into a $37 billion channel, before devices like Amazon Alexa learned to do consumers’ shopping before them, before mobile commerce existed at all. Heck, 1999 – that’s even before the smartphone itself. 20 years later, it’s only natural that a new and improved protocol would be needed.

Enter 3D Secure 2.0.

This, according to PSCU Senior Fraud Product Manager David Ver Eecke, will finally empower credit unions and other issuers to strike the balance between security and convenience – a Holy Grail among any and all in the payments space. With 3D Secure 2.0 on their side, Ver Eecke says credit unions now have a fresh opportunity to make their way to the top of customers’ wallets – and stay there.

What is 3D Secure?

One of the biggest misconceptions about the original 3D Secure (and its many monikers) is that it covers all types of eCommerce transactions. But, being conceived before mobile and voice transactions, how could it? That’s why 3D Secure 2.0 was (and is) so needed today.

At its most basic level, 3D Secure stands for “Three Domain Secure,” which refers to the three parties involved in any secure payment: the issuer, the acquirer, and the network processing the transaction. Visa was the first to develop and introduce the standards. Later, other major global networks also adopted them to support effective security and authentication in the growing eCommerce space.

3D Secure 1.0 relied on features like static passwords, pop-up boxes, and user registration to verify and authenticate cardholders. However, this created barriers for legitimate customers, leading to frustration and cart abandonment. Credit unions and banks ramped up their fraud strategies, but this led to higher rates of false declines, which only added to customer frustration.

It also didn’t stop the fraudsters. Sometimes, these criminals even had enough information (and patience) to impersonate a member and complete the 3D Secure registration – which is more than we can say about many of the members themselves.

What makes 2.0 different?

3D Secure 2.0 does away with these onerous user requirements. Say goodbye to pop-ups and hello to Risk Based Authentication. Static security keys are being swapped out for one-time passwords (OTPs). And no longer will legitimate customers bear the burden of registering their card with Visa or MasterCard to receive the benefits of the security protocol.

Another key difference with the new version is the amount of data behind each decision. 3D Secure 2.0 pulls information like IP address, shipping address, device information, and more info about customers themselves, allowing issuers to improve risk scores and make better authentication decisions.

This, in turn, reduces transaction friction for valid members. A friction-free member is a happy member, and in today’s market, a happy member is more than half the battle.

As 3D Secure 2.0 continues adding features, the user experience will no doubt become even more seamless and secure, driving top-of-wallet status for credit unions and issuers who choose to participate. The real question is: Why wouldn’t they?

Key takeaways for credit unions

According to Ver Eecke, there are two important takeaways that credit unions can glean from the 3D Secure 2.0 conversation. Here’s his advice – and it’s a simple one-two hit:

Make sure your credit union is participating in the 3D Secure solution. With the growth of digital commerce has come growth in digital fraud, and as EMV matures in the U.S., the market follows the same path as other global markets that went there first. Fraud has largely shifted to CNP, driving increased losses for merchants. On the flip side, customers are not so quick to abandon their carts now that the 3D Secure registration requirements are gone, so merchants are more willing and eager to send transactions via 3D Secure.
Focus on the member experience. It is important to mitigate fraud losses, yes, but don’t neglect your credit union’s brand reputation. It may be tempting to crank up fraud strategies to deal with CNP fraud, but this can make the problem worse instead of better by increasing false decline rates – and with them, customer frustration. Today’s consumers and members expect seamless experiences everywhere they go. If the card issued by their local credit union doesn’t work in CNP settings, or leaves them vulnerable in some way, it will not take long for another card to replace it as the top-of-wallet choice.

Credit unions aren’t bank issuers. Bank issuers deal with cardholders; credit union people deal with members. There’s a much closer and more personal relationship, and it’s one that Ver Eecke believes can be enhanced and strengthened by the adoption of 3D Secure 2.0. The new protocol lets credit unions offer seamless security – the best of both worlds – the payments Holy Grail.

Other considerations

Not convinced yet? Ver Eecke noted a few other reasons it’s worth getting into the 3D Secure game now that 2.0 has arrived.

Making up for increased dark web vulnerability: Not all stolen card credentials can be bought or sold on the dark web for the same price. There’s always a premium for, say, the American Express Black Card – but did you know that the pricing also varies at the other end of the spectrum? Because credit unions are smaller banks, fraudsters may assume they don’t have the same protective tools in place. This makes them (and their members) more vulnerable.
Increasing agility to respond to new fraud threats: It’s always a catch-22 making things easier for cardholders because it also tends to create new opportunities for bad guys to poke holes in the system. But the smaller size of credit unions makes them more agile and able to respond to evolving attacks. Keeping the fundamentals covered with 3D Secure 2.0 allows institutions to focus on countering those new attacks rather than plugging holes in a sinking ship.
Empowering members: Without 3D Secure 2.0 in place, credit union members who experience a false decline must call the credit union to resolve the issue. With it, they become empowered to self-resolve that problem. This excellent customer experience can contribute to helping credit unions stay competitive.
Satisfying new requirements: While 3D Secure 2.0 is not required in the European Union, there is a lot of pressure to adopt it because it helps financial institutions meet many of the new rules and regulations around security and data protection. It does this by tokenizing transactions all the way through the channel. There’s even less pressure to adopt outside of the EU – but that doesn’t mean it’s a bad idea to follow their lead today instead of playing catch-up tomorrow.

In conclusion, said Ver Eecke, “I’m excited for 3D secure 2.0 because it’s really going to help improve the checkout experience for members, but will also help protect our credit unions in ways that we can’t with the current protocol.”

Subscribe to our podcast via: