3D SECURE 2.0: WHO S GOT IT? WHO GETS IT? An Outlook on Merchant Adoption BUSINESS-DRIVEN SECURITY SOLUTIONS
3D SECURE AUTHENTICATION 2.0: MERCHANTS WHO GOT IT ARE GETTING IT Online merchants whose experience with 3D Secure (3DS) tells them the protocol can deliver both fraud protection and a positive customer experience are eager to adopt version 2.0. Those who are concerned it may not offer what they need aren t so quick to get on board. That s the takeaway from the following findings of a 2017 survey of merchants conducted by Hanover Research and sponsored by RSA. Current 3D Secure Merchants Non-Users 2
3D SECURE AUTHENTICATION 2.0 SURVEY 1 USAGE AND ADOPTION 2 CUSTOMER EXPERIENCE 3 FRAUD REDUCTION of current 3DS merchants 70% of current 3DS report positive merchants plan to 87% experiences with the adopt 3DS 2.0 customer experience 82% of 3DS merchants report positively on fraud reduction of non-users report 15% of non-users plan concerns about the effect 55% to adopt 3DS 2.0 of 3DS on the customer 27% experience report fraud is a relatively small issue for their businesses All data in this e-book is from the survey conducted by Hanover Research and sponsored by RSA (unless otherwise noted). 3
WHERE DO CUSTOMER EXPERIENCE CONCERNS COME FROM? While 87% of current 3DS merchants in the survey report positively on the customer experience, more than half of non-users report concerns about the impact of 3DS on the customer experience. What gives? It s not so puzzling when you consider the original 3DS protocol wasn t always focused on delivering a great customer experience across e-commerce platforms. After all, it dates back to the early 2000s years before mobile devices, digital wallets and in-app purchases put the customer experience at the forefront. CONCERNS WITH USING 3D SECURE AMONG NON-USERS 55% 3D Secure 2.0 Top Concerns Among Non-3DS Merchants 27% Fraud is not big enough issue for our business to realize the benefits Given its history and origins, merchants who haven t adopted the protocol aren t necessarily wrong to be concerned about what kind 6% 12% of experience 3DS 2.0 will deliver across e-commerce platforms today. Merchants who are already current users have a little more faith. Seventy percent are currently Potential impact on customer experience Other Fear of shopping cart abandonment and/or abandoned transactions planning to adopt 3DS 2.0. The biggest concern among 3DS non-users is the potential impact on customer experience. 4
FEAR OF CYBER FRAUD: TOP 5 CONCERNS Of course, a good user experience is critical in e-commerce, especially when so many consumers are shopping on their mobile devices. But e-commerce merchants are also concerned about security and for good reason. Fraud is a costly proposition for online merchants, in terms of both the monetary costs from lost sales, chargebacks and potential fines for loss of personal data, and the risk of reputational damage. $660,000 Global Losses from E-commerce Fraud Every Hour Source: RSA Mind Blowing Cost of Cybercrime Every 60 Minutes CURRENT CONCERNS IN CYBER FRAUD 72% 65% 61% 59% 58% Loss of customer personal or account data Advanced malware New account fraud Card-not-present fraud Account takeover Merchants surveyed also expected the first two threats to be of more concern over the next three years than the rest of the threats on the list. 5
FIGHTING FRAUD WITH RISK-BASED AUTHENTICATION The 3D Secure 2.0 protocol is designed with risk-based authentication as a central mechanism for stopping fraud and improving the customer experience. But does it work? Data from RSA Adaptive Authentication for ecommerce, a risk-based authentication solution for issuers that supports 3DS, makes a strong case for this approach being at the heart of 3DS 2.0. The following chart illustrates a two-year period of steady growth in the percentage of attempted fraud detected by the solution, along with a consistently low intervention rate (averaging 5%). FRAUD DETECTION RATE Ongoing Investment In Model Improvement Pays Off 15H2 16H1 16H2 17H1 100% 90% 80% 70% 60% 50% 59% 67% 70% 70% 83% 92% 92% 91% 91% 95% 96% 97% 97% 99% 99% 99% 97% DETECTION 40% 30% 20% 5% 10% 0% 1% 3% 5% 7% Intervention Rate The RSA Risk Engine offers 97% fraud detection rates by intervening with only 5% of customers. INTERVENTION 6
FIGHTING FRAUD WITH RISK-BASED AUTHENTICATION But Back to the Customer Experience It is often a top question among both merchants and issuers: How many good customers do I have to interrupt to stop one incident of fraud? RSA boasts very low genuine to fraud ratios with just 2.4 genuine transactions singled out for every fraud attempt blocked, compared with industry ratios that often fall within the range of 10-20 interventions for every fraud blocked. $1.8 million Average savings per month in e-commerce fraud losses for an issuer using 3D Secure risk-based authentication Source: Global average among current RSA Adaptive Authentication for ecommerce customers 7
WHAT TO LOOK FOR IN A 3DS SOLUTION: 5 KEY QUESTIONS TO ASK AUTHENTICATION PROVIDERS 3 Fraud Detection: How advanced are their capabilities? Convenience: Can they simplify the consumer experience? 2 4 Mobile: Do they make mobile a priority? Choice: Do they offer consumers a variety of payment authentication choices? 1 5 Regulatory: How well do they comply? 8
THE BENEFITS OF 3D SECURE 2.0: SOMETHING FOR EVERYONE 3DS 2.0 benefits both card issuers and merchants in a variety of ways. Issuers continue to benefit from the positive customer experience and fraud prevention they ve already seen, along with improvements that include: Better fraud prevention as a result of richer data being available to assess transaction risk Expansion of customer base with the adoption of popular mobile services Single view of the customer, which can also support delivery of personalized offerings Compliance support with attention to regulatory requirements (e.g., PSD2 Strong Customer Authentication requirements) Merchants continue to see a liability shift for transactions that go through the 3DS process, as well as lower interchange fees and higher authorization rates from issuers. Improvements with 3DS 2.0 include: The ability to customize the look and feel of the customer experience Streamlined requirements for customers with no enrollment or passwords needed Less risk of cart abandonment due to reduced friction during authentication Improved customer experience and greater customer loyalty resulting from a consistent authentication experience across browser-based and mobile shopping environments 9
RSA 3D SECURE 2.0 SOLUTIONS FOR ISSUERS As an ACS provider for the 3DS 1.0.2 protocol, RSA Adaptive Authentication for ecommerce has already been delivering on many of the benefits of the 3D Secure 2.0 specification for nearly a decade. For example, the risk-based approach from RSA eliminates cardholder enrollment, static passwords and the 100% challenge rate to provide a largely frictionless experience. It supports biometrics, transaction signing and out-of-band authentication with SMS and push OTP, among other authentication methods. It works across web and mobile channels, bringing together information about behaviors, devices and known fraud to minimize losses from high-risk transactions. The RSA Risk Engine is at the heart of the service and analyzes more than 100 fraud indicators to assess transaction risk. Its risk scores are also informed by the RSA efraudnetwork TM, a repository of confirmed fraud data gleaned from the RSA research lab, ISPs, third-party contributors across the globe and the network of RSA customers. Because of the accuracy of the RSA Risk Engine, users of the service are seeing excellent results. In 2017, RSA Adaptive Authentication for ecommerce achieved the following: FRAUD DETECTION A 97% detection rate at a 5% intervention rate (the average intervention rate across the existing customer base) AVERAGE FRAUD RATE 0.035% (3.5 basis points), or just $3.55 loss for every $10,000 in genuine orders approved AVERAGE INTERVENTION RATIO (GENUINE:FRAUD) Just 2.4 genuine transactions singled out for every fraud attempt blocked, compared with industry ratios that often fall within the range of 10-20 interventions for every fraud blocked. 10
ABOUT RSA RSA, a Dell Technologies business, offers business-driven security solutions that uniquely link business context with security incidents to help organizations manage risk and protect what matters most. RSA solutions are designed to effectively detect and respond to advanced attacks; manage user identities and access; and reduce business risk, fraud and cybercrime. RSA protects millions of users around the world and helps more than 90% of the Fortune 500 companies thrive in an uncertain, high-risk world. For more information, visit rsa.com. 2018 Dell Inc. or its subsidiaries. All rights reserved. RSA and the RSA logo, are registered trademarks or trademarks of Dell Inc. or its subsidiaries in the United States and other countries. All other trademarks are the property of their respective owners. RSA believes the information in this document is accurate. The information is subject to change without notice. 02/18, Ebook, H16983 11