Using 3-D Secure Transaction Signing to Drive Down Card Not Present (CNP) Fraud
Although an ever larger share of purchases is made online, the cost of remote purchase fraud, also called card not present (CNP) fraud, has fallen year over year for the past two years: a 4 percent drop from 2019 to 2020 and a 7 percent drop from 2018 to 2019, according to the UK's banking and finance industry body, UK Finance.
This is not to say that CNP fraud is no longer a huge problem; it accounted for 79 percent of UK debit and credit card losses in 2020, dwarfing all other categories. It is also important to note that, measured by number of incidents, CNP fraud increased by 4 percent in 2020. The drop in overall financial loss (in pounds sterling) nevertheless suggests that card issuers are getting better at identifying fraudulent transactions early and stopping the larger purchases.
Most of these scams begin with criminals stealing card numbers, either through third-party data breaches or through phishing emails and texts, and then using the stolen details for online purchases. So how can an issuer confirm that the genuine cardholder initiated a transaction when, as is always the case online, the physical card is not present? Through transaction signing, which simply means that the person making a purchase signs off on that specific transaction, much as they would in person, but with digital tools.
The most common way transactions are validated digitally is via a one-time password (OTP) delivered by SMS or an app. In this article, however, we'll highlight a method that is both user-friendly and strong, and that is gaining traction within the financial industry: 3-D Secure.
3-D Secure: What It Is & How It Works
The name “3DS,” or “Three Domain Secure,” refers to a security protocol designed specifically to prevent fraudulent online transactions made with debit and credit cards, that is, card not present (CNP) transactions. Visa, Mastercard and American Express have used this protocol for years, each under its own commercial name: Visa Secure (formerly Verified by Visa), Mastercard Identity Check (formerly SecureCode) and American Express SafeKey®.
Whatever commercial name it is given, 3DS lets customers and merchants complete a purchase quickly without relying on the card details alone, which are exactly what a thief with a stolen number already has. 3DS opens an in-session verification step in which the cardholder must supply a second authentication factor requested by the card issuer, not by the merchant, turning transaction authorization from a purely institutional request into a step the individual cardholder completes.
As the name suggests, 3DS relies on three separate domains to authenticate the cardholder: the merchant/acquirer domain, the issuer domain and the interoperability domain (the card network that connects the other two). By tying these three systems together, 3DS makes a genuine approval very difficult for an attacker to replicate. Because each domain handles only its own part of the exchange, sensitive information stays compartmentalized, and no single party an attacker might compromise holds everything needed to complete a fraudulent transaction.
3DS has evolved alongside the threats it is designed to counter. When originally introduced, the 3DS user experience was considered poor; today, user experience is one of its major benefits. Security has always been paramount with 3DS, but the combination of high security and high usability explains why it is mentioned specifically in the EU's official guidance on compliance with the Strong Customer Authentication (SCA) requirements of the Revised Payment Services Directive (PSD2).
3-D Secure Transaction Signing with HID® Approve™
HID Approve is a multi-factor authentication solution that lets users sign a transaction in seconds with a simple swipe or by entering a secure code. Beyond its value as a 3DS solution, it provides authentication and transaction signing throughout the customer journey.
With built-in protection for eWallets and mobile payments, it validates transactions either through a push notification approved with a public/private key signature, or through an OTP secure code that works offline. HID Approve also lets institutions use the device's native biometrics (e.g. facial recognition or fingerprint) to approve transactions.
HID Approve can be deployed either as a highly customizable off-the-shelf mobile application or fully integrated into an existing app via its software development kit (SDK), allowing organizations to meet the most stringent global security regulations while providing a seamless user experience.
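To make the two validation modes above concrete, here is an added example in Go using only the standard library. It is not HID's code, and HID Approve's actual message formats and algorithms are not described on this page. It assumes an Ed25519 key pair generated on the device at enrolment for push mode, an HMAC-SHA256 shared secret for the offline secure code, and a canonical transaction format (the field names and layout are this example's own choice). It shows the point of transaction signing made earlier in the article: the approval is bound to the amount, merchant, currency and a per-challenge nonce, so an approval that is altered in transit, or replayed for a different purchase, fails verification.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Transaction holds the details the cardholder sees on screen and approves.
// Field names and the canonical format below are assumptions for this example.
type Transaction struct {
	Merchant string
	Amount   string // minor units (e.g. "4999" = GBP 49.99) as text, no float rounding
	Currency string
	Nonce    string // issuer-chosen per-challenge value; stops replay of an old approval
}

// canonical returns the exact bytes that get signed. Changing any field,
// including the nonce, changes these bytes and therefore breaks the signature.
func (t Transaction) canonical() []byte {
	return []byte(fmt.Sprintf("merchant=%s\namount=%s\ncurrency=%s\nnonce=%s\n",
		t.Merchant, t.Amount, t.Currency, t.Nonce))
}

// NewNonce models what the issuer side would generate for each challenge.
func NewNonce() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// SignApproval runs on the enrolled device (push mode): the app holds the
// private key and signs exactly what the user approved on screen.
func SignApproval(priv ed25519.PrivateKey, t Transaction) []byte {
	return ed25519.Sign(priv, t.canonical())
}

// VerifyApproval runs on the issuer side (push mode). It checks the signature
// against the public key registered at enrolment and against the transaction
// the issuer itself holds, never against details echoed back by the client.
func VerifyApproval(pub ed25519.PublicKey, t Transaction, sig []byte) bool {
	return ed25519.Verify(pub, t.canonical(), sig)
}

// OfflineCode models the OTP "secure code" mode: a 6-digit code derived from a
// secret shared at enrolment and the transaction details, so the code is bound
// to this transaction rather than being a plain time-based OTP. The truncation
// follows HOTP dynamic truncation (RFC 4226 section 5.3) applied to HMAC-SHA256.
func OfflineCode(secret []byte, t Transaction) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(t.canonical())
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	v := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", v%1000000)
}

// VerifyOfflineCode recomputes the code issuer-side and compares in constant time.
func VerifyOfflineCode(secret []byte, t Transaction, code string) bool {
	return hmac.Equal([]byte(OfflineCode(secret, t)), []byte(code))
}

func main() {
	// Enrolment: key pair generated on the device, public key registered with the issuer.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	nonce, err := NewNonce()
	if err != nil {
		panic(err)
	}
	// Constructed sample purchase; not real data.
	tx := Transaction{Merchant: "Example Shop Ltd", Amount: "4999", Currency: "GBP", Nonce: nonce}

	sig := SignApproval(priv, tx)
	fmt.Println("genuine approval verifies:", VerifyApproval(pub, tx, sig))

	// An attacker who intercepts the approval and raises the amount gains nothing:
	// the issuer verifies against its own copy of the transaction.
	tampered := tx
	tampered.Amount = "499900"
	fmt.Println("tampered amount verifies:", VerifyApproval(pub, tampered, sig))

	// Replaying the old signature against a new challenge fails on the nonce.
	replay := tx
	replay.Nonce, _ = NewNonce()
	fmt.Println("replayed approval verifies:", VerifyApproval(pub, replay, sig))

	// Offline mode with a constructed shared secret.
	secret := []byte("constructed-enrolment-secret")
	code := OfflineCode(secret, tx)
	fmt.Println("offline code for this transaction:", code,
		"verifies:", VerifyOfflineCode(secret, tx, code))
}
```

Run it with `go run`. The design point worth noticing is that the issuer never trusts the transaction details that come back with the approval; it verifies the signature or code against the record it already holds for that challenge. That is what turns a stolen card number into something that cannot, on its own, produce a valid approval.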
Caleb Wattles is a Senior Product Manager within the Identity and Access Management Solutions business area at HID Global. With 20 years of experience in IT Security and over 10 years in product management, he feels most in his element when solving customer problems, in particular those exploring the edge of better security and better user experience. Prior to HID, Caleb was with ActivIDentity, a company that was acquired by HID Global in 2010.