RSA Adaptive Authentication for eCommerce
3D Secure Authentication
Overview:
Prevent payment fraud and accelerate digital commerce with a fraud detection and risk-based authentication solution that supports the 3D Secure 2.0 protocol. RSA Adaptive Authentication for eCommerce:
- Detects up to 97 percent of fraudulent transactions
- Generates average monthly fraud savings of nearly $2 million
- Provides a seamless, secure payments experience for consumers
RSA Minimizes Fraud Losses
RSA Adaptive Authentication for eCommerce customers incur, on average, just $3.55 worth of fraud losses for every $10,000 they earn in legitimate transactions.
Features:
Invisible, Effective Authentication
Authenticates the vast majority of cardholder transactions silently, eliminating the 100 percent challenge rates, static passwords and cumbersome cardholder enrollment processes associated with earlier versions of the 3D Secure protocol.
Risk Engine
Analyzes more than 100 risk indicators including user behavior, device type and intelligence from the RSA eFraudNetwork to identify fraudulent transactions with a high degree of accuracy.
Global Fraud Network
Leverages the RSA eFraudNetwork, the industry’s first and largest international, cross-institutional and cross-platform network of confirmed fraud, to identify indicators linked to known and attempted fraud schemes across more than 150 countries.
Policy Manager
Allows credit card issuers to establish policies governing when step-up authentication is required for transactions based on the card issuer’s risk tolerance.
Analytics Applications
Provides card issuers with full visibility into their 3D Secure transaction data, including daily and monthly monitoring metrics, fraud detection rates and rule performance data.
Modern Authentication Methods
Supports a range of step-up authentication methods including biometrics, SMS, one-time passwords and more.
Benefits:
- Supports a secure, frictionless digital shopping experience for consumers by leveraging the 3D Secure 2.0 protocol.
- Provides an integrated solution for fraud detection and risk-based authentication to credit card issuers seeking to offer additional cardholder protection.
- Promotes secure transactions with fraud detection rates up to 97 percent, low customer intervention rates and a "genuine-to-fraud" ratio of two to one (i.e., only two legitimate transactions are challenged for every fraudulent transaction identified).
- Mitigates the risk of card issuers incurring chargeback losses from card-not-present fraud.
Solutions:
3D Secure 2.0 - Designed for Today's and Tomorrow's eCommerce Environment
EMVCo, the worldwide standards organization that develops technical specifications for payment technologies, released the 3D Secure 2.0 anti-fraud protocol in October 2016. The 2.0 protocol is a new specification designed to better support today’s ecommerce environment, with authentication of in-app payment transactions and digital wallet integration. Unlike the current 1.0.2 protocol, which is limited to browser-based ecommerce sites, the new protocol is designed in a flexible way that will easily support enhancements and extensions as the technology industry and the boundaries of the ecommerce environment expand.
As an EMVCo Technical Associate, RSA was privileged to contribute to the development of the specifications and looks forward to supporting the protocol once the card networks finalize their 3D Secure 2.0 commercial programs.
What's new in 3D Secure 2.0
The 3D Secure 2.0 protocol promotes a frictionless shopping experience for cardholders by leveraging risk-based authentication technologies. RSA is an industry leader in risk-based authentication and introduced a risk-based 3D Secure solution in 2008. Since that time, risk-based authentication within the 3D Secure ecosystem has been almost universally embraced.
To more fully support a risk-based approach, 3DS 2.0 will include new transactional attributes that will enhance the ability to distinguish genuine site users from fraudulent ones. New transactional attributes are expected to include key addresses (shipping, billing, home, email), merchant category codes, merchant risk probability, and many others.
The 2.0 protocol will also expand its scope from the current browser-based environment of 3DS 1.0.2 to a much wider set of devices, with specific attention to mobile applications. The protocol also addresses authentication needs of IoT devices such as smart watches, smart TVs, and gaming consoles. Expanding the scope beyond the Web is imperative in today’s increasingly mobile transaction environment, and aligns with RSA’s multi-channel approach to fraud prevention.
Finally, EMVCo seeks to provide a smooth and intuitive user experience for those transactions still requiring active authentication by integrating it into the consumer shopping experience, and giving merchants complete control over the look and feel of the interaction. 3D Secure 2.0 will support various dynamic user interfaces, tailored to the consumer device and channel being used. Balancing cardholder convenience with strong fraud protection is critical to growing adoption by merchants and is a foundational concept for RSA’s fraud prevention solutions. The protocol also supports non-transaction activities, such as authenticating a consumer when they add another payment option to an e-wallet.
3D Secure 2.0 and RSA Adaptive Authentication for eCommerce
If you are an existing RSA Adaptive Authentication for eCommerce customer, we do not anticipate that you will be required to actively manage the transition. Adaptive Authentication for eCommerce is a hosted solution, and we plan to roll out a 3D Secure 2.0-compliant solution in the same manner that we roll out all upgrades. However, customers may wish to deploy a custom user interface for non-browser-based transactions (e.g., mobile applications), which would require some customization.
Our expectation is that we will be authenticating both 3D Secure 1.0.2 and 2.0 transactions until the card networks declare end-of-life support for the 1.0.2 protocol.
As noted above, the 2.0 protocol is risk-based and designed to eliminate the onerous 100% “challenge all” approach with the static password that exists in the original protocol. The direction of the industry, as reflected in the new protocol, is toward smart and dynamic authentication methods that do not add friction to the consumer experience, and away from static methods that are more easily compromised.
Adaptive Authentication for eCommerce is a risk-based deployment of the 1.0.2 protocol and offers the frictionless cardholder experience that the new protocol is designed to facilitate. Therefore, the experience of cardholders enrolled by their issuers in Adaptive Authentication for eCommerce will be very similar for both 1.0.2 and 2.0 transactions.
As a global leader of card issuer protection for 3DS transactions and an innovator in the space, RSA will support the 2.0 protocol in our Adaptive Authentication for eCommerce solution. Once the card schemes release the details of their commercial 3D Secure 2.0 programs, we will have a better sense of when we can begin offering parallel support for 3D Secure 1.0.2 and 2.0 transactions.
Regardless of when these programs are released, RSA is committed to ensuring that our customers are fully aware of and prepared for the changes. RSA will continue to innovate around the 3D Secure ecosystem to ensure that issuers are afforded the strongest fraud prevention, while merchants are able to provide cardholders with a convenient online experience. This in turn will benefit issuers, merchants, and cardholders alike.
3D Secure 2.0 for Issuers Currently Not Participating
If you are an issuer and not a current Adaptive Authentication for eCommerce customer, now is an ideal time to leverage RSA’s risk-based authentication for 3D Secure transactions. Adaptive Authentication for eCommerce eliminates the 100% challenge rate, static passwords, and cardholder enrollment to provide a consumer experience more aligned with the goals of the 2.0 protocol. 3D Secure 2.0 was developed to overcome these challenges, to support today’s card-not-present environment including non-browser initiated transactions, such as those coming from mobile applications, and to deliver a smooth cardholder experience for merchants. We anticipate that this will significantly increase merchant participation in 3D Secure.
Increased merchant adoption presents an opportunity for issuers as well as a potential challenge. More 3D Secure transactions mean that more cardholders will be protected, while enjoying a smoother shopping experience, which will increase brand loyalty for participating issuers. On the other hand, issuers who do not participate in the 3D Secure ecosystem could be liable for an increasing number of chargebacks, as more unprotected transactions flow through the ecosystem and shift the liability to non-participating issuers.
Adaptive Authentication for eCommerce - Industry Leading Fraud Prevention with Low Intervention and False Positives
The RSA Risk Engine is at the core of the Adaptive Authentication for eCommerce solution, enabling a vast majority of cardholder transactions to be authenticated silently. The Risk Engine’s high level of accuracy drives a very high fraud detection rate along with a very low false positive rate. The graph below shows the average fraud detection rate over time for Adaptive Authentication for eCommerce - over 92% with low genuine-to-confirmed fraud ratios (i.e., number of genuine transactions challenged for each confirmed fraudulent transaction).
RSA Adaptive Authentication for eCommerce allows issuing banks to provide Verified by Visa (VbV), MasterCard SecureCode, MasterCard IdentityCheck, and American Express SafeKey support without adding friction to their cardholders’ shopping experiences. Using the RSA Risk Engine, Adaptive Authentication for eCommerce transparently evaluates each transaction in real time and determines the probability that the transaction is fraudulent. Only cardholders engaging in transactions determined to be high-risk will be challenged to authenticate. Based on the average threshold set by existing customers, approximately 95% of transactions from participating merchants are unimpeded by the 3D Secure verification process.
In addition, because of the transparent layer of authentication, cardholders are not required to go through a VbV, SecureCode, IdentityCheck, or SafeKey enrollment process (the issuer enrolls entire BIN ranges) or remember a password (a range of step-up authentication methods including OTP and customer-defined methods such as biometrics are available).
3D Secure 2.0 - Risk-Based Authentication Promotes a Positive User Experience
The 3D Secure 2.0 protocol promotes a positive user experience for cardholders by leveraging risk-based authentication technology - an approach pioneered by RSA in 2008. As an EMVCo Technical Associate, we were privileged to contribute to the development of the specifications, and we believe that the new risk-based protocol will increase both fraud prevention and merchant participation rates.
RSA looks forward to enabling the new functionality within our platform, and we will continue to work directly with our customers and EMVCo on initiatives as we move towards a new age of password-free authentication.