It’s no secret, many online merchants were reluctant to enroll with the original 3D Secure (3DS) 1.0 protocol due to unnecessary friction and the risk of card issuers/Access Control Servers (ACS) turning down legitimate transactions (false positives). Though merchants and card issuers share the same basic interest of allowing legitimate transactions with as little friction as possible while blocking fraudulent transactions, there is a gap of information which can potentially cause a merchant and a card issuer to reach conflicting decisions regarding the same transaction.
Take for example Alice and Bob. Alice likes taking care of her beloved dog, Charlie, and Bob likes running his pet store. Alice purchases Charlie’s food (the good kind!) from Bob’s store website once a month. She always buys the same brand, same size bag, delivered to the same address and pays with the same card. Bob knows Alice’s orderand Alice’s card issuer, Great Bank, is happy to accept the charge. For months Alice, Bob and Great Bank enjoy trouble-free transactions while Charlie enjoys top-quality chow.
One day Alice gets an offer she can’t refuse and applies for a new card from Greater Bank. When Charlie’s food runs out, she logs on to Bob’s website to order a new bag, this time using her new, shiny card. But to her dismay, the transaction is declined! The next morning she calls Greater Bank, establishes that it was really her who tried making the purchase and then proceeds to try again. This time, successfully (to (Read more...)
*** This is a Security Bloggers Network syndicated blog from RSA Blog authored by Rei Maoz. Read the original post at: http://www.rsa.com/en-us/blog/2018-04/3-d-secure-2-what-the-protocol-means-for-merchants.html