According to the latest statistics from banking association APACS late last month, more than 25 million UK-issued credit and debit cards are registered with either Verified by Visa or MasterCard SecureCode, [From Merchants and punters cry foul over Verified by Visa • The Register]
I have to say that, personally, I’ve never bothered to register either of my credit cards, but plenty of people have. Here’s the issue, from my perspective as a rational consumer. I’m protected from fraud by my credit card issuer, so I have no incentive to use 3DS of any kind. Any 3DS means more hassle for me for no return. The people who do benefit from 3DS — merchants, since merchants are protected against fraud by offering me 3DS even if I don’t use it — don’t insist on it and, crucially in my opinion, don’t incentivise me to use it. If I got air miles for using 3DS, I’d use it.
MasterCard have put forward an interesting interim solution which responds to the dynamics of real-world card use and fraud. Basically, the idea is that if you use your debit card at a merchant and use SecureCode to authenticate yourself, then the next time you use it you don’t have to do the authentication again.
The Maestro Advance Registration Program™ enables select online merchants to accept Maestro cards for e-commerce transactions by using SecureCode™ to enroll the customer during the first transaction. Subsequent purchases the same customer makes at the merchant web site using the same Maestro account can now be processed without MasterCard SecureCode authentication, making repeat buying both convenient and fast. [From MasterCard Unlocks Maestro Debit Card Acceptance on the Internet with Maestro Advance Registration Program | MasterCard®]
This seems like a sensible compromise between nothing and insisting on authentication for every transaction, and it will help to protect cardholders and merchants, but it won’t by itself make much of a dent in the CNP figures. As long as it’s not compulsory, the fraudsters will continue to use stolen card details online with impunity. And once it does become compulsory, the criminals will phish for the 3D Secure passwords, and the problem will continue to get worse. We have to get hardware into the loop…
These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public.