[Dave Birch] The 3D Secure (3DS) schemes — Visa’s Verified by Visa and MasterCard’s SecureCode — have come in for a lot of criticism (from, eg, me) and it’s been getting worse recently. Card-not-present (CNP) fraud continues to climb

According to the latest statistics from banking association APACS late last month, more than 25 million UK-issued credit and debit cards are registered with either Verified by Visa or MasterCard SecureCode,

[From Merchants and punters cry foul over Verified by Visa • The Register]

I have to say that, personally, I’ve never bothered to register either of my credit cards, but plenty of people have. Here’s the issue, from my perspective as a rational consumer. I’m protected from fraud by my credit card issuer, so I have no incentive to use 3DS of any kind. Any 3DS means more hassle for me for no return. The people who do benefit from 3DS — merchants, since merchants are protected against fraud by offering me 3DS even if I don’t use it — don’t insist on it and, crucially in my opinion, don’t incentivise me to use it. If I got air miles for using 3DS, I’d use it.

MasterCard have put forward an interesting interim solution which responds to the dynamics of real-world card use and fraud. Basically, the idea is that if you use your debit card at a merchant and use SecureCode to authenticate yourself, then the next time you use it you don’t have to do the authentication again.

The Maestro Advance Registration Program™ enables select online merchants to accept Maestro cards for e-commerce transactions by using SecureCode™ to enroll the customer during the first transaction. Subsequent purchases the same customer makes at the merchant web site using the same Maestro account can now be processed without MasterCard SecureCode authentication, making repeat buying both convenient and fast.

[From MasterCard Unlocks Maestro Debit Card Acceptance on the Internet with Maestro Advance Registration Program | MasterCard®]

This seems like a sensible compromise between nothing and insisting on authentication for every transactions and will help to protect cardholders and merchants, but it won’t by itself make much of a dent in the CNP figures. As long as it’s not compulsory, then the fraudsters will continue to use stolen card details online with impunity. And once it does become compulsory, then the criminals will phish for the 3D secure passwords, and the problem will continue to get worse. We have to get hardware into the loop…

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

4 comments

  1. Well, I’m not a refusnik, just lazy. Both Visa and MasterCard are working to make 3DS a better experience and both are making progress. As for the Visa PIN card, I will blog that today.

  2. Increasingly, you have to register a 3DS password with the issuer whether you like it or not. Many issuers will ask you to register each time you try to pay. If you skip registration three times, then you can’t use the card for CNP! Sensible? No – I just bin the card and start using the next credit card in my wallet. But then I have a few.

Leave a Reply


Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.
%d bloggers like this: