JOHANNESBURG | Due to the increase in Card Not Present (CNP) fraud in South Africa, the Payment Association of South Africa (PASA) mandates the implementation of 3D Secure for all South-African e-commerce merchants. The deadline for this implementation has been set at 28 February 2014. E-commerce merchants that do not implement 3D Secure could face increased chargebacks on non-authenticated transactions.
About 3D Secure
3D Secure is the collective term used for various authentication services, as supported by the card schemes (e.g. MasterCard, Visa, Amex), which should prevent unauthorised usage of credit cards for online purchases. Probably well-know to the online payment industry and online merchants are the 3D Secure 'products' by MasterCard and Visa, respectively MasterCard SecureCode and Verified by Visa. Safekey (American Express), J-Secure (JCB) and ProtectBuy (Discover/Diners) are the ones less known.
3D Secure checkout process
Upon checkout and after entering their card credentials like card number, expiry date and their 3 digit security code (CVC2, CVV2), online shoppers receive an (in-frame) pop-up requesting them to enter their personal passcode (which could be a static code known by heart, or a dynamic one-time code generated by a device issued by their bank). Only the legitimate cardholder is supposed to generate that unique security code. The code is verified in real-time with the bank of the cardholder and based upon the verification result, the bank approves or declines the transaction (note that they could still decline the transaction for reasons like 'not enough limit' or ' exceeding the permitted amount').
PASA looks after 3D Secure implementation
According to PASA, they have a mandate to “organise, manage and regulate the South African National Payment Systems (NPS), and therefore PASA has the responsibility to ensure the safety and efficiency of the NPS.” Therefore PASA has clearly instructed the South-African banks to follow the right processes to ensure cardholders can transact in a 3D secure manner. First of all, all banks need to activate and register their cards for 3D secure usage with the applicable card schemes. Secondly, and probably the most difficult part, banks need to ensure their cardholders are informed, know how they can activate their card for 3D Secure usage and what to expect when shopping online at a 3D Secure merchant.
3D Secure enrolment process is key success factor
Banks can either choose to pre-enroll cardholders for 3D Secure (cardholders would only need to pick their security code or receive a token to generate a unique code) or choose for what is called 'activation during shopping'. This means the cardholder is immediately requested to activate their card for 3D Secure usage as they perform their first transaction at a 3D Secure enabled merchant. From past experiences, the latter enrolment process is assumed to lower conversion rates due to the fact that shoppers might be reluctant to enter sensitive personal details in an 'unexpected' new screen or in-frame pop-up. Especially when they are not properly informed by their issuing bank what to expect when transacting online with their pre-activated 3D Secure card.
3D Secure implementation for online merchants
Only if merchants have implemented 3D Secure in their payment checkout, they can challenge their online shoppers to authenticate using their 3D Secure passcode. Only then there could be the so-called 'liability shift'. This liability shift means that in case of fraud the merchant is not financially liable and the issuing bank needs to absorb the losses. In most instances, whether the consumer purchased with or without a 3D Secure passcode, the merchant receives protection for fraud related chargebacks and payment guarantee. 3D Secure technology is often supported by the Payment Service Provider or Payment Gateway that routes and processes transactions on behalf of the merchant.
3D-secure for Transactions via Mobile Devices and in-App get another 6 months
With regards to mobile transactions, PASA has extended the deadline by 6 months for e-commerce transactions that are concluded on a mobi site or native application, due to the broad and more complex nature of the mobile environment.
Excerpts taken from PaymentsAfrika, February 14, 2014