Security in the third dimension

Abandoned shopping carts litter the internet, their wheels spinning in the air. That could be the result of a dramatic change in the online shopping experience, foisted on e-retailers by credit card companies. Over the next year, shoppers will be asked by each site they use to confirm their identity to their card issuer (credit and debit) before an online transaction is confirmed. This could scare off shoppers who have for years been warned to look out for phishing attacks.

The 3D Secure authentication process is already in use in the US. It’s branded as ‘Verified by Visa’ and ‘MasterCard SecureCode’ by the two major card operators. It adds an additional level of security by requiring customers to have not just possession of a credit or debit card, but to also have a password to authorise its use.

3D Secure inserts a new step between the customer confirming the order and the card issuer authorising the payment. Customers are taken out of the website’s transaction funnel so they can prove their identity to the card issuer, on its own website. The first time, this involves revealing personal information. For later transactions, entering the password set up first time will be enough.

Banks have so far done little to promote this, so it will come as a nasty surprise to customers as it is introduced at UK retailers. After training customers to ignore unexpected requests for personal information, banks will now butt in during the shopping process and expect customers to do the opposite.

As it stands, retailers will have little control over the process, which will break the branded experience customers have on their websites.

There are steps that businesses can take to limit the damage, though. First, they should co-brand the verification pages where possible to reassure customers that the authentication request is part of the process they’ve requested. They should also warn customers that this change is coming, so that they do not dismiss it as a phishing attempt when confronted with the authentication request. Using the ‘MasterCard SecureCode’ and ‘Verified by Visa’ branding will help to familiarise customers with the process in advance.

If the first contact customers have with 3D Secure is during order confirmation, we would expect many to abandon the sale. But by educating customers in advance, retailers can ensure that there are no nasty surprises.