
9 secrets of online payments. Part 1: Configuring 3-D Secure

The Russian e-commerce market is living through a crisis, and right now one of the key tasks for "surviving" is getting every "cog" in the mechanism of your site adjusted correctly. One of those cogs is the service that accepts online payments. Set up properly, it can be a success factor; used incorrectly, it can lead to serious problems. In this release, the first in the "9 Secrets of Online Payments" series, which distils eight years of the PayOnline team's experience, we share how to configure the 3-D Secure protocol so that payments on your site are processed successfully.




Part 1. Setting up 3D Secure
Part 2. Recurring payments
Part 3. Payment selection page
Part 4. Payment Form
Part 5. Mobile payments
Part 6. Payment in one click
Part 7. Fraud monitoring system
Part 8. Returns and how to avoid them.
Part 9. Payment service settings for the type of business

A brief history of the issue


The 3-D Secure (3DS) protocol was created by the international payment system Visa (the Verified by Visa program). The other major card schemes support it under their own brands: MasterCard SecureCode and J/Secure from JCB International.

The main objective of 3DS is to protect payers and merchants from fraudsters. Supporting 3DS sharply reduces the risk of fraudulent card transactions, because it adds a further step that confirms the identity of the payer.

Why is it called 3-D Secure? Three domains (3D) take part in processing a payment under the 3DS protocol, and the transactions (card payment operations) are created and verified across them: the acquirer domain, the issuer domain and the interoperability domain that connects the two.

How does it work?


80% of bank cards in Russia are enrolled in 3-D Secure, and 30 million Russians shop online. That means more than 24 million Russians have gone through 3DS payment authorization at least once. What does this look like from the payer's point of view?

A person places an order on the website, clicks "Pay", fills out the payment form and is redirected to a page on the domain of the issuing bank (the bank that issued the card) to enter a one-time verification code.

In most cases the code arrives by SMS; sometimes other mechanisms are used (a list of codes printed on the card, confirmation of the code by phone with the bank, etc.). All the payer has to do is enter the code in the appropriate field and complete the payment.

From the online store's point of view, things are not so simple. Not every bank card in Russia is enrolled in 3DS: a number of banks simply do not support the protocol, and at some banks it is the cardholder who decides whether to enable 3DS. Such cards make up about 20% of the total. More than 220 million cards have been issued in Russia, roughly one and a half cards per person. Bear in mind, though, that people who shop online tend to protect themselves, and cards without 3DS are issued mainly under payroll, pension and scholarship programs.

Nevertheless, the audience of every commercial site includes customers whose cards are not enrolled in 3DS (their share depends on the company's line of business, the geography it operates in and other factors). You have to decide how to work with these customers, that is, how to configure the 3-D Secure protocol.

This is where the online store runs into the question of security and the need for risk assessment. Letting every transaction through is risky: you can run into fraudsters, receive chargebacks and lose a significant share of your profit. On the other hand, rejecting payments from cards that are not enrolled in 3DS means losing loyal customers and, again, your own profit.

The trade-off between security and conversion


Configuring 3-D Secure on a site is a delicate matter. It requires an understanding of the level of risk in the segment of online business in which the company operates.

There are three basic types of 3DS protocol settings:
  1. Minimum 3DS;
  2. FULL 3DS;
  3. Two-step 3DS.

Each 3-D Secure setting is described below. Note that throughout we are talking about accepting payments from cards enrolled in Verified by Visa or MasterCard SecureCode.

Full 3DS


Full 3DS is the basic 3DS setting recommended by the international payment systems. It minimizes the risk of fraudulent transactions and, accordingly, the probability of chargebacks and the financial risk to the company.

How does it work? Very simply. A payment is approved only after the payer has passed 3DS authentication. This applies to all cards without exception: every transaction goes through 3DS.

If the 3DS check on the issuer's side does not work, or the card is not enrolled in 3DS, the transaction goes through only with the issuer's consent; otherwise it is rejected.

This setting complies with international security standards and minimizes the risk of fraudulent transactions. Our basic boxed payment solution, Pay-Start (designed for sites with a turnover of up to 30 thousand rubles a day), uses only this basic Full setting. It gives small companies almost complete security when accepting payments. The payment service is responsible for the security of payments and will never recommend that a client "expose himself" to fraudsters.

For a large business, however, raising conversion becomes so critical that it can force the merchant to make concessions on security. In that situation some or all card payments are processed without 3DS verification. This is what the minimum and two-step settings are for.

Minimum 3DS


The minimum 3DS setting verifies cards that are enrolled in 3DS and lets the rest through without 3DS (more precisely, they are still checked, but with the other tools of the security system, the so-called security filters).

So, when choosing the minimum 3DS setting:

Two-step 3DS


This setting resembles the minimum one, with one significant difference: every transaction is first sent to the issuing bank via 3DS. If the payer's card is not enrolled in 3DS, the issuing bank decides whether the transaction may proceed. If the bank rejects it, the transaction is sent for a second check, this time without 3DS.

You can go further and tune any of the three options more finely, taking into account the type of business and the countries in which the company operates: for example, enable 3DS only for certain countries or a particular card type, or make it depend on payment parameters such as the amount, the payer's geography and so on.
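The following is an added example, not PayOnline's code, showing the decision logic of the three settings above (Full, Minimum, Two-step) together with the fine-tuning rules just described. The enrollment outcomes, the `Payment`/`Decision` types, the `skip_3ds_rules` and the sample fraud filters are assumptions made to illustrate the text, not a real gateway API; the only behaviour taken from the article is which path each setting follows when a card is not enrolled or the issuer's check does not answer.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional, Sequence


class Enrollment(Enum):
    """Outcome of asking the issuer whether the card is subscribed to 3DS (assumed model)."""
    ENROLLED = "enrolled"
    NOT_ENROLLED = "not_enrolled"
    UNAVAILABLE = "unavailable"   # the issuer's 3DS check did not answer


class Mode(Enum):
    FULL = "full"
    MINIMUM = "minimum"
    TWO_STEP = "two_step"


@dataclass(frozen=True)
class Payment:
    amount_rub: int
    card_country: str                     # country of the issuing bank
    payer_country: str                    # country the payer is paying from
    enrollment: Enrollment
    authenticated: Optional[bool] = None  # issuer's verdict on the code the payer typed
    issuer_consents: bool = False         # issuer willing to approve a non-enrolled card


@dataclass(frozen=True)
class Decision:
    approved: bool
    risk_owner: str   # "issuer" if the payment went through 3DS, "merchant" if it did not
    reason: str


# A rule is a predicate: True means "do not send this payment through 3DS" (fine-tuning).
Rule = Callable[[Payment], bool]
# A fraud filter is a predicate: True means "this payment looks fraudulent".
Filter = Callable[[Payment], bool]


def _run_filters(p: Payment, filters: Sequence[Filter], why: str) -> Decision:
    """Path taken whenever 3DS is skipped: the merchant, not the issuer, owns the risk."""
    hits = [f.__name__ for f in filters if f(p)]
    if hits:
        return Decision(False, "merchant", f"{why}; filters tripped: {', '.join(hits)}")
    return Decision(True, "merchant", f"{why}; passed {len(filters)} fraud filters")


def decide(p: Payment, mode: Mode, skip_3ds_rules: Sequence[Rule] = (),
           filters: Sequence[Filter] = ()) -> Decision:
    # Fine-tuning by country, card type, amount, etc.: a matching rule bypasses 3DS.
    for rule in skip_3ds_rules:
        if rule(p):
            return _run_filters(p, filters, f"3DS disabled by rule {rule.__name__}")

    if p.enrollment is Enrollment.ENROLLED:
        # In every mode an enrolled card must pass the issuer's authentication.
        if p.authenticated:
            return Decision(True, "issuer", "authenticated via 3DS")
        return Decision(False, "issuer", "3DS authentication failed")

    # Card not enrolled, or the issuer's 3DS check did not respond.
    if mode is Mode.MINIMUM:
        return _run_filters(p, filters, "card not enrolled")

    # FULL and TWO_STEP both ask the issuer first.
    if p.issuer_consents:
        # Assumption: the article says such a payment goes through "only with the
        # consent of the issuer", so the decision is attributed to the issuer here.
        return Decision(True, "issuer", "not enrolled; approved with issuer consent")
    if mode is Mode.FULL:
        return Decision(False, "issuer", "not enrolled; rejected under Full 3DS")
    # TWO_STEP: the issuer declined, so the second step runs without 3DS.
    return _run_filters(p, filters, "issuer declined; second step without 3DS")


# Constructed sample filters standing in for a real fraud-monitoring rule set.
def high_amount(p: Payment) -> bool:
    return p.amount_rub > 50_000


def country_mismatch(p: Payment) -> bool:
    return p.card_country != p.payer_country


# Constructed fine-tuning rule: domestic payments with domestic cards skip 3DS.
def domestic_ru(p: Payment) -> bool:
    return p.card_country == "RU" and p.payer_country == "RU"


FILTERS = (high_amount, country_mismatch)

if __name__ == "__main__":
    card = Payment(3000, "RU", "RU", Enrollment.NOT_ENROLLED)
    for m in Mode:
        print(m.value, decide(card, m, filters=FILTERS))
```

Reading the `risk_owner` field across the three settings makes the trade-off concrete: the only approvals the merchant owns are those that bypassed 3DS, whether because the card was not enrolled under the Minimum setting, because the issuer declined under Two-step, or because a fine-tuning rule switched 3DS off for that payment.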

It bears repeating that the minimum and two-step settings, used unprofessionally, can raise the risk of fraudulent transactions and, accordingly, of financial losses. In short, the 3DS setting is not a toy.

Before the setting is changed, the audience and the specifics of the company's business are analysed jointly (the average risk level in that segment, the geography of payment acceptance, the size of the average order, etc.). The analysis is carried out by the payment service's specialists together with representatives of the client company. Based on its results, recommendations are given on whether the setting can be changed and what risks that entails. The final decision rests with the client, who takes on responsibility for the possibility of fraudulent transactions. In practice, changes are most often made only when there are no serious fraud concerns.

What to do?


So which scheme is more convenient, more profitable and safer for an online store or any other service that accepts payments online?

The only weakness of Full 3DS is obvious: payments from cards that are not enrolled in 3DS (about 20% in Russia, and the share is constantly shrinking) will be rejected. Such cards are usually issued by banks outside the top 50, often regional ones. Its main advantage is almost complete security: under the rules of the international payment systems, liability for fraud on a transaction processed under 3DS lies with the issuing bank (the bank that issued the card), not with the merchant.

By choosing the two-step or minimum setting, the online store takes on the risk of fraud (fraudulent transactions) for the payments that bypass 3DS. With professional risk analysis and careful tuning of fraud monitoring on the payment partner's side, however, the share of successful transactions rises significantly, sometimes by tens of percentage points.

From theory to practice


Consider the case of one of our clients, the airline ticket agency Pososhok (pososhok.ru). The company's turnover in 2013 was 4.5 billion rubles, and today it can boast one and a half million passengers served.

In March 2014 the company faced a problem: authenticating customers via 3-D Secure gave a high level of protection, but the company needed to raise its payment conversion, as only 79% of transactions were being approved.

At that time two-step authorization was in use. The first stage ran over 3-D Secure. If the payment was made from a card not enrolled in 3DS, the second stage was a check by the PayOnline fraud monitoring system (discussed in more detail in later articles) according to its filter settings.

After analysing the buyer audience, whose core was Russian customers, Pososhok's specialists, together with a PayOnline consultant, decided to change the security settings for payments made from Russia with cards issued in Russia. For such transactions, 3DS authentication was disabled; they were checked instead by the PayOnline fraud monitoring system, each of its 154 filters tuned to the specifics of Pososhok's business. For all other transactions, 3DS authentication continued to apply.

The result was not long in coming: within six months conversion "took off" to 91%, and kept growing.

At the same time, the number of "clean" transactions rejected by the monitoring system over that period could be counted on one's fingers, and all of them were subsequently identified and processed manually. Thanks to the professionalism of the specialists who tuned the 3DS setting, the changes did not lower the level of security.

In the next issue we will explain how to tie a customer to your service with recurring payments: what they are, what questions you may run into at the connection stage and payers may run into while using them, and what "profit" to expect as a result. If you want to connect and set up online payments, contact us and our experts will help you with it.

Source: https://habr.com/ru/post/275101/

