Love it or hate it: Here’s how security protocol 3DSv2 impacts you
Matthew Harrod, VP of Europe at Processing.com, discusses the pros and cons of 3DSv2 for European gambling operators
The laws are changing. From 14 September, merchants will be required to validate their customers through two forms of authentication (2FA) – it can be something the customer has, like a phone; something they know, such as a password; or something they are, such as a biometric fingerprint. This is called Strong Customer Authentication (SCA) and it’s expected to play a big part in reducing the fraud that riddles the online gaming sector.
Wiping out card theft, trojan attacks or identity theft sounds like a dream for gaming operators who lose millions in revenue each year to these various breeds of fraud – along with other niche challenges that are unique to this sector. But those who have been in the game a while might have second thoughts about SCA when they hear about the easiest way to comply with this regulation: 3D Secure version two. Let me explain.
3D Secure has failed you in the past
In general, the gambling industry has a “love-hate” relationship with the original 3DS (3DSv1). When it was initially rolled out in 2001, it wasn’t adopted by all issuing (cardholder) banks, meaning it failed to be standardised for all transactions or see full geographical coverage.
Concern also stemmed from the negative customer experience associated with the extra authentication required at the checkout. Needing more details and passwords at the point of payment elongates the process and, unfortunately for merchants, this meant a surge in abandoned payments. Gaming operators felt the impact of this more heavily than other industries, too, since regulation that enforces KYC (know your customer) requirements already makes checkouts somewhat longer than for other ecommerce players.
Already struggling to win over the public, 3DSv1 took another hit once consumers started embracing mobile shopping. When 3DSv1 was developed, mobile shopping was never really an option, so it wasn’t built for these small touchscreens. Now that the majority of customers in Western Europe interact with sportsbooks through their mobile phones, it adds another challenge for the pop-up protocol.
Adding more layers to the loss, if the cumbersome checkout loses the merchant their customer, then these lower conversion rates can also cause a reduction in affiliate traffic, resulting in lower customer growth for the operator. It’s easy to see why there’s apprehension surrounding September’s law changes. But times are changing – and 3DS has had an upgrade.
Reasons to love 3DSv2
The main advantage of 3DSv2 is that it will facilitate mobile commerce in a way 3DSv1 was not designed to do. Instead of having to remember a password when using new websites, 2FA enables the use of a one-time password sent via SMS or email to the cardholder’s registered email or mobile.
This new development requires the actual cardholder to authenticate the transaction – an alert will be sent to them, meaning they are active in the checkout process, know that the transaction is taking place, and on which website it is happening. This will help relieve a major issue for gaming operators: bonus abuse.
Bonus abuse happens when operators run promotions – like increasing odds or enhancing stakes – around major sporting events to draw in new customers, and older customers want to take advantage of these freebies. Bonus abusers are already signed up to gaming websites but create more accounts using family and friends’ payment details to benefit from the bonus offers – sometimes without their knowledge.
3DSv2 will stop gamblers from “borrowing” cards without permission, resulting in fewer fraudulent chargebacks. These extra steps also make it more difficult for customers to make false claims to get money back on bets they’ve regretted, also known as gambler’s remorse.
As many gaming operators will know, customers will occasionally try to get their money back on bets they’ve lost by claiming that the transaction wasn’t authorised or that they were not protected from placing excessive stakes. This can be for a standard customer who has bet too much after becoming overconfident with the money they’re risking, or more worryingly, a problem gambler using a family member’s card.
Extra authentication means extra hurdles for problem gamblers, or a warning to family members that bets are being made from their cards – it’s also a good way to show regulators that a merchant is in support of responsible gambling.
By capturing more data, like what device is being used or the IP address where the transaction is taking place, 3DSv2 is set to further protect operators from gamblers using cards from the same households. More data also helps merchants defend themselves from invalid chargebacks – they can prove that the transaction was authorised by the user and went through multiple rounds of authentication to do so.
Reasons to loathe 3DSv2
One of the main challenges that we see with 3DSv2 is also prevalent in online banking. People either change their phone numbers or have two phones for work and personal use, so they can’t receive the one-time password on the device that is registered with their account.
Any additional steps the customer must face tend to kill the checkout experience; it’s a lot of effort for them to phone their bank and have their number updated, then wait for the update to go live, and try again with the gaming operator. By this point, they’re likely to have had their attention pulled elsewhere. It’s far from ideal for customers looking for an in-game bet.
That being said, the reality of this situation is that this should only happen for the minority of transactions. So, do the benefits outweigh the costs?
The verdict
There are real benefits to SCA and 3DSv2 that can be leveraged by the gaming industry, especially in combating bonus abuse. But, as with many new initiatives (especially around fraud), the verdict will only really be clear when some time has passed, and the new processes are in full effect.
Initial feedback from gaming customers is that they are keen to leverage the advantages of the new security protocol, but we expect 2020 to be when we really see how useful it has been for gaming operators and the wider ecommerce community.

Matt Harrod has almost 15 years’ experience in the payment and fintech space, working for major European brands, including Lloyds Banking Group, Median and Ingenico. An expert in the gaming sector, he offers considerable insight into the impact of Europe’s uncertain political climate on egaming operators in the region.