The 3-D Secure protocol was first marketed by Arcot Systems jointly with Visa, as Verified By Visa in 2001 (read the historical announcement here). Its goal was to bring some form of cardholder verification into the eCommerce world while relying on standard browser capabilities only (some attempts with client-side devices were made before that but failed).
Other card schemes licensed the protocol and marketed it under different names. MasterCard called it SecureCode; American Express called it SafeKey. JCB launched it as J/Secure, and Discover as ProtectBuy. Later, the EMV consortium developed EMV 3DS 2.0, the next generation of the protocol.
The schemes pushed for the adoption of 3-D Secure since, despite some of its deficiencies, it helped reduce online fraud significantly. Besides combating fraudsters, 3-D Secure-authenticated transactions had a higher approval rate (or so the schemes claimed).
As an extra stimulus, schemes also added a liability shift. If a merchant performed a 3-D Secure authentication, the cardholder and the issuer could no longer submit a chargeback for that transaction, claiming it wasn’t authorized. The shift would even apply if the issuer wasn’t supporting the protocol or wasn’t available to handle the request.
However, there was a significant downside: cart abandonment rates for 3-D Secure-enabled checkout flows were in double digits. The numbers were particularly high in the United States. These drawbacks hindered protocol implementation and prevented it from becoming truly widespread.
The situation rapidly changed with the development of EMV 3DS and the introduction of European Payment Services Directive 2 (PSD2). Under the Strong Customer Authentication (SCA) mandate, the EMV 3DS authentication was made mandatory nearly always. The law accelerated the implementation of EMV 3DS in the EU and the United Kingdom to the point where it has completely supplanted the old 3-D Secure 1.0. You can read more about the old and the new 3D Secure protocols in my book.
And now, finally, 3-D Secure 1.0 will be sunset.
The schedule for it is below:
- 14 October 2022: American Express will decommission SafeKey 1.0, except in India and Bangladesh.
- 14 October 2022: Discover will decommission ProtectBuy 1.0.
- 15 October 2022: Visa will decommission Verified By Visa 1.0, except in India, Bangladesh, Bhutan, Maldives, Nepal, and Sri Lanka.
- 18 October 2022: Mastercard will decommission SecureCode 1.0, except in India and Bangladesh.
- 18 October 2022: JCB will decommission J/Secure 1.0.
The few remaining countries will have to wait another year:
- 3 October 2023: Mastercard will decommission SecureCode 1.0 in India and Bangladesh.
- 12 October 2023: Visa will decommission VbV in India, Bangladesh, Bhutan, Maldives, Nepal, and Sri Lanka.
- 13 October 2023: American Express will decommission SafeKey 1.0 in India and Bangladesh.
And so, exactly a year and a day from now, 3-D Secure 1.0 will finally be fully retired.