User configurable security levels for 3-D Secure

Despite Curve claiming to implement 3DS properly, I’ve never once received a 3DS prompt during any of my many online transactions; and I’m fairly sure that if someone got hold of my card info, they wouldn’t either.

It would be much more secure if the user could enable a setting to, for example, always require 3DS interactive confirmation for transactions over a certain amount, rather than only relying on whatever lax heuristic Curve is using currently.

Edit for clarity: This is assuming the transaction is 3DS enabled by the acquirer, of course, since this is a prerequisite for Curve doing 3DS authentication. Although there should also be an option to block non-3DS transactions completely.

No because it’s not Curve that sets when 3DS is presented to the end user so that setting would make absolutely no difference.

Here’s some reading material for you.

2 Likes

I know what 3DS 2.0 is. As far as I can see, nothing in the articles you linked supports your claim that Curve doesn’t decide when a prompt is presented to the user. If I’ve missed something, please provide a direct quote to support your claim.

I have several cards issued by Swedish banks, all of them present their 3DS prompt every time, for every transaction, for the same merchants for which Curve does not. Clearly, Curve is the differentiating factor here.

Also it wouldn’t make much sense if the merchant or payment processor decided when the user should be prompted, since it doesn’t have all the information, if any, to make that decision. Only the card issuer (Curve) has that.

Here is another link for you which should answer your questions on the issue.

Just in case you’re still confused.

Linking to articles without further context or explanation isn’t very productive. Please provide references to specific paragraphs to support your claim.

As far as I can tell, the articles you refer to seem to confirm my original understanding that it is in fact the card issuer (Curve) that decides whether to prompt the card holder and whether to authorize the transaction.

[…] the card issuer may make a risk-based decision to require authentication […]

[…] 3D Secure should be seen as an additional layer of protection provided by the card issuer.

Indeed. I’m looking forward to you posting a proper source for your remarkable claim that the card issuer doesn’t have a hand in deciding whether to display an authentication prompt or not. The links you’ve posted don’t claim that, in fact one claims the opposite.

It’s the online retailer who decides for the 3DS, and Curve now supports this. If Curve should not support 3DS and the online retailer asks for 3DS, the payment would always be declined.
Now when 3DS is supported by Curve, you decide to accept the payment.

Sorry to say, but you are wrong. Curve does not make the decision of 3DS at an online payment.

1 Like

Didn’t you say you didn’t want me to post. Confused much?

That’s not the same as.

Thank you very much!

1 Like

Closed for a short time just for things to calm down. Will reopen shortly.

Of course the online merchant has to request 3DS. It is then up to the issuer to decide if they would like to prompt the customer (“user”) or not.
Most of my online purchases with my Amex show the 3DS prompt, but with a statement that further authentication is not required since the purchase matches my pattern.

If purchases at one single merchant result in the user ending up with a 3DS prompt with one card but not the other… what else would be suggested? That the merchant deems Curve to be safer to do business with than a legacy bank? Don’t think so…

2 Likes

I have carefully read all of @niklas.holm’s posts in this topic and I don’t think he is claiming that Curve does take this decision in any of them.

1 Like

You misunderstand. The issue is not who/what decides if 3DS is used, the issue is whether an authentication prompt is displayed (by Curve) when it is.

1 Like

Huh? Well of course it would be…

I know for a fact that it isn’t. 3DS 2.0 explicitly allows for “frictionless” authentication without user interaction, i.e. prompts.

2 Likes

Ah by Curve my mistake, no but Curve should display a prompt in app if that’s how Curve has designed it to work. (I’m not sure if they have or not.)

But does Curve support 3DS 2.0? I’m not so sure about it.

https://discover.curve.app/a/your-online-shopping-is-more-secure

You won’t have to authenticate every single online transaction. The prompt will just appear for purchases which we think need to be verified.

With 3DS 1.0, authentication was (almost) always interactive because the protocol was very limited in how much information was provided to the issuer. But 2.0 provides more detailed information, enabling “frictionless” automatic authentication, which Curve evidently has adopted.

Since we’re now (hopefully) talking about the same thing, the point is this: The user should have greater control when interactive authentication is required, because my experience is that Curve’s heuristic is way too lax to satisfy my security requirements.
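
The setting requested in this thread can be sketched as an issuer-side policy check. This is an added example, not code from Curve or from any poster; the `UserPolicy` fields, the `issuer_wants_challenge` flag standing in for the issuer's risk heuristic, and the sample transactions are all hypothetical.

```python
from dataclasses import dataclass
from decimal import Decimal
from enum import Enum
from typing import List, Optional


class Outcome(Enum):
    FRICTIONLESS = "frictionless"      # authenticated without a prompt
    CHALLENGE = "challenge"            # interactive prompt shown to the cardholder
    NO_3DS_ALLOWED = "no_3ds_allowed"  # merchant did not request 3DS; proceeds unauthenticated
    BLOCKED = "blocked"                # refused by the cardholder's own policy


@dataclass(frozen=True)
class UserPolicy:
    # Hypothetical cardholder settings; the defaults mean "issuer heuristic only".
    challenge_above: Optional[Decimal] = None
    block_non_3ds: bool = False


@dataclass(frozen=True)
class Transaction:
    amount: Decimal
    three_ds_requested: bool      # did the merchant/acquirer initiate 3DS?
    issuer_wants_challenge: bool  # verdict of the issuer's risk heuristic (opaque here)


def decide(tx: Transaction, policy: UserPolicy) -> Outcome:
    if not tx.three_ds_requested:
        # No 3DS flow exists, so no prompt is possible: the only choice is allow or block.
        return Outcome.BLOCKED if policy.block_non_3ds else Outcome.NO_3DS_ALLOWED
    # The user setting can only add challenges, never suppress one the issuer wants.
    user_wants_challenge = (
        policy.challenge_above is not None and tx.amount > policy.challenge_above
    )
    if tx.issuer_wants_challenge or user_wants_challenge:
        return Outcome.CHALLENGE
    return Outcome.FRICTIONLESS


# Constructed sample transactions (amount, 3DS requested, issuer wants challenge).
SAMPLES = [
    Transaction(Decimal("20"), True, False),
    Transaction(Decimal("50"), True, False),   # exactly at the threshold, not over it
    Transaction(Decimal("120"), True, False),
    Transaction(Decimal("10"), True, True),
    Transaction(Decimal("15"), False, False),
]


def run_samples(policy: UserPolicy) -> List[str]:
    return [decide(tx, policy).value for tx in SAMPLES]
```
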