
Prof. Alexiei Dingli
Picture Republic Street on a July afternoon. A German cruise passenger dips into a souvenir shop, grabs a triton-blue glass bowl, taps her phone on the terminal and walks out before her tour guide has finished counting heads. Moments later, a sixth-form student tops up his Tallinja card inside a boiling bus shelter, meets the biometric prompt on his screen with a quick thumb-press and hears the familiar beep of a successful load. Neither buyer sees a text message. Neither waits for a one-time password that may never arrive. Behind both transactions lies the quiet upgrade known as EMV 3-D Secure 2.3, the latest safety net the card schemes have rolled out to tell real shoppers from fraudsters without killing the checkout queue.
Maltese merchants know the pain of earlier versions. The first 3-D Secure felt like a trapdoor: a pop-up box demanded a long-forgotten static password, and many holidaymakers abandoned the basket. Version 2.1 removed some friction but still asked visitors to plough through redirects that looked like phishing pages. Version 2.2 reduced challenge rates, but it often rejected legitimate cards due to the issuing bank’s lack of context. Was the cardholder truly in Żebbuġ, or did a scammer in Kiev copy the number? The new 2.3 build tips the balance at last. It lets the shop’s payment gateway pass richer clues, such as device ID, previous spend patterns, and whether the customer used Face ID at the start of the session, straight to the bank in the background. With those extra crumbs, the bank can wave through low-risk sales inside half a second and reserve the heavy checks for the dodgy ones. When extra proof is still needed, the protocol keeps the shopper in the same window and leans on the phone’s built-in fingerprint or face reader, so the screen never jumps and roaming charges never block an SMS.
Early pilots of 2.3 in Spain and the Netherlands show challenge rates falling for domestic and cross-border card processing. That matters because fraud in Malta exceeds the EU average. Every notch of extra trust means fewer chargebacks and, over time, lower processing fees that filter back into menu prices. The gains are not just for bricks-and-mortar tills. Try booking an online lesson on your phone. In the past, you hit “pay now” and waited for a bank code that might arrive after you lost signal. Under 2.3, the merchant can flag the transaction as “decoupled”, collecting your details on Monday but asking the bank to authorise only when the deposit is due on Wednesday. You enjoy a clean booking flow; the bank still gets time to weigh the risk. Small-ticket buys improve as well. The spec supports a ‘data-only’ flow that lets merchants share extra data with the issuer without full authentication. The merchant sends a risk profile to the bank, which checks it in the background. If either party detects a problem, the payment is stopped before any funds leave the account, preventing later disputes.
Switching to the new system should be relatively easy. In fact, for most local shops, it boils down to four quick checks. First, call your payment provider or bank and ask: “Does our till already send the extra fraud-fighting clues to card issuers?” Those clues include little things like whether the customer checked out as a guest, how old the shipping address is, and if a loyalty card was used. They’re free to pass on and provide the bank with the missing context that prevents good sales from being blocked. Second, update the payment plug-in inside your app or website. The latest version recognises the phone’s fingerprint or face reader, allowing customers to stay on the same screen without being redirected to a potentially suspicious pop-up. Third, make sure there’s a safety net. If a tourist’s bank or an older handset can’t handle 2.3 yet, the transaction should quietly fall back to the previous version rather than fail outright. Finally, brief your team. A card terminal might now ask for a thumbprint and display a prompt. A simple line, “Just place your finger on your phone, please”, will keep the queue moving and the smiles flowing.
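The third check, the quiet fall-back, comes down to picking the highest protocol version that the gateway, the issuing bank and the shopper's device all support. The sketch below is an added example, not code from this article or from any payment provider; the function names and the sample capability lists are hypothetical.

```python
# Added illustration: choose the highest 3-D Secure version every party supports.
# All names and the sample capability lists below are hypothetical.

GATEWAY_VERSIONS = ["2.1.0", "2.2.0", "2.3.1"]  # constructed sample


def parse_version(text):
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically, not as strings."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed protocol version: {text!r}")
    return tuple(int(p) for p in parts)


def negotiate_version(gateway, issuer, device=None):
    """Return the highest version common to all parties, or None if there is none.

    gateway, issuer: version strings each side supports.
    device: versions the shopper's app supports; None means a browser
            checkout, which places no extra limit.
    """
    common = {parse_version(v) for v in gateway} & {parse_version(v) for v in issuer}
    if device is not None:
        common &= {parse_version(v) for v in device}
    if not common:
        return None
    return ".".join(str(n) for n in max(common))


def plan_authentication(gateway, issuer, device=None, preferred="2.3.1"):
    """Say which version to use, and whether that is a fall-back."""
    chosen = negotiate_version(gateway, issuer, device)
    if chosen is None:
        # Nothing in common: the caller applies its own policy here
        # rather than letting the checkout crash.
        return {"version": None, "action": "no-common-version"}
    action = "use-preferred" if chosen == preferred else "fallback"
    return {"version": chosen, "action": action}
```

Comparing parsed tuples rather than raw strings matters: as text, "2.10.0" would sort below "2.3.1".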
What of privacy? More data points change hands, but each travels inside a cryptogram and never lands on the merchant’s server. Under the GDPR, your gateway must display a brief notice indicating that device information aids in the fight against fraud. Most shoppers skim and tap “agree” because the benefit is clear: they have a lower risk of their card being copied and a lower chance of their holiday purchase being declined. Still, a merchant who stashes raw card numbers on a back-office computer should stop immediately. Modern payment tools store only a scrambled stand-in for the card, so even if someone hacks your computer, they find nothing they can spend.
Will the upgrade end fraud entirely? Of course not. Card thieves will hunt weaker links such as mule accounts and fake identities. Yet by making genuine purchases almost invisible to the customer, 2.3 shrinks the space for criminals. The protocol is global, so a stolen French card that fails in Valletta today helps block a similar attempt in Vienna tomorrow. For the man on the street, the change feels almost boring: the payment simply works. And that is the point. Technology should protect, not pester.
So, whether you run a stall at Marsaxlokk market or a boutique hotel in Mdina, tick four boxes: confirm your gateway speaks 2.3, pass every safe data crumb you can, enable biometric prompts, and coach your staff. Do that and you will greet the coming tourist rush with shorter queues, happier guests, and a budget that shrinks instead of swelling. For everyone else, the result is straightforward. Tap. Pay. Done. Then get on with the real summer business; an extra scoop of helwa tat-turk ice-cream, perhaps, or another quick dip at St Peter’s Pool, without a single thought for the invisible shield guarding your card along the way.
Prof. Alexiei Dingli is Professor of Artificial Intelligence




































