The more you sell online, the more opportunities there are for fraudsters. Luckily, there are measures you can take to protect your customers and secure your revenue. One of these measures is 3DS2, but 3DS2 is not without limitations. In this article, we explain why supplementing 3DS2 with an additional, highly specialized fraud tool helps reduce fraud while at the same time boosting the revenue of online sales.
Numbers don’t lie
The most recent numbers from the European Central Bank reveal that in 2016, a staggering €1.8 billion was lost to fraud. A 2019 report by the European Payments Council detailing the major threats in the industry highlighted that while businesses and financial institutions implement more anti-fraud measures, fraudsters are making moves of their own.
In the digital world that is e-commerce, fraudulent transactions are a very tangible problem. The results of the 2019 Merchant Risk Council’s global fraud survey underline this fact. In Europe, 20% of e-commerce orders are manually screened for potential fraud, of which 50% are declined after manual review.
On average, European companies lose approximately 2% of annual e-commerce revenue due to payment fraud. In some verticals, this figure is as high as 2.8%.
Global overview – Fraud KPIs (Merchant Risk Council, 2019)
Though we’re currently witnessing the rise of new fraud techniques such as attacks on contactless cards and mobile wallets, in the short term, lost and stolen card fraud, counterfeiting and card not present fraud will continue to be the predominant drivers for payment fraud.
Chargebacks, in particular, can be very costly to merchants. A chargeback is a credit card payment that is reversed at the request of the cardholder, who disputes it with their issuing bank. A high percentage of chargebacks can lead to the blocking of the payment method in question.
3D Secure: the solution to fraud?
The rise in online fraud necessitated the launch of countermeasures by the payment industry. One such countermeasure that has proven effective and gained international adoption is 3D Secure.
First introduced in 2001 by EMV, 3D Secure, known by its acronym 3DS, quickly became the standard anti-fraud measure in the industry. Since its launch, major card companies have launched their own, branded versions of 3DS under names like Verified by Visa, Visa Secure, American Express SafeKey, Mastercard SecureCode and Mastercard Identity Check.
So how does 3DS work? Whenever customers initiate a purchase on the web, they are redirected to a secure page on their card issuer's website. Here, they are prompted to enter either a password or an authentication code that is sent to their mobile phone. Once the information is verified, the payment is approved and customers are redirected back to the merchant's website.
The problem with 3DS
By adding a security layer to online transactions, 3D Secure made it a lot harder for fraudsters to steal, lowered transaction costs, increased trust among online customers and shifted liability away from merchants. And yet, it also had various drawbacks that only became worse over time.
For the average consumer, being redirected to a separate website and asked for a code turned out to be less straightforward than expected. This led to abandoned carts and lost revenue. Moreover, when it was introduced in 2001, mobile commerce was non-existent. As e-commerce expanded into the mobile arena, it became apparent that a newer system was needed: one that would take into account UX/UI issues like load times and responsive layouts, and take better advantage of the available technology.
What is 3DS2 exactly?
The follow-up to the original 3D Secure brings much-needed improvements to security and user-friendliness. To grasp these changes, we need to understand what 3DS2 is meant to accomplish. The new standard, 3DS2, has been developed in line with the regulations outlined in the European Union’s Revised Payment Services Directive (PSD2).
PSD2 outlines the rules and regulations by which all players within the European payments industry must abide in order to protect consumers, secure payments and foster healthy competition within the market.
One of the practical results of the Revised Payment Services Directive is the introduction of Strong Customer Authentication (SCA) as a European regulatory requirement.
For transactions to comply with SCA, customers are required to authenticate themselves using multi-factor authentication. In other words, they must present two out of the three following categories of identifiers:
- Knowledge (Something they know, e.g. password/PIN)
- Possession (Something they own, e.g. mobile phone, token)
- Inherence (Something they are, e.g. biometrics, voice/facial recognition)
3DS2, the new version of 3D Secure, is meant to be SCA compliant. Being SCA compliant has many benefits that go beyond fraud prevention. With 3DS2, issuing banks are provided with over 100 data points that help them identify users and authenticate payments.
Where 3DS2 falls short: adoption, compatibility & user experience
Even though 3DS2 provides many benefits, it's not without problems. There are many credit cards, issued both within and outside the EU, that either do not have 3DS enabled or lack SCA compliance on mobile devices.
In many situations, 3DS2 is also an unnecessary burden on the consumer. Every consumer is required to undergo the exact same extra security checks, even though every consumer and every purchase is different.
Therefore, by protecting your revenue with these anti-fraud measures, you are also turning away potential customers in the worst way: by disappointing them at checkout.
As a merchant, you need to keep in mind that though the fraud risk is reduced, you're also lowering conversion rates and limiting your overall revenue. In many cases, the loss of potential revenue is higher than the total cost of fraud and chargebacks combined.
When to avoid 3DS2
Soon, SCA will become mandatory for all online payments within the EU, but this doesn’t have to lead to fewer happy customers and less revenue. The peace of mind provided by SCA means that in many cases payments can be completely frictionless. Yet, we have noticed that many merchants are unaware of the exemptions allowed under SCA. In fact, by making smart use of these exemptions, merchants can boost their conversion rates and revenue significantly.
Examples of exemptions are low-value transactions of €30 or less, recurring payments with a fixed amount and orders made by mail and phone. The most relevant SCA exemptions are listed below:
- Low-risk payments: Based on risk analysis performed by the payment processor.
- Payments of €30 or less: exempt as long as fewer than 5 such payments have been made and their combined total stays under €100.
- Subscriptions / Recurring payments: SCA verification is only done for the first payment.
- Payments initiated by the retailer: The first payment requires SCA verification. For future payments, the customer's bank decides whether SCA is necessary or not.
- Trusted beneficiaries: Consumers can whitelist companies after an initial payment. Thereafter, SCA is no longer necessary for this webshop.
- Interregional transactions: Payments that involve a merchant or consumer based outside the EU are not covered by the PSD2 regulations.
When it comes to fraud, rules are not meant to be broken, but exemptions are definitely meant to be used. If you disregard the exemptions, apply the strict SCA rules and implement 3DS2 uniformly to all your customers and markets, you're undoubtedly hurting your revenue.
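As an added example, not Alphacomm's or Protectmaxx's code and not the text of the PSD2 regulation, the following Python sketch turns the two-out-of-three factor rule and the exemption list above into a pre-authorisation check that a merchant's risk layer could run before deciding whether to request a 3DS2 challenge. The Transaction and CardHistory fields, the EU country set and the €30 / 5 payments / €100 thresholds are assumptions taken from this article's wording; the counters are reset whenever SCA is actually applied, and the issuing bank can still demand SCA no matter which exemption the merchant claims.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional


class Factor(Enum):
    """The three SCA factor categories named in the article."""
    KNOWLEDGE = "knowledge"    # something the customer knows (password, PIN)
    POSSESSION = "possession"  # something the customer owns (phone, token)
    INHERENCE = "inherence"    # something the customer is (biometrics)


def satisfies_sca(presented: Iterable[Factor]) -> bool:
    """SCA needs two *distinct* categories; two passwords are still one factor."""
    return len(set(presented)) >= 2


# Constructed subset of EU member states; a real system would use the full EEA list.
EU_COUNTRIES = {"NL", "DE", "FR", "BE", "ES", "IT", "AT", "IE", "PT", "PL"}

# Thresholds as stated in the article (assumed values, check the RTS before relying on them).
LOW_VALUE_LIMIT_EUR = 30.0
LOW_VALUE_MAX_PAYMENTS = 5
LOW_VALUE_CUMULATIVE_EUR = 100.0


@dataclass
class Transaction:
    amount_eur: float
    merchant_country: str
    customer_country: str
    recurring: bool = False           # fixed-amount subscription
    merchant_initiated: bool = False  # retailer-initiated payment series
    first_of_series: bool = True      # first payment of a recurring/MIT series
    trusted_beneficiary: bool = False # customer whitelisted this merchant at the bank
    low_risk_by_tra: bool = False     # outcome of the processor's transaction risk analysis


@dataclass
class CardHistory:
    """Per-card counters kept since the last time SCA was applied."""
    payments_since_sca: int = 0
    amount_since_sca_eur: float = 0.0


def exemption_for(tx: Transaction, history: CardHistory) -> Optional[str]:
    """Return the exemption a merchant may claim for tx, or None if SCA is required.

    The issuer may still override any claim and ask for a challenge.
    """
    if tx.merchant_country not in EU_COUNTRIES or tx.customer_country not in EU_COUNTRIES:
        return "interregional"  # one party outside the EU: outside PSD2 scope
    if tx.recurring and not tx.first_of_series:
        return "recurring"  # SCA was done on the first payment of the series
    if tx.merchant_initiated and not tx.first_of_series:
        return "merchant_initiated"  # issuer decides whether to step up
    if tx.trusted_beneficiary:
        return "trusted_beneficiary"
    if (
        tx.amount_eur <= LOW_VALUE_LIMIT_EUR
        and history.payments_since_sca < LOW_VALUE_MAX_PAYMENTS
        and history.amount_since_sca_eur + tx.amount_eur <= LOW_VALUE_CUMULATIVE_EUR
    ):
        return "low_value"
    if tx.low_risk_by_tra:
        return "low_risk"
    return None  # no exemption applies: send the customer through 3DS2


def record_outcome(history: CardHistory, tx: Transaction, sca_applied: bool) -> CardHistory:
    """Update the low-value counters after the payment has been processed."""
    if sca_applied:
        history.payments_since_sca = 0
        history.amount_since_sca_eur = 0.0
    else:
        history.payments_since_sca += 1
        history.amount_since_sca_eur += tx.amount_eur
    return history


if __name__ == "__main__":
    history = CardHistory()
    coffee = Transaction(amount_eur=25.0, merchant_country="NL", customer_country="DE")
    # Four €25 payments pass as low value; the fifth breaches the €100 cumulative cap.
    for i in range(5):
        print(f"payment {i + 1}: exemption={exemption_for(coffee, history)}")
        record_outcome(history, coffee, sca_applied=exemption_for(coffee, history) is None)
    us_order = Transaction(amount_eur=500.0, merchant_country="NL", customer_country="US")
    print("US order:", exemption_for(us_order, CardHistory()))
```

Running the script shows the cumulative limit doing its job: the fifth €25 payment on the same card no longer qualifies as low value even though its own amount is under €30, so that one is routed to 3DS2, after which the counters restart.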
Recap & additional insight
In the rapidly evolving world of digital payments, it's crucial to stay ahead of the curve. To combat payment fraud without losing revenue, one must understand the nuances of payment service providers and the role they play. These payment providers facilitate secure transactions, but they face significant challenges.
One such challenge is implementing strong customer authentication (SCA). SCA is mandated to ensure that the person initiating the transaction is indeed the cardholder. However, static passwords and other traditional methods have proven insufficient. Therefore, payment providers are now focusing on more advanced techniques, such as transaction risk analysis. This approach evaluates the risk associated with each transaction in real time, thereby providing an extra layer of security.
Moreover, payment systems are becoming more complex with the advent of mobile payments. This method offers convenience but also necessitates robust security measures. An access control server, operated on the issuer's side, is used in conjunction with the major card networks to verify transactions and authorise payments. This ensures that only legitimate transactions are processed.
For businesses, especially those handling debit card payments, the integration of payment processing systems that support SCA is vital. These systems often require additional data to verify the identity of the user, which can sometimes be a cumbersome process but is essential for security.
Lately, card issuer banks have also stepped up their game by adopting advanced security protocols. They work closely with payment service providers to ensure seamless and secure transactions. The collaboration between these entities and the utilisation of state-of-the-art technology is paving the way for safer transactions in the realm of digital payments.
In summary, understanding the interplay between payment service providers, strong customer authentication, transaction risk analysis, and the use of an access control server with major card networks is crucial. As the industry continues to evolve, embracing these technologies will help in reducing fraud and in enhancing the overall payment experience for users.
Protectmaxx: A better alternative to 3D Secure
In this article, we’ve described what 3D Secure is and why it is important in the fight against payment fraud. We’ve also outlined a few of the disadvantages of 3D Secure and how its implementation can negatively impact your revenue when applied to all transactions.
The question that remains is:
“if not 3D Secure, what else is there? How do we make use of the exemptions, while at the same time improve security and boost revenue?”
The bottom line is this: in order to maximize your revenue, you need to identify which of the SCA/3DS2 exemptions apply to your business, and protect these transactions with a fraud tool that is able to:
- examine every transaction and every consumer individually,
- learn from every transaction and improve itself through machine learning/AI,
- guarantee the payment of transactions,
- eliminate the costs of chargebacks,
- be available to everyone and not limited to select consumers, and
- maximize conversion, rather than hurt it.
At Alphacomm we’ve developed Protectmaxx, an anti-fraud solution that meets all the criteria and is considered the best in the business for SCA/3DS2-exempted transactions. Protectmaxx also includes a management reporting portal that provides actionable insights that help you make decisions that improve your business.