Good news! The fight against fraud seems to be paying off. For 2 years, the amount of fraud has been decreasing in France (source: Observatory for Payment Card Security). Amongst the preeminent tools in this fight, 3-D Secure (3DS) is at the forefront. The famous security protocol, developed by Visa, Mastercard and AmEx (SafeKey), reinforces the authentication of customers paying online.
Consumers are more and more familiar with this practice, which began in 2008. Nevertheless, this additional step in the purchase funnel still lowers conversion by 10% to 15% on average (source: Be2bill’s internal study).
As the European Banking Authority intends to regulate payment authentication through PSD2 (Payment Services Directive), let’s separate fact from misconception about fraud and 3DS.
Belief #1: Applying 3DS to every transaction is the most efficient defense
TRUE BUT...
Indeed, 3DS is going to eliminate almost every fraud… but it can also generate false positives: genuine cardholders who cannot pay due to a failure in the 3DS process.
For each payment, the internet user must go through an additional step, whose duration and convenience may vary. 3DS can involve different actions depending on the customer’s bank: entering a birth date, using a “code calculator” card, or typing a code received on a phone… This last case is the most common: the consumer has to make sure the phone is at hand, has good network coverage and is sufficiently charged… Each of these conditions represents a risk of authentication failure. That’s why 3DS applied to all transactions can cause a turnover drop of 10% to 15% for e-merchants.
Belief #2: For some product categories, it’s useless to set up a 3DS policy
TRUE
Depending on the products put up for sale, fraud risks are not the same. For example, a company specialised in water heaters, which sells the equipment and installs it at home, will not experience lost or stolen card fraud. There is no need, then, to bother customers with 3DS.
Belief #3: 3DS eliminates every chargeback and fraud
FALSE
A successful 3DS authentication doesn’t necessarily mean that the transaction will never be charged back:
- Business cards often don’t lead to the liability shift normally induced by 3DS: chargebacks can occur, and the merchant won’t be protected.
- Identity theft remains possible: fraudsters steal the card credentials as well as the phone number. They ask the operator for a new SIM card, so they can directly receive the texts on their phone… and make purchases with 3DS authentication. The victims suffer twice: money stolen from their bank account, and a phone that doesn’t work anymore! And this type of fraud is growing significantly…
It’s important to note that some cards are not enrolled in the 3DS system. In that case, there are some ways to block transactions or to tag them for manual review by the merchant.
Belief #4: Applying 3DS to the most expensive carts is the key to avoiding the biggest frauds
TRUE & FALSE
High-amount carts are of course vital for merchants. Nevertheless, there are more subtle and appropriate ways to use 3DS against fraud while avoiding a drop in conversion.
With a pragmatic approach, based on data collection and analysis, fraudulent transactions can be tackled and false positives avoided.
Important criteria, which have to be cross-checked against cart amounts, include: velocity (several transactions conducted in a short time in remote areas), delivery address, type of products, e-reputation, etc. Every signal pointing to an anomaly compared with usual purchase behaviour has to be detected. These signals reveal risky profiles.
Belief #5: A good configuration of my 3DS protects me for 6 months
FALSE
On the contrary, it is wise to change the 3DS settings depending on several indicators:
- Seasonality, especially during sales, when amounts of purchases skyrocket
- Chargeback reviews, which can lead the merchant to adopt a continuous improvement approach: analysis, implementation, adjustment of the transaction criteria.
The most important thing to remember: fraud is constantly changing. Fraudsters continuously run tests and adapt their methods if rules are simple. If the rule is based on cart amounts, fraudsters will discover it very quickly and, of course, multiply purchases with an amount just under the threshold that triggers 3DS.
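The weakness of an amount-only rule, and the effect of crossing the amount with velocity and delivery address as described under Belief #4, shown as an added example (not Be2bill's engine and not code from the original article). All field names, weights, thresholds and the sample transactions are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed values for illustration only.
AMOUNT_THRESHOLD = 200.0   # static rule: 3DS at or above this cart amount
WINDOW_SECONDS = 3600      # velocity window
CHALLENGE_SCORE = 50       # risk score at which 3DS is triggered

@dataclass
class Txn:
    card: str
    ts: int                 # seconds since start of the sample
    amount: float
    known_address: bool     # delivery address already used with this card

def static_rule(txn, history):
    """Amount-only rule: blind to purchases split just under the threshold."""
    return txn.amount >= AMOUNT_THRESHOLD

def risk_score(txn, history):
    """Cross the amount with velocity and delivery-address signals."""
    recent = [h for h in history
              if h.card == txn.card and 0 <= txn.ts - h.ts <= WINDOW_SECONDS]
    score = 0
    if txn.amount >= AMOUNT_THRESHOLD:
        score += 50
    # Cumulative spend in the window exposes a cart split into small purchases.
    if txn.amount + sum(h.amount for h in recent) >= AMOUNT_THRESHOLD:
        score += 30
    if len(recent) >= 2:            # velocity: third purchase within the window
        score += 20
    if not txn.known_address:       # unusual delivery address
        score += 20
    return score

def dynamic_rule(txn, history):
    return risk_score(txn, history) >= CHALLENGE_SCORE

def decisions(txns, rule):
    """Replay transactions in order; True means 'trigger 3DS'."""
    history, out = [], []
    for t in txns:
        out.append(rule(t, history))
        history.append(t)
    return out

# Constructed sample: card A splits a large spend into 190.00 purchases.
SAMPLE = [Txn("A", 0, 190.0, False), Txn("B", 100, 60.0, True),
          Txn("A", 300, 190.0, False), Txn("C", 400, 450.0, True),
          Txn("A", 600, 190.0, False), Txn("A", 900, 190.0, False)]

if __name__ == "__main__":
    print("static :", decisions(SAMPLE, static_rule))
    print("dynamic:", decisions(SAMPLE, dynamic_rule))
```

The amount-only rule challenges only card C, while the combined score challenges card A from its second purchase onward and still leaves the low-risk purchase on card B frictionless.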
Focus on a risk-based approach: the “smart 3DS”, or dynamic 3DS
To deploy a successful 3DS strategy, Be2bill’s fraud experts implement a smart 3DS (or dynamic 3DS) policy. It means the team triggers 3DS only for transactions that were detected as risky by our anti-fraud engine. This is a risk-based approach, as recommended by the MRC (Merchant Risk Council). With this pragmatic – and not dogmatic – approach, 98.5% of fraud is stopped in real time.
Concretely, smart 3DS results from a sophisticated rule engine combining Be2bill’s expertise – in particular data analysis – with the client’s experience. The client is obviously best placed to identify the specifics of their own activity.
This flexible and collaborative approach is designed to allow continuous adjustments at any time, and even to define several scenarios for triggering 3DS (for example linked to seasonality). The merchant manages and controls when it is actually triggered.
The Be2bill team makes sure the rules are always relevant, and continuously adapts the rule engine to find the best balance between conversion and security.