The 3-D Secure challenge in payments fraud

This article was authored by Entersekt's Director of Product Marketing, Cathryn Matarazzo, and published by BAI on July 23, 2024.

As merchants in North America continue to cherry-pick which transactions they submit for 3-D Secure (3DS) authentication, there has been a steep uptick in card-not-present (CNP) fraud. However, issuers could be taking the lead in helping U.S. merchants overcome their outdated perception bias and understand that the use of the protocol will reduce fraud, with a minimal impact on friction. In fact, the U.K. experience shows that North American merchants could be saving money while boosting customer experience.

Datos Insights estimates that U.S. CNP fraud losses will approach US$13 billion by 2026. This growth has been spurred on by several factors, but there can be no doubt that fraudsters have homed in on countries where strong authentication is not always required on e-commerce transactions.

The numbers also show that U.S. merchants are needlessly giving away profit margin, with U.S. e-commerce sales averaging an annual increase of 19% over the past six years, while CNP fraud losses have grown at an accelerated rate of 21% over the same period.

More use, better outcomes

In the U.K., where 3DS has been used for many years, and where it is now mandatory, CNP fraud has been declining. However, the Datos numbers show that in unregulated markets, like North America, 3DS usage averages just 2.7% of all CNP transactions.

The Datos report further shows that fraud is nearly six times higher across that 2.7% because the majority of merchants in said markets push only high-risk transactions across the 3DS rails. This means issuers are forced to use outdated authentication responses, resulting in more declines.

Many U.S. merchants are therefore choosing to absorb current fraud costs to avoid the misguided concerns they have about 3DS reducing transaction success rates. However, according to the Merchant Risk Council’s latest report, merchants estimate that 3.1% of their total e-commerce revenue is lost to fraud each year. And, as fraudsters become increasingly advanced, their customers remain at greater risk than ever before.

Another big challenge is that many merchants in North America make decisions about 3-D Secure based on their experiences with version 1.0, which was marked by high rates of cart abandonment and false declines. This perception bias is holding U.S. merchants back from scaling up CNP fraud-fighting measures. They are building a pattern of unreliable risk assessments, and they are actually missing out on advances in customer experience that are possible with 3DS version 2.0.

However, the role of the issuers in changing the current merchant perception should not be underestimated. More importantly, ACS providers should be seizing the opportunity to offer the most effective, accurate fraud detection risk data and advice tools, while taking advantage of the latest innovations to remove friction from the cardholder experience. It is only when the entire payment ecosystem works together that meaningful change can be effected.

Lower risk, better experience

Issuers can also play a role in educating merchants on the significant differences between 3DS versions 1 and 2. These include a more powerful form of authentication and the use of in-app approval and biometrics rather than passwords, which were one of the main reasons customers weren’t enamored with the first version.

Customer authentication also happens in real time, with no additional action needed for many transactions. A more seamless experience that now offers risk-based authentication is delivering lower cart abandonment with a better risk profile, all of which means more conversions and less churn.

Version 2 also makes use of a rich set of data about the cardholder and the transaction, which enables banks to make informed decisions about transactional risk, reducing false positives – and the need for a challenge – giving customers a better experience.

While version 2 is clearly more advanced, there are mechanisms that can further improve the experience for customers and offer banks a real competitive advantage.

Personalizing authentication

Everyone transacts differently, and banks should be able to adapt the authentication experience for each transaction without adding friction for the customer. A robust Access Control Server solution, combined with risk intelligence capabilities, allows banks to deliver personalized authentication experiences and tailor the most appropriate experience for each of their customers without compromising their risk levels. Context-aware authentication strips what remaining friction there is from the 3-D Secure process. Products like Mexico’s Plata Card are enjoying growing support because of this.

Looking ahead, the financial ecosystem continues to work together to find ways to remove friction from the transaction experience. For instance, EMVCo has said it will also review developments within the FIDO Alliance related to passkeys. Passkeys allow FIDO credentials created on one device to be used across multiple supported devices. They’re expected to fully replace passwords, further lowering user friction.

The various industry bodies and organizations, including issuers, payment service providers (PSPs), and card networks, are continuously engaging to find ways of keeping financial institutions, merchants and customers protected against sophisticated and constantly evolving fraud. But issuers are in the most important position to ensure they are sufficiently future-proofing their 3DS offerings to effectively assess risk and ensure the lowest-friction customer experiences possible. If they don’t, merchants will continue to resist change that could be delivering a significantly safer and improved customer experience – a situation where everyone loses.