3DS2 Enhances Transaction Security, Creates More CX Challenges

Despite years of work by card issuers, payment processors, businesses and regulators, card-not-present (CNP) fraud continues to grow. CNP fraud increased by 8.5 percent from 2022 to 2023, and it’s projected to represent 73 percent of card fraud losses this year. The most recent version of the 3D Secure protocol, 3DS2, was intended to fight this problem by identifying users more accurately.

However, with 3DS2 now mandatory in the EU and increasingly in use elsewhere, some retailers are finding that the additional security offered by 3DS2 comes with additional friction for customers. The result is that 3DS2 changes, but may not eliminate, the security vs. convenience balancing act that online businesses must manage. This article examines some of the growing pains that retailers are facing as they implement 3DS2, the potential impact on customer experience and loyalty, and potential solutions for these challenges.

3DS2 is a set of strong customer authentication (SCA) security standards that was built by Visa and adopted by other card brands to meet European payment security requirements known as PSD2. The goal of 3DS2 is to add authentication steps in real time for transactions that issuers deem risky. Typically these challenges are biometrics (face or fingerprint) or codes sent via SMS or email.

The goal of 3DS2 is to reduce CNP fraud and improve the high-friction customer experience created by the first version of 3DS. Businesses using 3DS2 also see their chargeback liability reduced for those transactions.

General and Vertical-Specific 3DS2 Challenges

Despite the goal of making secure transactions easier, 3DS2 implementation hasn’t been free of issues that have affected businesses and their customers. For example, Sony PlayStation’s website has a page devoted to addressing authentication roadblocks and payment declines that some customers have experienced. Its recommendation is for declined customers to contact their bank or card issuer directly to resolve the issue – a necessary but extremely high-friction solution to their customer experience problem.

Luxury brands may also face CX issues related to 3DS2 because their customers tend to place high-value orders that trigger extra authentication steps that may lead to false declines. Unfortunately, the luxury consumer demographic expects flawless experiences and will take their business elsewhere if those expectations aren’t met.

In ClearSale’s most recent global survey of consumer attitudes on e-commerce, fraud and CX, 43 percent of shoppers who spent more than $400 online each month and spent at least 20 percent of that money on luxury goods had experienced a decline in the past 12 months. Fifty-seven percent of declined customers in that demographic will boycott the website, and 61 percent will make a negative post about the experience. Those numbers are higher than average and represent large potential losses for luxury retailers.

3DS2 often complicates international travel and hospitality payments because its adoption varies among countries and its application varies by card brand and bank, and different businesses may interpret the rules differently. As a result, many travelers may have a hard time making reservations on international sites before their trip. They may also encounter problems paying for things while traveling, a high-stress, high-friction scenario.

Other businesses may run into challenges in implementing and using 3DS2. For example, they may need to add and manage additional acquirers that can handle 3DS2 protocols. If customers don’t receive the authentication codes or challenge requests sent by 3DS2 — one of the problems PlayStation customers encountered — the business will miss out on those orders. Finally, 3DS2 isn’t a cure-all for fraud. If criminals have access to a victim’s phone or email account through account takeover fraud or a SIM swap, they can intercept and use 3DS2 verification codes to complete purchases.

Best Practices for Improving Fraud Prevention and CX

Businesses that opt to use 3DS2, or are required to do so, may be able to request exemptions in specific scenarios. These include, but aren’t limited to:

• Recurring transactions after the initial transaction through SCA: By performing authentication on the first transaction under SCA, or by migrating existing recurring transactions to exempt status, businesses can avoid the need for 3DS2 protocols on subsequent transactions.
• Low-value transactions: In the EU, orders totaling less than €30 can be exempted from 3DS2 requirements if the business flags the authentication or authorization message for the transaction. However, if the same customer places more than five low-value orders, or if they place a series of low-value orders whose value exceeds €100, 3DS2 requirements kick in again. In addition, the low-value transaction exemption also means the seller is liable in case of a chargeback.

Other exemptions may be available based on the business’ fraud rate, trusted beneficiary status with customers, and corporate card status.

Of course, 3DS2 isn’t the only tool for fighting CNP fraud. Businesses can reduce their fraud risk and maintain high-quality CX by taking a few key steps:

1. Send potentially fraudulent orders to expert review. Real-time advanced analysis can separate actual fraud from cases in which a good customer’s behavior raises flags, such as ordering an expensive gift while traveling or making a high-value cross-border purchase from a new store. This step prevents fraud and avoids false declines.
2. Keep customers updated on expert reviews. If an order requires an advanced review that will take longer than a few minutes, it’s possible to notify the customer that they’re order is pending so they don’t think the order got lost somehow. This can reduce the risk of order cancellation and customer churn while protecting against fraud.
3. Feed expert review results into fraud prevention machine learning. The more “edge cases” the antifraud algorithm has to learn from, the more accurate its pattern recognition becomes. Over time, this can reduce the number of orders that require expert review and improve confidence in fraud flagging.

Regardless of what specific steps a business takes to prevent fraud and improve CX, it’s wise to track fraud and false decline metrics. Ongoing review and analysis of fraud and decline data can help identify fraud attack trends and areas for improvement in fraud detection and CX. The result is a fraud program that reduces chargebacks and enhances CX over time.

Bruno Farinelli is an expert in biometrics and browsing behavior, and serves as senior director of operations and analytics at ClearSale, a fraud management and chargeback protection services company.