The Current Perks & Pitfalls of 3DS2 Adoption: How are Things Going?
Even after years of effort from card issuers, payment processors, businesses, and regulatory authorities, the problem of card-not-present fraud keeps getting worse.
From 2022 to 2023, CNP fraud grew by nearly 10%. Although CNP transactions are still just a fraction of overall card purchases, nearly three-quarters of all credit card fraud in 2023 occurred in the CNP environment.
Many solutions have been proposed over the years to try and tackle this problem. The latest upgrade to combat this issue, a protocol called 3-D Secure 2.0, or simply 3DS2, aimed to stop fraud by more precisely identifying users.
Now that 3DS2 has become mandatory in the EU, however, and is more commonly used in other places, some retailers are discovering a snag. The added security of 3DS2 might be a plus, but it also creates more hurdles for customers. In short, 3DS2 changes the equation, but doesn't necessarily solve the age-old dilemma of balancing security with the convenience that online businesses constantly grapple with.
Recommended reading
- What is Geolocation? A Key Anti-Fraud Tool for 2024
- What are Velocity Checks? How Do They Stop Fraud Attacks?
- ECI Indicators: How to Understand 3DS Response Codes
- Proxy Piercing: How Merchants Can Use it to Prevent Fraud
- The Top 10 Fraud Detection Tools You Need to Have in 2024
- Card Verification Values: What Are CVVs & How Do They Work?
Why Comply With 3DS2?
3DS2 is a robust set of security standards designed for strong customer authentication. The standards represent an update of older, preexisting 3-D Secure protocols.
Learn more about 3-D SecureCompliance with 3DS2 is an important part of the European payment security regulations known as PSD2. The intention is twofold; not only does it curtail fraud, it also smoothes out the customer experience, which was sometimes clunky and frustrating with the first version of 3DS.
The purpose of 3DS2 is to introduce real-time authentication steps for transactions that are considered risky by issuers. These measures often include biometrics, like facial recognition or fingerprint scanning, or codes sent through SMS or email. For businesses, an added perk of implementing 3DS2 is reducing chargeback liability for those particular transactions.
Improved Success Rates Since Adoption
The latest version of 3-D Secure authentication for online payments has seen a substantial uptick in global adoption. This is according to the newly-released Global Payment Regulation Report from Ravelin.
The report paints a promising picture, showcasing generally favorable authentication success rates. This is a marked improvement over previous versions of 3DS technology.
Additional updates to 3DS2 since the main rollout have further refined processes and removed friction. The report found that merchants in the UK and Ireland experienced 81% and 82% success rates with 3DS versions 2.1 and 2.2, respectively. Similarly high authentication rates have been observed around the world wherever 3DS2 has been introduced.
Merchants are Anxious About 3DS2
That all sounds great. However, there's a flip side that we need to consider as well.
A significant number of merchants remain skeptical about entering a new age of smoother authentication. The report cited above went on to state that many merchants voice “serious concerns” over the potential impact of the SCA protocol on conversion rates.
In the UK and Australia, 89% of respondents said they were “slightly concerned,” “concerned,” or “very concerned” about the influence of 3DS2 on conversion. This figure rises 93% in the US, and a whopping 97% in Germany and Spain.
Yet despite these worries, Ravelin's findings highlight consistent success in authenticating transactions via 3DS 2.1 and 2.2 worldwide. Moreover, over half of the transactions (climbing to over 60% in Europe) are described as frictionless. In other words, they’re authenticated without the customer needing to do anything directly.
The fact that 3DS authentication is now “on by default” for all online transactions in Europe puts pressure on companies. If European firms offer a subpar authentication experience, they run the risk of losing business.
Other Challenges Associated With 3DS2 Adoption
While 3DS2 aims to simplify secure transactions, it hasn't been without hitches. These hiccups directly affect businesses and customers. Sony PlayStation's website, for example, has a page dedicated to addressing authentication obstacles and payment declines. This page suggests a direct, yet highly inconvenient solution: contacting banks or card issuers.
Some luxury brands are also grappling with customer experience (CX) challenges. High-value orders often trigger additional authentication steps, sometimes leading to false declines. Luxury consumers, expecting perfection, are unforgiving and ready to take their business elsewhere if disappointed.
According to ClearSale's recent survey, 43% of shoppers spending over $400 monthly online on luxury goods had faced declines. Among them, 57% said they would avoid the website in question in the future. 61% would publicly criticize the experience. Higher than-average figures signify potential massive losses for upscale retailers.
3DS2 has further muddied international travel and hospitality payments. Adoption varies across countries, with different interpretations by businesses, banks, and card brands. This led to reservation issues and in-trip payment problems for travelers; a highly stressful scenario.
Other businesses face obstacles in deploying and using 3DS2. For instance, managing additional acquirers that can work with the protocols and dealing with missed authentication codes or challenge requests, like the issue PlayStation customers faced.
Lastly, 3DS2 isn't a foolproof defense against fraud. If criminals gain access to a victim's phone or email through account takeover fraud or a SIM swap, they can intercept 3DS2 verification codes. This would render 3DS2 verifications useless.
Best Practices Going Forward
3DS2 is a significant weapon against CNP fraud. However, it should not be one’s only line of defense. It should also not be deployed in every single case.
There are other strategies businesses can employ to mitigate risks while ensuring a superior customer experience (or “CX”). Examples include:
Ongoing Evaluation is Needed
Regardless of the measures you choose, regularly monitoring fraud and false decline statistics is essential.
To that end, regular analysis can spotlight evolving fraud patterns and pinpoint areas ripe for enhancement in fraud prevention and CX. This will pave the way for a system that steadily diminishes chargebacks and continually refines the customer experience.
3DS2 has been available for some time, but we’re still in the early stages of adoption. As time passes, it will be crucial to continue evaluating, and attempting to detect and address new roadblocks as they become apparent.