EMV 3DS: Why 2020 Is Different

eCommerce credit card dispute

“Never buy a couch without consulting your spouse.” It’s timeless advice, but PAAY Chief Technical Officer Adam Gluck told Karen Webster that a friend of his recently failed to heed it.

A new couch arrived, and the man’s wife took one look at it and told him to “get that ugly thing” off her porch and send it back to wherever it came from.

Gluck said that presented his friend with an interesting moral dilemma. If the man initiated a return, he was on the hook for a 20 percent restocking fee. But if the man called his card issuer and pretended the order was never his and that his card had been misused fraudulently, he wouldn’t owe the fee.

 

Gluck said his buddy probably didn’t see such potential “friendly fraud” as real fraud.

“In his mind, he wasn’t trying to steal the couch; he was trying to return it without incurring the restocking fee,” he said. “Now, is that bad behavior? Yes. Is it purposefully trying to steal a couch? Not quite. But it is a form of friendly fraud.”

The story neatly illustrates how tricky fighting friendly fraud can be for merchants, Gluck said, particularly those who’ve made massive pivots online because of the pandemic and are dealing with the problem for the first time.

He said friendly fraud is hard to spot, nearly impossible to predict and expensive for retailers not only in terms of lost goods and revenue but in terms of their merchant risk scores. Get too many chargebacks in a month, and merchants quickly find they’re treated “quite poorly” by acquirers and issuers until they get chargeback ratios under control, he said.

But Gluck said that while merchants had been hesitant to embrace 3D Secure (3DS) because of the friction early versions of the system added to eCommerce, the technology’s latest variation has solved a lot of those problems. He said 3DS can now create the friendly fraud firewall that the bulk of the digitizing marketplace needs, so it’s likely to become a standard part of the eCommerce ecosystem.

The Changing Landscape Of Need

Gluck said digitally-native firms that were already eCommerce-based pre-pandemic were generally well situated to deal with the great upswing in sales volume — and fraud attempts — that COVID-19 has brought. Such companies already had lots of fraud-fighting processes in place to repel the uptick in fraud attempts of all kinds, friendly included.

“If you are a merchant that does business with the same consumer set every week because you’re the local dry cleaner and you have the same consumers for over 20 years, it is very unlikely they are going to start running fraud scams on you,” he said. “[And] if you’re an Amazon or an Uber, you have some pretty sophisticated mechanisms in place to be sure of that customer. That leaves a pretty big sweet spot of mid- and smaller merchants that do need a tool to fend off friendly fraudsters.”

But two other groups need more help, Gluck said. The first are brick-and-mortar players that have made a big shift to either go online for the first time or have upgraded their digital services. The second group consists of B2B players that have suddenly seen their traditional sales channels hit hard — for example, because they supply struggling restaurants or hotels — and are attempting to sell direct to consumers instead.

Gluck said he sees 3DS as appealing to both.

The original version of 3DS didn’t work for many merchants because it was friction-filled and tended to encourage cart abandonment, he said. In this original version of 3DS, when a merchant looked to the issuer to confirm a consumer’s identity, the issuer sent a pop-up back to the consumer that removed them from the merchant page onto something that looked entirely different to answer identity confirming questions. Not only did that not make customers feel safer, it actually made lots of consumers think a fraudster had intercepted them and taken them off site.

But the new 3DS doesn’t do that, Gluck said. The issuer does all of the consumer verification steps on the back end and reports back to the merchant in a few seconds as to whether to authorize a transaction or not.

“It’s a way for a merchant to protect themselves against bad behavior by the consumer,” he said. “And I think for that reason, it’s a good tool. It’s also a practical way to offer the merchant protection. Additionally, the new version of 3DS provides more information, which enables issuers to authorize more good transactions.”

Moving Toward A Standard

Gluck said that modern 3DS is moving quickly toward adoption outside of the U.S. For instance, the European Union will require it by year’s end, while places like Australia are adopting it quickly as well.

He said he thinks that global pressure will also promote adoption in some U.S. segments that are currently lagging. For instance, large merchants who want to do business in Europe will have to start offering 3DS to take payments.

And as 3DS adoption moves forward, the system has the potential for changing the security dynamic and understanding of card present versus card not present transactions.

For instance, he noted that when American merchants adopted contactless chip systems, “they didn’t adopt chip and pin — it was signature and chip. Now it’s chip and not even signature, according to the big brand rules. That means as a merchant, you know that the card is a valid card, but you don’t know if that person who is using it is actually the person that’s allowed to use it. As you look to 3DS, there is the opportunity to also know the user. That means it is possible for there to be a shift for 3DS transactions to become the secure and safe method while face-to-face EMV without a pin becomes the questionable mechanism.”

Gluck said he doesn’t know how likely it is that we’ll see that shift in security perspective. But in a year that has seen so many sudden shifts — and in some cases unlikely ones — he said he wouldn’t count it out, either.