EMV 3DS: Closing The Card Present/Card-Not-Present Auth Rate Gap

Selling an EMV 3DS (also referred to as 3DS 2.0) product to merchants hasn’t always been smooth sailing. When PAAY, a software-as-a-service  company that protects merchants from fraud and increases authorization rates first started offering EMV 3DS, it had to do a lot in educating potential clients in the face of many saying: “We don’t want to hear about this.” But Co-Founder and CEO Yitz Mendlowitz told Karen Webster in a recent conversation on 3-D Secure 2.0 that’s not the case much anymore.

After all, COVID-19 brought digital commerce to the forefront and forced almost every merchant on earth to pursue a digital-first strategy to stay alive.

“Prior to COVID-19, we were telling people that over the next five years, remote-commerce, card-not-present transactions will exceed in-store, card-present transactions,” Mendlowitz said. But the pandemic has accelerated that shift “by several years easily.”

For instance, Mendlowitz noted that Mastercard said on its recent earnings call that more than 50 percent of April transactions were card not present (CNP) or contactless — a 40 percent increase from the year earlier.

He said such transactions had been growing by single-digit percentages before but suddenly accelerated as consumers jumped online and on mobile to run their lives and merchants that had been entirely or nearly entirely brick-and-mortar reconfigured their offerings.

However, retailers also suddenly found that fighting off fraudsters in the digital CNP space isn’t quite the same as fighting loss in physical stores. But Mendlowitz said with 3DS 2.0, the odds of beating the bad guys are moving in retailers’ favor.

“I think we’ll finally start seeing merchants winning out on this,” he said. “The onus for them will be that they won’t have to worry about paying and spending significantly on trying to prevent fraud and instead can focus on building out their business [and] all the other things that they typically would have to invest in. Fraud prevention should never be a problem that the merchants have to worry about.”

The Challenge With Card-Not-Present Transactions 

Mendlowitz said that when card networks were originally creating security protocols and rules of the road for liability and card use, CNP transactions were barely part of the equation. The goal was mostly to discourage merchants from doing CNP at all — with higher interchange rates and full liability for all fraudulent transactions.

But then the era of eCommerce rolled around and CNP became much less of a rarity. Still, merchants found they faced two problems.

First, they were wholly liable for all CNP chargebacks. Second, retailers’ acceptance rates plummeted from about 98 percent in-store to as low as 85 or 90 percent online.

Mendlowitz said that’s because card-payment rails weren’t originally intended for an eCommerce world. The original version of 3DS was an attempt to solve some of those fraud woes, and helped make the first liability shift.

However, he noted, that didn’t do anything to fix the authorization problem even as the digital commerce playing field grew to include a whole host of new and very different players.

He said eCommerce “has expanded to mobile, to voice-activated transactions to the Internet of Things. There are so many different types of card-not-present environments that merchants and consumers are using for payments that we’ve realized we have to rethink about how we power all of this.”

Instead of trying to rebuild all of the authorization rails, 3DS 2.0 is a new way to facilitate passing all of the information issuers need to determine in real time if a transaction is legitimate. Perhaps more importantly, the historically “not-so-smart” authorization process is designed to recognize that a 3DS 2.0 transaction has happened and increase the authorization rates accordingly, Mendlowitz said.

And the liability shift is the big win for merchants — especially against things like friendly fraud that retailers are almost powerless to challenge without 3DS 2.0. The trouble with friendly fraud, Mendlowitz explained, is that at the merchant level, it is nearly impossible to spot friendly fraud ahead of time because there is nothing wrong with the transaction. It requires an issuer to be able to push back when a consumer falsely reports they didn’t make a charge, and with 3DS 2.0 data they can do exactly that.

“If you can give issuers better tools to combat friendly fraud, it would take away a huge burden and cost for merchants. For some of these merchants’ friendly fraud can ultimately end up costing them a crazy amount. I’ve seen said where it can be as high as 20 to 30 percent of their bottom line,” he said.

The Path Forward  

Mendlowitz does not doubt that EMV 3DS will become an industry standard. It’s already a requirement of the E.U.’s Payment Service Directive 2 (PSD2), meaning any merchant who wants to transact in the European Union needs to be ready with EMV 3DS by Jan. 1, 2021. The card networks have also confirmed that 3DS 2.0 will be mandatory worldwide on their networks for issuers this fall.

But he said the gateways and processors still have work to do in getting 3DS 2.0 certified and ready. That means there’s still some integration work to come.

But come it will, even if specific deadline dates are still liable to change as an effect of COVID-19. Mendlowitz expects the E.U. to push back PSD2’s Jan. 1 deadline by about six months as a result of the pandemic, but the rule will eventually go into effect — and bring lots of change.

He said firms that trade on fighting fraud for merchants (and insuring them against losses in cases where they fail) would likely turn their attention to issuers. More generally, 3DS 2.0 is just a piece of a lot of innovations pushed forward of late, Mendlowitz said.

Taken together, the changes indicate that digital commerce and the mobile frontier aren’t the eCommerce Wild West, nor an ad hoc extension of physical commerce.

“I think the landscape is changing a lot with the creation of a lot of different protocols — 3DS 2.0, secure remote commerce, click to pay, tokenization,” Mendlowitz said. “It is similar to how back in the brick-and-mortar world, the industry [built] around card-present terminals. We’re finally starting to have great protocols around the infrastructure for remote commerce — and that will change and improve the landscape tremendously.”