3DS2 Helps Merchants Shift Chargeback Liability

For merchants who until 2020 were mostly conducting business in the physical world, online fraud wasn’t a top-of-mind concern.

But with the digital shift that has happened at a warp speed over the last year or so, companies in various verticals have had to learn on the fly that fraud is a massive issue, as they are liable for it when sales happen online.

The education has been a tough one, and the solution is addressable with the right technology. As PAAY CEO Yitz Mendlowitz told Karen Webster, it’s an issue that requires hitting the right balance between growing an online business and what he sees as a growing number of merchants seeing an increase in declined transactions.

“As soon as they pivot to online, even if everything about the transaction stays the same, it’s the same merchant accounts, selling the same items, to the same card holder, using the same card,” Mendlowitz said. “The only difference was instead of it being an in-store card, the present transaction now shifted to eCommerce, and those conversion rates can drop by 20 percent.”

But loosening up to let more transactions through is unappealing to merchants who on balance are more focused on preventing fraud than protecting conversions, he said. As top of mind as conversions are to every merchant, fraud can end up costing them staggering amounts at best, and it can risk their merchant accounts being shut down if they log too many chargebacks at worst.

These problems are addressable with the right tools, he said, notably the multifactor authentication protocol 3D Secure, V.2 (3DS2). But helping merchants trust it enough to invest in it after a less-than-stellar experience with 3DS V.1 has been a tough sell.

“There’s a lot of education for a lot of merchants, especially with the original version of 3DS,” Mendlowitz explained. “It caused a ton of friction at checkout. There is some reeducation that’s required. But what our goal is now is to try to push the adoption of this and educate merchants that there are tools out there that they could use to really level the playing field.”

Building Modern Rails

The problem with card-not-present (CNP) rails, Mendlowitz said, is that payment rails built 50 or 60 years ago weren’t really made to accommodate them. There was no reason to integrate them as CNP transactions represented a small percentage of the total. The digital age and the era of online shopping changed that, but for all intents and purposes, the rails the funds were running didn’t adapt along with the times.

“The authorization rails that are being used are — let’s call it for lack of a better term — ‘dumb rails,’” he said. “There’s not a whole lot of information you could pass through on them in a transaction. We’re doing payments in environments we never could have imagined 50, 60 years ago. Card-not-present is going to surpass card present. Instead of trying to fit a square peg into a round hole, let’s create a new infrastructure for remote commerce.”

3DS2 creates smarter rails for eCommerce payments that make it possible for merchants to pass data to issuers. The issuers, in turn, can make more informed decisions in terms of whether to approve the payment or not. It makes it possible to take identification, device location and IP address to do device fingerprinting. The more information the merchant shares, Mendolowitz said, the more the issuers’ authentication traits will rise until “eventually the only ones they are stopping are the bad actors.”

Moreover, he said, by handing liability off to the issuers, merchants get out of the unpleasant world of chargeback disputes, which according to PYMNTS data, leaves 27 percent of consumers with a negative perception of the merchant regardless of the outcome.

The eventual goal, he said, is that issuers armed with data can start pushing back on the friendly fraud side, observing that the contested transaction was bought from a familiar merchant on an associated device with an often-used card. With enough of a digital profile on a card holder, there is a lot issuers can do to stop friendly fraud from happening.

New Integrations Required

The change-over toward the more future-oriented rails isn’t going to happen overnight, Mendolwitz said, although it might be better if it did. It was in September that issuers were forced to adopt 3DS2, meaning from here on out, it is going to be about bringing merchants on. The integration process isn’t incredibly complex, but it will require merchants integrated with a 3DS server. PAAY’s server is JavaScript SDK, which allows for the passing of information to the issuer in real time.

The move to 3DS2, he said, is taking place in the context of a wider shift to remote commerce of all kinds. It’s a shift that was already happening long before there was a global pandemic. Everything merchants are being moved to do today is something they were likely going to have to do someday anyway. It’s just that with the advent of COVID-19, someday showed up much faster than anyone was anticipating a year ago.

“It’s not going to be quick, but COVID has changed a lot of things,” he said. “But for as long as we’re doing way more in the contactless environment and merchants are scrambling to stay a step ahead of fraud, I do think we’ll see a nice jump on it. I think this has become the norm. And it forced a lot of merchants who would have eventually had to do it anyway to just accelerate that time for them to do it.”