Kount: Meeting 3DS 2.0 standards should not replace a fraud prevention strategy

As the implementation date for EMVCo’s new Three-Domain Secure protocol (3DS 2.0) nears and merchants work to implement the proper updates, now is the time for digital commerce companies to consider their holistic fraud prevention solution. Tricia Phillips, senior vice president of product and strategy at Kount, says that despite 3DS 2.0’s fraud prevention implications, relying on this protocol alone is not enough to protect merchants.

3DS 2.0 was established to give merchants and issuers a way to authenticate cardholders as they shop online. The latest updates to 3DS 2.0 specifications were released in December 2018, creating a relatively short turnaround for the implementation deadline of April 12 this year. Further, merchants must also be mindful of the regulatory obligations under the second Payment Services Directive (PSD2).

“PSD2 is actually causing a lot more anxiety than 3DS 2.0. PSD2 is closely aligned to 3DS 2.0 because PSD2 requires strong customer authentication, and 3DS 2.0 can bolster that in a payment event,” says Phillips.

Merchants need to ensure integration to the updated protocol is complete and that they are passing on all relevant information such as email addresses and device information. The volume of information required may surprise some merchants as well as issuers.

“Many merchants, particularly in the EU, don’t host their own payment page, and so they are reliant on their payment service provider (PSP) to perform that integration,” says Phillips. “The most important thing is for merchants to talk to their PSP and find out what their timeline is for supporting 3DS 2.0. Merchants need to determine where there may be gaps in the data that is available on the payment page and verify that the data that is being requested is within the 3DS 2.0 protocol.”

In a report published in December 2018, the European Council of Payments suggested 3DS as the first method for control and mitigation of payment fraud. However, according to Phillips, there has been an overreliance on 3DS 2.0 as a sole method of fraud prevention.

“Even within the card brands that are covered, 3DS 2.0 only applies to certain reason codes. A consumer can charge back a transaction which results in lost merchandise, lost revenue, and fines for a lot of different reasons,” said Phillips. She adds that the new protocol only applies to fraud reason codes, so if a consumer claims a chargeback because they say they didn’t receive an item when they did, that code isn’t captured.

In addition, relying fully on 3DS 2.0 does not stop chargebacks from counting against the merchant. This can pose additional difficulties for merchants regarding Visa and Mastercard fraud monitoring programs.

“Visa and Mastercard have specific high fraud programs for merchants. If there is a merchant who is using 3DS 2.0, they may be under a fraud attack but because they are using 3D secure alone, they don’t know it,” says Phillips. “The issuer is taking those losses, those chargebacks are being suppressed, and the merchant has no idea that there is a problem until they get notifications from their acquirer that they have exceeded fraud thresholds. As a result, they are placed on a Visa or Mastercard high fraud rate program.”

Those types of programs can come with significant fines and can result in the merchant losing the ability to accept Visa or Mastercard as a payment method.

“If a merchant doesn’t have a fraud prevention system, they are completely blind to all the fraudulent activity that gets suppressed,” adds Phillips.

Further, merchants must also be aware of the potential fraud in other forms of payment. Phillips explains that 3DS 2.0 applies to major credit cards, but not to digital wallets, direct debits, and other emerging payment methods. These payment types could become even more attractive to fraudsters.

Fraud prevention solutions such as Kount can help merchants mitigate their risk of fraud and stop chargebacks. 3DS 2.0 and PSD2 potentially create more steps for consumers, so it becomes even more essential that fraud prevention solutions are frictionless and protect the customer experience. Passing up fraud prevention options altogether in favor of the new protocols alone leaves a merchant susceptible to negative consequences.
