"Who hates 3-D Secure more: fraudsters or your marketing team?"
3-D Secure (3DS) is a controversial security protocol designed to authenticate online ‘card-not-present’ transactions. While it allows merchants to reduce fraud and shift chargeback liability to the issuing bank, many have called it a conversion ‘killer’, since 3DS represents an additional, highly taxing (and often unexpected) step in the transaction process. Even customers used to it will likely not remember their password, and many will have to reset it to complete a purchase. Just try a quick search on Twitter to get an idea of the frustration caused by 3DS schemes like Verified By Visa and Mastercard’s SecureCode.
Adoption and customer awareness of 3DS is highly patchy across markets. While 3DS is mandated to some extent in certain parts of the world, including India, Italy and Japan, it is basically unheard of in the US, where it first originated (although this is expected to change as US retailers begin their transition to EMV, shifting more fraud attempts to online channels). Authentication methods also vary between regions and issuers: 3DS generally requires cardholders to enter a static password to authenticate an online card payment, but some issuers require dynamic passwords or even physical card readers. While it is becoming more reliable on desktop browsers, 3DS is still unreliable across mobile devices, especially for in-app purchases, and Ravelin therefore recommends that its clients turn off 3DS entirely on mobile devices.
With these risks in mind, an increasing number of merchants have looked to a dynamic implementation of 3DS as a way of finding a more acceptable balance between fraud risk and conversion.
Dynamic 3-D Secure
The most basic approach to dynamic 3DS involves using a rules engine (either provided by your PSP or built in-house) to enforce 3DS for high-risk transactions and skip it for transactions deemed to have a low risk of chargeback. The most appropriate rule base will be unique to your business, but will likely include parameters such as the transaction value, transaction currency, billing and shipping country, whether the billing and shipping address data match, and card velocity - see the Ravelin Fraud Academy for more information.
Although rules can be a good way to assess the impact of 3DS on your conversion before implementing more advanced tools, your decisions with dynamic 3DS will only be as good as the estimates of risk they are based on. Rules alone are easy for today’s sophisticated fraudsters to figure out (resulting in false negatives) and carry a high risk of catching legitimate customers (resulting in false positives). A growing business that relies on card-not-present transactions will therefore need a smarter scoring method that gives you the full confidence to switch off 3DS for the majority of your transactions.
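To make the rules-engine approach concrete, here is an added example (written for this post, not Ravelin’s or any PSP’s code) of a small in-house engine that applies the parameters listed above: transaction value, currency, billing/shipping country and card velocity over a sliding window. The thresholds, the placeholder country code "ZZ", the tokenised card reference and the sample transactions are all constructed assumptions; a real deployment would tune every one of them against its own chargeback data.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional


@dataclass
class Transaction:
    """One card-not-present payment attempt (the fields the post lists)."""
    card_token: str          # tokenised card reference from the PSP, never the PAN
    amount: float            # in major units of `currency`
    currency: str            # ISO 4217 code
    billing_country: str     # ISO 3166-1 alpha-2
    shipping_country: str
    timestamp: datetime


@dataclass(frozen=True)
class RuleConfig:
    """Hypothetical thresholds; every real deployment tunes its own."""
    max_frictionless_amount: float = 150.0
    low_risk_currencies: frozenset = frozenset({"GBP", "EUR", "USD"})
    high_risk_countries: frozenset = frozenset({"ZZ"})   # placeholder, not a real country code
    velocity_window: timedelta = timedelta(hours=24)
    max_velocity: int = 3    # earlier attempts on the same card inside the window


class Dynamic3DSRules:
    """Decides per transaction whether to enforce 3DS, and records which rules fired."""

    def __init__(self, config: Optional[RuleConfig] = None) -> None:
        self.config = config or RuleConfig()
        # card token -> timestamps of attempts seen so far, oldest first
        self._history: Dict[str, Deque[datetime]] = defaultdict(deque)

    def _card_velocity(self, tx: Transaction) -> int:
        """Count earlier attempts on this card inside the sliding window.

        Attempts must be fed in chronological order for the popleft() below
        to be correct; an out-of-order feed would need a sorted structure.
        """
        seen = self._history[tx.card_token]
        cutoff = tx.timestamp - self.config.velocity_window
        while seen and seen[0] < cutoff:
            seen.popleft()
        return len(seen)

    def evaluate(self, tx: Transaction) -> List[str]:
        """Return the rules that fired; an empty list means skip 3DS."""
        cfg = self.config
        reasons: List[str] = []
        if tx.amount > cfg.max_frictionless_amount:
            reasons.append(f"amount {tx.amount:.2f} exceeds {cfg.max_frictionless_amount:.2f}")
        if tx.currency not in cfg.low_risk_currencies:
            reasons.append(f"currency {tx.currency} outside low-risk list")
        if tx.billing_country != tx.shipping_country:
            reasons.append("billing and shipping country differ")
        if {tx.billing_country, tx.shipping_country} & cfg.high_risk_countries:
            reasons.append("high-risk country")
        velocity = self._card_velocity(tx)
        if velocity >= cfg.max_velocity:
            reasons.append(f"{velocity} prior attempts on card within window")
        # record this attempt only after scoring, so it does not count against itself
        self._history[tx.card_token].append(tx.timestamp)
        return reasons

    def requires_3ds(self, tx: Transaction) -> bool:
        return bool(self.evaluate(tx))


if __name__ == "__main__":
    engine = Dynamic3DSRules()
    t0 = datetime(2016, 1, 1, 12, 0)
    # constructed sample attempts: a clean purchase, a large one, and a country mismatch
    samples = [
        Transaction("tok-A", 40.0, "GBP", "GB", "GB", t0),
        Transaction("tok-A", 500.0, "GBP", "GB", "GB", t0 + timedelta(minutes=5)),
        Transaction("tok-B", 20.0, "EUR", "DE", "FR", t0),
    ]
    for tx in samples:
        print(tx.card_token, tx.amount, engine.evaluate(tx) or "frictionless")
```

Returning the list of fired rules rather than a bare boolean is deliberate: it is what lets you measure, per rule, how many legitimate customers each one pushes into 3DS, which is exactly the false-positive cost the paragraph above warns about.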
Smarter fraud protection
3DS is most effective when automated for certain risk profiles, using a fraud-scoring system that can route users with a specified risk score through 3DS using an automated API callback. Advanced fraud scoring engines (such as Ravelin) directly integrate with a client’s websites and applications to get a real-time feed of customer data. From this they monitor user behaviour looking for patterns of known fraud, and provide the client with a probabilistic score of the likelihood of that customer being fraudulent.
Ravelin uses a combination of machine learning algorithms, graph network analysis and business rules to provide a highly accurate score for each user, expressed as a percentage probability of that customer committing fraud. The decision to accept, reject, or review a customer is then determined by your own risk thresholds to find the most effective balance between fraud risk and conversion for your business.
The decision to refer a user to 3DS is handled through an API callback and can be invoked in milliseconds. This means only riskier customers are referred to an additional step, and it is done with minimal interruption to the buying process. The conversion risk is therefore confined to a small subset of customers and transactions.
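The following is an added example, not Ravelin’s API or code, of the threshold logic that turns a percentage fraud probability into an accept / challenge / review / reject decision and into the instruction a scoring callback would hand back to the PSP. The threshold values, the `gateway_instruction` payload shape, the `channel` argument and the list of sample scores are all constructed assumptions; the one design choice taken from the post is that the middle risk band on mobile goes to manual review rather than a 3DS challenge, since the post recommends leaving 3DS off on mobile.

```python
from collections import Counter
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable


class Action(Enum):
    ACCEPT = "accept"        # frictionless: skip 3DS
    CHALLENGE = "challenge"  # route the payment through 3DS at the PSP
    REVIEW = "review"        # hold for manual review
    REJECT = "reject"        # decline outright


@dataclass(frozen=True)
class Thresholds:
    """Hypothetical cut-offs on a 0..1 fraud probability; tune per business."""
    challenge_from: float   # score >= this -> CHALLENGE (REVIEW on mobile)
    reject_from: float      # score >= this -> REJECT

    def __post_init__(self) -> None:
        if not (0.0 <= self.challenge_from < self.reject_from <= 1.0):
            raise ValueError("need 0 <= challenge_from < reject_from <= 1")


def route(score: float, thresholds: Thresholds, channel: str = "web") -> Action:
    """Map one transaction's fraud probability to an action.

    `channel` is "web" or "mobile". Assumption: with 3DS switched off on
    mobile, the middle band there goes to manual review instead of a challenge.
    """
    if not 0.0 <= score <= 1.0:
        raise ValueError(f"score {score} outside [0, 1]")
    if score >= thresholds.reject_from:
        return Action.REJECT
    if score >= thresholds.challenge_from:
        return Action.REVIEW if channel == "mobile" else Action.CHALLENGE
    return Action.ACCEPT


def gateway_instruction(action: Action) -> Dict[str, object]:
    """Hypothetical payload the scoring callback returns to the PSP."""
    return {
        "authorise": action in (Action.ACCEPT, Action.CHALLENGE),
        "require_3ds": action is Action.CHALLENGE,
        "hold_for_review": action is Action.REVIEW,
    }


def action_mix(scores: Iterable[float], thresholds: Thresholds,
               channel: str = "web") -> Dict[Action, int]:
    """Count how a batch of scored transactions would be routed."""
    return Counter(route(s, thresholds, channel) for s in scores)


def friction_rate(scores: Iterable[float], thresholds: Thresholds,
                  channel: str = "web") -> float:
    """Share of transactions that do not go through frictionlessly."""
    counts = action_mix(scores, thresholds, channel)
    total = sum(counts.values())
    return 0.0 if total == 0 else 1.0 - counts.get(Action.ACCEPT, 0) / total


# constructed sample of 20 fraud probabilities, not real scores
SAMPLE_SCORES = [0.01, 0.02, 0.03, 0.05, 0.05, 0.08, 0.10, 0.12, 0.15, 0.20,
                 0.25, 0.30, 0.35, 0.40, 0.55, 0.65, 0.75, 0.85, 0.92, 0.99]


if __name__ == "__main__":
    th = Thresholds(challenge_from=0.5, reject_from=0.9)
    for channel in ("web", "mobile"):
        mix = action_mix(SAMPLE_SCORES, th, channel)
        print(channel, {a.value: n for a, n in mix.items()},
              f"friction={friction_rate(SAMPLE_SCORES, th, channel):.0%}")
    print(gateway_instruction(route(0.6, th)))
```

Running `action_mix` over a day's scores before you change a threshold is the practical check: it tells you what fraction of customers you are about to push into 3DS, which is the conversion cost the post asks you to weigh against the fraud risk.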
For more tips, see the Ravelin Fraud Academy chapter on balancing conversion and fraud risk with 3-D Secure, or get in touch with one of our fraud experts today.