Balancing conversion and fraud risk with 3D Secure

3D Secure (3DS) offers an additional layer of security to reduce fraud in online card-not-present transactions, where the cardholder cannot offer a signature or chip & pin verification. The "3D" term refers to fact that all three domains of card payments are involved in the scheme: the merchant’s acquiring bank, the cardholder’s issuing bank and the card network (e.g. Visa or Mastercard) - read more about this here.

The first 3DS scheme (Verified by Visa) was set up by Visa US in 2001, soon followed by respective security protocols from Mastercard (SecureCode) and American Express (SafeKey). Visa and Mastercard’s 3DS schemes are deployed in over 100 countries and widely used in Europe and Asia-Pacific countries, where they are sometimes mandated. For example, 3DS is required in the online gaming industry in Japan, for ecommerce purchases in Italy, all Maestro debit cards across Europe and all ecommerce transactions in India. Although 3DS has its origins in the United States, adoption by US merchants is still in its infancy. This, however, is expected to change as US retailers begin their transition to EMV (chip & pin), shifting more fraud attempts to online channels.

3DS generally requires cardholders to enter a static password for authenticating an online card payment, although authentication methods vary between regions and card issuers and some require dynamic passwords or physical card readers. This offers an additional layer of security and evidence of identification.

For merchants, 3DS offers value by reducing chargebacks, and more importantly, shifting chargeback liability to the acquiring bank. Without 3DS, merchants risk losing the full payment, any goods delivered and a chargeback fee if a customer later claims that they did not make the purchase. However, should a card payment through 3DS prove fraudulent, the security protocol is considered to have failed the merchant and card issuers will generally issue a refund.

3D Secure: a conversion killer?

This liability shift comes at a cost: on top of the fees card issuers charge for additional authentication (and for picking up the bill when a chargeback comes through), 3DS represents an additional and highly taxing step in the checkout process that can lead to an increased number of shoppers abandoning potential purchases. Just try a quick search on Twitter for terms like "3D Secure" and "Verified by Visa" to get an idea of the frustration caused by usability issues and lack of customer education with 3DS.

Online retailers can reduce cart abandonment to some extent by advising customers that they will be asked to verify their card after checkout, with additional information for customers unaware of 3DS. Integrating 3DS into the checkout process instead of redirecting the customer to an unbranded (and unexpected) verification page can also reduce concerns over authenticity. However, these options are limited for mobile payments.

Some of the key factors that determine how 3DS will affect your conversion rate include:

• Consumer choice: customers will put up with 3DS if they have no choice but to buy on your platform and conversely, are more likely to abandon their cart and buy elsewhere if they have the choice. For example, in ticketing, 3DS has a significantly more negative impact on event ticket resale platforms than train ticket providers.
• Average transaction value (ATV): customers making a higher value purchase are less likely to turn away when asked to complete an additional step for security and 3DS can enhance the perceived trustworthiness of the merchant. Low-ATV sales are likely to see a negative impact on conversion from 3DS, as customers value convenience over security.
• Geography: the effects of 3DS on conversion vary greatly between markets. While only 16.6% of card-not-present transactions in Spain go through 3DS, this figure is as high as 81.8% in Belgium and customer awareness of 3DS varies similarly. 3DS has even showed a net positive result for conversion in Russia, India and the UK.
• Proportion of desktop to mobile purchases: 3DS functionality is still patchy at best across mobile devices and conversion rates are likely to suffer significantly when a large share of your transactions are made on mobile.

For more factors to consider when choosing to implement 3DS, see the chapter on choosing the right fraud prevention strategy for your business.

Dynamic 3D Secure

While merchants have traditionally held a binary view of 3DS, either adopting it across all transactions or not at all, a dynamic implementation where you enforce or skip 3DS on a case-by-case basis is usually the best way to find a balance between managing fraud risk and optimising conversion.

The most basic approach to dynamic 3DS is based on rules. Some merchants opt for a rules engine provided by their payment service provider (PSP), and others choose to build their own (see our guide to choosing a fraud solution for more about the merits of using your PSP for fraud protection). The most appropriate rule base will be unique to your business, but will likely include parameters such as the transaction value, transaction currency, billing and shipping country, match between billing and address data and card velocity (how many attempted payments are made in a day with a card). Many merchants also decide to only enforce 3DS on the first purchase made by a new customer and disable it on future purchases once they are confirmed as genuine.

The rules-based approach can be a good way to assess the impact of 3DS on your conversion before implementing more advanced tools. Although better than nothing, it is a simplistic way to reduce fraud risk that carries a high risk of turning away legitimate customers. Rules are also easy to figure out and this method is no match for today’s sophisticated fraudsters. A growing business that relies on card-not-present transactions will require a smarter scoring method.

The most effective use of 3DS is to automate 3DS for certain risk profiles, using a fraud-scoring system that can route certain users with a specified risk score through 3DS using an automated API callback.

Smarter fraud protection

Technically-leading fraud scoring engines (such as Ravelin) directly integrate with a client’s websites and applications to get a real-time feed of customer data. From this they monitor user behavior looking for patterns of known fraud, and provide the client with a probabilistic score of the likelihood of that customer being fraudulent. Ravelin has built machine learning models to provide these scores and a dashboard to explain on a per user basis how these scores were created.

The decision to accept, reject, or review a customer is determined by the client’s own risk thresholds. Using fraud scores, you can automate dynamic 3DS to block high risk transactions (e.g. above 50% fraud probability), while sending medium risk transactions (e.g. 10–50% fraud probability) through 3DS and removing unnecessary friction for low-risk customers. This decision to refer a user to 3DS is handled through an API callback and can be invoked in microseconds. This means only riskier clients are referred to an additional step and it is done with minimal interruption to the buying process. The conversion risk therefore is confined only to a small subset of customers and transactions.

To learn more about PSD2 and SCA visit our insights page.