By Galit Shani-Michel, VP Payments, Forter
3DS is often a source of mystery for digital commerce companies and even for many payments professionals. The friction and frustrations of 3DS1 left many online merchants with a bad impression, which was not alleviated when 3DS2 was, to a great extent, swallowed up by the larger conversation around Europe’s adoption of PSD2.
The result is that many experienced payments experts still lack clarity around 3DS, how it works, and the impact it can have on online businesses. This matters because opting out of 3DS entirely can represent a huge missed opportunity for a business — while, on the other hand, implementing 3DS ineffectively can negatively impact issuer authorization and customer experience.
There are six key myths that cause the most confusion around 3DS. Once payments professionals understand the reality behind these myths, they can make informed decisions about what works best for their business.
Myth #1: 3DS authentication = Bank authorization
Payments professionals often think of transaction journeys as divided between pre-auth, auth, and post-auth. That’s a pragmatic division, but it obfuscates the layers. When 3DS is in use, both 3DS authentication and bank authorization happen within the auth stage, but they remain entirely separate processes.
Why does it matter? For two reasons:
- Combining the two processes means that payments teams often don’t know which transactions fail due to 3DS and which fail due to bank authorization issues. This is problematic because that information is vital for understanding your decline rate and for improving it.
- While authorization is fairly consistent between banks (each will check elements like whether the account exists, has enough money in it for the transaction, that the billing address matches the one on file, and so on), different banks have very different attitudes towards 3DS, which leads us to Myth #2.
Myth #2: Banks all treat 3DS the same way
The lack of consensus around 3DS isn’t limited to merchants. Banks have equally diverse opinions about it and how best to handle it.
- Some banks actively prefer transactions that use 3DS, viewing it as a reliable, legitimate indicator.
- Some banks actively penalize transactions that use 3DS on the logic that merchants wouldn’t be using 3DS in the first place if there weren’t something suspicious about the transaction to start with.
- Some banks are reluctant to accept transactions that use 3DS because of the liability shift involved; the fraud risk moves from the merchant to the issuing bank.
- Some banks have complex models or rules in place to adapt policies around 3DS to elements within the transaction.
It’s challenging for many merchants to accept the variety of bank responses — it isn’t a “one size fits all” scenario. The fact is, though, that tailoring your 3DS policy to the preferences and policies of the issuing bank involved can significantly impact increasing conversions.
Merchants who work through a trusted partner that tracks banks’ reactions to 3DS and tailor accordingly often find notable uplift at the bank authorization stage — something that has a measurable impact on the overall approval rate. That’s great for revenue and improving customer experience — which takes us to Myth #3.
Myth #3: Frictionless 3DS means no friction for customers
The old 3DS1 was notorious for friction. The little box of Verified by Visa or SecureCode, which popped up demanding an impossible-to-remember password, was the bane of smooth payments experiences for years. 3DS2 is a different story. There is a version that involves friction — typically in the form of a one-time password or code (OTP) — but there’s also a frictionless flow.
Frictionless 3DS comes into play when a known user — same card, same device, same details — is back at a merchant where they’ve shopped. Since all the factors are low risk, 3DS can bypass the authentication challenge, meaning the end-user doesn’t even know that 3DS was involved in the transaction.
But, since some banks actively dislike 3DS regardless of circumstances, some customers will unnecessarily be declined purely because the merchant opted for frictionless 3DS. There is no worse experience than the friction of a false decline.
Myth #4: You can flip a switch and safely send all transactions to 3DS
Frictionless 3DS sounds great for customer experience, which is why some merchants consider turning on 3DS as a default for all cases where 3DS can be frictionless. The logic is that liability can be shifted to the issuer, and the customer is never inconvenienced. Unfortunately, as we said in Myth 3, this is wrong. False declines are the hidden cost of this decision.
Merchants who confidently switch to full 3DS, including using the OTP option where the frictionless flow is unavailable, face even greater potential losses as a result. Some users are comfortable with the OTP flow, which has become familiar to many as education around multi-factor authentication has improved. Others just can’t cope.
Whether it’s an older customer struggling to copy/paste between apps quickly enough, a bank account with multiple users, only one of whom receives the code, or a case where the SMS simply arrives after the time window has already closed, or any other edge case scenario… it’s remarkable how these edge cases mount up. The fact is many users struggle to complete 3DS OTP successfully.
To use 3DS effectively, merchants need to track (either directly or through a trusted partner) which users breeze through the flow and which have difficulty — and ensure that no one in the latter group is sent to 3DS.
Myth #5: A customer who fails 3DS is a fraudster
This echoes what we said in Myth #4, but it’s worth calling out individually because it’s a common misconception around 3DS. For those of us who find the 3DS interaction intuitive and smooth, it’s hard to imagine that there are legitimate cases of customers who simply can’t handle it.
Suppose you work in a profession where you regularly need to access and protect multiple accounts, especially any with a connection to a business account. In that case, you’ve probably been using multi-factor authentication (MFA) for years. Similarly, if you ever work with cybersecurity folks or are interested in that industry, you’ll be aware of the risks and mitigation techniques much more than others.
It’s great to be informed and expert, but that expertise can make it hard to remember that many customers don’t have the same background and experiences as you do. Think of the older customer, the bank account with multiple users, or the customer with poor SMS reception that we mentioned in Myth #4. Additionally, many consumers have not set up MFA on their personal accounts, even the important ones, and have never used it for work.
Your payment flow needs to adapt itself to each consumer as they are. Some customers have no trouble with 3DS, which can be a valuable tool for them. Others struggle with it, which has nothing to do with how legitimate or otherwise they are as customers. It’s not fair to expect them to be able to adapt themselves to your company’s preferred payment flow. Payment flows must be personalized according to customers’ needs.
Myth #6: Merchants can’t impact the success of 3DS
3DS is often seen as a closed-box process. Merchants assume that they can choose to send transactions to 3DS or not, but that’s where their agency ends.
As we’ve seen, there are multiple ways for merchants to impact the success of the 3DS transactions by tailoring which transactions they send to 3DS. Here are some factors worth bearing in mind:
- Is frictionless 3DS available for this transaction?
- If not, does the customer have a history of struggling with OTP for 3DS?
- Would you decline this transaction unless you used 3DS? If so, then you might as well try it.
- What is this bank’s policy towards 3DS? If their reaction is negative, don’t send it.
- If this bank likes 3DS, is there any additional information that can be sent in the payload using the 3DS rails to increase the likelihood of approval?
Takeaway: Tailor 3DS For Success
3DS can seem like a blanket approach to transaction authentication. Still, as shown through this article, numerous nuances impact whether 3DS will succeed and whether 3DS is the right approach for a particular transaction.
The more payments professionals can tailor their approach to using 3DS, the greater their success will be in leveraging this potentially powerful tool to ensure an uplift in approvals and customer experience — without increasing the risk of false declines.
Want to learn more about different approaches merchants take to implementing 3DS successfully? Check out this white paper: Payment Optimization: Surfacing Simple Decisions to Unlock Millions in Revenue (& Improve Customer Experience.