By Doriel Abrahams, Head of Risk, U.S.
I recently had the privilege of joining Karisse Hendrick for an episode on the Fraudology podcast, the industry’s go-to podcast for all the latest online fraud and fraud prevention trends. We discussed various topics – as fraud fighters, it’s impossible to resist the chance to dive into the details. But one topic that we ended up spending quite a bit of time on was 3DS.
This might seem surprising on a fraud podcast. But it got me thinking about why 3DS has been coming up lately in conversations with fraud analysts and leaders from companies across diverse industries.
The Payments Approach to 3DS is Changing
For years, “3DS” was like a dirty word in payments and fraud prevention. Many online companies felt burned by their experiences of 3DS1, the early, friction-filled version of Verified by Visa and SecureCode that broke up customers’ online checkout experience, added delay and confusion to the process and typically tanked conversion rates as a result.
Things have changed since then for four main reasons:
- 3DS2 is immeasurably better in terms of customer experience; there’s even a frictionless flow option, which applies when customers are making purchases that closely match ones they’ve legitimately made in the past. Even when friction is required, it’s a much smoother flow than with 3DS1.
- Many customers are more used to multi-factor authentication style processes, especially for expensive high-end items, and so adding in something that closely reflects those familiar experiences is less intrusive for many users than early forms of friction used to be.
- PSD2 in Europe meant merchants operating in that geographic area had to come to terms with 3DS for compliance reasons. The challenge was the opposite of elsewhere in the world; merchants had to dig into the 3DS possibilities to use 3DS intelligently, applying only when necessary and appropriate. The result has been that many payments professionals are starting to appreciate the value of 3DS when it’s applied judiciously, tailored to the transaction, the customer and the bank involved.
- Issuing banks have started investing time and effort into building network engagement and finding ways to collaborate with merchants to improve customer experience and approval rates. This new enthusiasm for collaboration can be made more powerful and more actionable by using the 3DS rails to share more trust and information with banks.
That’s the background from the payments perspective. What’s important to note is that all this directly impacts fraud fighters. Although 3DS is a vital part of the payments infrastructure, and in many companies, the conversation about 3DS begins with and is led by the payments department, fraud prevention is a critical component of the considerations and the conversation.
Any change to the payments flow impacts fraud prevention efforts in some way, but 3DS does so to a unique extent. As a form of authentication, 3DS can be valuable in helping prevent fraud when it’s combined effectively with other methods.
However, fraud fighters, experienced in balancing fraud prevention with approval rates, will also be sensitive to how 3DS may influence this crucial relationship — and the company’s bottom line.
Why Use 3DS — And Why Fraud Fighters Should Care
I’ll focus on the use case of 3DS outside Europe for this article since, within Europe, the compliance and exemptions angles make the discussion a little different.
Outside Europe, the impetus for 3DS is clear:
- 3DS authentication gives a powerful signal about the legitimacy of the customer.
- Using 3DS shifts the liability to the issuing bank so that if there is a chargeback, the bank is liable — not the merchant.
Now that 3DS can sometimes be frictionless and has reduced friction when required, it seems more obvious that it’s worth applying to your checkout. However, fraud fighters always look for the catch.
What’s the Catch?
The catch with 3DS is that banks and consumers don’t all treat 3DS the same way. If your payments team doesn’t take that into account, it can come back to bite the company where it hurts — conversions.
Some banks love 3DS. Others resent it for the liability shift. Still, others consider it a suspicious sign in a transaction. And some take a nuanced, tailored approach.
That means that even with frictionless 3DS, if you’re sending a transaction to a bank that dislikes 3DS or dislikes it for a transaction of this type, you’ll likely get a decline from the bank. It doesn’t matter how much liability you shift if the result is a declined transaction. That’s bad for approval rates, bad for the company’s revenues, and terrible for customer experience.
Similarly, some consumers have no trouble with 3DS and can easily handle the one-time password process. Others simply can’t manage it. For example, individuals who are less comfortable with technology often struggle to copy the code over in time. People with shared accounts fail to get the message in time because the code was sent to another person on the account. Sometimes there’s a timeout problem on the bank’s side that means the message doesn’t get sent, which causes some customers to simply retry and others to completely give up. And so on.
If your company sends the wrong customers through the 3DS process, you’re going to lose them. They may well not come back.
The good — and, to me, fascinating — news is that fraud teams represent the answer to this challenging problem.
Flipping the Funnel So Fraud Analysis Comes First
Traditionally, 3DS has taken place before fraud analysis of a transaction. This made sense historically; it meant the fraud team had the 3DS result to use in their decision-making and didn’t spend time or resources on transactions rejected by the bank.
Recently, however, a number of companies have started to shift their focus to pre-authorization fraud analysis. Sophisticated fraud prevention models and tools mean that decisions can often be made far more quickly, and banks’ new interest in network engagement has incentivized using the more sophisticated technology to share insights with banks before the authorization process.
For 3DS, that means that your fraud team can use your understanding to ensure that only the right transactions are sent to 3DS. Pre-authorization, you can use both the knowledge from your site and the insights you get from trusted partners who know about how users act on other sites and which banks have which preferences about 3DS. Those combined insights are exactly what’s needed.
You can use 3DS to rescue transactions you would otherwise have declined. You can ensure that customers who often struggle with 3DS are sent a different route. You can tell when frictionless 3DS will apply. And so on.
Some of this work will come from the payments professionals in your company, of course. But a lot of it will be grounded in the knowledge and experience of fraud teams – because no one in the company knows its customers better than the fraud fighters.
Extra Uplift: More Approvals, and Lower Fraud Rates
There’s an extra, very important reason to think about flipping the funnel and putting fraud analysis first. This isn’t connected to 3DS in the same way, but it’s part of the same picture, and the information can easily be sent using 3DS rails, so it’s worth mentioning in this context.
Banks make decisions about fraud. In fact, around 1-in-5 bank declines are due to suspected fraud. And of those, 2-in-5 bank fraud declines are legitimate customers. That’s a lot of transactions lost.
Why are banks’ false decline numbers so much worse than yours? Because banks have to make the same decision with far less information. Think of all the thousands, if not millions, of data points your system tracks, weighs and uses when making a fraud decision. And then think about what the bank gets: timestamp, card details, merchant details, amount, first five digits of the billing address, and perhaps the CVV number and shipping address. Of course, they have to err on the side of caution and reject when they can’t be sure. And, of course, they’re unsure a lot more often than your fraud team.
To put this in context, this means, in practice, that for every $100M in bank declines, $8M of those are false declines.
Now imagine if you could reclaim those transactions and have them authorized by the bank. Even if your fraud stats stay the same as they are now, your fraud rate would dive because your approvals would be up.
All you have to do for this is share more of your fraud analysis with banks. The more they can trust your fraud decisions and see what you’re seeing, the more they’ll be able to agree with your pre-auth fraud decision and approve more transactions. Working via a partner already trusted by banks for this purpose can speed up the process and make it even more effective.
Fraud Fighters Need to Be Part of 3DS Decisions
The point I was trying to make on Fraudology was that fraud fighters need to be a part of 3DS discussions and decisions that are happening across companies and industries as the payments landscape and approach shifts.
Fraud teams are dramatically affected by the inclusion of 3DS into the payments flow. They can also impact it positively by helping to tailor the process and improve bank authorization rates for improved approval rates and customer experience.
All this explains why a lot of fraud fighters are rethinking 3DS. If you’re considering it yourself, check out this white paper for an overview of different approaches to help clarify which might be most appropriate for you: Payment Optimization: Surfacing Simple Decisions to Unlock Millions in Revenue (& Improve Customer Experience.
