Merchant Chargeback and Fraud Solutions
Fraud protection and prevention is a crucial concern for all parties involved in an ecommerce transaction – the online merchant, the card issuer, and the customer making the purchase. This has never been more true than in today’s online environment, where card-not-present transaction fraud is on the rise. In response to this increasing risk, the major card issuing companies have implemented an optional added layer of security for ecommerce transactions: EMV 3D Secure 2.0.
What is EMV 3D Secure 2.0?
The same major credit card issuers responsible for the development of the EMV chip have introduced a new authentication method to help merchants verify with greater certainty that the party making a purchase on their ecommerce store is the legitimate cardholder. EMV 3D Secure 2.0 allows for a rapid exchange of cardholder data between the merchant and card issuer, including device type and billing address, without additional input required from the customer. In cases where the card issuer requires an additional level of certainty, the customer may be asked to enter a one-time passcode sent to their phone, or similarly verify their identity. If all is well, the transaction is approved and all parties involved can feel secure.
Why 3DS 2.0?
The original 3D Secure system was implemented in 1999, before the age of smartphones and app-based ecommerce. As such, 3D Secure 1.0 was browser-based, requiring customers to enter a password in a pop-up window, and thus doesn’t interact well with today’s technology and many customers’ purchasing behavior. EMV 3D Secure 2.0 supports transactions on a wide variety of mobile devices and doesn’t require a password for every purchase, removing the risk that a customer will abandon their order in the cart because they can’t remember their password. EMV 3D Secure 2.0 shares substantially more cardholder information between the merchant and the issuer, compared to the original system, allowing more potential red flags to be discovered.
The Changing Fraud Environment and Shifting Liability
The widespread implementation of EMV chip technology has helped to reduce fraud in card-present transactions. However, criminals are not easily deterred, and the upswing in mobile transactions (now comprising almost half of all card-not-present transactions) has provided a new playground for fraudsters. Increased ecommerce fraud has prompted the development of 3D Secure 2.0, which brings an added benefit for online merchants. Liability for fraudulent transactions generally falls to the merchant who accepted the purchase, but for transactions authenticated through 3D Secure 2.0, that liability is assumed by the card issuer instead. In an economic environment that has seen an increase of over $1 billion in fraud over the past year, having the burden of risk removed from a merchant’s shoulders is a welcome relief.
Satisfying Regulatory Requirements – The European Market and PSD2
In 2015, the European Union passed the Second Payment Services Directive, which included a requirement for Strong Customer Authentication (SCA) on most electronic transactions. In simple terms, SCA requires verification based on at least two of the following three elements:
1) Customer Knowledge – a password or PIN
2) Customer Possession – a phone or hardware token
3) Customer Biometrics – facial recognition or fingerprint
The deadline for compliance with these new regulations is September 14, 2019, and the primary method of meeting these authentication standards is through the use of 3D Secure 2.0, which enables card issuers to request additional authentication information from a customer before approving the transaction. This authentication information can take the form of a single-use code sent to a phone, or a fingerprint scan. For any merchant doing business in European markets, 3D Secure 2.0 is the simplest way to ensure that you are in compliance with the new ecommerce regulations.
User-Friendliness – The Importance of the Customer Experience
The previous version of 3D Secure had a number of traits that made it cumbersome and unappealing to many users. The customer had to opt in with their issuing bank, whereupon they were assigned a PIN that they had to enter every time they made an online purchase. To enter their PIN, they were redirected from the merchant’s checkout page to the credit card network website. This system utilized two of an online shopper’s least favorite things: having to remember a password, and added steps in the checkout process. Needless to say, these traits impacted the popularity of the original 3D Secure system, especially in countries like the US that prize a streamlined and convenient user experience.
How 3D Secure 2.0 Improves the Shopping Experience
3D Secure 2.0 fixes both of these issues, allowing merchants and card issuers to make informed decisions about risk assessment without putting up roadblocks in the customer’s shopping experience. The customer is no longer required to remember a PIN, and they are never redirected off of the merchant’s checkout page. A piece of code on the merchant’s site sends the customer’s information to the card issuer, where the risk assessment is made and the transaction is approved or declined. The customer can then complete their transaction with confidence.
An End to Chargebacks? Liability Shift & 3D Secure 2.0
Because 3D Secure 2.0 is so rigorous in ensuring that the person initiating the transaction is actually the legitimate cardholder, verification of a transaction is taken to mean that the cardholder is aware of that purchase, and the chargeback liability is shifted from the merchant to the card-issuing bank. As such, customers who make purchases that are verified by 3D Secure 2.0 cannot later contact their card issuer and claim that they don’t recognize or didn’t authorize the transaction.
Of all chargeback reason codes, “Not Authorized” is perhaps the most frustrating for ecommerce merchants. Whether it’s caused by actual fraud committed by identity thieves, a forgetful or confused customer, or what the industry refers to as “friendly fraud” – when a customer knows full well that they authorized that purchase but decides they don’t want to pay for it – the merchant has very little recourse but to accept the chargeback and its associated penalties. 3D Secure 2.0 almost completely removes this frustration from a merchant’s professional life.
Of course, chargebacks can be issued for other reasons, which do not enjoy this protection from 3D Secure 2.0. If a customer calls their bank to dispute a charge because they were dissatisfied with their purchase or their customer service experience, those disputes will still need to be resolved in the usual way. In addition, if your business offers subscriptions or recurring billing, the chargeback exemption provided by 3D Secure 2.0 applies only to the first transaction (and the first recurring transaction, if you offer a trial period). Moreover, the customer’s issuing bank must be 3D Secure enabled in order for the customer’s transactions to be verified and for the chargeback protection to apply. Despite these caveats, most merchants can expect to see a 70 percent reduction in Not-Authorized coded chargebacks.
Bottom Line – The Cost of 3D Secure 2.0
There is an additional cost to verification with 3D Secure 2.0, but the per-transaction charge varies depending on your provider, and based on your transaction volume. The more verified transactions you have each month, the lower the cost for each one. You can expect the per-transaction rate to range between $0.20 and $0.25. However, the savings from helping eliminate Friendly Fraud, and the profits earned via allowing more sales through your eCommerce channels, will more than ensure EMV 3DS pays for itself.
3D Secure 2.0 FAQs
3-D Secure is a fraud prevention protocol that was created by Visa and Mastercard to authenticate e-commerce transactions. The protocol sits on the merchant payment form between the payment page and the gateway, verifying transactions in real time.
Which chargeback codes are protected by 3-D Secure?
- 10.4 – Other fraud – Card absent environment
- 4837 – No cardholder authorization
- 4863 – Cardholder does not recognize – Potential fraud
What happens if my transaction doesn’t get authenticated?
If the transaction is not authenticated, 3DS 2.0 will close out the authentication request and the transaction will continue as normal. There will be no impact on the customer experience; however, the liability shift will not occur.
What percentage of transactions are authenticated?
Currently, about 65-75% of transactions are authenticated and qualify for a liability shift. There are ways to optimize your payment page to increase the number of authenticated transactions. For more information on how to optimize your payment page, please contact [email protected]. By April 2019 (the deadline for issuing banks to start utilizing 2.0), authentication rates should spike to up to 95%.
When the liability shift does occur, and there is a chargeback, what happens?
As a merchant, you will not know when a chargeback occurs. That’s the beauty of 3DS. There’s no dispute, and it doesn’t impact your ratios. Instead of going back to the merchant, the issuing bank will refund the customer on their credit card or they will send it to the fraud department for further investigation. The merchant is never involved.
There’s a lot of hype around 3DS 2.0. What does this mean for merchants?
The new specification reflects current and future market requirements for:
- Risk-based authentication (up to 95% authentication rate)
- Acceptance of tokens (pass tokens instead of the full credit card number)
- Out-of-band authentication (not bound to browser)
- App-based authentication
- Fewer steps for authentication
- Frictionless customer experience
- Biometric authentication
- Integration with digital wallets
- Recurring transactions
- PSD2 compliant