I would like the ability to choose to have to 3DSecure approve ALL eCommerce transactions. This would give me a greater degree of confidence over my other banks!
It requires the merchant implementing 3DSecure, not something Monzo can control sadly.
This is correct, both sides have to support 3D Secure.
The merchant needs to request the 3D Secure authorisation before attempting the actual payment, then send us the token we gave them as part of that authorisation in the payment itself to link the two.
The good news is that the EU’s Payment Services Directive 2: Strong Customer Authentication requires merchants in the EU to support a technology like 3D Secure to “strongly authenticate” online payments. The deadline on this got pushed back a couple of times but we are seeing support for 3D Secure on the sharp rise already over the last year!
That’s true for 3DS V1 but this changes in 3DS V2 which gives the Issuing Bank the decision on whether to follow the Friction-less or Challenge flow. PSD2 SCA further reinforces this requirement.
Has Monzo implemented 3DSecure V2 yet? PSD2 SCA? Once done this ought to allow the cardholder to choose to have every transaction challenged.
I believe the answer is yes, although I don’t think this will give the cardholder any choice - it’ll be something for the banks and merchants.
Yes. You can read more about the work @arthur-ceccotti and the team did (along with a good technical overview of 3DSv2) here.
All done (though we continue to tweak and improve things).
The realities are far more complex, as PSD2 SCA only applies to merchants in the EEA and United Kingdom. SCA exemptions can also be requested by the merchant.
We could technically offer users an opt-out of the frictionless flow and the option to ignore requested exemptions, but I suspect from experience that take-up would be minimal and merchants/acquirers would not like us for it.
Does some of the exemptions rest in the fraud rate % of the issuer or acquirer overall though?
Why, when this is a tool for the bank and store to reduce its own respective risk?
The risk to you when your card is used fraudulently, is zero, because it will be refunded.
My question is, do you continue to shop at e-commerce stores which don’t use 3D?
Yes, I accept that the risk to the cardholder is zero financially, the hassle/inconvenience when fraud does happen is costly from a time and effort point of view. Yes, I would avoid merchants that did not support 3DS. I am seeing more emerging market banks starting to demand SCA (or some form of 2FA for all transactions). Visa/MC are out of step with the needs of the poor here.
Catching up on this thread now. Just a comment that as of September 2021, every single ecommerce transaction needs to go through 3DS, or else we must decline it as per SCA regulation. This date has been pushed back about 3 times by now…
This is not 100% true, since we may choose not to challenge the customer based on low transaction value and/or low fraud risk.
If you really want to get technical, feel free to read this document from the European Banking Authority. My team’s job was turning this into code.
So yeah - don’t worry, from that date onwards everyone must be on 3DSv2.
We are ready now, just waiting for everyone to catch-up.
I guarantee you not everyone will be ready by then though.
Amazon for e.g. still don’t seem to do it at all!
This is always true with any change, hopefully this time it will be considered a final date and not pushed again.
If anything, with people shopping online more than ever, this change can’t come soon enough!
Well done to you and the team at Monzo on getting the process fully compliant and prepared for Monzo customers though.
Looks like Amazon do have the infrastructure for this as they have a help article for it maybe it just hasn’t been pushed to all users.
One thing I did notice is that when I pay using my credit card, without fail I’ll get a loading screen with a spinning circle on it. It completes the order after a few seconds, but I don’t have this when I use my monzo card
Maybe they’re doing a gradual release to find/fix problems. Perhaps whether a transaction goes through method A or B is based on if some digit of the catd number is above a threshold value.
You say that, but I have a meeting with Amazon’s Head of UK Payments next week, as they are interested on testing 3DSv2 and SCA rules with us.
They have already been testing with other issuers.
Also, I predict Amazon will not be happy with the SCA changes. Say goodbye to “one-click buy”
Yeah it’s a pain but I can see why it’s there
Amex let you add websites to a whitelist which is pretty nice
Will one-click buy still be possible if it is either the low-value reputable retailer exemption or added to a whitelist?
I personally would like everyone to adopt the Amex whitelist approach too.
Yeah, there are a few tricks we can apply, which we will definitely explore in the future.
With 3DSv1 we do this. If you shop at a site, we won’t challenge you on that site again (apart from a few exceptions/rules).
Unfortunately we are not allowed to do it with 3DSv2 for SCA purposes. I’m not sure how Amex does it right now and we’ll have to revisit the regulations to see if we could do something like that again
From my perspective as a user with Amex, it appears to work on a kind of pre-authorisation system.
Once you have shopped at a retailer once, you will see it as an option to add to your Express List. I don’t know how it works from a legal perspective, but if you do this your purchases are never checked through the Amex Safekey flow again - it seems they are automatically approved. I suppose this is on the basis that you have made prior approval for any and all transactions at the retailer, so you accept the risk of authorisation?
I am not sure how it affects liability shift rules or what exactly would happen with Amex if you later, coincidentally, suffered an incidence of fraud at the retailer on the Express List. I expect the onus would be on Amex as having approved the transaction and so a chargeback might not be possible, and you as a customer may even have to end up paying as you have, in a sense, accepted the risk?
I expect Amex would be generous about this, though, if it clearly wasn’t you.