3DSecure for ALL online/ecommerce/CNP transactions

I believe the answer is yes, although I don’t think this will give the cardholder any choice - it’ll be something for the banks and merchants.

1 Like

Yes. You can read more about the work @arthur-ceccotti and the team did (along with a good technical overview of 3DSv2) here. :point_down:

All done (though we continue to tweak and improve things). :white_check_mark:

The realities are far more complex, as PSD2 SCA only applies to merchants in the EEA and United Kingdom. SCA exemptions can also be requested by the merchant.

We could technically offer users an opt-out of the frictionless flow and the option to ignore requested exemptions, but I suspect from experience that take-up would be minimal and merchants/acquirers would not like us for it.

6 Likes

Do some of the exemptions rest on the fraud rate % of the issuer or acquirer overall, though?

Why, when this is a tool for the bank and store to reduce its own respective risk?

The risk to you when your card is used fraudulently is zero, because it will be refunded.

My question is, do you continue to shop at e-commerce stores which don’t use 3D?

1 Like

Yes, I accept that the risk to the cardholder is zero financially, but the hassle/inconvenience when fraud does happen is costly from a time and effort point of view. Yes, I would avoid merchants that did not support 3DS. I am seeing more emerging market banks starting to demand SCA (or some form of 2FA for all transactions). Visa/MC are out of step with the needs of the poor here.

2 Likes

Catching up on this thread now. Just a comment that as of September 2021, every single ecommerce transaction needs to go through 3DS, or else we must decline it as per SCA regulation. This date has been pushed back about 3 times by now… :unamused:

This is not 100% true, since we may choose not to challenge the customer based on low transaction value and/or low fraud risk.

If you really want to get technical, feel free to read this document from the European Banking Authority. My team’s job was turning this into code.

6 Likes

So yeah - don’t worry, from that date onwards everyone must be on 3DSv2.
We are ready now, just waiting for everyone to catch up.

I guarantee you not everyone will be ready by then though.

5 Likes

Amazon for e.g. still don’t seem to do it at all!

This is always true with any change, hopefully this time it will be considered a final date and not pushed again.

If anything, with people shopping online more than ever, this change can’t come soon enough!

Well done to you and the team at Monzo on getting the process fully compliant and prepared for Monzo customers though.

1 Like

Looks like Amazon do have the infrastructure for this as they have a help article for it :thinking: maybe it just hasn’t been pushed to all users.

https://www.amazon.co.uk/gp/help/customer/display.html?nodeId=GVVYMGYFHWPU7MFD

One thing I did notice is that when I pay using my credit card, without fail I’ll get a loading screen with a spinning circle on it. It completes the order after a few seconds, but I don’t have this when I use my monzo card :man_shrugging:

1 Like

Maybe they’re doing a gradual release to find/fix problems. Perhaps whether a transaction goes through method A or B is based on if some digit of the card number is above a threshold value.

1 Like

You say that, but I have a meeting with Amazon’s Head of UK Payments next week, as they are interested in testing 3DSv2 and SCA rules with us.

They have already been testing with other issuers.

Also, I predict Amazon will not be happy with the SCA changes. Say goodbye to “one-click buy”.

7 Likes

Yeah it’s a pain but I can see why it’s there

Amex let you add websites to a whitelist which is pretty nice

1 Like

Will one-click buy still be possible if it is either the low-value reputable retailer exemption or added to a whitelist?

I personally would like everyone to adopt the Amex whitelist approach too.

Yeah, there are a few tricks we can apply, which we will definitely explore in the future.

With 3DSv1 we do this. If you shop at a site, we won’t challenge you on that site again (apart from a few exceptions/rules).

Unfortunately we are not allowed to do it with 3DSv2 for SCA purposes. I’m not sure how Amex does it right now and we’ll have to revisit the regulations to see if we could do something like that again.

7 Likes

From my perspective as a user with Amex, it appears to work on a kind of pre-authorisation system.

Once you have shopped at a retailer once, you will see it as an option to add to your Express List. I don’t know how it works from a legal perspective, but if you do this your purchases are never checked through the Amex Safekey flow again - it seems they are automatically approved. I suppose this is on the basis that you have made prior approval for any and all transactions at the retailer, so you accept the risk of authorisation?

I am not sure how it affects liability shift rules or what exactly would happen with Amex if you later, coincidentally, suffered an incidence of fraud at the retailer on the Express List. I expect the onus would be on Amex as having approved the transaction and so a chargeback might not be possible, and you as a customer may even have to end up paying as you have, in a sense, accepted the risk?

I expect Amex would be generous about this, though, if it clearly wasn’t you.

A concern if the meeting is next week to talk about testing when the implementation deadline is the end of the month!

I think @arthur-ceccotti said September 2021.

3 Likes

Easily confused, with the pandemic ongoing, who knows what year it is any more?!

1 Like

I used to work on the payment system at Amex, btw. :slight_smile:

So, Amex is SUPER relaxed with its risk/fraud rules. What do I mean? They will go around approving transactions like there is no tomorrow and skipping authentication when possible.

Why?

  • Because it’s a credit card - which means higher interchange fees (especially in the US), which means more revenue from transactions. So they have the motivation to push forward as many transactions as possible.
  • A lot of the Amex demographics are quite wealthy and not necessarily patient having to go through additional steps to make payments. When payments are of high value, Amex doesn’t want to miss that chance.

In terms of fraud liability, if Amex doesn’t challenge the customer, it takes all the liability. That means if someone steals your Amex card and buys a helicopter without being challenged, it’s all paid by Amex. I suppose they have gathered the liability payouts are smaller than interchange fees from challenging too often.

8 Likes