3DSecure for ALL online/ecommerce/CNP transactions

A concern if the meeting is next week to talk about testing when the implementation deadline is the end of the month!

I think @arthur-ceccotti said September 2021.


Easily confused, with the pandemic ongoing, who knows what year it is any more?!

1 Like

I used to work on the payment system at Amex, btw. :slight_smile:

So, Amex is SUPER relaxed with its risk/fraud rules. What do I mean? They will go around approving transactions like there is no tomorrow and skipping authentication when possible.


  • Because it’s a credit card - which means higher interchange fees (specially in the US), which means more revenue from transactions. So they have the motivation to push forward as many transactions as possible.
  • A lot of the Amex demographics are quite wealthy and not necessarily patient having to go through additional steps to make payments. When payments are of high value, Amex doesn’t want to miss that chance

In terms of fraud liability, if Amex doesn’t challenge the customer, it takes all the liability. That means if someone steals your Amex card and buys a helicopter without being challenged, it’s all paid by Amex. I suppose they have gathered the liability payouts is smaller than interchange fees from challenging too often


That game doesn’t play with the same demographics we have.

As a UK debit card, interchange fees aren’t amazing (and in fact are capped in the EU).

Our risk appetite is smaller (ie, we don’t have the capital to go payout helicopters because we didn’t challenge a customer), unlike Amex who has been profitable for decades.


So, I have a card with each top UK fintech and an Amex. I’ve used them mostly to figure out the challenge thresholds and risk appetites from each bank.

Ie. I made a transaction at each of them, with always increased amounts to see when they eventually challenge me. It’s a fun exercise of reverse-engineering their fraud rules


So how many helicopters do you have, now?


Looks at myself at not even 20.

I love the looks when I pull it out and I get asked how I got it on my average income at my age.

Built my credit score, they are a lot less picky than they used to be. (I actually told them slightly less than my income is)
I’m not the typical amex customer and yes sometimes it may just be like, I’ll use another card then and amex have the funds to foot the bill if anything goes wrong.

1 Like

Let me ask my manager if I can expense that. “I promise it’s for work”

Funny story, I tried to convince my manager to let me expense a trip to visit one of our team-mates who lives in Spain.

No luck :roll_eyes:


Isn’t it the case that amex are promoting white listing quite a lot compared to other issuers? If you opt in to add a merchant to a white list then you can let a transaction go straight through once you’ve done one 3ds v2 transaction.

1 Like

Whitelisting is something permitted by MasterCard and PSD2/SCA, though purely up to the issuer to manage how they see fit. It would be good to see this exposed perhaps as an interface in the app if implemented.

MasterCard state:

Q: I regularly shop at a specific retailer - will I have to verify my identity and payment every single time in the future?
A: It is up to the Issuer bank to decide whether to take advantage of the exemptions that PSD2 allows, e.g. offering Cardholders to build a ‘whitelist’ of trusted retailers where you do not always have to authenticate yourself. They might also decide to add individual rules around what retailers or products and services qualify for a ‘whitelist’ or if only payments below a certain threshold do not require additional authentication at whitelisted retailers.


Yeah, the EBA has that opinion. It’s an exemption called Trusted beneficiaries and recurring transactions

From what I can remember here, the customer has to explicitly whitelist the merchant - like the Amex model, but not our existing “automatic whitelist”


Yes, of course. VISA have a scheme it seems where they will let the customer select the option to whitelist and pass this on to the issuer when making the first payment. I’d imagine MasterCard will have (or has) something similar.

Personally, I don’t mind the 3DS prompt when implemented well and wouldn’t likely whitelist anyone as I personally feel it undermines the security somewhat. But each to their own.


The Amex method is also quite good as the fact you have to make a purchase once before whitelisting helps ensure you aren’t whitelisting the wrong merchant by accident - and the interface makes it simple, as all you have to do is click on the retailer you want whitelisted and it’s done.

I imagine something similar could work very elegantly in the Monzo app.

I also have to agree that I don’t find 3DS a burden myself, but I do think that some implementations have been poor in the past and led to confusion (especially amongst the less technologically literate who might just think the transaction isn’t working).

On balance, though, I think it’s better to always have 3DS as simply using the CVC (or even not bothering with that like Amazon) is so horrendously insecure! The “problem”, in my view, has been poor implementations rather than the concept of 3DS itself being a problem.

1 Like

That’s actually a requirement, so good to know they’re compliant. :wink:

3DS isn’t the end of the world when implemented well. Perhaps it’s just me, but I want to know when a merchant is making a charge and clicking to approve on a notification isn’t overly burdensome.

Oh I didn’t know that!

Agree with you 100% on making it more difficult, not easier, for people to make charges on my account too. I can see some people struggling with this if traditional high-street names don’t improve their processes though. Hopefully, the SCA changes will force their hand to move to a better implementation.

1 Like

As someone who has dealt with a lot of European legislation in my time (and it might just be a matter of semantics) it worries me slightly when you refer to a Regulation as somebody’s opinion.

I also trust you did not rely on the EBA document when coding your system as it included the draft text
of the legislation not the version which made it onto the statute books.

I haven’t compared the two fully but they are subtly different.


Perhaps it’s breaking the law in ‘very specific and limited way’?

Maybe international law will mean nothing by the end of the year and Monzo are ahead of the curve (or they’ve implemented the law as is). Who knows? :man_shrugging:


In reality we end up reading a lot more Mastercard manuals than EBA regulations. They translate these into more technical terms regarding the data we send and receive.

So our team doesn’t have to get dirty with the raw legislation, unless there are inconsistencies


Makes sense as I think the EBA would have trouble if either of Mastercard or Visa wrote manuals that weren’t compliant!

It’s reasonable to assume that Mastercard will have “done their homework” already and made sure they are giving correct advice which brings everybody into full compliance.