Understanding 3DS and Potential Issues for Ecommerce Merchants

Episode 05:
Understanding 3DS and Potential Issues for Ecommerce Merchants

If you could shift the financial liability of fraud away from your business, you’d probably jump at the chance.

3D Secure (3DS) offers just that opportunity by having issuer banks evaluate and rate transactions and take on the financial liability of a transaction.

But while this liability shift sounds appealing, there are several elements to consider — like whether adopting 3DS will increase your false decline rate and alienate good customers. It’s also worth noting that while 3DS can’t stop every instance of fraud, it can add an extra layer of protection that might be worth the investment.

So if you’re considering adding 3DS to your fraud prevention arsenal, make sure you understand how much friction this extra layer will add to the customer experience, what percentage of orders are likely to be challenged or declined, and whether a robust fraud prevention solution can give you the same level of protection.

On this episode of Gateway to E-Commerce, Rafael Lourenco, ClearSale’s vice president, shares his insight on the potential impact of 3DS on ecommerce sales, cart abandonment, and fraud and false declines.

Podcast Episode Recap

In our fifth episode, we explore the impact of 3DS on ecommerce merchants. But first, let’s introduce you to our host today:



Who are your hosts?

  • Rafael Lourenço - host

    Rafael Lourenco, ClearSale’s VP of U.S. Operations, combines the company’s innovation-driven culture and emphasis on communication with a deep understanding of the statistical tools that underpin excellent fraud protection.

What Should Merchants Consider Before Adopting 3DS?

While adopting 3DS offers ecommerce merchants a new sense of security (thanks to the financial liability shift to issuing banks), merchants need to evaluate three important factors before deciding to implement 3DS:

1. Will it reduce our fraud levels?
2. Will it increase our risk of false declines?
3. Will it negatively affect the customer experience?
4. Is it required by local legislation?


Preventing Fraud and Growing Revenue

While 3DS can help reduce fraud, it can’t eliminate it completely. When you’re comparing 3DS with another type of fraud prevention strategy and deciding which will add most to your bottom line, you’ll want to consider whether:

• You’re willing to risk having suspicious transactions viewed individually rather than as a whole
• The extra load time required for 3DS processes will result in cart abandonment
• You’ll be able to communicate with the issuing banks to discuss transactions
• You’re willing to accept an increased risk of false declines

Episode Transcript

Podcast Introduction

You’re listening to Gateway to E-Commerce, a podcast by ClearSale. In this series, global ecommerce leaders discuss challenges, best practices, new tech, and secrets to success.

In this episode, our host Rafael Lourenco takes us through the pros and cons of 3D Secure 2.0, AKA 3DS. To give you some background, 3DS is an alternative for payments that allows you to get a little extra security and authentication for users and merchants. In the consumer market, we know it by different names, like Mastercard SecureCode, Verified by Visa, and SafeKey by American Express.

When you make a purchase using 3DS online, the merchant sends you to the website of the card-issuing bank to issue the transaction. In many cases, the bank system is responsible for the security of your transaction because they can track your history and habits to determine the legitimacy of your purchase. Today, Rafael will break down the impact of 3DS 2.0 on your customer service efforts, liability and profits to help you decide if 3DS is right for your business.

Rafael Lourenco

The 3DS topic has been a buzzword or a buzz topic and very trendy in the last months, and I’d like to spend some time with you guys today to try to explain and get more details on what would be the impact to a merchant when adopting or not this technology as a possibility for customer authentication. The fact that the financial liability of the fraud of some of these transactions can be shifted to someone else sounds like a very good idea, and in fact, it is. The idea of having these transactions evaluated and rated by the issuer banks is basically what is behind the 3DS. There are a bunch of protocols, a bunch of technology aspects of this process, that you should comply with so that you can send these transactions through this different path of decision-making. And after that, if the transaction is approved, you can consider yourself backed up financially.

Let’s discuss a little bit about why people look for the 3DS and what would be the impacts and why they should make a decision in one direction or the other. The first thing I want to say is that the change, the shift in liability and financial liability is not something very new to the market. On one hand, you have 3DS 1.0 with the exact same idea, but let’s say another technology, involved there. On the other hand, you have a lot of solution providers in the market that can offer you the very same shift in financial liability in which they will reimburse you in case they approve an order that turns out to be fraudulent.

If you’re looking for 3DS just because of the shift in liability, just keep in mind that there are alternatives and you should compare them, let’s say, apples to apples. And to a more conscious comparison, let’s discuss first what are these elements that distinguish one fraud prevention strategy from the other, regardless of if you were talking about 3DS, an outsourcing solution, or even a decision platform or fraud prevention tool out there.

Well, the most important thing, as you know, is understanding whether or not this solution and this strategy is able to reduce your fraud levels. Obviously, when we are talking about fraud prevention, preventing chargebacks from happening should be our concern number one. But I would say your concern number 1.5, so as close as you can get to the one, would be the sales, right? I usually make a joke in which I say that it’s easy to have zero fraud — it’s just a matter of not selling anything.

And the reason behind the joke is they are two sides of the same coin. We are talking about transactions being blocked before they even happen so that we can avoid fraud from happening, but we may be talking about good transactions, good consumers, trying to make their purchase and being blocked from their attempt. In that matter, understanding the decline rate as a KPI, as an important KPI, is very, very important to our business and it’s essential in your decision process.

The third element that should be taken into account is the customer experience, right? You bring your customer to your website, you offer them the products or services you have, and everything is pretty. But then imagine what are the possible impacts that a fraud prevention strategy can have on you either adding more data points to your form (in a world where people are on their mobile phones more, and therefore trying to fill forms on mobile is a lot less comfortable), or even declining the transactions, like I said before. So the brand damages of a false positive, that’s how we call the transactions that shouldn’t be declined and they are, the brand damage there is huge.

And third, what are the additional steps you’re asking this consumer to take? A lot of people choose ecommerce as a sales channel because of the convenience. So you don’t want to add extra layers of protection for you, but that gets the consumer involved in a problem that’s actually yours. If I’m a consumer and I’m using my own credit card, usually I don’t want to be involved in an extra layer of protection — two-factor authentication, taking selfies in terms of biometry, or being called or any of these elements — so you should use this prerogative very carefully.

Now that we know what the elements are that we should use to compare using 3DS and compare with any other type of fraud prevention strategy, let’s get started by saying that 3DS obviously won’t stop every fraud from happening. We’re talking about an extra layer of protection, we’re talking about shifting the financial liability of these transactions to the issuer banks, but we are not talking about someone that can make a perfect decision, right? Yes, that’s a possibility for bank issuers. A lot of the issuer banks know a lot about their customers, so they’d have information that you as a merchant or even a solution provider may not have about this customer. But it’s important to highlight that they will have information only about their own transactions.

You as a merchant would send the transaction to a hub, and this hub would obviously route the transactions to the multiple issuer banks out there. And if you take the U.S., the United States only, you will see that there are more than 5,000 different issuer banks. These transactions will be routed to multiple companies, and each of these companies will have to make a decision based on solely the historic transactions their own customers have. So you as a merchant will have your decisions made by up to 5,000 different companies.

And as you know, a lot of the fraud signs may cross different credit cards. Let’s say that a fraudster utilizes 10 different credit cards but uses the same IP, the same email address, the same shipping address. The reality is that if, by chance, each of these credit cards utilized is from a different issuer bank, each of them will only see this one transaction — they cannot have access to the other nine transactions. And for them to make a better decision, there it’s going to be a little harder. I can’t reinforce enough the thing of preventing fraud and understanding that 3DS will not be the silver bullet and will not stop fraud from happening. Therefore, even though there will be a liability shift, there will also be fraud still happening.

I want to talk a little bit now about the other KPIs that I mentioned, so approval rates and customer experience. There is a study from Alchemy that found out that 40% of their users simply leave a website if it takes longer than three seconds to load. Also, there’s a famous study by Amazon that says that 1% of sales is lost for every extra 100 milliseconds of load time. And the reasons why I’m bringing this up is just to say that some of these processes involved in 3DS may take a longer time and they could add an extra layer of protection.

What do I mean by an extra layer of protection? I mean, either declining the order, and as I said, the damage in branding can be big, or adding what we call a challenge. So it’s an extra layer, an extra step in the process that can be either you logging into your bank account or into your internet bank account, or a text message to your phone, or even a phone call or something like this.

If we’re talking about challenge in some of the transactions, the question now is how worried these bank issuers are about customer friction and your sales? Well, now you’re taking control of your fraud prevention strategy, either through your own team and solutions or through a third party. Now you would have to talk to 5,000 different companies, and more than that, some of those companies may not be as accessible as your fraud prevention solution provider might be.

We are talking about banks that are not used to talking to merchants directly, especially small and medium. So you as a merchant — if you’re seeing a high level of the client or a high level of challenge, one of the cons of this scenario that is being designed is that you may not have any access to the company and the organization that is actually affecting your business and affecting your bottom line. I don’t foresee a smaller to medium version having the ability to talk to one of the larger banks that are actually affecting directly their conversions, for instance, so you don’t even know who to ask for help.

Last but not least, I want to try to bring up a little bit of numbers here, right? The 3DS protocol recommends that no more than 5% of the transactions should be declined and no more than 5% should be challenged. Let’s assume the banks will follow this recommendation — and again, there’s no penalty or anything clear on the protocol — but let’s assume they will follow this for every merchant. And again, this is something they should follow on average, but not necessarily. So if you are currently a high-risk merchant, they may decline or challenge all of your orders and still be compliant with the protocols and the terms and conditions of 3DS, right?

But let’s just assume for a minute that the banks would comply and would follow this recommendation and have 5% of the transactions declined and 5% of the transactions challenged. Well, the reality is that this 5% declined may not fit your risk profile. A lot of the merchants in the U.S., I would say the vast majority of those nowadays, are declining less than 5% of their orders because of their risk profile. You’re already talking about a first impact in sales here just by automatically declining some of the orders based on the risk profile that the issuer banks will make. The other 5%, we were talking about challenge. And as I said, challenge will add an extra step. As I said before, extra stress may be very damaging to your conversion, either because consumers will get just bothered by this extra step or they may give up.

Let’s say we’re talking about a text message. If I’m making a purchase, let’s say an impulsive purchase, and there is an extra step for me, and I see that I will have to receive a token on my cell phone in order to move forward with my purchase. I think chances are that a lot of consumers and maybe myself in this case would give up and just not do anything from now on, and we may face a lot of shopping cart abandonment. We know how important seamless customer experience is in today’s market, and sometimes I feel that people are underrating a little bit the impact that implementing 3DS may bring to the business.

In a nutshell, even if the banks follow the recommendations, and we know that sometimes banks will make kind of conservative financial decisions and just adding something else here, the banks will have no extra revenue for this new protocol and they may have an extra cost. Think about it, and consider that the banks will have these transactions on their hands to decide whether or not to approve them, and if they decide to approve it, they will have the financial liability on their shoulders. Chances are that especially in the beginning, the banks will be conservative just to take a look. Not all the banks are ready for that but at some point, if you start sending your transactions through 3DS, you are not sure whether or not these banks where you are sending the address to are ready.

They may make some conservative decisions, and that is expected — especially in the beginning. I would say that it’s unlikely that from day one and for every merchant all the banks will follow with the five plus 5% rule and the recommendations, especially because there’s no penalty expected. But let’s assume they would. We’re still talking about 10% of your consumers either being flagged and challenged or even not being able to go ahead and make their purchase. If you compare that with the solution providers out there, and obviously I don’t know their actual numbers, but I know ClearSale’s numbers. If we are talking about this five plus 5% as the recommendation for 3DS and you compare that with the solution providers out there, you might have a better understanding of what your pros and cons are.

Obviously, I don’t know the numbers of other solution providers, but at ClearSale for instance, on average, we automatically approve 95% of the orders, meaning that 5% of them have an extra pair of eyes looking at it, which makes less than 5% for sure of the consumers being potentially affected. At ClearSale for instance, when we were talking about retailers with people with physical goods to be shipped, we do not decline automatically any order. We are talking about potentially five plus zero versus five plus five. Again, you as a business owner will be the right person to make the decision.

What I just want today is to try to give you a bigger picture. Sometimes we hear the technology people talking about 3DS. It wasn’t expected to have any impact in sales or in business, but it’s very important to understand that we are adding an extra layer — we are providing to a different organization the prerogative of approving or not your transaction, and you’re potentially having the chance of cart abandonment or loss of conversion transactions. With that said, I would like to invite you all to know more about 3DS and the PSD2 protocols on ClearSale’s resources page of our website, and I invite you also to the next episodes of the Gateway to E-commerce podcast. Thank you so much.

Podcast Outro

3DS is a hot topic, and it’s growing in demand as merchants are looking for more ways to secure transactions. Hopefully, with the information that he outlined today, you’re closer to making a decision to determine if 3DS is the best route to go. Thanks again for listening to Gateway to E-commerce, a podcast by ClearSale. If you like what you heard please subscribe to our podcast on all major platforms and be sure to leave us a review on Apple Podcasts. Join us again next time as we continue to dive into topics in ecommerce. Have a great day.

For more ecommerce insights visit us on our website at clear.sale.