A rise in eCommerce and mCommerce has led to a rise in fraud over the last few decades due to the card-not-present (CNP) nature of online payments.
In 2015, eCommerce fraud rates averaged 0.53% worldwide. This may seem small, but it’s a substantial amount considering eCommerce sales are expected to reach $2.3 billion by 2017. That means eCommerce fraud could increase to more than $12 billion.
CNP transactions make up the majority of the fraud. CNP fraud represents a significant proportion of all fraud in countries where there are a lot of online merchants.
Online fraud is widespread, but that’s not surprising. CNP transactions are less secure than other types of transactions because it is difficult to verify the identity of the buyer and determine whether they are the cardholder.
The 3D Secure protocol, one of the most trusted and established technologies in the fight against CNP online fraud, has been available since 2001.
The protocol’s main purpose is to protect the cardholder: it provides an authentication layer to verify that the cardholder is the person using the card for the transaction. It also protects merchants against fraudulent chargebacks.
This protection is provided by a shift in liability from the merchant to the card issuing institution.
It is important to note that this protection does not cover non-fraudulent consumer claims.
The point at which liability shift occurs is not always the same. It can vary depending on the card provider and whether or not a card is already enrolled in a 3D Secure program.
SO HOW DOES 3D SECURE WORK?
Two steps are required to determine if liability shifting is allowed in the current protocol (3DS1).
In the first stage, the merchant will send a request to the issuing bank for information about whether a card has been registered in its 3DS program. To accomplish this, the merchant must install an approved merchant plug-in. This will handle the authentication messaging between the bank and the merchant, using a 3D Secure vendor.
If the card issuer can’t provide the card status, the response is returned as ‘unavailable’. Visa and MasterCard differ in the extent to which liability passes from the merchant when unavailability is indicated.
The second step involves the actual 3D Secure cardholder verification. Once again, the request is returned with a definitive ‘Yes’ (authentication success) or ‘No’ (authentication failure). If there is a network or system error, the response could be ‘Authentication error’/‘Authentication attempted’.
If a liability shift is occurring, it will be determined by combining the results of step 1 (card enrolment), and step 2 (authentication status).
In general, these are the rules:
- If the card issuer confirms that the card is enrolled in 3D Secure and the cardholder authentication passes, liability shifts from the merchant to the issuer (e.g. the bank). In this case the guidelines indicate that the merchant should authorize payment.
- If the merchant attempts authentication but the issuing bank is unable to respond to the cardholder’s request, the card issuer can still assume liability.
- If the merchant fails to authenticate the cardholder and the issuer has confirmed enrolment, liability stays with the merchant.
- The merchant is responsible for any error that occurs in the authentication process (e.g. network error, purchaser closing the popup/inline window during the verification step). In this situation, there is no evident failure of authentication.
- If the issuer can’t confirm card enrolment, the merchant remains liable. The merchant is responsible for determining the threat level and deciding if the transaction should proceed.
- The final situation occurs when the card issuer confirms a card is NOT enrolled. Major card companies, like MasterCard and Visa, will confirm that there has been a liability shift. The issuer will then be responsible for any fraudulent chargebacks.
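The rules above, combined into one merchant-side check and run over a batch of orders to show where no liability shift applies. This is an added example, not code from the original article or from any card scheme; the enum names, `liable_party`, `merchant_exposure` and the sample orders are hypothetical, and treating unexpected combinations as merchant liability is an assumption.

```python
from enum import Enum

class Enrolment(Enum):          # result of step 1 (card enrolment check)
    ENROLLED = "enrolled"
    NOT_ENROLLED = "not_enrolled"
    UNAVAILABLE = "unavailable"

class Auth(Enum):               # result of step 2 (cardholder authentication)
    SUCCESS = "success"
    FAILED = "failed"
    ATTEMPTED = "attempted"     # merchant tried, issuer could not respond
    ERROR = "error"             # network error, window closed mid-verification
    NOT_RUN = "not_run"         # step 2 never happened

def liable_party(enrolment, auth):
    """Return 'issuer' or 'merchant' for a fraudulent chargeback (3DS1 rules above)."""
    if enrolment is Enrolment.NOT_ENROLLED:
        return "issuer"         # issuer confirmed the card is not enrolled
    if enrolment is Enrolment.UNAVAILABLE:
        return "merchant"       # enrolment unconfirmed; extent varies by card scheme
    if auth in (Auth.SUCCESS, Auth.ATTEMPTED):
        return "issuer"         # authenticated, or attempted with issuer unable to respond
    # FAILED, ERROR and anything unexpected: assume no shift (fail closed, an assumption)
    return "merchant"

def merchant_exposure(orders):
    """Return (ids needing risk review, total amount with no liability shift)."""
    exposed = [o for o in orders if liable_party(o["enrolment"], o["auth"]) == "merchant"]
    return [o["id"] for o in exposed], sum(o["amount"] for o in exposed)

# Constructed sample orders (amounts in cents), not real transaction data.
ORDERS = [
    {"id": "A1", "amount": 12000, "enrolment": Enrolment.ENROLLED, "auth": Auth.SUCCESS},
    {"id": "A2", "amount": 4500, "enrolment": Enrolment.ENROLLED, "auth": Auth.FAILED},
    {"id": "A3", "amount": 9900, "enrolment": Enrolment.NOT_ENROLLED, "auth": Auth.NOT_RUN},
    {"id": "A4", "amount": 30000, "enrolment": Enrolment.UNAVAILABLE, "auth": Auth.NOT_RUN},
    {"id": "A5", "amount": 2500, "enrolment": Enrolment.ENROLLED, "auth": Auth.ERROR},
    {"id": "A6", "amount": 7000, "enrolment": Enrolment.ENROLLED, "auth": Auth.ATTEMPTED},
]

if __name__ == "__main__":
    ids, total = merchant_exposure(ORDERS)
    print("risk review:", ids, "exposed (cents):", total)
```

Because the point of liability shift varies by card provider, the mapping in `liable_party` should be checked against the acquirer's current scheme rules before it drives authorization decisions.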
EFFECTS OF 3D SECURE 2 ON LIABILITY SHIFT
The global program activation day is 12/04/2019. Until then, existing liability shift rules from the original 3DS1 Protocol will continue to be in full effect.
After 3DS2 goes live, there will be only a minor change to the liability shift rules. This could offer major benefits for merchants by protecting them against fraudulent chargebacks.
As it stands now, merchants can try authentication with 3DS2 if the issuer is unable or unwilling to respond (system unavailable), and they will receive protection against fraudulent chargebacks.
If the issuing bank does not support 3DS2, there will be no liability shift and the merchant will still have to pay. This change will take effect on 12 April 2019 and merchants will still have full fraud protection.
3D Secure, a buyer authentication solution, is still the best way of reducing fraud in CNP purchasing. It provides protection for both the consumer and the merchant, by shifting liability.