Merchants, Online Fraud And The 3DS 2.0 Reset

As has historically been the case with commerce security upgrades that roll in by government mandate, the path to European Union adoption of 3D Secure 2.0 (also known as “3DS 2.0” or “EMV 3DS”) has been a rocky road. It’s been replete with stumbles and delays getting the new technology paradigm off the ground — most notably in the middle of the coronavirus pandemic, a global event that put the brakes on projects large and small worldwide.

But for all of the headwinds that COVID-19 has thrown at the project, the outbreak and the flood of digital commerce the pandemic spawned also created a massive tailwind for 3DS 2.0. After all, a flood of fraudsters looking to intercept all that newly-created digital commerce is creating demand for better security, PAAY Chief Financial Officer Brian McCutcheon told PYMNTS in a recent interview.

“The EMV 3DS is uniquely qualified to help merchants keep their chargeback rates down,” McCutcheon said. “[That] keeps them from getting in trouble with the card brands, and obviously avoids the significant costs that come along with fighting, investigating and resolving chargebacks. At the end of the day, it’s kind of a low-priced piece of technology to fight what can be a very expensive issue for merchants.”

But first, 3DS 2.0 needs to make it over the bumpy road to adoption. That’s a path that McCutcheon said will have challenges, but perhaps fewer than we’ve seen in the recent history of security upgrades.

Why 3DS 2.0 Is (And Isn’t) Like Putting EMV Into Place 

3DS 2.0’s struggles toward universal adoption in the European Union is reminiscent of EMV chip cards’ rise — a similar journey that aimed to solve a different fraud problem.

When the card networks first started mandating EMV, McCutcheon said, there was heavy resistance. That meant the rollout was rocky and filled with delays almost everywhere it went, especially in the United States.

“When it was finally mandated in the U.S., a lot of providers were caught short in their efforts to roll it out,” he said. “In that way, I see it very similar to the 3DS mandate that is already in place for Europe.”

McCutcheon believes that like EMV, 3DS 2.0 will ultimately make it over the finish line because, bumps aside, it’s effective and reduces digital sales fraud.

Moreover, he noted that the 3DS 2.0 changeover should be easier to make because there isn’t a heavy hardware investment baked in — unlike the switch to chip and PIN cards. Those involved new point of sale (POS) devices with chip readers that were an expense for merchants (often a major one). McCutcheon said the cost only added to merchants’ initial resistance to adopting those systems.

“I don’t think the second wave of EMV 3DS will be as bumpy, because it doesn’t require the significant investment and the capital required to change out all the equipment,” McCutcheon said. “3DS is software. It’s done away from the point of sale.”

And although only the EU will soon require 3DS 2.0, McCutcheon said PAAY is developing solutions for the wider world as well. He said that’s because even beyond the EU requirement, 3DS is an increasingly necessary tool for merchants who are switching more and more to digital sales.

The Path Forward 

McCutcheon noted that large, enterprise-sized firms have very advanced security procedures and whole IT teams dedicated to fighting digital fraudsters, while small- to medium-size businesses face growing fraud problems that they don’t have the scale to take on alone. What 3DS 2.0 allows them to do is push off some of that liability to where it more properly belongs — the issuers. Issuers are more qualified to spot and repel scams given the fraud data they already have and the supplemental 3DS data they’re getting in.

“The issuing bank has much more viewpoint authority over the issued card and the cardholder,” McCutcheon said. “They’re in a better position to mitigate the fraud. The result of that can be that merchants get to sell their product, because the authorization rate stays up while shifting that liability to the issuing bank. So, they aren’t always fearing that chargeback.”

And because the need for such protection exists and is growing, he strongly suspects that while 3DS 2.0 is getting its big start in the EU, it’s going to make its way across the pond in fairly short order just as EMV did. McCutcheon believes that smart U.S. players will start readying their operations today for a switch in liability that’s almost certainly coming down the pike tomorrow.

“When it comes to data protection, security and payments technology, the trends seem to begin in Europe,” he said. “[But] in my humble opinion, the payment companies that succeed are the ones that see the needs and wants of the EU and have the foresight to build products that solve those same needs for the American market.”