3DS chargebacks explained

Why are merchants still seeing chargebacks with 3D Secure (3DS)? Roman Korobkov from Riskified explains all

No security solution is perfect. Whether it’s an authentication protocol, a machine learning algorithm, a rule-based engine, or a manual review approach - there’s always a chance for a mistake as well as space for improvement. 

3DS has played a huge role in user verification for CNP transactions for over 20 years, and mandatory or not, it has proven to be a good tool for safeguarding the payment process and providing the liability shift incentive for authenticated orders. However, it’s not 100% fraud-proof. 

In the recently commissioned Riskified study conducted by Forrester Consulting, we asked 207 payments decision-makers from ecommerce organisations across the EU and the UK to share their insights on PSD2 now that it's been fully enforced for a while. One of the questions related to chargebacks on 3DS-authenticated transactions, and 39% of respondents stated they are seeing an increase. So, what could be behind that?

First of all, the 3DS protocol can be bypassed, and fraudsters are constantly looking for new ways to do this. They’re sharing knowledge on the dark web, exchanging tips on how to use bots, leverage malware, or commit sim-swap scams, and providing detailed social engineering scripts that can be used to take over the second factor. Some data is shared for free, while more exclusive knowledge, like full-scale online courses, is sold.  

Furthermore, even with extended data exchange capabilities in the newer versions of 3DS, the information sent via authentication rails is limited and might not always be enough to make the right decision about an order. For example, we’ve seen cases of transactions being successfully authenticated mostly based on their value. However, after a more thorough analysis, it was discovered that there were some red flags not taken into consideration, like multiple IP addresses being used, or connections to an identity already identified as fraudulent previously. Every detail about an order can significantly change the risk level of a transaction. A red flag, if missed, can then be a reason for a potential chargeback in the future.  

When asked about the current state of their businesses in relation to PSD2, 26% of the respondents shared they are still complying only with the minimum requirements of the regulation. But just adding the required authentication flow to the payment process means some eCommerce merchants are sending all of their traffic to 3DS, which might not always be the best strategy. When there is space for optimisation, we recommend leveraging all the data available to decline clearly suspicious transactions at the earliest possible stage, maximising exemptions and lifting 3DS when it’s necessary. It not only significantly decreases the risk of potential chargebacks on authenticated orders, but also improves the customer experience.