[thepsi]

> I've outsourced each and every bit of the handling and processing to third parties, we still get hit with the chargeback penalty.

Ignoring the flaws in most current implementations, isn't this the kind of thing 3D-Secure (VBV, SecureCode, etc.) is supposed to reduce?

[jacquesm]

Using VBV just reverses the penalty of abuse on to the user instead of the merchant, because it is 'secure', whatever that means. If and when it will be hacked there will be a bit of a problem.

I helped a friend that runs an IPSP implement it, the spec is so large and convoluted that there's bound to be holes, so the flaws in the implementations are a problem but flaws in the spec are likely to crop up as well.

[thepsi]

I thought a merchant implementing 3DS wouldn't receive chargebacks if a customer denies placing the order, since the issuing bank has performed "enough" authentication to satisfy themselves that the transaction is legit.

If that's the case then, holes aside, it makes sense for a merchant to integrate 3DS to reduce chargebacks (not to mention some acquirers charge lower rates for VBV payments, which can help offset PSP fees). But your earlier comment suggested that you were still being stung for chargebacks - I'd be interested to know why.

(and yes, it's a lot of spec for what's essentially 3 XML request/response pairs, but that's the payments industry for you - you'll know what I mean if you've had the joy of ploughing through APACS-70 or its predecessors...)