by morpheuskafka 1873 days ago
> The first thing that can reduce conversions is the higher rate of 3DS triggered user abandonment. Since many consumers are not familiar with the 3DS process, there is a higher chance of abandonment during the authentication process.

This would presumably go away once PSD2 is fully implemented and all purchases require it, which is a benefit of requiring it by law rather than letting merchants choose whether or not to require it. Requiring it is a common good in the sense that it reduces the economy's overall loss due to fraud.

Additionally, as the article mentions, using 3DS shifts liability for charge not authorized disputes from the merchant to the bank. Thus, the decreased rate of conversions must be compared against decreased losses due to chargebacks.

2 comments

It quickly gets complicated. There are many more variables to take into account.

- SCA exemptions
- Prepaid Cards (with no built in 2FA support)
- Banks in less developed markets (No 3DS)
- "We encountered a 3DS processing error" is a common nondescript message which occurs with international payments

For regular merchants, the decrease in conversion (double digit) is VERY far away from any improvements in chargebacks. Bear in mind that most merchants need to stay below 0.75-1% chargeback regardless of conversion/decline ratios.

EDIT: Spelling

Depends on the business though, right?

In a high-value, low-margin business, reducing chargeback losses to almost zero might be worth the cost of a double-digit conversion drop. In other circumstances, the same numbers can be catastrophic.

And that, I guess, is the OP's point.

It should be a choice a business can make based on their circumstances. Instead, the EU legislates conversion loss for everyone.

If you think about it, when was the last time you entered even a CVV2/CVC on Amazon? Compare that to most regular sites which require you to enter CVV. Some allow you to enter the card holder name and address, while others don't and just send the shipping address you've entered.

And it's not like this is a surefire way to make things better anyway. Like was mentioned before, it makes people that know about these things queasy when a random site redirects you to your bank and wants you to log in. What better way to scrape bank login info than a fake login screen for your bank? It's like when banks introduced TAN numbers. Then indexed TAN, SMS TAN etc. What regular user that fell for the "Please enter 3 TAN numbers to verify your account" will figure out whether a shady site is scraping their logins?

In Norway, after the redirect to the payment page from a bank to approve the transaction, the only thing one typically types is the phone number and the birthday. The rest happens on the mobile.

A bank in Spain implemented this even better as one does not enter anything on the site. Rather one has to go to the bank app on the phone and approve the purchase there. The latter is very frictionless especially with biometric authentication.

> A bank in Spain implemented this even better as one does not enter anything on the site. Rather one has to go to the bank app on the phone and approve the purchase there. The latter is very frictionless especially with biometric authentication

Same here in France at my two main banks, LCL and Boursorama, the payment screen tells you to open the app and confirm the payment.

I agree, the change needs to be viewed overall. The liability shift is a godsend, it also decreases customer support contacts to verify if the order is fraud or not.

Also, paired with 3DS2's frictionless flow we actually saw a small uptick.