by jonathanlydall 52 days ago
If 3D secure was mandatory everywhere that would help a lot, but if I understand correctly, it’s not really used in the US and with them being so big, card issuers are largely forced to allow non 3D secure requests or their clients will be unable to use their cards for too many things.

So an enormously good anti-fraud mechanism is severely handicapped.

It’s really frustrating for most of the rest of the world.

I don’t get it, do US citizens prefer being defrauded over what is perceived as a slight inconvenience?

Even for non-victims of fraud, they still pay for the fraud as all merchants up the prices of their goods to cover fraud costs/insurance.


No, the laws are different, and more consumer-friendly in the US, so US consumer behavior is different.

Back when credit cards were first starting out (which happened in the US), the US Congress passed a law, the Fair Credit Billing Act of 1974, that said consumers were only liable for $50 of losses as long as they reported the missing credit card within 60 days of the end of the fraudulent billing cycle. This was back when credit card purchases were all made on paper with the machine that went "kachunk" and transferred a carbon copy of your card; everything was done completely offline. That law has not been changed; in fact, most banks completely waive the $50 and don't hold card-holders liable for anything reported (basically, annoying a customer over $50 isn't worth it to the bank). Thanks to the internet, suddenly cards got a lot easier to steal and a lot easier to exploit, but banks are still on the hook for all losses reported within 60 days of the end of the cycle. The result is that American banks have invested an enormous amount in real-time monitoring of credit card transactions, and are doing lots of stuff to monitor this. They care deeply since ultimately they are on the hook, but the consumer doesn't care. This is why US cards, from the consumer perspective, are so much laxer: our banks have invested far more on the back-end because the consumer is held harmless in a way they aren't with European cards.

As a totally separate issue, the EU has regulated the amount of interchange fees that card companies can charge, but the US has not capped them. The result is that US card-holders can get significant kickbacks for using cards (especially true for the top decile of wealth), in a way that is functionally impossible with EU-issued cards that have capped interchange fees. There is a big lawsuit happening now to try and allow merchants to only accept low-fee cards (the standard VISA/MC/AMEX deal requires treating all cards equally, which gives them an incentive to push people to higher interchange cards). We will see what happens with that suit, but until then, American high-spenders can have much higher rewards on their cards, which also encourages greater use of the cards and makes them have less friction than the EU versions.

> Thanks to the internet, suddenly cards got a lot easier to steal and a lot easier to exploit- but banks are still on the hook for all losses reported within 60 days of the end of the cycle.

For card-not-present transactions (i.e. online ones) the liability is on the merchant. They however also have an incentive NOT to use 3DS because it adds real friction to purchases. I'm also not sure if all USA banks even support 3DS.

This theory explains why cardholders in the US are still using cards despite these being relatively less secure than in other countries, but fails to explain why issuing banks wouldn't take steps to protect their own fraud losses, such as introducing 3DS or PINs.

The actual explanation lies in the game theory of fraud prevention; see my sibling comment for details.

Why would the law being different mean they wouldn't use 3DS though? Surely it'd cut out a good amount of fraud along with the realtime monitoring? I understand that US consumers don't have a stake in this, but can't all the banks just agree to enforce 3DS? I can't imagine Americans are going to stop using their cards because of a small amount of friction added.

> can't all the banks just agree to enforce 3DS

They could, but it's one of those things that really only works if everybody joins. Because 3DS is rarely used right now, a portion of merchants don't even support it, so if you start enforcing it as a single bank, your customers will start complaining their card doesn't work. The banking industry in the US is also more decentralized than in the EU, so getting everybody to join in simultaneously is hard.

The window of opportunity for 3DS has also more or less passed; the industry is moving on to the next generation of tech (wallets/tokenization), which should be both easier to use and more secure.

Because adding friction will deter many impulse purchases. Americans use credit cards constantly. The equilibrium would be perturbed in a way very much not advantageous for the credit card issuers if consumers became more cautious about using credit cards.

It’s the same reason credit card issuers are willing to pay Apple a few basis points to participate in Apple Pay: reducing friction has a non-linear impact on propensity to pay.

> I don’t get it, do US citizens prefer being defrauded over what is perceived as a slight inconvenience?

Do you think we are requesting to have less secure payment methods or something?

No, we don't "prefer to get defrauded", but things like this are a matter of negotiation between the card issuers and the merchants.

> but things like this are a matter of negotiation between the card issuers and the merchants.

Not necessarily, the EU has mandated strong customer authentication by law (PSD2), and as a result has practically universal 3DSecure support.

Exactly, if citizens could convince US lawmakers to make it mandatory, it would be a huge net benefit to society as a whole.

I suspect that banks and merchants would lobby against it due the work involved. After all, they’ve already marked up their services and goods to cover the cost of fraud/insurance. So right now they don’t pay the cost of it, instead all their customers do through higher prices than they would otherwise have needed to pay.

> Exactly, if citizens could convince US lawmakers to make it mandatory, it would be a huge net benefit to society as a whole.

That's not obviously true. Adding security would likely reduce fraud, but would also make transactions more difficult and time consuming, and may also make recovering from fraud more difficult and time consuming.

The costs may not justify the benefits.

Bold of you to assume that the public has more influence on legislation than lobbyists do in the US.

Ah, the natural call of the wild European: blaming individual Americans for a century of policy failures with truly majestic smugness.

Who should be blamed then? Do you not vote for your lawmakers? Do you not vote with your wallet by buying from non-3D-Secure merchants?

Yes, I vote for leaders. So does everyone else, unfortunately.

Legislate that the banks are liable for refunding this class of fraud and you'll find they suddenly take this stuff a lot more seriously and "discover" the technology.

I don't understand your point. The banks and credit card companies are already responsible. If I have a fraudulent charge I call and tell them it's fraudulent and they say okay and take it off and either get it back from the issuer or eat the difference.

I think what you're missing is that the bank and credit card companies rarely eat the difference. The business who sold the item which was charged back is the one paying the cost of the transaction (no income, lost item) plus a chargeback processing fee (typically $15 per chargeback).

They can also punish you for doing so, like banning you from the bank.

They also report account closures to ChexSystems, which can make it harder to open accounts at other banks for years. Credit card issuers can drop you and ding your credit. Definitely not your fault, but still your problem, and the consequences are for you.

Quite hard to do when banks are major bribers of politicians.

> I don’t get it, do US citizens prefer being defrauded over what is perceived as a slight inconvenience?

The general idea is that if the conversion rate drop of a given security mechanism is higher than the average fraud rate, it doesn't make financial sense to deploy it.

However, at the industry-wide level, this is a pretty classical coordination problem, in that conversion rate only drops because there still is a simpler alternative around unless all merchants and banks were to enforce 3DS at the same time. If there's nothing more convenient left to move to, users will for better or worse have to learn the new, more secure thing, and conversion rates will go up again.

This is what the EU has done by mandating 3DS for many payments, but even there regulators have recognized that 100% coverage is counterproductive, and there's a sweet spot somewhere in the middle.

As more evidence for the same general idea: US credit cards don't have PINs, because any individual bank introducing them would see a huge drop in usage rates since customers would just use their competitor's card without a PIN instead. In other markets, all cards have PINs (whether due to regulatory intervention or card network incentive), and people have just gotten used to them.

IIRC, MasterCard SecureCode and Visa's Verified by Visa were more of a thing in the US maybe a decade or two ago? I think NewEgg and B&H did support it at one point? Afterwards, everyone simply disabled the thing, and you simply get a wave-through by most issuers when shopping on foreign sites, where you get redirected to the issuer's website, then back to the online shop, without having to type or confirm anything.

Back when it was a thing, it was quite a nightmare, where you had to register for a 3DS account, often separate from your normal online account, and keep a separate password etc. Then those iframe windows looked exactly like phishing websites, too.

Honestly, it's much ado about nothing. If the transaction is suspicious or likely fraudulent, today you already get an SMS or an alert within the bank's app on your phone. All you have to do is confirm and retry the transaction a minute later. This works for both in-person transactions as well as remote ones, with the same flow, unlike 3DS, which only works for online shopping.

FWIW, HSBC USA Mastercard uses 3D Secure if it's something you want and you're in the States.

Capital One also offers it for their credit cards, which makes them the only ones usable in countries where requiring 3DS is common. (No idea why this is a thing actually; merchants get the fraud chargeback liability shift as soon as they request 3DS, whether the issuer actually supports it or not.)

The real problem is that in the US, almost no merchants request it in my experience, despite the fact that they'd get an almost free (in terms of conversion rate dropoff) liability shift. I suppose the few US issuers that do support it have a bad enough implementation that the conversion drop is still significant.

> No idea why this is a thing actually

a) It still affects their bottom line: the issuer might still try to dispute this using a different code despite payment scheme (the formal term for Visa et al.) rules, and the merchant targeted is prone to fraud (for example, airlines have been hit with this by fraudsters exploiting tourists looking for cheaper tickets: offering them suspiciously cheap tickets on seemingly trustworthy websites and funding them with insecure cards).

b) Misinterpretation of mandatory rules: PSD2 is applicable only for EEA customer - EEA merchant, but some extended it to the whole world despite the rules literally dictating the limits.

c) Soft friction for encouraging domestic card usage: because of accept-all rules by payment schemes (and no local rules that allowed merchants in a region to reject international payments), this is a way to block US cards under the guise of fraud prevention (because international cards are expensive for merchants to process).

Wow, c) never occurred to me but makes total sense.

b) can probably explain this happening for EU merchants, but I've also seen this in Japan and Central America, and I think even before PSD2 in the EU.

That's what I love about the payments space: While you're absorbed in your own game of checkers, you never know if your opponent is actually playing 1d or 10d chess :)

Yeah, from a software dev perspective the implementations are shockingly terrible from a UX perspective. I'm surprised Stripe doesn't make it automatic with their integration.

One problem is that the UX is largely defined by the issuer. 3DS (on the web) is literally an issuer-rendered iframe.

How much is lost to fraud that would be prevented by 3D Secure, 0.1%?

In Europe, the max interchange fee is 0.3%. In the US, the average is 2%. So the relative impact of fraud is much higher.

And then the next question: how does this affect consumer spending? What percent of purchases get the 3D Secure message and change their mind instead of confirming the purchase?

Huh? Your conclusion does not follow. A large fraction of the interchange fee is kicked back to customers.

The size of the pie being so much bigger means the issuer’s tolerance for fraud is much larger, but it’s orthogonal to whether there’s actually more fraud. In practice, credit card fraud actually impacting customers is vanishingly rare at this point.

A large fraction, yes, but I believe in absolute numbers, US issuers still retain much more interchange than European ones.

The numbers are even public: https://usa.visa.com/content/dam/VCOM/download/merchants/vis...

If you take a look at some of the more "expensive" cards, interchange is often higher than 2%, yet issuers often pay as much only on certain categories, and flat cashback cards usually pay 1.5% (2% is relatively rare).

Compare that difference to a total interchange of 0.3% in the EU.

There is also an additional (usually pretty high) fee for getting chargebacks.