Definitive guide on 3D Secure, Chargebacks and Liability

Let's start from the beginning...

Strong Customer Authentication (SCA) is a European legal requirement for online payments that is due to come into force on 31st December 2020 in the EU and on 14th September 2021 in the UK. To comply with this law, the industry is adding 3DS2 checks to most online payments (details on exemptions below).

Why did they bring it in? How does it impact chargebacks and liability? Keep reading…

3DS2

3D Secure 2 is an authentication protocol for SCA. It adds an additional layer of security during online transactions to help ensure that the cardholder and the person making the purchase match.

Chargebacks

Chargebacks are disputes that are raised against a merchant when a cardholder does not recognise a transaction on their bank statement or if they believe that they did not receive the service that they paid for.

Liability

When it comes to chargebacks & 3DS2, the liability determines who is responsible for refunding a customer's funds.

3D Secure 101

The purpose of 3D Secure 2 (3DS2) is to reduce fraud and provide extra security for online payments. As we continue to buy more and more goods online, instances of fraud are also increasing. In the past, customers have only had to enter their financial details to complete an online purchase. So, the payments industry needed to step up its game to protect both merchants and consumers from the rising rates of online fraud.

In most cases, your customer's shopping experience will remain the same. But, if the issuer (the bank or financial organisation that issued your customer's card) isn't completely satisfied that the real cardholder is the one making the purchase, they'll ask for some additional input to authorise the transaction.

If, after the additional input they're still not satisfied, the transaction will be declined.

Authentication Check

Your customer's payment experience will largely remain the same, with 3DS2 checks working seamlessly in the background to validate that the person making the purchase is the real cardholder.

How does this work?

Once the cardholder has entered their card details at the checkout, the 3D Secure tool will send a data-rich authentication request to the issuer asking them to authorise the transaction.

This data can include a mixture of data points such as device ID, shipping address or the customer's purchase history. If these data points don't satisfy the issuer, they'll request additional input using two-factor authentication (see below).

Two-factor Authentication

The additional input your customers may have to provide is known as 'two-factor authentication'. Your customers may be asked to provide two of the following three identity categories during the online process:

Exempt or Out of Scope Transactions

All merchants taking online payments need to comply with Strong Customer Authentication, but there are some transactions that are exempt from SCA or fall outside of its scope:

  • Low-value payments under £45 (or €50)
    Note: This follows a decision to increase the contactless limit from £30 as a response to COVID-19 (since 1 April 2020).
    Note: This exemption applies until a customer makes more than five exempt payments in a row, although this may change as a result of the increase in the contactless limit.
  • 'Whitelisted' eCommerce websites
    Note: Customers will be able to select online shopping sites they trust and regularly use, which means SCA will only be required when they make a first purchase.
  • Recurring Payments / Merchant-Initiated Transactions (MIT)
    i.e. If your customer takes out a subscription, they'll only need to verify their identity when they first sign up to your service.
  • Mail Orders & Telephone Orders (MOTO)
    All transactions that take place via mail or telephone are exempt, as they are not classed as electronic payments.
  • One Leg Out Transactions
    i.e. Transactions where either the issuer or the merchant is outside of the EEA are exempt from the SCA requirement.
  • Low Risk Payments / Transaction Risk Analysis (TRA)
    Note: Certain transactions can be exempt from SCA, provided they are considered low risk and below target fraud thresholds.
    Note: Checks can include transaction history, location at the time of payment and previous use of a customer's payment device. The Judopay team can tell you more about how TRA works.
  • Direct Debit
    e.g. Monthly bills

Chargebacks 101

Chargebacks are disputes raised against a merchant when a cardholder doesn't recognise a transaction on their bank statement OR doesn't receive the service/goods they paid for, e.g. they ordered something online and it didn't arrive.

But this doesn't happen automatically. Once the dispute is raised, the customer's issuing bank will contact the merchant and ask for evidence. The cardholder can raise a "Second Chargeback" if the issuing bank rules in favour of the merchant in the first chargeback claim, and the cardholder wants to question the transaction again. This process usually requires extra supporting evidence from the merchant, and incurs the same chargeback fee again.

Chargeback Fees

Each chargeback that is raised incurs a non-refundable admin fee charged by the issuing bank to the acquiring bank, and passed on by the acquirer to the merchant. The fee amount is specified in the contract you signed when you joined Judopay. Please note this fee applies regardless of the outcome of the chargeback, i.e. even if the issuing bank accepts the merchant's evidence as sufficient to validate the transaction.

Reducing Chargebacks

  • What Descriptor appears on your customers' bank statements when they buy from you? This needs to be something your customers will easily recognise, such as your trading name.
  • Whether you're providing goods or a service, give your customers as much information at the point of sale to minimise returns or queries.
  • Make sure your support team has the necessary resources and training to respond quickly to any queries. Before a customer raises a chargeback they'll often reach out to merchants directly to try and resolve the issue first - this is your opportunity to stop chargebacks before they've even been raised.
  • If there is likely to be a delay between your customer paying and receiving the service/goods, make this explicitly clear at the point of sale and, if possible, keep them updated on delivery. People can get impatient and will be more likely to raise a chargeback if left waiting.
  • Can you issue refunds? Depending on the service/goods this could be a quicker and cheaper alternative that could build a better and long-lasting relationship with your customers.

Disputing Chargebacks

If you want to dispute a chargeback, your chargeback notification will explain how to do this. Make sure to include any evidence you have to prove that this transaction is legitimate or that the customer did indeed receive the service/goods.
For example:

General: any written communication you've had with the customer regarding the services/goods
Private car hire industry: you can submit booking details including GPS tracking or call recordings if the payment was made over the phone
Ecommerce website: you can submit the tracking number or updates that show the goods being dispatched/received

Chargeback Timelines

Your customers typically have 120 days to raise a chargeback (this can vary depending on the service/goods sold). The time limit for the customer to provide supporting evidence and deal with the dispute varies, e.g. Visa often places a time limit of 540 days. The start date of the chargeback window depends on the service/product.
For example:

Issue with goods purchased online: time limit starts from the day the consumer receives the goods

Who is Liable?

In most instances, the merchant is liable for chargebacks and must provide evidence that the registered cardholder made the transaction or that service/goods were delivered. However with 3DS2 transactions, liability is shifted to the issuer. See 'Chargeback liability with 3DS' for more details.

Chargeback liability with 3DS

One of the big benefits for merchants when it comes to 3DS2 is the liability shift. Once 3DS2 has been enabled for a merchant, the issuer will become liable for any fraudulent transactions authorised by 3DS2. Note - some transaction types are exempt from 3DS2 or out of scope, so it's worth brushing up on these and speaking to the Judopay team if you're currently offering or plan to offer any of these.

While a merchant would normally cover the costs of any chargebacks, 3DS2 enables issuers to better authenticate the identity of customers during online transactions, therefore shifting the liability to them.

When is the Merchant liable?

This liability shift only takes place when an online 3DS2-enabled transaction is successfully authorised by an Issuer. If an online transaction isn't authorised by 3DS2 then the liability remains with the merchant. So, any non-3DS2 transactions that result in a chargeback are the responsibility of the merchant.

For this reason it's vital that merchants ensure that 3DS2 is enabled, where relevant, and is in working order, before the deadline.

When is the Issuer liable?

One of the biggest benefits of 3DS2 for merchants is that they won't be liable for fraudulent 3DS2-enabled transactions that are authorised by the Issuer. This means that if a chargeback is raised against a 3DS2-processed transaction, it is the issuer that will be liable for refunding the costs.

For example:

ACME Retail has 3DS2 enabled on all online transactions over £45. Anthony notices a charge for £60 from ACME Retail on his bank statement, but knows he didn't make the purchase. Because the transaction had 3DS2 enabled and was authorised by the Issuer, the liability sits with the issuer, and they must cover the costs.

What if the transaction doesn't run through a 3DS2 check?

Think of transactions as "enabled with 3DS2" or "not enabled".

If a transaction is "enabled with 3DS2" and is successful, the liability lies with the Issuer as they deemed this transaction to be legitimate.
If a transaction is "not enabled" and is successful, the liability remains with the merchant.
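The exemption rules from the 'Exempt or Out of Scope Transactions' list and the "enabled" / "not enabled" liability model above, encoded as one decision routine. This is an added illustration, not Judopay's or any card scheme's code; it assumes the five-in-a-row low-value counter is kept per card and resets when a payment goes through SCA, and that an exempt payment (which skips 3DS2) leaves liability with the merchant.

```python
from dataclasses import dataclass

# Thresholds and limits as stated in the guide above
LOW_VALUE_LIMIT = {"GBP": 45.0, "EUR": 50.0}
MAX_CONSECUTIVE_LOW_VALUE = 5

@dataclass
class Transaction:
    amount: float
    currency: str
    channel: str = "ecommerce"        # "ecommerce", "moto" or "direct_debit"
    merchant_initiated: bool = False  # recurring payment / MIT
    merchant_whitelisted: bool = False
    one_leg_out: bool = False         # issuer or merchant outside the EEA
    tra_low_risk: bool = False        # acquirer's TRA flagged it as low risk

@dataclass
class CardState:
    # Assumption: counter kept per card, reset once a payment goes through SCA
    consecutive_low_value: int = 0

def sca_decision(txn: Transaction, state: CardState) -> tuple:
    """Return (sca_required, reason) and update the low-value counter."""
    if txn.channel in ("moto", "direct_debit"):
        return False, f"out_of_scope:{txn.channel}"
    if txn.one_leg_out:
        return False, "out_of_scope:one_leg_out"
    if txn.merchant_initiated:
        return False, "exempt:mit"
    if txn.merchant_whitelisted:
        return False, "exempt:whitelisted"
    if txn.tra_low_risk:
        return False, "exempt:tra"
    limit = LOW_VALUE_LIMIT.get(txn.currency)
    if (limit is not None and txn.amount < limit
            and state.consecutive_low_value < MAX_CONSECUTIVE_LOW_VALUE):
        state.consecutive_low_value += 1
        return False, "exempt:low_value"
    state.consecutive_low_value = 0   # an SCA challenge ends the run of exempt payments
    return True, "sca_required"

def settle(txn: Transaction, state: CardState, issuer_authenticated: bool) -> dict:
    """Outcome and chargeback liability for one payment.

    issuer_authenticated is the result of the 3DS2 challenge when one is run.
    Exempt and out-of-scope payments skip 3DS2, so liability stays with the merchant.
    """
    required, reason = sca_decision(txn, state)
    if not required:
        return {"outcome": "approved", "reason": reason, "liability": "merchant"}
    if not issuer_authenticated:
        return {"outcome": "declined", "reason": reason, "liability": None}
    return {"outcome": "approved", "reason": reason, "liability": "issuer"}
```

The sixth consecutive low-value payment on the same card comes back as `sca_required`, which is the edge case merchants most often trip over when relying on the low-value exemption.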

However, after the EU deadline of 31st December 2020 and UK deadline of 14th September 2021 all online transactions (that aren't exempt or outside the scope) have to be 3DS2 enabled, by law.