3DSecure failures cause big holiday headache for many French e-merchants

Dec 11, 2014

The holiday season is often both a fruitful and trying time for many e-merchants trying to manage and fulfill the increasing number of online transactions. However, this season is likely to go down as an even more challenging one for many French e-merchants due to the repeated system failures of 3DSecure, a system that many French e-merchants use to verify purchases and prevent fraud on their sites.

If you’ve ever purchased something online in France, chances are that you have come across 3DSecure at least once. It’s basically the system that sends you an SMS with a code from your bank that you, in turn, use to verify and complete your online purchase. The system, which was developed by Visa and Mastercard, is widely used across Europe, but less frequently used by e-merchants in France. Since late October, several French banks, including Banques Populaires, Caisses d’épargne, Crédit Agricole and LCL, have been the victims of failures in the system, which has prevented many consumers from completing their purchases. Clearly a nightmare scenario for many e-merchants during the busiest shopping time of the year.

I caught up with Thibaut Faurès Fustel de Coulanges, President of top payments solution Be2Bill and VP of digital monetization leader Rentabiliweb, to talk a bit about the ramifications of the failure and how Be2Bill works to protect its e-merchant clients.

What is 3D secure exactly and how present is the technology on ecommerce sites here in France?

The 3DS is an authentication system used in ecommerce to prevent online fraud. It ensures that each transaction is ordered by the bank card’s owner. This payment step consists of entering a code generated by the card owner’s bank and sent to his/her mobile phone. While it is widely used in the UK for example, it took a long time for France to spread its use due to a lack of pedagogical approach. In 2013, we recorded in our platform that 99% of French cards were enrolled for 3DSecure. If 3DSecure does limit online fraud attempts, it however has a negative action on conversion rate by implying an additional step in the payment process.

Therefore some merchants chose not to install it on their online stores and rather deal with some fraudulent transactions. The money they lose because of default payments is counterbalanced by a better conversion rate they obtain by not setting up the 3DSecure authentication system.

It seems that this isn’t the first failing of 3D secure. What exactly happened from a technical point-of-view?  What are the consequences of these types of system failures?

3DSecure is an efficient tool that does help in fighting online fraud but it uses complicated protocols that can make it unstable. Technically, the 3DSecure system requires the PSP (Payment Service Provider) to “call” the 3DS technical infrastructure which itself calls the card owner’s bank technical platform in order to identify the card holder. In this precise case, there has been a problem with the infrastructures of some French banks that seemed unable to answer the calls. Therefore no transaction requiring 3DS could occur. They were just blocked with no explanation given to the card owner. The consequences of this incident are that many clients were not able to buy online and many merchants lost sales and customers at a particularly wrong time: the beginning of the Christmas period.

How has Be2Bill dealt with this?  What safeguards do you have in place to protect your clients?

Given the fact that Be2bill was created by Rentabiliweb, a pure web player, it was clear that we wanted a payment solution focused on e-merchants’ needs and the most obvious of all: fighting fraud while optimizing conversion rate. That is why we monitor the 3DS activation, which means that we are able to determine with and for our customers whether a 3DS needs to be activated or not at each transaction. Deciding to halt or reduce the use of 3DS indeed implies opening a break in its risk management. However each time we do so, we set up complementary velocity monitoring and blocking tools to reduce payment defaults. Thanks to data we deal specifically with each and every dysfunction of the system. In this precise case, our analyst team identified the 70 BINs (bank identification number => first 6 digits on a payment card) that were impacted by the 3DS issue. Once the identification was made, we were able to halt the 3DS on these payment cards when our customers asked us to do so and prevent them from fraud with our complementary velocity monitoring tools. This way, their sales were not impacted by the issue contrary to merchants who worked with common Payment Services Providers.
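The per-BIN routing described in the last answer can be sketched as follows. This is an added illustration, not Be2Bill's code: the BIN values, merchant names, card tokens and velocity thresholds are all constructed assumptions, since the interview names none of them.

```python
from collections import defaultdict, deque

# Constructed sample values: the interview mentions 70 impacted BINs but lists none.
IMPACTED_BINS = {"497000", "513100"}
# Hypothetical merchants that asked for 3DS to be halted on impacted cards.
OPTED_IN_MERCHANTS = {"shop-a"}


class VelocityMonitor:
    """Sliding-window cap on accepted payments per card (thresholds assumed)."""

    def __init__(self, max_attempts=3, window_s=3600):
        self.max_attempts = max_attempts
        self.window_s = window_s
        self._accepted = defaultdict(deque)  # card token -> accept timestamps

    def allow(self, card_token, now):
        q = self._accepted[card_token]
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window_s:
            q.popleft()
        if len(q) >= self.max_attempts:
            return False  # too many unauthenticated payments on this card
        q.append(now)
        return True


def route_payment(merchant, pan, card_token, now, monitor):
    """Return 'require_3ds', 'skip_3ds' or 'block' for one transaction.

    3DS stays the default. It is skipped only when the card's BIN (first
    6 digits of the PAN) is on the impacted list AND the merchant opted in,
    and then the velocity check is the compensating control.
    """
    card_bin = pan[:6]
    if card_bin not in IMPACTED_BINS or merchant not in OPTED_IN_MERCHANTS:
        return "require_3ds"
    return "skip_3ds" if monitor.allow(card_token, now) else "block"
```

Only the BIN and an opaque card token are used for the decision, so the velocity store never needs to hold full card numbers.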