jonathanlydall 5 hours ago

If 3D secure was mandatory everywhere that would help a lot, but if I understand correctly, it’s not really used in the US and with them being so big, card issuers are largely forced to allow non 3D secure requests or their clients will be unable to use their cards for too many things.

So an enormously good anti-fraud mechanism is severely handicapped.

It’s really frustrating for most of the rest of the world.

I don’t get it, do US citizens prefer being defrauded over what is perceived as a slight inconvenience?

Even for non-victims of fraud, they still pay for the fraud as all merchants up the prices of their goods to cover fraud costs/insurance.

mandevil 4 hours ago

No, the laws are different- and more consumer friendly in the US- so the US consumer behavior is different.

Back when credit cards were first starting out (which happened in the US) the US Congress passed a law- the Fair Credit Billing Act of 1974- that consumers were only liable for $50 of losses as long as they reported the missing credit card within 60 days of the end of the fraudulent billing cycle. This was back when credit card purchases were all made on paper with the machine that went "kachunk" and transferred a carbon copy of your card- everything was done completely offline. That law has not been changed, in fact, most banks completely waive the $50 and don't hold card-holders liable for anything reported (basically, annoying a customer over $50 isn't worth it to the bank). Thanks to the internet, suddenly cards got a lot easier to steal and a lot easier to exploit- but banks are still on the hook for all losses reported within 60 days of the end of the cycle. The result is that American banks have invested an enormous amount in real-time monitoring of credit card transactions, and are doing lots of stuff to monitor this- they care deeply since ultimately they are on the hook- but the consumer doesn't care. This is why US cards from the consumer perspective are so much laxer, because our banks have invested far more on the back-end because the consumer is held harmless in a way they aren't with European cards.

As a totally separate issue, the EU has regulated the amount of interchange fees that card-companies can charge, but the US has not capped them. The result is that US card-holders can get significant kickbacks for using cards (especially true for the top decile of wealth), in a way that is functionally impossible with EU issued cards that have capped interchange fees. There is a big lawsuit happening now to try and allow merchants to only accept low-fee cards (the standard VISA/MC/AMEX deal requires treating all cards equally, which gives them an incentive to push people to higher interchange cards). We will see what happens with that suit, but until then, American high-spenders can have much higher rewards on their cards, which also encourages greater use of the cards- and making them have less friction than the EU versions.

lxgr 3 hours ago

This theory explains why cardholders in the US are still using cards despite these being relatively less secure than in other countries, but fails to explain why issuing banks wouldn't take steps to protect their own fraud losses, such as introducing 3DS or PINs.

The actual explanation lies in the game theory of fraud prevention; see my sibling comment for details.

X0Refraction 4 hours ago

Why would the law being different mean they wouldn't use 3DS though? Surely it'd cut out a good amount of fraud along with the realtime monitoring? I understand that US consumers don't have a stake in this, but can't all the banks just agree to enforce 3DS? I can't imagine Americans are going to stop using their cards because of a small amount of friction added

Denvercoder9 4 hours ago

> can't all the banks just agree to enforce 3DS

They could, but it's one of those things that really only work if everybody joins. Because 3DS is rarely used right now, a portion of merchants don't even support it, so if you start enforcing it as a single bank, your customers will start complaining their card doesn't work. The banking industry in the US is also more decentralized than in the EU, so getting everybody to join in simultaneously is hard.

The window of opportunity for 3DS has also more or less passed, the industry is moving on to the next generation of tech (wallets/tokenization), that should be both easier to use and more secure.

mercutio2 4 hours ago

Because adding friction will deter many impulse purchases. Americans use credit cards constantly. The equilibrium would be perturbed in a way very much not advantageous for the credit card issuers if consumers became more cautious about using credit cards.

It’s the same reason credit card issuers are willing to pay Apple a few basis points to participate in Apple Pay: reducing friction has a non-linear impact on propensity to pay.

fckgw 5 hours ago

> I don’t get it, do US citizens prefer being defrauded over what is perceived as a slight inconvenience?

Do you think we are requesting to have less secure payment methods or something?

No, we don't "prefer to get defrauded", but things like this are a matter of negotiation between the card issuers and the merchants.

Denvercoder9 5 hours ago

> but things like this are a matter of negotiation between the card issuers and the merchants.

Not necessarily, the EU has mandated strong customer authentication by law (PSD2), and as a result has practically universal 3DSecure support.

jonathanlydall 4 hours ago

Exactly, if citizens could convince US lawmakers to make it mandatory, it would be a huge net benefit to society as a whole.

I suspect that banks and merchants would lobby against it due to the work involved. After all, they’ve already marked up their services and goods to cover the cost of fraud/insurance. So right now they don’t pay the cost of it, instead all their customers do through higher prices than they would otherwise have needed to pay.

toast0 4 hours ago

> Exactly, if citizens could convince US lawmakers to make it mandatory, it would be a huge net benefit to society as a whole.

That's not obviously true. Adding security would likely reduce fraud, but would also make transactions more difficult and time consuming, and may also make recovering from fraud more difficult and time consuming.

The costs may not justify the benefits.

Hupriene 5 hours ago

Bold of you to assume that the public has more influence on legislation than lobbyists do in the US.

idiotsecant 4 hours ago

Ah, the natural call of the wild European: blaming individual Americans for a century of policy failures with truly majestic smugness.

M95D 4 hours ago

Who should be blamed then? Do you not vote for your lawmakers? Do you not vote with your wallet by buying from non-3d-secure merchants?

eterm 4 hours ago

Legislate that the banks are liable for refunding this class of fraud and you'll find they suddenly take this stuff a lot more seriously and "discover" the technology.

gustavus 4 hours ago

I don't understand your point. The banks and credit card companies are already responsible. If I have a fraudulent charge I call and tell them it's fraudulent and they say okay and take it off and either get it back from the issuer or eat the difference.

rstupek 2 hours ago

I think what you're missing is the bank and credit card companies rarely eat the difference. The business who sold the item which was charged back is the one paying the cost of the transaction (no income, lost item) plus a chargeback processing fee (typically $15 per chargeback).

rvnx 4 hours ago

They can also punish you for doing so, like banning you from the bank.

They also report account closures to ChexSystems, which can make it harder to open accounts at other banks for years. Credit card issuers can drop you and ding your credit. Definitively not your fault, but still your problem, and the consequences are for you.

dboreham 4 hours ago

Quite hard to do when banks are major bribers of politicians.

lxgr 3 hours ago

> I don’t get it, do US citizens prefer being defrauded over what is perceived as a slight inconvenience?

The general idea is that if the conversion rate drop of a given security mechanism is higher than the average fraud rate, it doesn't make financial sense to deploy it.

However, at the industry-wide level, this is a pretty classical coordination problem, in that conversion rate only drops because there still is a simpler alternative around unless all merchants and banks were to enforce 3DS at the same time. If there's nothing more convenient left to move to, users will for better or worse have to learn the new, more secure thing, and conversion rates will go up again.

This is what the EU has done with mandating 3DS for many payments, but even there regulators have recognized that a 100% coverage is counterproductive, and there's a sweet spot somewhere in the middle.

As more evidence for the same general idea: US credit cards don't have PINs, because any individual bank introducing them would see a huge drop in usage rates since customers would just use their competitor's card without a PIN instead. In other markets, all cards have PINs (whether due to regulatory invention or card network incentive), and people have just gotten used to them.

neom 4 hours ago

FWIW, HSBC USA Mastercard uses 3D secure if it's something you want and you're in the states.

lxgr 3 hours ago

Capital One also offers it for their credit cards, which makes them the only ones usable in countries where requiring 3DS is common. (No idea why this is a thing actually – merchants get the fraud chargeback liability shift as soon as they request 3DS, whether the issuer actually supports it or not.)

The real problem is that in the US, almost no merchants request it in my experience, despite the fact that they'd get an almost free (in terms of conversion rate dropoff) liability shift. I suppose the few US issuers that do support it have a bad enough implementation that the conversion drop is still significant.

rstupek 2 hours ago

Yeah from a software dev perspective the implementations are shockingly terrible from a UX perspective. I'm surprised Stripe doesn't make it automatic with their integration

lxgr 2 hours ago

One problem is that the UX is largely defined by the issuer. 3DS (on the web) is literally an issuer-rendered iframe.

gnopgnip 5 hours ago

How much is lost to fraud that would be prevented by 3d secure, 0.1%?

beejiu 4 hours ago

In Europe, the max interchange fee is 0.3%. In the US, the average is 2%. So the relative impact of fraud is much higher.

SkiFire13 4 hours ago

There is also an additional (usually pretty high) fee for getting chargebacks.

mercutio2 4 hours ago

Huh? Your conclusion does not follow. A large fraction of the interchange fee is kicked back to customers.

The size of the pie being so much bigger means the issuer’s tolerance for fraud is much larger, but it’s orthogonal to whether there’s actually more fraud. In practice credit card fraud actually impacting customers is vanishingly rare at this point.

lxgr 3 hours ago

A large fraction, yes, but I believe in absolute numbers, US issuers still retain much more interchange than European ones.

The numbers are even public: https://usa.visa.com/content/dam/VCOM/download/merchants/vis...

If you take a look at some of the more "expensive" cards, interchange is often higher than 2%, yet issuers often pay as much only on certain categories, and flat cashback cards usually pay 1.5% (2% is relatively rare).

Compare that difference to a total interchange of 0.3% in the EU.