Sometimes merchants will turn off 3D Secure because of the approval drop with 3DS. This is one of the main reasons why 3DSv2 was introduced to eliminate the friction.
Even with 3DSv1 the liability doesn't always shift to the issuing bank. For example, I believe it is Mastercard NA (might be Visa NA) that doesn't allow any 3DS liability shift for high-risk merchants.
Source: Worked at a payment processor in high risk processing +$1B in volume
1. It tries to gather more data points about the customer environment (i.e. browser and screen details). I think the goal is to provide more signals that the bank can use to decide low/high risk transactions. This likely feeds into...
2. Some transactions can be passed through in a "frictionless" manner. Instead of getting the "please log into your bank this is not phishing trust us" interstitial, it requires no interaction.
If, most of the time, customers are sitting in the "frictionless" universe, then they won't hit too many situations that encourage cart abandonment.
Even with 3DS challenges, people are persuaded out of their one-time passcodes by phishing, using an increasingly elaborate series of text-message and voice-call based deceptions. I hate the term, but search for “smishing” and there’s a bunch of material explaining the exploits.
Depending on the region, only a small fraction of payments are enrolled in the framework to do that validation / challenge anyway; it’s been expensive to adopt and a lot of card acceptors are still nervous about abandoned carts and lost revenue.
Aaaand that’s not to mention good old-fashioned stolen cards, counterfeiting and at the other end, full-scale identity takeovers.
Many security features are still bypassable by using the legacy system that should have been supplanted by now. It is a constantly-evolving (and frustrating) field.
Yeah, but why would anyone bother with all the hassle and some porn? Other than a few people for the lulz, I can’t imagine this being a serious problem (when 3DS works).