Why Did Companies Start Losing Money After 3DS 2.0
When 3D Secure 2.0 was introduced, it was widely positioned as a major step forward in payment security. Card schemes, banks, and payment providers promoted it as a solution that would reduce fraud, improve authentication, and shift liability away from merchants.
From a technical standpoint, this is true. 3DS 2.0 significantly improves authentication by using risk-based analysis, behavioral signals, and stronger customer verification methods.
However, in practice, many companies experienced the opposite outcome: after implementing 3DS 2.0, their financial losses increased instead of decreasing.
This paradox is not caused by the technology itself, but by how it is implemented and understood within the broader payment and risk management framework.
What actually changed with 3DS 2.0
The key difference between 3DS 1.0 and 3DS 2.0 is the introduction of risk-based authentication.
Instead of forcing every transaction through a challenge (such as a one-time password), 3DS 2.0 allows issuers to decide whether additional verification is needed based on:
- device information;
- transaction history;
- behavioral patterns;
- merchant data;
- risk scoring models.
This improves user experience and conversion rates. But it also introduces new layers of complexity that many merchants underestimate.
The core misconception
One of the most common mistakes is treating 3DS 2.0 as a “fraud solution”.
In reality:
3DS is not designed to prevent fraud. It is designed to manage liability.
This distinction is critical.
A transaction can be fully authenticated through 3DS and still be fraudulent. The difference is simply who absorbs the financial loss.
Case 1: increased conversion, hidden risk
A merchant implements 3DS 2.0 and sees an immediate improvement in approval rates.
Fewer transactions are challenged, and customers complete payments more easily.
However, over time:
- fraud attempts increase;
- transactions scored as low-risk bypass additional verification;
- more fraudulent payments are successfully authorized.
The result:
conversion improves — but fraud losses grow.
Case 2: incorrect reliance on liability shift
Many merchants assume that using 3DS automatically protects them from chargebacks and dispute processes.
This is only partially true.
Liability shift depends on:
- authentication status;
- issuer response;
- transaction type;
- compliance with scheme rules.
If any of these conditions are not met, the merchant remains responsible.
In practice, companies often discover this only after disputes start to accumulate.
Case 3: friction mismanagement
Another issue arises from incorrect configuration.
If too many transactions are forced into challenge mode:
- conversion drops;
- customers abandon payments;
- revenue decreases.
If too few are challenged:
- fraud risk increases;
- unauthorized transactions pass through;
- losses grow silently.
The balance between friction and risk is not automatic — it must be actively managed.
Why companies start losing money
There are several structural reasons why 3DS 2.0 leads to losses when misused.
First, over-reliance on authentication.
Companies assume that if a transaction is authenticated, it is safe. This is not true.
Second, lack of integration with fraud systems.
3DS is often implemented as a standalone tool instead of being combined with:
- behavioral monitoring;
- transaction risk scoring;
- velocity checks;
- customer profiling.
Third, misunderstanding of risk signals.
3DS decisions are based on issuer logic, not merchant-specific context. This creates blind spots.
Case 4: “clean” transactions that are not clean
A transaction passes 3DS without challenge.
From the system perspective:
- device is recognized;
- location is consistent;
- risk score is low.
However, the account itself is compromised.
The result:
a fully authenticated fraudulent transaction.
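The gap described above, where issuer logic lacks merchant-specific context and a frictionless pass hides a compromised account, can be narrowed with a merchant-side check layered on top of the 3DS result. The sketch below is an added example, not code from the original article; the Payment fields, signal names and thresholds are hypothetical, and "Y" is the authenticated transaction status.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Payment:                      # hypothetical merchant-side record
    account_id: str
    at: datetime
    trans_status: str               # 3DS result; "Y" = authenticated
    challenged: bool                # False = frictionless flow
    new_shipping_address: bool
    hours_since_password_reset: Optional[float] = None  # None = no recent reset

def merchant_review(p, history, window=timedelta(hours=1), max_recent=3):
    """Decide accept / review / hold from context the issuer never sees."""
    reasons = []
    if p.trans_status != "Y":
        reasons.append("not_authenticated")
    # Velocity check: earlier payments on the same account inside the window.
    recent = [h for h in history
              if h.account_id == p.account_id
              and timedelta(0) <= p.at - h.at <= window]
    if len(recent) >= max_recent:
        reasons.append("velocity")
    if (p.hours_since_password_reset is not None
            and p.hours_since_password_reset < 24):
        reasons.append("recent_password_reset")
    if p.new_shipping_address:
        reasons.append("new_shipping_address")
    # Account-takeover pattern: credentials changed, then goods redirected.
    takeover = {"recent_password_reset", "new_shipping_address"} <= set(reasons)
    if "not_authenticated" in reasons or "velocity" in reasons or takeover:
        return "hold", reasons
    return ("review" if reasons else "accept"), reasons

# Constructed sample payments (assumed values, for illustration only).
NOW = datetime(2024, 1, 10, 12, 0)
CLEAN = Payment("acct-1", NOW, "Y", False, False)
# Authenticated and frictionless, yet the account shows takeover signals.
TAKEN_OVER = Payment("acct-2", NOW, "Y", False, True,
                     hours_since_password_reset=2.0)
```

Here TAKEN_OVER passes 3DS without a challenge but is held, because both takeover signals come from merchant data.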
What a correct approach looks like
3DS 2.0 should be treated as one component of a broader risk strategy.
An effective setup includes:
- combining 3DS with internal fraud detection systems;
- adjusting challenge rates based on risk segments;
- monitoring post-transaction behavior;
- analyzing chargeback patterns continuously;
- segmenting customers by behavior and history.
This transforms 3DS from a passive tool into an active control mechanism.
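One way to put the segment-level tuning above into practice is a periodic report over settled transactions. The following is an added example, not code from the original article; the record layout, segment names and thresholds are assumptions, and the sample rows are constructed.

```python
from collections import defaultdict

# Constructed sample rows:
# (segment, flow, completed, fraud_confirmed, amount, liability_shifted)
SAMPLE = [
    ("returning", "frictionless", True, False, 40.0, True),
    ("returning", "frictionless", True, False, 55.0, True),
    ("returning", "challenge", False, False, 60.0, False),
    ("returning", "challenge", False, False, 35.0, False),
    ("returning", "challenge", True, False, 80.0, True),
    ("guest_checkout", "frictionless", True, True, 300.0, False),
    ("guest_checkout", "frictionless", True, True, 250.0, True),
    ("guest_checkout", "frictionless", True, False, 90.0, True),
    ("guest_checkout", "challenge", True, False, 120.0, True),
]

def segment_report(records):
    """Per segment: fraud rate in frictionless flow, challenge abandonment,
    and fraud losses that stayed with the merchant (no liability shift)."""
    agg = defaultdict(lambda: defaultdict(float))
    for seg, flow, completed, fraud, amount, shifted in records:
        s = agg[seg]
        s[flow] += 1
        if flow == "challenge" and not completed:
            s["abandoned"] += 1
        if completed and fraud:
            s["fraud_" + flow] += 1
            if not shifted:
                s["merchant_loss"] += amount
    report = {}
    for seg, s in agg.items():
        fl, ch = s["frictionless"], s["challenge"]
        report[seg] = {
            "frictionless_fraud_rate": s["fraud_frictionless"] / fl if fl else 0.0,
            "challenge_abandon_rate": s["abandoned"] / ch if ch else 0.0,
            "merchant_loss": s["merchant_loss"],
        }
    return report

def recommend(row, max_fraud_rate=0.01, max_abandon_rate=0.5):
    """Fraud pressure takes priority over friction when both limits are hit."""
    if row["frictionless_fraud_rate"] > max_fraud_rate:
        return "increase_challenges"
    if row["challenge_abandon_rate"] > max_abandon_rate:
        return "reduce_challenges"
    return "keep"
```

On the sample data the guest_checkout segment shows fraud passing through the frictionless flow, while the returning segment loses payments to abandoned challenges, so the two segments get opposite recommendations.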
Why audit becomes necessary
The complexity of 3DS 2.0 makes internal assessment difficult.
Most companies:
- do not fully understand how their configuration behaves;
- cannot clearly measure effectiveness;
- react only after losses occur.
An external review allows businesses to:
- identify hidden inefficiencies;
- compare real fraud against authenticated transactions;
- optimize friction levels;
- align configuration with business model.
Conclusion
3D Secure 2.0 is not a guarantee of protection. It is a tool that shifts responsibility and introduces flexibility.
When used correctly, it improves both security and conversion. When misunderstood, it creates new types of financial exposure.
The difference lies not in the technology itself, but in how it is integrated into the overall risk management system.
To understand how your current 3DS setup impacts losses, conversion, and liability — and where hidden risks may exist — you can explore a structured evaluation on the audit page.