3DS: Collaborative Path to Failure
Very good paper on card fraud systems and the “collaborative path to failure” posted by Bruce Schneier. I trust you have read this one already.. .wow…
I won’t foget a meeting I had with Paul Baker, Mastercard’s global product head for MasterCard Secure Code (MA’s version of 3DS). When we told him that it was broken and not working and detailed the fraud that was getting through his response was “we just defined the standard, it is the issuers job to implement it correctly“, and that MA thought the requirements were “adequate” but “implementations were not”.
So the networks go to merchants with updated agreements, and incent them with discounts of up to 50bps, to adopt new (broken) standards, in turn they obtain a “liability shift” for CNP transactions. Banks like HSBC and Citi saw their fraud losses skyrocket from nothing (as they did not bear loss in a CNP transaction) to $10M+/mo. The issuing banks then began to “dial down” the approval threshold for all transactions (consumers transactions were being declined to manage fraud loss). What a terrible consumer experience… many lessons on “collaboration”. Networks must take ownership for integrity of the system.. although both Visa and MA have Payment Systems Integrity groups, individual banks a left with informal coordination methods to find source of data compromises.. In the states collaborative bank entities like Early Warning are taking the lead.
I hope to see a change of attitude by Visa/MA, because if they don’t take ownership of risk and integrity other networks will emerge.