343 points beeburrt | 10 comments
nottorp No.44002746
Speaking of Stripe, when will they support 3d secure, or however it's called this year?

The card I mostly use for online impulse purchases is from a semi-paranoid bank that turns down non-3d-secure transactions by default. Sometimes they call you for confirmation.

Needless to say, that means no impulse purchases from Stripe-using merchants. And no buying coffees for anyone.

Guess it's cheaper for me in the long run...

replies(3): >>44002755 #>>44002767 #>>44002889 #
ezfe No.44002755
Stripe supports 3D Secure; it sounds like your bank isn't invoking it properly for it to trigger on the Stripe end.

https://docs.stripe.com/payments/3d-secure

replies(1): >>44003826 #
1. nottorp No.44003826
Heh, I skimmed through the docs. It looks like it's extra work on the merchant's end to enable it.

So someone like BackerKit just didn't bother catering to EU customers.

Plus I saw a chapter about "reducing friction" in the Stripe docs. Via such honest practices as charging automatically after a free trial if the customer has a credit card on file? This has been discussed on HN recently wrt i-forget-what-service.

I suppose not requiring the extra 3d secure step is also "reducing friction".

replies(1): >>44003937 #
2. leejo No.44003937
The "d" in 3d means "domain", so three domains: the merchant, the card issuing bank, and the card scheme(s). The first two have to opt-in to the process for it to be enabled, and most (all?) card issuing banks already have so it's down to the merchant.

Not all merchants will opt in to 3d Secure, as they might see a greater loss in revenue due to the friction it creates versus the risk. They might be taking payments in a low-risk sector and use other fraud-checking factors, or it might not make sense for them - for example where you end up having to produce the same card in person anyway, so "card not present" fraud doesn't factor in so much.

Some merchants don't opt in as it would lose them millions of dollars of payments an hour due to the friction: Amazon, for example.

I worked on the 3d Secure (and, formerly, "Verified by Visa") integration at my previous job, and for a long time I was thinking I should write a blog post on what a complete mess of a protocol and implementation it [still] is. Haven't ever gotten around to that though.

replies(1): >>44003984 #
3. nottorp No.44003984
> on what a complete mess of a protocol and implementation it [still] is

Banks are banks :)

> so it's down to the merchant

... or down to the implementation team that may not even have mentioned it to the merchant if said merchant is in an area used to insecure credit card payments ...

Opting out is still customer hostile if you ask me.

replies(1): >>44004042 #
4. leejo No.44004042
> Opting out is still customer hostile if you ask me.

That's debatable - I really dislike my own card issuer's implementation, as they will ring me rather than prompt for an OTP, which is a long process and not always convenient. Other card issuers have other implementations. That's one of the, er, issues with the protocol - a lack of consistency. There are many other problems with it.

I'm using this with a credit card, and that already has strong consumer protections if fraud should happen. I, as the consumer, do not get to opt out of this poorly implemented protocol.

Merchants are sold the protocol with the argument that it reduces chargebacks, i.e. reduces their costs, not that it is good for their consumers. If I (or someone else) make a payment with my card, and it passes the 3d Secure process, then the chargeback option is a liability that is taken by the issuing bank - and they shift that liability further by passing it on to the card holder: "This transaction went through 3d Secure, your chargeback option for it is revoked".

That's hostile to the customer.

Like I said, I have a tonne of material for a blog post. I just need to be bothered to write it.

replies(2): >>44004141 #>>44006084 #
5. nottorp No.44004141
Chargebacks are extra work for the consumer too, you know.

If we're philosophising, wouldn't it be better to have an honest system where the user authorizes all charges and the merchant doesn't get to auto-renew subscriptions without user input just because they feel like it?

replies(1): >>44004305 #
6. leejo No.44004305
> Chargebacks are extra work for the consumer too, you know.

It's not about work, it's about the burden of cost due to fraud not being passed on to a consumer such that it could put them in financial difficulty. Chargebacks are there to protect the consumer and not the merchant - the 3d Secure "liability shift" (they literally call it this in the spec) flips that arrangement. Merchants are compelled to reduce their chargeback levels as they have to pay for each chargeback case, and should it become frequent their ability to process payments will be revoked.

Just turn on 3d Secure and your merchant chargeback costs reduce significantly. Nice? Not for the consumer. But I repeat myself.

> If we're philosophising, wouldn't it be better to have an honest system where the user authorizes all charges and the merchant doesn't get to auto-renew subscriptions without user input just because they feel like it?

Merchants probably should notify their users with subscriptions, sure - I got one a couple of months ago from F1TV that my subscription would renew, and maybe I don't want that subscription any more, or perhaps I want to change the level of my subscription. Other merchants won't be as nice, and dark patterns will creep in. Some companies have business models built on these recurring subscriptions.

I can't recall the rules around these, but I can recall that there are (were, we're going back 12 years here) systems in place to reduce issues for recurring payments. Even when a cardholder's details are updated, including replacement of a card and its PAN[1]. Any subscriptions would be retained to avoid interruption to the consumer's subscription, which might be critical for them (the consumer).

[1] https://en.wikipedia.org/wiki/Payment_card_number

replies(1): >>44004667 #
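The "liability shift" described in the two leejo comments above is something a merchant's payment code has to reason about explicitly: a card charge carries a 3DS outcome, and only some outcomes move chargeback liability to the issuer. The following is an added example, not code from the thread or from Stripe; it interprets constructed charge records shaped like Stripe's Charge object (the `payment_method_details.card.three_d_secure.result` field and its documented enum values are assumed to be as Stripe publishes them), and the mapping from result to liable party is the general scheme rule-of-thumb the thread describes, simplified for illustration rather than taken from any scheme's rulebook.

```python
"""Classify the 3D Secure outcome on card charges and report who carries
chargeback liability for each one.

Added example; it is not code from the thread or from Stripe. The charge
shape and the three_d_secure.result values are assumed to match Stripe's
Charge object; the liability mapping is a simplified rule-of-thumb.
"""
from dataclasses import dataclass

# Assumed Stripe enum values for three_d_secure.result.
# Authenticated or attempted 3DS moves fraud liability to the issuer
# (who, as the thread notes, may then pass it on to the cardholder).
SHIFTS_TO_ISSUER = {"authenticated", "attempt_acknowledged"}
# 3DS was requested but produced no shift: merchant keeps the risk.
NO_SHIFT = {"exempted", "not_supported", "processing_error"}


@dataclass(frozen=True)
class Liability:
    party: str          # "issuer" or "merchant"
    reason: str
    three_ds_used: bool


def liability_for(charge: dict) -> Liability:
    """Return who is liable for a chargeback on this charge, and why."""
    card = charge.get("payment_method_details", {}).get("card", {})
    tds = card.get("three_d_secure")
    if not tds:
        # No 3DS at all (merchant never opted in, or the card was not
        # enrolled): the merchant carries card-not-present fraud risk.
        return Liability("merchant", "no 3DS performed", False)
    result = tds.get("result")
    if result in SHIFTS_TO_ISSUER:
        return Liability("issuer", f"3DS result {result}", True)
    if result == "failed":
        # Authentication failed; capturing anyway leaves the risk with
        # the merchant and should normally be declined.
        return Liability("merchant", "3DS failed; charge should not proceed", True)
    if result in NO_SHIFT:
        reason = tds.get("result_reason", "unspecified")
        return Liability("merchant", f"3DS result {result} ({reason})", True)
    return Liability("merchant", f"unrecognised 3DS result {result!r}", True)


def summarize(charges) -> dict:
    """Count charges by liable party, e.g. for a daily exposure report."""
    counts = {"issuer": 0, "merchant": 0}
    for charge in charges:
        counts[liability_for(charge).party] += 1
    return counts


def _charge(cid: str, tds):
    # Helper to build a constructed charge record with only the fields used.
    return {
        "id": cid,
        "amount": 4999,
        "currency": "eur",
        "payment_method_details": {"card": {"three_d_secure": tds}},
    }


# Constructed sample charges (ids and values are made up for this example).
SAMPLE_CHARGES = [
    _charge("ch_example_1", {"result": "authenticated", "version": "2.2.0"}),
    _charge("ch_example_2", {"result": "attempt_acknowledged", "version": "2.1.0"}),
    _charge("ch_example_3", {"result": "not_supported", "result_reason": "card_not_enrolled"}),
    _charge("ch_example_4", None),
    _charge("ch_example_5", {"result": "failed"}),
]

if __name__ == "__main__":
    for c in SAMPLE_CHARGES:
        lia = liability_for(c)
        print(f"{c['id']}: {lia.party:8} 3ds={lia.three_ds_used!s:5} {lia.reason}")
    print(summarize(SAMPLE_CHARGES))
```

The merchant-side opt-in that the thread says is "extra work" is, on Stripe, a single PaymentIntent parameter (`payment_method_options[card][request_three_d_secure]`, set to `any` to force the challenge; Stripe's documented parameter, not exercised here). The interesting work is the bookkeeping above: knowing, per charge, whether a dispute would land on you or on the issuer, so that a decision to skip 3DS for the sake of conversion is a measured one rather than a surprise at month end.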
7. nottorp No.44004667
> Any subscriptions would be retained to avoid interruption to the consumer's subscription, which might be critical for them (the consumer).

Sorry, that's complete and utter bullshit. Even if you think you're defending the customer's position, everything you said is in the vendor's favour. It "reduces friction" but only when it's in their interest.

replies(1): >>44004754 #
8. leejo No.44004754
> Sorry, that's complete and utter bullshit.

I'm saying that's how it is, not how it should be.

9. mardifoufs No.44006084
Please write that blog post if you can! It's such an interesting part of the industry imo, but there's basically ~ public documentation or discussions about it.

replies(1): >>44059547 #
10. leejo No.44059547
I may do so, eventually.

Related - I gave a talk a couple of weeks ago about banking interchange formats, which is related to all of this. The slides are here (top one) and the recording of the talk (which I will link) should appear soon: https://leejo.github.io/code/