The Great (Invisible...) Chargeback Gravy Train
Chargebacks are a big pain in the butt for online merchants. Right now the cardholder (you or I) has considerable latitude in refusing to pay for anything bought in a shop, especially online. This is not going to be a tutorial on consumer rights, but the fact is that most people do not realize just how much power they have under law to nullify a payment made by credit card. When a cardholder does this, the merchant sees it as a "chargeback": the issuing bank reverses the payment and debits the merchant's acquirer, usually with a dispute fee on top.
With card-not-present (CNP) transactions, especially over the Internet, the risk to the merchant is considerable: there is no signature, no chip and no physical card to examine, so the merchant is the party left holding the loss when a disputed payment turns out to be fraudulent. Recall from an earlier article how easy it is to generate enough credit card details to attempt a fraudulent transaction. It is for this reason that merchants are very cautious about what they make available for online purchase.
Say you purchase some music online and download it. Subsequently you contact your card-issuing bank and claim that the payment on your bill is fraudulent. The payment is then charged back to the merchant, who is at a loss for the transaction, and you are refunded for the purchase. This is what 3-D Secure (3DS, branded as Verified by Visa and MasterCard SecureCode) is designed to solve, and in that there is a kicker for the cardholder. If you do get hit by a fraudulent charge on your credit card, you're going to have a helluva time getting a refund for it. Why?
Let us imagine that everyone associated with credit card payments is signed up to 3DS. You have your 3DS password (many issuers call it a PIN), and during each online payment you personally verify the payment with it. Under 3DS that verification is taken as proof that the genuine cardholder authorised the payment, so the merchant can no longer be charged back for it on grounds of fraud. The liability for fraudulent payments that appear on your bill moves from the merchant to the issuing bank, and from there it is between you and the bank. Two caveats worth knowing: the shift covers fraud ("I did not make this payment") disputes only, so "goods not received" or "not as described" chargebacks still land on the merchant; and the merchant gets the shift even when the issuer does not participate, as long as the merchant attempted 3DS authentication.
Now, for this to work fairly, you would think that a protocol the card schemes are pushing onto merchants and issuers alike would contain a provision saying that the verification of these passwords must meet the standard for two-factor authentication set out in the FFIEC guidance on authentication in an Internet banking environment. Think again: the issuing banks are free to employ whatever system of verification they see fit, and a static password is all the original scheme requires. If you read the previous article on verification schemes for online banking, then you know that all is not well in that sphere. A spokesperson from MasterCard absolutely agreed with this point, and there is no real reason why issuing banks could not implement higher levels of authentication for users.
So in this new world order of 3DS, if your card details are stolen and fraudulent transactions appear on your bill, then you and the bank that issued the card are going to have to sort it out between you. You will not be able to charge the fee back to the merchant, and whether the bank refunds you depends on its own policy and on the consumer law that applies to you.
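As an added worked model of the liability shift described above (example code written for this page, not code from the original article or from any card scheme), the function below decides which party absorbs a chargeback from the Electronic Commerce Indicator (ECI) value that a 3DS exchange stamps on the authorisation and the type of dispute raised. The ECI values are the published Visa (05/06/07) and MasterCard (02/01/00) ones; the rule that the shift applies to fraud disputes only, and to both fully authenticated and merely attempted authentications, is the general scheme rule. Exact rules vary by scheme, region and card product, so the mapping is an illustration to be checked against your acquirer's documentation, and the chargeback queue at the bottom is constructed sample data.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional, Tuple


class Scheme(Enum):
    VISA = "visa"
    MASTERCARD = "mastercard"


class Liable(Enum):
    MERCHANT = "merchant"
    ISSUER = "issuer"


class DisputeType(Enum):
    FRAUD = "fraud"                       # "I did not make this payment"
    NOT_RECEIVED = "not_received"         # goods or services never delivered
    NOT_AS_DESCRIBED = "not_as_described"
    DUPLICATE = "duplicate"


# ECI values set on the authorisation after the 3DS exchange. These are the
# published scheme values, assumed here as representative; confirm the exact
# set and the regional rules with your acquirer before relying on them.
FULLY_AUTHENTICATED = {(Scheme.VISA, "05"), (Scheme.MASTERCARD, "02")}
ATTEMPTED = {(Scheme.VISA, "06"), (Scheme.MASTERCARD, "01")}  # issuer/cardholder not enrolled, attempt recorded
NOT_AUTHENTICATED = {(Scheme.VISA, "07"), (Scheme.MASTERCARD, "00")}


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    scheme: Scheme
    amount_cents: int
    eci: Optional[str]  # None when the merchant never invoked 3DS at all


def liable_party(txn: Transaction, dispute: DisputeType) -> Liable:
    """Who absorbs a chargeback on this transaction under the 3DS liability shift."""
    # The shift covers fraud ("unauthorised") disputes only. Delivery and
    # quality disputes stay with the merchant whatever the ECI says.
    if dispute is not DisputeType.FRAUD:
        return Liable.MERCHANT
    if txn.eci is None:
        return Liable.MERCHANT
    key = (txn.scheme, txn.eci)
    if key in FULLY_AUTHENTICATED or key in ATTEMPTED:
        # Authenticated, or attempted against a non-participating issuer:
        # the issuer (and downstream the cardholder) carries the fraud loss.
        return Liable.ISSUER
    if key in NOT_AUTHENTICATED:
        return Liable.MERCHANT
    raise ValueError(f"unrecognised ECI {txn.eci!r} for {txn.scheme.name}")


def merchant_exposure(disputes: Iterable[Tuple[Transaction, DisputeType]]) -> int:
    """Total disputed amount (in cents) the merchant has to write off."""
    return sum(t.amount_cents for t, d in disputes if liable_party(t, d) is Liable.MERCHANT)


# Constructed sample chargeback queue (not real data).
SAMPLE_DISPUTES = [
    (Transaction("t1", Scheme.VISA, 999, "05"), DisputeType.FRAUD),          # issuer
    (Transaction("t2", Scheme.MASTERCARD, 4500, "01"), DisputeType.FRAUD),   # issuer (attempted)
    (Transaction("t3", Scheme.VISA, 2500, "07"), DisputeType.FRAUD),         # merchant
    (Transaction("t4", Scheme.MASTERCARD, 1200, None), DisputeType.FRAUD),   # merchant, no 3DS
    (Transaction("t5", Scheme.VISA, 8000, "05"), DisputeType.NOT_RECEIVED),  # merchant, not a fraud dispute
]

if __name__ == "__main__":
    for txn, dispute in SAMPLE_DISPUTES:
        print(txn.txn_id, txn.scheme.name, txn.eci, dispute.value, "->", liable_party(txn, dispute).value)
    print("merchant exposure (cents):", merchant_exposure(SAMPLE_DISPUTES))
```

The point a merchant integrator should take from the sample queue is that the largest single write-off (t5) is on a fully authenticated transaction: 3DS moves the fraud loss to the issuer and cardholder, but it does nothing for the disputes that are about delivery or quality, and it does nothing at all for authorisations where the merchant skipped the 3DS step.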