How have fraud‑prevention tools like 3DS 3.0 and behavioral analytics changed merchant vulnerability to carding since 2023?

1. 3DS changed the economics of carding by moving liability and adding intelligence

EMV 3DS’s biggest structural effect for merchants is the liability shift: when a transaction is authenticated under 3DS and later proves fraudulent, card issuers often absorb the chargeback rather than the merchant, reducing direct merchant losses and changing the attack calculus for carders ^{[5] [6]}. Beyond liability, modern 3DS sends hundreds of device and transaction signals to issuers—device ID, location, purchase context—so issuers and acquirers can make richer pre‑authorization decisions that reduce both fraud losses and false declines when implemented correctly ^{[1] [7]}.

2. Behavioral analytics reduced simplistic card‑stuffing but opened a cat‑and‑mouse game

Behavioral models and machine‑learning risk scoring have elevated the baseline cost for basic carding operations by flagging anomalous velocity, geography, and session signals, and by enabling “frictionless” authentication when the behavior fits known patterns ^{[5] [8] [9]}. Yet fraud actors have adapted: residential proxies, device emulators, synthetic identities, and crafted merchant flows can mimic legitimate device and behavioral signals to slip through frictionless checks, so behavioral analytics are effective but not foolproof ^{[4] [10]}.

3. Regulated markets show measurable benefit; unregulated markets remain problematic

Data cited by vendors and industry surveys show 3DS protections correlate with much lower fraud and higher approval rates in regions with strong SCA/regulatory mandates—evidence that where 3DS is widely used it materially reduces merchant vulnerability ^{[2] [11]}. Conversely, Datos Research highlighted that in largely unregulated North American markets 3DS usage remained low and documented paradoxes where 3DS‑protected orders in 2023 showed higher fraud rates in some samples, underscoring uneven implementation and measurement challenges ^[12].

4. Friction vs. conversion: a pragmatic tradeoff that shapes vulnerability

3DS’s operational reality is a tradeoff between security and checkout friction: aggressive challenges and issuer inconsistencies create lost sales and can push merchants to disable or weaken 3DS flows—actions that increase exposure to carding—whereas overly permissive frictionless routing leaves openings for spoofed or synthetic behaviors ^{[3] [6]}. Successful merchant strategies combine tokenization, transaction risk analysis, BIN‑level analytics and issuer data sharing to hit the balance; failure to do so leaves merchants more vulnerable despite having 3DS in place ^{[3] [4]}.

5. The vendor narrative and hidden incentives complicate the picture

Much of the reporting and vendor material promoting 3DS and behavioral analytics comes from companies that profit when merchants adopt or intensely use these systems, creating an incentive to highlight benefits and downplay limits; independent academic and workshop research stresses that 3DS decisioning can be conservative in foreign regions and can increase false declines if mis‑weighted, which in turn drives risky operational choices ^{[1] [13]}. Reported “6x lower fraud” claims in regulated markets often come via vendor‑sponsored studies and must be read alongside counterexamples from unregulated markets ^{[2] [12]}.

6. Bottom line: lowered but uneven vulnerability and an ongoing arms race

Since 2023 merchants are generally less vulnerable to blunt carding attacks where 3DS and behavioral analytics are fully implemented and where issuers participate in data sharing, but vulnerability remains uneven—driven by regional adoption, issuer behavior, implementation quality, and fraudsters’ evolving toolkits that exploit frictionless logic and synthetic identities—so 3DS plus analytics reduce risk but do not eliminate the need for layered controls and continuous tuning ^{[5] [4] [3] [2]}.