They're set at whatever the payment networks can get away with. There's nothing that says that's good for anyone else, although it is very good for Mastercard and Visa.
There are several ways to reduce costs underlying payments. One is better IT. Notice that IT infrastructure has improved and dropped in cost by immeasurable amounts since those 3% fees were first instituted. Another way is to reduce card fraud. Notice that we’ve had excellent solutions to many types of fraud for decades now, but online shopping still requires us to enter 16-digit easily-stolen numbers into websites, and so fraud is enormously higher than it needs to be. With biometrics and modern smartphones, in person fraud should be very low.
A better way to look at these networks is to understand two things: the first is that at one level, they’re an insurance business that makes a profit from insuring against fraud, and reducing fraud would reduce the profit margins they can make from that business. And a second way to understand them is as guardians of a hugely profitable network portal that’s very hard to compete with, and they’re charging as much as the market can bear for that service.
I've noticed that I'm getting fewer and fewer 2FA requests with my 3DSEcure enabled VISA card of late. Places I frequently order from no longer trigger 3DS. Sometimes new shops don't either. From what I understand, whether or not the second factor triggers depends on a variety of factors including amount and retailer reputation.
They added a "frictionless" flow in 3-D Secure v2, so probably for situations like "we recognize this combination of device and payment card and the transaction is pretty small" it can slide you through without a direct interaction.
I think some interpretations of the PSD regulations call for specific "after X euros of spend/Y transactions you have to explicitly challenge" but it may vary by country.
I wish my bank had a setting I could toggle so 3DS would always trigger. I've had my card blocked twice because someone asshat made a bunch of online payments with it, some of which failed, but some succeeded. Presumably some shitty website leaked my details, but ideally 3DS should ensure that those details are unusable. Alas that wasn't the case.
> They're set at whatever the payment networks can get away with. There's nothing that says that's good for anyone else, although it is very good for Mastercard and Visa.
MasterCard and Visa are more like clearinghouses. The decision makers are their members having "access to the rails", issuers and processors, which are either banks, subsidiaries owned by banks, or companies sponsored by the aforementioned two (which very often includes one or more banks getting an ownership percentage).
