Unauthorized payment claims are the biggest driver of refund exposure in Turkey, and getting 2FA/3DS and the burden of proof right decides who pays.
One-line takeaway: When a customer claims an unauthorized payment, liability in Turkey turns on (i) whether strong authentication (2FA/3DS) was used correctly, (ii) consumer-law protections (Law 6502), (iii) the payments framework (Law 6493), and (iv) the burden of proof under the Turkish Code of Obligations. Get these right and you materially reduce refund exposure.
Why investors should care
- Cash leak: Unauthorized-claim losses = refunds + chargebacks + scheme penalties.
- Valuation: Processors price risk on refund exposure and dispute outcomes.
- Regulatory optics: Your dispute handling is part of the consumer-protection story.
The scenario
A cardholder says, “I didn’t authorize this.”
If 3DS/2FA succeeded and your logs prove it, you can shift or share liability. If it didn’t, the merchant/PSP usually carries the loss unless you can show customer negligence—tested against consumer law and the burden of proof under the Turkish Code of Obligations.
The legal frame you actually operate in
1) Law 6493 (payments & e-money)
Defines the actors (banks, payment institutions (PIs), e-money institutions (EMIs)) and the execution of payment orders. In practice, your technical proof of authentication is central to showing an order was “authorized.”
2) Law 6502 (consumer protection)
Favors the consumer in remote sales. Weak disclosures, messy subscription flows, or poor refund UX inflate refund exposure even when a transaction was authenticated.
3) Burden of proof under the Turkish Code of Obligations
Who proves what?
- Merchant/PSP should prove: proper authentication, clear consent to terms, delivery/consumption, and absence of system error.
- Consumer should substantiate claims like identity theft or lack of possession—balanced against your evidentiary record.
Ambiguities in standard terms are interpreted against the drafter.
3DS/2FA and liability—what usually happens
Situation | Practical liability outcome | What wins the case |
---|---|---|
3DS/2FA successful (issuer approved) | Liability shifts away from merchant more often | ACS/issuer logs, ECI/CAVV/AAV, timestamps |
3DS frictionless (risk-based authentication, RBA) | Mixed; still helpful | Device fingerprint, risk score, profile link |
No 3DS/2FA | High merchant liability | Explicit consent + delivery/usage proof |
A2A (account-to-account) wallet account takeover (ATO, authentication bypass) | Case-by-case | Anomaly controls, alert handling, no override |
Tokenized in-app, device bound | Better defense | Device ID + token lifecycle + push approvals |
Your “proof” kit (what to keep, how to win)
Authentication artifacts
- 3DS server/DS/ACS logs (ECI, CAVV/AAV, challenge result)
- OTP/push approvals with device IDs, IPs, timestamps
- Risk signals (velocity, geolocation, device reputation)
Consent & contract
- Click-wrap evidence (checkbox, IP, timestamp, ToS version)
- Checkout snapshot (price/plan/renewal; hashed + time-stamped)
Delivery/consumption
- Physical: courier scan/signature + GPS
- Digital: login/IP, license activation, download/stream/API usage
Support trail
- Timeline of customer touchpoints; refund offers vs. escalation
Five concrete steps to reduce refund exposure
- Default to 3DS 2.x; step up to challenge on risk signals; prefer device-bound push over SMS.
- Snapshot checkout (hash + store 2+ years) and capture clean click-wrap.
- Consumer-law hygiene: pre-renewal reminders, one-click cancel, crisp refund language.
- Dispute SLAs: 48 hours to compile a dispute kit; track win rate by reason code and feed the risk engine.
- Contract levers with acquirer/PayFac: thresholds, cure periods, reserve caps, dispute SLAs.
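The “hashed + time-stamped checkout snapshot” and “clean click-wrap” items from the proof kit and from step two above, as an added Python example (not code from the original article): the snapshot the buyer saw, the consent event, and the seal time are serialised canonically and sealed with a SHA-256 digest, and a verifier detects any later edit. The order, plan, IP and ToS version values are constructed for illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional, Tuple

# Constructed sample: exactly what the buyer saw at checkout, plus the click-wrap event.
SAMPLE_SNAPSHOT = {
    "order_id": "ORD-0001",  # constructed identifier
    "plan": "premium-monthly",
    "price": "49.90",
    "currency": "TRY",
    "renewal": "auto-monthly, cancel any time before renewal",
    "tos_version": "2024-03",  # constructed version label
    "click_wrap": {"checkbox": True, "ip": "203.0.113.7", "ts": "2024-05-01T09:15:02Z"},
}


def canonical_bytes(payload: dict) -> bytes:
    """Deterministic JSON (sorted keys, no whitespace) so equal content hashes equal."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def seal_snapshot(snapshot: dict, sealed_at: Optional[str] = None) -> dict:
    """Wrap the snapshot in an evidence envelope whose digest covers both the
    snapshot and the seal time, so neither can be edited later without detection."""
    sealed_at = sealed_at or datetime.now(timezone.utc).isoformat(timespec="seconds")
    body = {"snapshot": snapshot, "sealed_at": sealed_at}
    digest = hashlib.sha256(canonical_bytes(body)).hexdigest()
    # The digest only proves integrity if it is kept out of the merchant's own write
    # path (WORM storage or an external time-stamp authority): anyone who can rewrite
    # both record and digest could simply recompute it.
    return {**body, "sha256": digest}


def verify_snapshot(envelope: dict) -> bool:
    """Recompute the digest; any change to price, plan, consent or seal time breaks it."""
    body = {"snapshot": envelope["snapshot"], "sealed_at": envelope["sealed_at"]}
    expected = hashlib.sha256(canonical_bytes(body)).hexdigest()
    return hmac.compare_digest(expected, envelope["sha256"])


def tamper_check() -> Tuple[bool, bool]:
    """An untouched envelope verifies; the same envelope with an edited price does not."""
    sealed = seal_snapshot(SAMPLE_SNAPSHOT, sealed_at="2024-05-01T09:15:03+00:00")
    intact = verify_snapshot(sealed)
    edited = json.loads(json.dumps(sealed))  # deep copy before editing
    edited["snapshot"]["price"] = "4.90"      # e.g. a later claim "I only agreed to 4.90"
    return intact, verify_snapshot(edited)
```

Store the envelope (not just the digest) with the dispute kit; the digest alone is only useful if the stored copy can be reproduced byte for byte.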
Customer messaging (AML-safe, consumer-friendly)
Acknowledgement
We received your unauthorized payment report. We’re reviewing device and authentication records and will update you within 3 business days; we aim to complete the review within 10 business days.
If 3DS/2FA and usage are clear
Records show a two-factor approval from your registered device at [time/date], followed by [delivery/usage proof]. If you still don’t recognize it, please secure your device and update your password—we can help check for account compromise.
If likely account takeover
We detected signs of account compromise. We’ve reversed the charge and secured your account. Please follow these steps to protect it going forward.
Contract guardrails (copy-ready snippets)
Authentication & Evidence
Provider will apply strong customer authentication for remote payments and keep verifiable logs (3DS/2FA outcomes, device IDs, IPs) for [≥2 years] to support dispute resolution.
Consumer Law Alignment
Merchant will maintain clear refund/cancel terms and pre-renewal notifications; shortcomings that increase disputes may shift related losses to Merchant.
Dispute Cooperation
Merchant supplies delivery/usage proof and customer comms within [5 business days]; delays can shift liability for affected transactions.
Risk-Based Flows
Parties will enable challenge-first authentication for high-risk cohorts/SKUs based on shared KPIs, reviewed quarterly.
Metrics boards and lenders expect
- Chargeback ratio; unauthorized-claim rate
- 3DS adoption %, challenge pass %, frictionless fraud rate
- Dispute win rate (by reason code); average time to compile kit
- Refund vs. chargeback mix; friendly-fraud index
Conclusion
In Turkey, you cut risk on unauthorized payment claims (2FA/3DS vs. liability) by pairing strong authentication with excellent records and consumer-friendly UX. Read Law 6493 as your technical standard for valid orders, Law 6502 as your fairness compass, and rely on the burden of proof under the Turkish Code of Obligations to reward the side with better evidence. Do that, and your refund exposure falls while bank and investor confidence rises.