
That's a simplistic way of understanding "best interest."

The optimal amount of fraud is neither zero nor "let it all through." Their "best interest" is a balance between allowing legit transactions to get through and blocking enough fraudulent ones that fraud doesn't become too common.





I believe you’re referencing Patrick McKenzie’s takes on fraud, which I agree with — but when he (and others) talk about the optimal amount of fraud they’re usually referring to fraud from “losing money from the company to customers”. This is not PayPal’s case; because PayPal isn’t the victim of fraud on its platform but makes money off its use, their optimal amount of fraud is “as much as they can permit without losing customers or regulators getting up their ass”.

>usually referring to fraud from “losing money from the company to customers”.

Conversely this can affect customers by the vendor or payment platform blocking transactions that are not fraud.


This is an important concept. The more you push to zero fraud, the more inconvenience you put on your customer. You can cut a bunch of fraud if you only allow shipments to the billing address, but then you inconvenience people who want to buy gifts, recently moved or have a vacation home. You can block all traffic from cloud providers, but you'll end up blocking outbound proxies for people on military bases or corporate proxies.

Personally I'd like to see a move away from just giving your card details to a website and having them charge it for whatever they want. Because it just ends up that stolen details go around and get used for fraud easily.

Should be moving to a system where setting up payments with a new provider has them request access to charge you, and then on the bank app you approve it. Australia has this as a fairly new system called PayTo, where you can approve and later unapprove individual merchants the ability to charge you.


Brazil's Pix system has a similar mechanism, where a website can generate a code for payment, that you can copy or scan a QR code into your bank app, and then approve the payment.

Individual merchants barely get any information from you this way, and have no way of even trying to charge you more later.


99% of e-commerce merchants don't handle the credit card information. It's all passed on the front side by payment providers like Stripe or Braintree. Shopify merchants go further with a hosted payment page. Handling card numbers brings on a lot of regulations for PCI.

Verifying they aren't capturing input is difficult even if they use a processor.

The optimal amount of fraud is zero.

But fraud prevention is not free and has negative returns at some point.

I dislike it when people use "the optimal amount of fraud isn't zero", because it is wrong and makes the underlying problem harder to understand, which is that people like to overoptimize a single desirable property (fraud prevention) without considering other desirable properties (like ease of use and a low rate of false positives for legit transactions).


and of course, confiscating the fraudster's money without refunding it


