Did you know

Consumer Authentication is also known as 3 Domain Secure, or 3D-S. Specific 3D Secure programs include Verified by Visa for Visa transactions, SecureCode for MasterCard transactions, SafeKey for American Express transactions and J/Secure for JCB transactions.

Consumer Authentication can both deter fraud and provide a liability shift with covered chargebacks being the financial responsibility of the issuing bank rather than the merchant.

In general the concept of authenticating the consumer is a good one. For the merchant, this is an excellent tool since it offers some financial coverage if fraud does occur. The card associations implemented these programs to increase consumer confidence in making purchases online, and to help protect online merchants from fraud.

The main reason a merchant wants to implement this service is the protection it offers from fraud-related chargebacks. Not everything is protected, so be sure to review the details of the program. There are significant differences on what is covered in the United States versus what is covered in Europe and elsewhere.

In the United States merchants will have liability protection for transactions where the consumer is enrolled in the 3-D Secure program and successfully authenticates, as well as for transactions where the merchant checks for enrollment but the cardholder is not participating, and this is for both Visa and MasterCard U.S. domestic transactions. Outside of the U.S. the liability shift on transactions where the customer is not enrolled only applies to Visa transactions.

Some examples of what is not covered by the program include: purchases made with procurement cards, recurring billing, split shipments or back-ordered goods and “one-click” technology sales, as well as non-U.S. MasterCard transactions in which the consumer cannot be authenticated through SecureCode.

Also, certain high-risk segments, such as adult and gaming, may not be covered, so merchants in these vertical markets should check with Visa or MasterCard before they implement this technique.

The other major benefit of the consumer authentication tools is that they simplify some of the merchant's chargeback resolution activities. For orders in which the consumer was participating in the program and authenticated successfully, the resolution process occurs between the issuing bank and the consumer, not between the merchant and the consumer.

Consumers may be legitimate even if they can’t authenticate. Some examples of reasons why good customers may not be able to authenticate include: use of software that blocks pop-up windows, which makes the service unusable; the pop-up timing out; and consumers who were pre-registered and may not know they have a PIN or password to authenticate properly.

These programs are excellent deterrents, but they are not “silver bullets” that will end all fraud. Many merchants will implement the Verified by Visa and MasterCard SecureCode programs not to combat fraud, but to attract new consumers who were not comfortable using the Internet for purchases before these services were available. In the article “Visa Starts Password Service to Fight Online Fraud” by Saul Hansell (The New York Times on the Web, December 3, 2001), Hansell quotes Dell Computers as one of the merchants looking to the Verified by Visa program to help give customers more confidence buying online.

Even for covered transactions in which the consumer is not enrolled in the program, other fraud checks should be performed. The merchant may not take a direct financial loss from the covered chargeback, but it still contributes to the chargeback rate, which in most cases should be below 1 percent to avoid card association high-risk programs.

 

Consumer Authentication technique overview

“Consumer authentication” is a blanket term for the tools that are intended to validate that the authorized credit card holder is the one actually attempting to make a purchase. Visa calls its consumer authentication service “Verified by Visa,” and MasterCard calls its service “MasterCard SecureCode.” JCB International calls its service J/Secure, while American Express only offers its service, SafeKey, in the UK and Singapore today. Key considerations when implementing or buying this functionality include:

  • The current consumer authentication tools offered by Visa and MasterCard are meant for, and work only on, e-commerce transactions. Merchants still need to have fraud processes in place to handle MOTO traffic.
  • For these programs to work the merchant, consumer, issuer and acquiring bank must all be participating in the program. So make sure to verify that the acquiring bank supports these programs prior to set up. Merchants will also need to verify the acquiring bank certification requirements.
  • Merchants still need to perform other fraud checks — this tool does not cover all of the card types on the market today. Likewise there are legitimate cases in which a merchant may not be able to complete the authentication process with the consumer. Merchants still need to make sure their overall fraud rates are kept within acceptable levels.
  • Companies with little transaction volume should consider using an outsourced service bureau to perform this service.
  • Merchants have to make sure they are supplying all of the correct data elements or they may not get the guarantee offered in the program. Confirm that the e-commerce indicator (ECI) is used and that AVS was checked. Likewise, the CAVV/AVV needs to show the order was checked for enrollment. Additionally, the XID (the unique transaction number) must be with the order.
  • Merchants will have to get a digital certificate, which takes some time to get. Merchants have to get it from Visa or MasterCard. Expect two weeks for this process. The acquiring bank can provide the forms for merchants to start the process.

How does it work?

The process used by the consumer authentication services to authenticate consumers is pretty simple. The consumer enrolls with the issuing bank and is given a password, PIN or device to authenticate themselves. When the consumer makes a purchase online the consumer is asked to give that password, PIN or device to authenticate. Depending on issuer implementations and mandates in certain countries, 2 Factor Authentication (2FA), a One-Time Password (OTP) or other dynamic authentication mechanisms may be required.

The purchase sequence can be broken down into five stages. First, the consumer goes through the check-out procedure the same way they do today, providing the same data fields they do today. When the buy button is pressed, the system, using commercially available software, sends a message to the card association and card issuer to find out if the consumer is participating in the consumer authentication program. If the consumer is participating in the program, the service will send a pop-up window to the consumer. The pop-up looks like it is coming from the consumer’s issuing bank. The pop-up asks the consumer to enter their password, OTP or PIN. The issuing bank then validates this password or PIN and returns the results to the merchant.

The benefit to merchants is that transactions covered by 3-D Secure Consumer Authentication programs shift the liability for fraud losses from the merchant to the card issuer. However, the requirements for eligible transactions differ by card type and country. Since 2003, Verified by Visa has provided a liability shift for transactions in which the consumer authenticates through VbV, and also for transactions in which the merchant attempts VbV authentication but the consumer is not enrolled in the program. However, if the consumer is enrolled but cannot authenticate, there is no liability shift. MasterCard SecureCode also offers a liability shift, but until 2011 this only covered transactions in which the consumer was fully authenticated through SecureCode. Since October 2011, merchants have also been covered for transactions in which the merchant attempts authentication through SecureCode but the consumer is not enrolled, but this is only for U.S. domestic transactions (U.S. merchant AND U.S. issued card).

Often for these programs to provide a liability shift the merchant, consumer, issuer and acquiring bank must all be participating in the program. Additionally, only certain chargeback reason codes are covered, and these are chargebacks for third party fraud. Please see the Technique Overview pages for Verified by Visa and MasterCard SecureCode for a list of chargeback reason codes eligible for the liability shift with these card brands.

Adoption of 3-D Secure programs has grown quite a bit in Europe, while adoption in Asia is moderate and adoption of 3-DS in the U.S. is somewhat low. The consistent liability shift protection for Visa and MasterCard in the U.S. should provide more incentive for merchants to adopt the program and for issuers to get more consumers enrolled. In Europe and Asia, 3-D Secure mandates have encouraged more use of the service. This includes Europe, where SecureCode is required to accept Maestro debit; Italy, where VbV is required for all eCommerce transactions; and India, where VbV or 2FA is required for all eCommerce transactions.

From a security perspective, all communication between the consumer and issuing bank is secured. A merchant will not see or ask for this password. The pop-up window the end user receives contains a secret message that only the consumer knows, that shows the consumer that the pop-up window is real and not a fake. This is to reassure the consumer base that someone is not trying to steal the password from them. There has been a fraud case in which fraudsters acquired account information and then called the issuing bank and changed the address information and signed up for the Verified by Visa program. The fraudsters then made fraudulent orders on these accounts. The merchants will still be covered as long as they followed the rules.

 

 

How do you use the results?

For Visa and MasterCard orders when merchants are using this technology they should implement the following:

For orders in which the consumer is participating in the program, the order type is a covered type, and the consumer successfully authenticates, accept the order.

For orders in which the consumer is not participating in the program, the order type is a covered type, the merchant has checked for enrollment, and the order characteristics are within their normal order tolerances, accept the order.

For orders in which the consumer is not participating in the program, the order type is a covered type, the merchant has checked for enrollment, and the order characteristics are not in-line with their normal orders, review the order or perform further fraud checks favoring sales conversion.

For orders in which the consumer is participating in the program, cannot successfully authenticate and the order characteristics are in line with their normal orders, perform other fraud-screening checks or manually review the order favoring risk aversion.

For non-covered orders perform traditional checks.
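The acceptance rules above, combined with the required data elements and the Visa/MasterCard liability-shift conditions described earlier on this page, as an added Python example (not code from the original page or from any card brand). The `Order` type, its field names and the action labels are assumptions of this example.

```python
from dataclasses import dataclass, replace
from typing import List, Optional

@dataclass
class Order:  # field names are assumptions of this example, not a gateway schema
    brand: str                  # "visa" or "mastercard"
    covered_type: bool          # False for recurring billing, procurement cards, etc.
    us_domestic: bool           # U.S. merchant AND U.S.-issued card
    enrollment_checked: bool
    enrolled: bool
    authenticated: bool
    within_tolerances: bool     # order looks like the merchant's normal orders
    avs_checked: bool = True
    eci: Optional[str] = "constructed-eci"
    cavv: Optional[str] = "constructed-cavv"   # CAVV/AVV as the page names it
    xid: Optional[str] = "constructed-xid"

def missing_elements(o: Order) -> List[str]:
    """Data elements the page says must accompany the order for the guarantee."""
    missing = [n for n in ("eci", "cavv", "xid") if not getattr(o, n)]
    return missing if o.avs_checked else missing + ["avs"]

def liability_shift(o: Order) -> bool:
    if not (o.covered_type and o.enrollment_checked) or missing_elements(o):
        return False
    if o.enrolled:
        return o.authenticated            # enrolled but failed: no shift
    if o.brand == "visa":
        return True                       # attempted, cardholder not enrolled
    return o.brand == "mastercard" and o.us_domestic

def route(o: Order) -> str:
    if o.covered_type and o.enrolled and not o.authenticated:
        # Assumption: also used when the order is outside normal tolerances,
        # a case the page does not address.
        return "review_risk_averse"
    if not liability_shift(o):
        return "traditional_checks"
    if o.enrolled or o.within_tolerances:
        return "accept"
    return "review_favor_conversion"

# Constructed sample: Visa, enrollment checked, cardholder not enrolled.
SAMPLE = Order("visa", True, False, True, False, False, True)

if __name__ == "__main__":
    for o in (SAMPLE, replace(SAMPLE, brand="mastercard"),
              replace(SAMPLE, enrolled=True), replace(SAMPLE, xid=None)):
        print(o.brand, o.enrolled, liability_shift(o), route(o))
```

An order that loses the liability shift because a data element is missing is routed to traditional checks here, since the page warns that the guarantee may not apply in that case.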

Additional Resources

  • 3-D Secure Consumer Authentication: Considerations & Best Practices

    Provides an in-depth discussion on what 3-D Secure Consumer Authentication programs are, how they work and the various parties that are involved. These programs are explained in the context of the benefits and value they provide organizations while including specific details around implementation options and liability shift requirements.

  • An option to Implement 3-D Secure that Makes Sense.

    There are three major market changes that make it worthwhile to reconsider 3-D Secure. The first is that mandates and global adoption of 3-D Secure have greatly increased in recent years, and as the US market embarks on a transition to EMV cards it is likely that even more fraud attempts will shift to the online channel.

Key notes

  • Alternative Solutions - Commercially available consumer authentication.
  • Building this In-House - Not Applicable
  • Estimated Costs - Merchants can find this service available as an outsourced service, or as a software application that can be implemented in-house. The actual cost to purchase the software is fairly low (it costs a couple of thousand dollars to purchase). Merchants will have to pay annual maintenance on the software and will have to make changes to their front-end e-commerce engines.
  • Sample Vendors -