Consumer Authentication - Fraud Library

The Fraud Practice eCommerce Fraud Consulting Services


Inexpensive to implement, a fraud-free guarantee, but can drop sales conversion from negative consumer response...

“Consumer authentication” is a blanket term to discuss emerging tools that are intended to validate that the authorized credit card holder is the one actually attempting to make a purchase. Visa calls their consumer authentication service “Verified by Visa,” and MasterCard calls their service “MasterCard SecureCode.” American Express does not offer any similar service today, but has indicated that they are looking into the program. JCB's program is called J/Secure.

How Good Is It? 

In general the concept of authenticating the consumer is a good one. For the merchant, this is an excellent tool since it is one of the first tools that actually offers some financial coverage if fraud does occur. The card associations implemented these programs to increase consumer confidence in making purchases online, and to help protect online merchants from fraud.

The main reason a merchant wants to implement this service is the protection it offers from fraud-related charge-backs. Not everything is protected, so be sure to review the details of the program with Visa and MasterCard. There are significant differences on what is covered in the United States versus what is covered in Europe. Some examples of what is not covered by the program include purchases made with procurement cards, recurring billing, split shipments or back-ordered goods, “one-click” technology sales, and transactions in which the consumer cannot be authenticated.

It also seems that certain high-risk segments, such as adult and gaming, are not going to be covered, so merchants in these vertical markets should check with Visa or MasterCard before they implement this technique. There is no threshold set for risk, but there is wording that suggests a threshold for fraud rates will be set and merchants will have to keep their losses below that. Also merchants have to properly set the e-commerce-preferred indicator.

The other major benefit of the consumer authentication tools is the simplification of some charge-back resolution activities. For orders in which the consumer was participating in the program and was successfully authenticated, the resolution process would occur between the issuing bank and the consumer, not between the merchant and the consumer.

Consumers may be legitimate even if they can’t authenticate. Some examples of reasons why good customers may not be able to authenticate include:

  • The use of software that prevents pop-up windows will render this service obsolete; the pop-up can also time out

  • Consumers that were pre-registered may not know that they have a password or PIN to authenticate properly


Considerations When Implementing or Buying This Functionality   

  • The current consumer authentication tools offered by Visa and MasterCard are meant for, and work only on, e-commerce transactions. Merchants still need to have fraud processes in place to handle MOTO (mail order/telephone order) traffic.
  • For these programs to work the merchant, consumer, issuer and acquiring bank must all be participating in the program. So make sure to verify that the acquiring bank supports these programs prior to set up. Merchants will also need to verify the acquiring bank certification requirements.
  • For European merchants, some of the acquiring banks are still not set up to support consumer authentication.
  • Merchants still need to perform other fraud checks — this tool does not cover many of the card types on the market today. Likewise there are legitimate cases in which a merchant may not be able to complete the authentication process with the consumer. Merchants still need to make sure their overall fraud rates are kept within acceptable levels and industry experts expect to see some fraud shifts to cards not offering this service.
  • Companies doing little transactional volume should consider using an outsourced service bureau to perform this service.
  • Always check and provide all of the correct data points: Merchants have to make sure they are supplying all of the correct data elements or they may not get the guarantee offered in the program. Confirm that the e-commerce indicator (ECI) is used and that AVS was checked. Likewise the CAVV/AVV needs to show the order was checked for enrollment. Additionally the XID (the unique transaction number) must be with the order.
  • Merchants will have to get a digital certificate, which takes some time to get. Merchants have to get it from Visa or MasterCard. Expect two weeks for this process. The acquiring bank can provide the forms for merchants to start the process.

Estimated Costs – Merchants can find this service available as an outsourced service, or as a software application that can be implemented in-house. The actual cost to purchase the software is fairly low (it costs a couple of thousand dollars to purchase). Merchants will have to pay annual maintenance on the software and will have to make changes to their front-end e-commerce engines.

Alternative Solutions – Commercially available consumer authentication.

Vendors – Arcot, Cardinal Commerce, CyberSource, RSA.

How Does it Work? 

The process used by the consumer authentication services to authenticate consumers is pretty simple. The consumer enrolls with the issuing bank and is given a password, PIN or device to authenticate themselves. When the consumer makes a purchase online the consumer is asked to give that password, PIN or device to authenticate.

The purchase sequence can be broken down into five stages. First, the consumer goes through the check-out procedure the same way they do today, providing the same data fields they do today. When the buy button is pressed, the merchant's system, using the commercially available software on the market, sends a message to the card association (i.e., Visa or MasterCard) to find out if the consumer is participating in the consumer authentication program. If the consumer is participating in the program, the card association service will send a pop-up window to the consumer. The pop-up looks like it is coming from the consumer’s issuing bank. The pop-up asks the consumer to enter their password or PIN. The issuing bank then validates this password or PIN and returns the results to the merchant.

For these programs to work the merchant, consumer, issuer and acquiring bank must all be participating in the program. Consumer adoption is slow at best. According to Visa, about 10 million cardholders are enrolled as of October 2002. Likewise, merchant adoption has been slow too. Merchant enrollment should increase in the United States as of April 2003, when the financial coverage for certain orders took effect.

Consumers are being enrolled by self-registration, issuer auto-enrollment, and issuer-prompted registration. The liability shift is different based on the region you are doing business in, the type of charge-back you have and the type of card. For the Visa program you will be covered from charge-backs that are coded as RC23, RC61 and RC75. For MasterCard only charge-backs coded as RC37 are covered right now. For the Visa program you only have to check to see if they are enrolled to get coverage. Remember, if they are enrolled and they can’t authenticate, you get no liability shift. Currently for European transactions, in which the cardholder and merchant are European, you have the liability shift for both card types. For the United States the liability shift for Visa started in April 2003 and for MasterCard a date had not been announced as of the writing of this website.

From a security perspective, all communication between the consumer and issuing bank is secured. A merchant will not see or ask for this password. The pop-up window the end user receives contains a secret message that only the consumer knows, that shows the consumer that the pop-up window is real and not a fake. This is to reassure the consumer base that someone is not trying to steal the password from them. There has been a fraud case in which fraudsters acquired account information and then called the issuing bank and changed the address information and signed up for the Verified by Visa program. The fraudsters then made fraudulent orders on these accounts. The merchants will be covered as long as they followed the rules.

These programs are excellent deterrents, but they are not “silver bullets” that will end all fraud. In reality the majority of merchants that are implementing the Verified by Visa and MasterCard SecureCode programs today are doing so not to combat fraud but to attract new consumers that were not comfortable with using the Internet for making purchases before these services were available. In the article “Visa Starts Password Service to Fight Online Fraud,” by Saul Hansell, The New York Times on the Web, published on December 3, 2001, Hansell quotes Dell Computers as one of the merchants looking to the Verified by Visa program to help give customers more confidence buying online.

How Do I Use the Results? 

For Visa and MasterCard orders, when merchants are using this technology they should implement the following:

  • For orders in which the consumer is participating in the program, the order type is a covered type, and the consumer successfully authenticates, accept the order.

  • For orders in which the consumer is not participating in the program, the order type is a covered type, the merchant has checked for enrollment, and the order characteristics are within their normal order tolerances, accept the order.

  • For orders in which the consumer is not participating in the program, the order type is a covered type, the merchant has checked for enrollment, and the order characteristics are not in-line with their normal orders, review the order or perform further fraud checks favoring sales conversion.

  • For orders in which the consumer is participating in the program and cannot successfully authenticate, and the order characteristics are in line with their normal orders, perform other fraud-screening checks or manually review the order favoring risk aversion. For non-Visa and MasterCard orders perform traditional checks.
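The routing rules above, combined with the data-element check from the implementation considerations (ECI, CAVV, XID, AVS), written out as an added example; this is not code from The Fraud Practice or the card associations. The `Order` fields, order-type labels, result strings and placeholder values are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

PROGRAM_BRANDS = {"visa", "mastercard"}  # brands the page says offer the service
# Order types the page lists as not covered (labels are constructed)
UNCOVERED_TYPES = {"procurement_card", "recurring", "split_shipment",
                   "back_order", "one_click"}

@dataclass
class Order:  # hypothetical record; field names are assumptions
    brand: str
    order_type: str
    enrollment_checked: bool
    enrolled: bool
    authenticated: bool
    within_tolerances: bool
    eci: Optional[str] = None
    cavv: Optional[str] = None
    xid: Optional[str] = None
    avs_checked: bool = False

def missing_elements(o: Order) -> list:
    """Data points the page says must accompany the order for the guarantee."""
    missing = [name for name in ("eci", "cavv", "xid") if not getattr(o, name)]
    if not o.avs_checked:
        missing.append("avs")
    return missing

def route(o: Order) -> str:
    if o.brand.lower() not in PROGRAM_BRANDS:
        return "traditional_checks"
    covered = (o.order_type not in UNCOVERED_TYPES
               and o.enrollment_checked and not missing_elements(o))
    if not covered:
        # Assumption: with no guarantee, screen the order like any other.
        return "traditional_checks"
    if o.enrolled:
        # Assumption: a failed authentication is reviewed risk-averse even
        # when the order looks unusual (the page only covers the usual case).
        return "accept" if o.authenticated else "review_risk_averse"
    return "accept" if o.within_tolerances else "review_favor_conversion"

# Constructed sample: enrolled cardholder who failed the password prompt.
SAMPLE = Order("visa", "standard", True, True, False, True,
               eci="ECI-PLACEHOLDER", cavv="CAVV-PLACEHOLDER",
               xid="XID-PLACEHOLDER", avs_checked=True)

if __name__ == "__main__":
    print(route(SAMPLE), missing_elements(SAMPLE))
```

An order that is missing any of the required data elements drops out of the covered path before the enrollment result is even considered, which is where a silently lost guarantee would otherwise go unnoticed.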

Building This In-House 

N/A

 

Property of The Fraud Practice, all rights reserved, no unauthorized duplication, reproduction or distribution without the express written permission of The Fraud Practice.