
MOD 10 Check - Fraud Library

The Fraud Practice eCommerce Fraud Consulting Services

The MOD 10 check takes the credit card number the customer submitted and validates that the number is in the correct range and format to be a credit card number and that it is the type of credit card the consumer says it is.


Consumer Authentication...

MasterCard SecureCode is an emerging tool that is intended to validate that the authorized credit card holder is the one actually attempting to make a purchase. Visa has a similar service called Verified by Visa.

How Good Is It? 

In general the concept of authenticating the consumer is a good one. For the merchant, this is an excellent tool because it is one of the first tools that actually offers some financial coverage if fraud does occur. The card associations implemented these programs to increase consumer confidence in making purchases online and to help protect online merchants from fraud.

The main reason a merchant wants to implement this service is the protection it offers from fraud-related charge-backs. Not everything is protected, so make sure to review the details of the program with MasterCard. There are significant differences on what is covered in the U.S. versus what is covered in Europe. Some examples of what is not covered by the program include: purchases made with procurement cards, recurring billing, split shipments or back-ordered goods, “one-click” technology sales and transactions in which the consumer cannot be authenticated.

They are introducing some workarounds for things, such as backordered goods and split shipments. Make sure to check and see what updates have been made to the rules and regulations when they implement the service.

It also seems that certain high-risk segments, such as adult and gaming, are not going to be covered. So if you are in these vertical markets you should check before you buy. There is no threshold set for risk, but there is wording that suggests that a threshold for fraud rates may be set and a merchant will have to keep their losses below that. Also merchants have to properly set the e-commerce-preferred indicator.

The other major benefit of the MasterCard SecureCode technique is the simplification of some of their charge-back resolution activities. For those orders in which the consumer was participating in the program and a merchant did authenticate them, the resolution process would occur between the issuing bank and the consumer, not between the merchant and the consumer.

Consumers may be legitimate even if they can’t authenticate. Some examples of reasons why good customers may not be able to authenticate include:

  • the use of software that prevents pop-up windows will render this service obsolete,

  • the pop-up can time out or

  • consumers that were pre-registered may not know they have a password or PIN to use this.

Considerations When Implementing or Buying This Functionality    

  • Works only on e-commerce transactions. Merchants have to have fraud processes to handle their MOTO traffic.
  • The merchant, consumer, issuer and acquiring bank must all be participating in the program. So make sure their acquiring bank is set up to support the e-commerce indicator, and check on their certification requirements.
  • For European merchants, some of the acquiring banks are still not set up to support consumer authentication.
  • Merchants still need to perform other fraud checks. This tool does not cover many of the card types on the market today and there are legitimate cases in which a merchant may not be able to complete the authentication process with the consumer. Merchants also need to make sure their overall fraud rates are kept within standards. Also the industry expects some fraud shift to cards not offering this service.
  • Companies doing little transactional volume should consider using an outsourced service bureau to perform this service.
  • Make sure you are checking and providing all of the correct data points: Merchants have to mark transactions as e-commerce with the ECI, and they must check AVS, enrollment, and they need the CAVV/AVV, which shows the order was checked for enrollment. Merchants also need the XID (the unique transaction number).
  • Merchants will have to get a digital certificate from MasterCard, which takes about two weeks. See the acquiring bank to get the form and start the process.

Estimated Costs – Merchants can find this service available as an outsourced service, or as a software application that can be implemented in-house. The actual cost to purchase the software is fairly low, a couple of thousand dollars. Merchants will have to pay annual maintenance on the software. Merchants will have to make changes to their front-end e-commerce engine.

Alternative Solutions – None

Vendors – Arcot, CyberSource, Clear Commerce

How Does it Work?  

The process used by MasterCard SecureCode to authenticate consumers is pretty simple. The consumer enrolls with the issuing bank and is given a password, PIN or device to authenticate him or her. When the consumer makes a purchase online, the consumer is asked to give that password, PIN or device to authenticate.

The purchase sequence can be broken down into five stages. First the consumer goes through the checkout procedure the same way he or she does today, providing the same data fields. When he or she presses the buy button, the consumer’s system, using the commercially available software on the market, sends a message to MasterCard to find out if the consumer is participating in the consumer authentication program. If the cardholder is participating in the program, MasterCard will send a pop-up window to the consumer. It appears as if the pop-up is coming from the consumer’s issuing bank, asking him or her to enter the password or PIN. The bank then validates this password or PIN and returns the results to the merchant.

For these programs to work, the merchant, consumer, issuer and acquiring bank must all be participating in the program. Consumer adoption is slow at best. Likewise merchant adoption has been slow. Merchant enrollment should increase over time. Consumers are being enrolled by self-registration, issuer auto enrollment and issuer-prompted registration. The liability shift is different based on the region the merchant is doing business in and the type of charge-back they have. For MasterCard, only charge-backs coded as RC37 are covered right now. Currently for European transactions, in which the cardholder and merchant are European, they have the liability shift already.

From a security perspective, all communication between the consumer and issuing bank is secured. You as a merchant will not see or ask for this password. The pop-up window the end user receives contains a secret message that only the consumer knows, which shows the consumer that the pop-up window is real and not a fake that someone made to try and steal the password.

There was a fraud case in which fraudsters acquired account information and then called the issuing bank and changed the address information and signed up for Verified by Visa. The fraudsters then made a lot of fraudulent transactions. The merchants will be covered as long as they followed the rules.

How Do I Use the Results? 

For MasterCard orders when using this technology, you should implement the following:

  • For orders in which the consumer is participating in the program, and the order type is a covered type, and the consumer successfully authenticates, accept the order.
  • For orders in which the consumer is not participating in the program, and the order type is a covered type, you have checked for enrollment, and the order characteristics are within their normal order tolerances, accept the order.
  • For orders in which the consumer is not participating in the program, and the order type is a covered type, you have checked for enrollment, and the order characteristics are not in-line with their normal orders, review the order or perform further fraud checks favoring sales conversion.
  • For orders in which the consumer is participating in the program, and cannot successfully authenticate, and the order characteristics are in-line with their normal orders, perform other fraud-screening checks or manually review the order favoring risk aversion.
  • For non-Visa and non-MasterCard orders, perform traditional checks.
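
The rules above, combined with the program exclusions and the required data points (ECI, AVS, CAVV/AVV, XID) named earlier on this page, written out as a decision function. This is an added example, not code from The Fraud Practice or MasterCard; the Order fields, the Action names and the two fallbacks marked "Assumption" are hypothetical.

```python
from dataclasses import dataclass
from enum import Enum

class Action(Enum):
    ACCEPT = "accept"
    REVIEW_FAVOR_CONVERSION = "review, favoring sales conversion"
    REVIEW_FAVOR_RISK_AVERSION = "review, favoring risk aversion"
    TRADITIONAL_CHECKS = "traditional fraud checks"

PROGRAM_BRANDS = {"mastercard", "visa"}
# Order types the page lists as not covered by the program.
NOT_COVERED = {"procurement_card", "recurring_billing", "split_shipment",
               "back_order", "one_click"}

@dataclass
class Order:  # hypothetical record; every field name is an assumption
    brand: str
    order_type: str            # "standard" or a member of NOT_COVERED
    enrollment_checked: bool   # merchant asked whether the card is enrolled
    enrolled: bool
    authenticated: bool
    within_tolerance: bool     # resembles the merchant's normal orders
    eci: str = ""              # e-commerce indicator
    avs: str = ""              # AVS result
    cavv: str = ""             # CAVV/AVV, shows enrollment was checked
    xid: str = ""              # unique transaction number

def missing_data_points(o: Order) -> list:
    """Names of the required data points that are absent from the order."""
    return [n for n in ("eci", "avs", "cavv", "xid") if not getattr(o, n)]

def decide(o: Order) -> Action:
    if o.brand.lower() not in PROGRAM_BRANDS:
        return Action.TRADITIONAL_CHECKS
    # Assumption: no program coverage in these cases, so screen traditionally.
    if (o.order_type in NOT_COVERED or not o.enrollment_checked
            or missing_data_points(o)):
        return Action.TRADITIONAL_CHECKS
    if o.enrolled:
        if o.authenticated:
            return Action.ACCEPT
        # Assumption: a failure outside tolerance gets the same review.
        return Action.REVIEW_FAVOR_RISK_AVERSION
    if o.within_tolerance:
        return Action.ACCEPT
    return Action.REVIEW_FAVOR_CONVERSION

# Constructed sample: an enrolled cardholder whose pop-up timed out.
SAMPLE = Order("MasterCard", "standard", True, True, False, True,
               eci="placeholder", avs="Y", cavv="placeholder", xid="placeholder")
```

An enrolled cardholder who fails to authenticate is routed to review rather than declined, which matches the page's point that legitimate consumers may be unable to complete the pop-up.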

Building This In-House 

Not Applicable.

Property of The Fraud Practice, all rights reserved, no unauthorized duplication, reproduction or distribution without the express written permission of The Fraud Practice.