
Verified by Visa - Fraud Library

The Fraud Practice eCommerce Fraud Consulting Services

Verified by Visa is an emerging tool that is intended to validate that the authorized credit card holder is the one actually attempting to make a purchase.


Only for internet sales...


How Good Is It? 

In general the concept of authenticating the consumer is a good one. For the merchant, this is an excellent tool since it is one of the first tools that actually offers some financial coverage if fraud does occur. The card associations implemented these programs to increase consumer confidence in making purchases online, and to help protect online merchants from fraud.

The main reason you want to implement this service is the protection it offers from fraud-related charge-backs. Not everything is protected, so make sure you review the details of the program with Visa and MasterCard. There are significant differences in what is covered in the U.S. versus what is covered in Europe. Some examples of what is not covered by the program include purchases made with procurement cards, recurring billing, split shipments or back-ordered goods, “one-click” technology sales, and transactions in which the consumer cannot be authenticated. It also seems that certain high-risk segments, such as adult and gaming, are not going to be covered, so if you are in these vertical markets you should check before you buy. There is no threshold set for risk, but there is wording that suggests a threshold for fraud rates will be set and you will have to keep your losses below that. You also have to properly set the e-commerce-preferred indicator.

The other major benefit of the Verified by Visa tool is the simplification of some of your charge-back resolution activities. For those orders in which the consumer was participating in the program and you did authenticate them, the resolution process would occur between the issuing bank and the consumer, not between you and the consumer.

Consumers may be legitimate even if they can’t authenticate. Some examples of reasons why good customers may not be able to authenticate include: software that prevents pop-up windows will render this service obsolete, the pop-up can time out, or consumers that were pre-registered may not know they have a password or PIN to use.

Considerations When Implementing or Buying This Functionality    

  • The current consumer authentication tools offered by Visa are meant for and work only on e-commerce transactions. You have to have fraud processes to handle your MOTO traffic.

  • For these programs to work the merchant, consumer, issuer and acquiring bank must all be participating in the program. So make sure your acquiring bank is set up to support the e-commerce indicator, and check on their certification requirements.

  • For European merchants, some of the acquiring banks are still not set up to support consumer authentication.

  • You still need to perform other fraud checks. This tool does not cover many of the card types on the market today. There are legitimate cases in which you may not be able to complete the authentication process with the consumer and you still need to make sure their overall fraud rates are kept within standards. Also the industry expects some fraud shift to cards not offering this service.

  • Companies doing little transactional volume should consider using an outsourced service bureau to perform this service.

  • Make sure you are checking and providing all of the correct data points: you have to note the order as e-commerce with the ECI, you must check the AVS, you must check for enrollment, you need the CAVV/AVV, which shows the order was checked for enrollment, and you need the XID, the unique transaction number.

  • You will have to get a digital certificate from Visa, which takes about two weeks. See your acquiring bank to get the form.

Estimated Costs – You can find this service available as an outsourced service, or as a software application that you can implement in-house. The actual cost to purchase the software is fairly low — a couple of thousand dollars. You will have to pay annual maintenance on the software. You will have to make changes to your front-end e-commerce engine.

Alternative Solutions –  None

Vendors – Arcot, CyberSource, Clear Commerce. CyberSource uses Arcot as their underlying technology and are the only ones offering a transaction-based model to implement consumer authentication.

How Does it Work?  

The process used by the consumer authentication services to authenticate consumers is pretty simple. The consumer enrolls with the issuing bank and is given a password, PIN or device to authenticate himself or herself. When the consumer makes a purchase online the consumer is asked to give that password, PIN or device to authenticate.

The purchase sequence can be broken down into five stages. First, the consumer goes through the checkout procedure the same way they do today, providing the same data fields they do today. When the buy button is pressed, the consumer’s system, using the commercially available software on the market, sends a message to Visa to find out if the consumer is participating in the consumer authentication program. If the cardholder is participating in the program, the card association service will send a pop-up window to the consumer. The pop-up looks as if it is coming from the issuing bank of the consumer, asking them to enter their password or PIN. The bank then validates this password or PIN and returns the results to the merchant.

For these programs to work the merchant, consumer, issuer and acquiring bank must all be participating in the program. Consumer adoption is slow at best. According to Visa, about 10 million cardholders are enrolled as of October 2002. Likewise merchant adoption has been slow. Merchant enrollment should increase in the U.S. since in April 2003 the financial coverage for certain orders took effect.

Consumers are being enrolled by self-registration, issuer auto enrollment and issuer prompted registration.

The liability shift is different based on the region you are doing business in and the type of charge-back you have. For the Visa program you will be covered from charge-backs that are coded as RC23, RC61 and RC75. For the Visa program you only have to check to see if they are enrolled to get coverage. Remember, though, that if they are enrolled and they can’t authenticate, you get no liability shift. Currently for European transactions, in which the cardholder and merchant are European, you have the liability shift already for both card types. For the U.S. the liability shift for Visa started in April 2003.

From a security perspective, all communication between the consumer and issuing bank is secured; you as a merchant will not see or ask for this password. The pop-up window the end user receives contains a secret message that only the consumer knows, which shows the consumer that the pop-up window is real and not a fake that someone made to try to steal the password.

There has been a fraud case in which fraudsters acquired account information and then called the issuing bank and changed the address information and signed up for Verified by Visa. The fraudsters then made a lot of fraudulent transactions. The merchants will be covered as long as they followed the rules.

 

 1. “Visa Starts Password Service to fight Online Fraud,” By Saul Hansell, The New York Times on the Web, www.nytimes.com. Published on December 3, 2001.

    Dell Computer, by contrast, signed on to be among the first merchants to participate in the Verified by Visa program, but mainly to reduce the number of people who call to order computers because they are afraid to enter their card numbers on the web. “We’re not greatly concerned about fraud levels,” said Sam Decker, Dell’s senior manager for consumer e-business. “We want to give customers more confidence in buying online.” Moreover, in 2003, Visa expects to change these rules so that merchants that accept Verified by Visa will not be liable for unauthorized charges. That promise is not enough to get Amazon.com, the largest online store, to participate in Verified by Visa. “From our standpoint, the amount of friction that Verified by Visa introduces for the customer outweighs the benefit from reducing fraud,” said Mark Britto, Amazon’s director of corporate development. “It would turn one-click ordering into four-point, three-click ordering,” he said, referring to the online store’s trademark method of fast checkout.

How Do I Use the Results?  

For Visa orders when you are using this technology you should implement the following:

  • For orders in which the consumer is participating in the program, and the order type is a covered type, and the consumer successfully authenticates, accept the order.

  • For orders in which the consumer is not participating in the program, and the order type is a covered type, you have checked for enrollment, and the order characteristics are within their normal order tolerances, accept the order.

  • For orders in which the consumer is not participating in the program, and the order type is a covered type, you have checked for enrollment, and the order characteristics are not in-line with their normal orders, review the order or perform further fraud checks favoring sales conversion.

  • For orders in which the consumer is participating in the program, and cannot successfully authenticate, and the order characteristics are in-line with their normal orders perform other fraud-screening checks or manually review the order favoring risk aversion.

  • For non-Visa orders, perform traditional checks.
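
The rules above, combined with the data-point checklist and coverage exclusions from earlier on this page, can be expressed as one order-screening routine. This is an added example, not code from The Fraud Practice or Visa; the field names, order-type labels and action names are hypothetical, and the two branches marked as assumptions fill cases the page does not address.

```python
from dataclasses import dataclass
from typing import Optional

# Order types the page lists as outside the program's coverage (labels are hypothetical).
UNCOVERED = {"procurement_card", "recurring", "split_shipment", "back_order", "one_click"}

@dataclass
class Order:
    brand: str                      # "visa" or any other card brand
    order_type: str                 # e.g. "standard", or a label from UNCOVERED
    enrollment_checked: bool        # merchant asked whether the card is enrolled
    enrolled: bool
    authenticated: bool             # cardholder passed the issuer's password/PIN prompt
    within_tolerance: bool          # order resembles the merchant's normal orders
    avs_checked: bool = False
    eci: Optional[str] = None       # e-commerce indicator
    cavv: Optional[str] = None      # value showing the enrollment check was made
    xid: Optional[str] = None       # unique transaction number

def liability_shift(o: Order) -> bool:
    """True only when every coverage condition named on the page holds."""
    if o.brand != "visa" or o.order_type in UNCOVERED:
        return False
    if not (o.enrollment_checked and o.avs_checked and o.eci and o.cavv and o.xid):
        return False                # one missing data point forfeits coverage
    # Enrolled cardholders must authenticate; for the rest the check itself suffices.
    return o.authenticated if o.enrolled else True

def disposition(o: Order) -> str:
    """Action for an order, following 'How Do I Use the Results?'."""
    if o.brand != "visa":
        return "traditional_checks"
    if o.order_type in UNCOVERED or not o.enrollment_checked:
        # Assumption: the page gives no rule here, so screen it like an unprotected order.
        return "traditional_checks"
    if o.enrolled and o.authenticated:
        return "accept"
    if o.enrolled:
        # The page covers only the in-tolerance case; this example assumes an
        # out-of-tolerance failure deserves at least the same risk-averse review.
        return "review_risk_averse"
    return "accept" if o.within_tolerance else "review_favor_conversion"
```

Running `liability_shift` alongside `disposition` separates two questions the page treats together: what to do with the order, and whether a resulting charge-back would be covered.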

Building This In-House 

 N/A

 

 

Property of The Fraud Practice, all rights reserved, no unauthorized duplication, reproduction or distribution without the express written permission of The Fraud Practice.