CONSUMER AUTHENTICATION TECHNICAL OVERVIEW
“Consumer authentication” is a blanket term for the tools intended to validate that the authorized credit card holder is the one actually attempting to make a purchase. 3-D Secure was originally developed in 2001, and the 3-D Secure 2.0 protocols were released in 2016. Visa now calls its consumer authentication service Visa Secure and MasterCard calls its service Identity Check. Discover/Diner's Club, American Express, JCB, China Union Pay and RuPay in India have consumer authentication programs as well. 3-DS 2.0 products can help merchants meet Strong Consumer Authentication (SCA) requirements. Key considerations when implementing or buying this functionality include:
3-DS 2.0 should be supported, with the original version used only as a fallback when a card issuer does not support 2.0.
PSD2 and mandates outside of Europe require Strong Consumer Authentication (SCA) for many to most online transactions. Pay attention to these mandates and use 3-DS 2.0 to meet these compliance requirements for eCommerce payment card transactions when required.
For these programs to work the merchant, consumer, issuer and acquiring bank must all be participating in the program, so make sure to verify that the acquiring bank supports these programs prior to setup. Merchants will also need to verify the acquiring bank's certification requirements.
Merchants still need to perform other fraud checks — this tool does not cover all of the card types on the market today. Likewise there are legitimate cases in which a merchant may not be able to complete the authentication process with the consumer. Merchants still need to make sure their overall fraud rates are kept within acceptable levels.
Merchants have to make sure they are supplying all of the correct data elements. 3-DS 2.0 supports 150 data fields.
HOW DOES IT WORK?
The process used by the consumer authentication services to authenticate consumers is pretty simple. The consumer enrolls with the issuing bank and is given a password, PIN or device to authenticate themselves. When the consumer makes a purchase online the consumer is asked to give that password, PIN or device to authenticate. Depending on issuer implementations and mandates in certain countries, 2 Factor Authentication (2FA), a One-Time Password (OTP) or other dynamic authentication mechanisms may be required.
The purchase sequence can be broken down into five stages. First, the consumer goes through the check-out procedure the same way they do today, providing the same data fields they do today. When the buy button is pressed, the merchant's system, using commercially available software, sends a message to the card association and card issuer to find out whether the consumer is participating in the consumer authentication program. If the consumer is participating in the program, the service first attempts passive authentication under 3-DS 2.0. If the issuer requires an authentication step, the cardholder may be sent a one-time password (OTP) or, on a mobile device, may complete this step with a biometric reading such as a fingerprint scan.
The benefit to merchants is that transactions covered by 3-D Secure consumer authentication programs shift the liability for fraud losses from the merchant to the card issuer. However, the requirements for eligible transactions differ by card type and country. Since 2003 Verified by Visa has provided a liability shift for transactions where the consumer authenticates through VbV, and also for transactions where the merchant attempts VbV authentication but the consumer is not enrolled in the program. If the consumer is enrolled but cannot authenticate, however, there is no liability shift. MasterCard SecureCode also offers a liability shift, but until 2011 this only covered transactions where the consumer was fully authenticated through SecureCode. Since October 2011 merchants have also been covered for transactions where the merchant attempts authentication through SecureCode but the consumer is not enrolled, but only for U.S. domestic transactions (U.S. merchant AND U.S. issued card).
Often for these programs to provide a liability shift the merchant, consumer, issuer and acquiring bank must all be participating in the program. Additionally, only certain chargeback reason codes are covered, and these are chargebacks for third party fraud. Please see the Technique Overview pages for Verified by Visa and MasterCard SecureCode for a list of chargeback reason codes eligible for the liability shift with these card brands.
Adoption of 3-D Secure programs has grown quite a bit in Europe, while adoption in Asia is moderate and adoption of 3-DS in the U.S. is somewhat low. The consistent liability shift protection for Visa and MasterCard in the U.S. should provide more incentive for merchants to adopt the program and for issuers to get more consumers enrolled. In Europe and Asia, 3-D Secure mandates have encouraged more use of the service. This includes Europe, where SecureCode is required to accept Maestro debit; Italy, where VbV is required for all eCommerce transactions; and India, where VbV or 2FA is required for all eCommerce transactions.
From a security perspective, all communication between the consumer and the issuing bank is secured. The merchant never sees or asks for this password. The pop-up window the end user receives contains a secret message that only the consumer knows, which shows the consumer that the pop-up window is genuine and not a fake. This is to reassure the consumer base that someone is not trying to steal the password from them. There has been a fraud case in which fraudsters acquired account information, then called the issuing bank, changed the address information and signed up for the Verified by Visa program. The fraudsters then made fraudulent orders on these accounts. The merchants will still be covered as long as they followed the rules.
HOW DO YOU USE THE RESULTS?
For Visa and MasterCard orders when merchants are using this technology they should implement the following:
For orders in which the consumer is participating in the program, the order type is a covered type, and the consumer successfully authenticates, accept the order.
For orders in which the consumer is not participating in the program, the order type is a covered type, the merchant has checked for enrollment, and the order characteristics are within their normal order tolerances, accept the order.
For orders in which the consumer is not participating in the program, the order type is a covered type, the merchant has checked for enrollment, and the order characteristics are not in-line with their normal orders, review the order or perform further fraud checks favoring sales conversion.
For orders in which the consumer is participating in the program, cannot successfully authenticate and the order characteristics are in line with their normal orders; perform other fraud-screening checks or manually review the order favoring risk aversion.
For non-covered orders perform traditional checks.
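The five merchant decision rules above, written out as an added example (not code from this page or from any 3-D Secure vendor). The field names and the Action labels are assumptions; "within tolerances" stands in for whatever order-characteristic checks the merchant already runs.

```python
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    ACCEPT = "accept the order"
    REVIEW_FAVOR_CONVERSION = "review / further fraud checks, favoring sales conversion"
    REVIEW_FAVOR_RISK_AVERSION = "fraud screening / manual review, favoring risk aversion"
    TRADITIONAL_CHECKS = "non-covered order: perform traditional fraud checks"


@dataclass
class AuthResult:
    """Outcome of the 3-D Secure lookup for one order (field names assumed)."""
    covered_order_type: bool   # order type is eligible under the program
    enrollment_checked: bool   # merchant queried enrollment before authorizing
    enrolled: bool             # cardholder participates in the program
    authenticated: bool        # cardholder completed authentication successfully
    within_tolerances: bool    # order characteristics match the merchant's normal orders


def decide(r: AuthResult) -> Action:
    """Map an authentication outcome to the merchant action described in the text."""
    if not r.covered_order_type:
        return Action.TRADITIONAL_CHECKS
    if r.enrolled:
        if r.authenticated:
            return Action.ACCEPT
        # Enrolled but could not authenticate: no liability shift, so lean conservative.
        # The text states the in-tolerance case; an out-of-tolerance order is treated
        # the same way here (assumption).
        return Action.REVIEW_FAVOR_RISK_AVERSION
    # Cardholder not enrolled. The rules only apply when the merchant actually
    # checked enrollment; otherwise treat the order as uncovered (assumption).
    if not r.enrollment_checked:
        return Action.TRADITIONAL_CHECKS
    if r.within_tolerances:
        return Action.ACCEPT
    return Action.REVIEW_FAVOR_CONVERSION
```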
DID YOU KNOW
Consumer Authentication is also known as 3 Domain Secure, or 3D-S. It is now in version 2.0, also known as EMV 3DS. Specific 3D Secure programs include Visa Secure (formerly Verified by Visa), MasterCard Identity Check (formerly MasterCard SecureCode), American Express SafeKey, Discover and Diner's Club ProtectBuy, and J/Secure for JCB transactions.
Consumer Authentication can both deter fraud and provide a liability shift with covered chargebacks being the financial responsibility of the issuing bank rather than the merchant.
In general the concept of authenticating the consumer is a good one. For the merchant, this is an excellent tool since it offers some financial coverage if fraud does occur. The card associations implemented these programs to increase consumer confidence in making purchases online, and to help protect online merchants from fraud.
The main reason a merchant wants to implement this service is the protection it offers from fraud-related chargebacks. Not everything is protected, so be sure to review the details of the program. There are significant differences on what is covered in the United States versus what is covered in Europe and elsewhere.
In the United States merchants will have liability protection for transactions where the consumer is enrolled in the 3-D Secure program and successfully authenticates, as well as for transactions where the merchant checks for enrollment but the cardholder is not participating, and this is for both Visa and MasterCard U.S. domestic transactions. Outside of the U.S. the liability shift on transactions where the customer is not enrolled only applies to Visa transactions.
Some examples of what is not covered by the program include: purchases made with procurement cards, recurring billing, split shipments or back-ordered goods, “one-click” technology sales, as well as non-U.S. MasterCard transactions in which the consumer cannot be authenticated through SecureCode.
Also, certain high-risk segments, such as adult and gaming, may not be covered, so merchants in these vertical markets should check with Visa or MasterCard before they implement this technique.
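The liability-shift rules described above (enrolled versus not enrolled, Visa versus MasterCard, U.S. domestic versus other, and the excluded order types), as an added example that is not part of this page. Brand names, ISO-style country codes and the order-type labels are assumed inputs; the high-risk vertical exclusion is not modeled because the text says to confirm it with the card brand.

```python
# Order types the text lists as excluded from the liability shift (labels assumed)
NOT_COVERED_ORDER_TYPES = {
    "procurement_card", "recurring_billing", "split_shipment",
    "back_ordered", "one_click",
}


def liability_shift(brand: str, merchant_country: str, issuer_country: str,
                    order_type: str, enrolled: bool, authenticated: bool) -> tuple:
    """Return (shift_applies, reason) for an order on which the merchant
    attempted 3-D Secure authentication. Country codes are assumed alpha-2."""
    brand = brand.lower()
    if order_type in NOT_COVERED_ORDER_TYPES:
        return False, f"order type '{order_type}' is not covered by the program"
    if enrolled:
        # Enrolled cardholder: both brands shift liability only on a successful
        # authentication; an enrolled cardholder who cannot authenticate gets no shift.
        if authenticated:
            return True, "enrolled cardholder authenticated successfully"
        return False, "enrolled cardholder could not authenticate"
    # Merchant attempted authentication but the cardholder is not enrolled
    if brand == "visa":
        return True, "Visa: attempted authentication, cardholder not enrolled"
    if brand == "mastercard":
        if merchant_country == "US" and issuer_country == "US":
            return True, "MasterCard: U.S. domestic attempt, cardholder not enrolled"
        return False, "MasterCard: non-U.S. attempt with cardholder not enrolled is not covered"
    return False, f"liability shift rules for '{brand}' are not described here"
```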
The other major benefit of the consumer authentication tools is the simplification of some chargeback resolution activities. For orders in which the consumer was participating in the program and successfully authenticated, the resolution process takes place between the issuing bank and the consumer, not between the merchant and the consumer.
Consumers may be legitimate even if they can’t authenticate. Some examples of reasons why good customers may not be able to authenticate include: use of software that blocks pop-up windows, rendering the service unusable; the pop-up timing out; and consumers who were pre-registered and may not know they have a PIN or password with which to authenticate.
These programs are excellent deterrents, but they are not “silver bullets” that will end all fraud. Many merchants will implement the Verified by Visa and MasterCard SecureCode programs not to combat fraud, but to attract new consumers who were not comfortable using the Internet for purchases before these services were available. In the article “Visa Starts Password Service to Fight Online Fraud,” by Saul Hansell, The New York Times on the Web, published December 3, 2001, Hansell quotes Dell Computers as one of the merchants looking to the Verified by Visa program to help give customers more confidence buying online.
Even for transactions that are covered but where the consumer is not enrolled in the program, other fraud checks should still be performed. The merchant may not take a direct financial loss from a covered chargeback, but the chargeback still counts toward the merchant's chargeback rate, which in most cases should be kept below 1 percent to avoid card association high-risk programs.
THE FRAUD PRACTICE
Alternative Solutions - Commercially available consumer authentication.
Building this In-House - N/A
Estimated Costs - Merchants can find this service available as an outsourced service, or as a software application that can be implemented in-house. The actual cost to purchase the software is fairly low (a couple of thousand dollars). Merchants will have to pay annual maintenance on the software and will have to make changes to their front-end e-commerce engines.
Sample Vendors - N/A