MASTERCARD SECURECODE TECHNICAL OVERVIEW
Consumer authentication techniques, such as MasterCard SecureCode, are intended to validate that the authorized credit card holder is the one actually attempting to make a purchase. The key benefit to this program for merchants is that it provides a liability shift for covered transactions.
Key considerations when implementing or buying this functionality include:
Works only on e-commerce transactions. Merchants still need separate fraud processes for their MOTO (mail order/telephone order) traffic, which SecureCode cannot authenticate.
The merchant, consumer, issuer and acquiring bank must all be participating in the program. So make sure your acquiring bank is set up to support the e-commerce indicator, and check on their certification requirements.
Merchants still need to perform other fraud checks. This tool does not cover many of the card types on the market today and there are legitimate cases in which a merchant may not be able to complete the authentication process with the consumer. Merchants also need to make sure their overall fraud rates are kept within standards.
Companies doing little transactional volume should consider using an outsourced service bureau to perform this service.
Make sure you are checking and providing all of the correct data points. Merchants have to flag transactions as e-commerce with the Electronic Commerce Indicator (ECI), check AVS, check SecureCode enrollment, and pass through the CAVV/AAV (the Accountholder Authentication Value the issuer returns as proof that authentication was performed or attempted) and the XID (the unique transaction identifier for the authentication). Without the ECI, CAVV/AAV and XID on the authorization, the transaction will not receive the liability shift.
Merchants will have to get a digital certificate from MasterCard, which takes about two weeks. See the acquiring bank to get the form and start the process.
HOW DOES IT WORK?
The process used by MasterCard SecureCode to authenticate consumers is pretty simple. The consumer enrolls with the issuing bank and is given a password, PIN or device to authenticate themselves. When the consumer makes a purchase online the consumer is asked to give that password, PIN or device to authenticate. Depending on issuer implementations and mandates in certain countries, 2 Factor Authentication (2FA), a One-Time Password (OTP) or other dynamic authentication mechanisms may be required.
The purchase sequence can be broken down into five stages. First, the consumer goes through the check-out procedure exactly as they do today, providing the same data fields. Second, when the buy button is pressed, the merchant's SecureCode software (commercially available merchant plug-in products) sends a message to MasterCard and the card issuer to find out whether the card is enrolled in the SecureCode program. Third, if the card is enrolled, the consumer is shown a pop-up window that is branded so that it looks as if it comes from the consumer's issuing bank. Fourth, the pop-up asks the consumer to enter their password, OTP or PIN. Fifth, the issuing bank validates that credential and returns the result to the merchant.
The benefit to merchants is that transactions covered by SecureCode shift the liability for fraud losses from the merchant to the card issuer. However, the requirements for eligible transactions differ by region or country. In the United States, MasterCard SecureCode provides the liability shift not only for transactions where the consumer successfully authenticates, but also for transactions where the merchant attempts SecureCode authentication and the consumer is not enrolled. This coverage for non-enrolled consumers was added in October 2011, but it applies only to U.S. domestic transactions, meaning the merchant is U.S. based and the card used was issued in the U.S.
Outside of the U.S. market only transactions where the consumer is authenticated with MasterCard SecureCode are eligible for the liability shift. Additionally, only certain chargeback reason codes are covered:
Reason Code 4837 - No Cardholder Authorization
Reason Code 4863 - Cardholder Does Not Recognize/Potential Fraud
Several countries have mandates related to 3-D Secure and MasterCard SecureCode. For all of Europe, merchants that want to be able to accept Maestro debit online must support MasterCard SecureCode to do so. In Singapore, all 3-D Secure implementations must use a dynamic One Time Password (OTP).
HOW DO YOU USE THE RESULTS?
When using this technology you should implement the following with MasterCard orders:
For orders in which the consumer is participating in the program, the order type is a covered type, and the consumer successfully authenticates, accept the order.
For orders in which the consumer is not participating in the program, the order type is a covered type, the merchant has checked for enrollment, and the order characteristics are within their normal order tolerances, accept the order.
For orders in which the consumer is not participating in the program, the order type is a covered type, the merchant has checked for enrollment, and the order characteristics are not in line with their normal orders, review the order or perform further fraud checks, favoring sales conversion.
For orders in which the consumer is participating in the program but cannot successfully authenticate, and the order characteristics are in line with their normal orders, perform other fraud-screening checks or manually review the order, favoring risk aversion.
For non-covered orders perform traditional checks.
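The decision rules above, together with the data-point checks (ECI, enrollment, CAVV/AAV, XID) and the regional liability-shift scope described earlier, can be expressed as a small merchant-side decisioning function. The following is an added example, not code from the original page or from The Fraud Practice; the dataclass field names, the `within_tolerance` flag (standing in for the merchant's own order-profile checks) and the handling of the one combination the page does not spell out (an enrolled cardholder who fails authentication on an out-of-profile order) are assumptions made here.

```python
"""Merchant-side handling of MasterCard SecureCode results.

Added example (not The Fraud Practice's code). Encodes the five rules under
"HOW DO YOU USE THE RESULTS?", the data-point checks (ECI, enrollment,
CAVV/AAV, XID) and the liability-shift scope (authenticated everywhere;
attempted-but-not-enrolled only for U.S. domestic transactions).
"""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    ACCEPT = "accept"
    REVIEW_FAVOR_CONVERSION = "review / further fraud checks, favoring sales conversion"
    REVIEW_FAVOR_RISK = "review / further fraud checks, favoring risk aversion"
    TRADITIONAL_CHECKS = "no SecureCode protection: perform traditional fraud checks"
    INCOMPLETE_AUTH_DATA = "authentication data incomplete: no liability shift, treat as unauthenticated"


# Order types the page lists as not covered by the liability shift.
NOT_COVERED_ORDER_TYPES = {"procurement_card", "recurring", "split_shipment", "backorder", "one_click"}

# MasterCard SecureCode ECI values (3-D Secure 1.x):
# 2 = cardholder authenticated, 1 = authentication attempted (e.g. not enrolled), 0 = none.
ECI_AUTHENTICATED, ECI_ATTEMPTED, ECI_NONE = "2", "1", "0"


@dataclass
class Order:
    order_type: str
    merchant_country: str
    card_issuer_country: str
    within_tolerance: bool  # assumed result of the merchant's own order-profile checks


@dataclass
class SecureCodeResult:
    enrollment_checked: bool
    enrolled: str       # 'Y', 'N' or 'U' (unable to verify)
    authenticated: str  # 'Y', 'N', 'A' (attempted) or 'U'
    eci: str
    cavv: str           # CAVV/AAV; empty string when the issuer returned none
    xid: str            # unique transaction identifier; empty string when absent


def is_covered_type(order: Order) -> bool:
    return order.order_type not in NOT_COVERED_ORDER_TYPES


def authentication_data_complete(r: SecureCodeResult) -> bool:
    """A fully authenticated order must carry ECI 2 plus CAVV/AAV and XID;
    an attempted (not enrolled) order must carry ECI 1."""
    if r.authenticated == "Y":
        return r.eci == ECI_AUTHENTICATED and bool(r.cavv) and bool(r.xid)
    if r.enrollment_checked and r.enrolled == "N":
        return r.eci == ECI_ATTEMPTED
    return True


def liability_shifted(order: Order, r: SecureCodeResult) -> bool:
    """True when the fraud-chargeback liability sits with the issuer."""
    if not is_covered_type(order) or not authentication_data_complete(r):
        return False
    if r.authenticated == "Y":
        return True  # authenticated transactions are covered in every region
    us_domestic = order.merchant_country == "US" and order.card_issuer_country == "US"
    return r.enrollment_checked and r.enrolled == "N" and us_domestic


def decide(order: Order, r: SecureCodeResult) -> Action:
    if not is_covered_type(order):
        return Action.TRADITIONAL_CHECKS                      # rule 5
    if not authentication_data_complete(r):
        return Action.INCOMPLETE_AUTH_DATA                    # missing ECI/CAVV/XID
    if r.enrolled == "Y":
        if r.authenticated == "Y":
            return Action.ACCEPT                              # rule 1
        # Enrolled but could not authenticate (blocked pop-up, timeout, forgotten
        # PIN, or a real fraudster). Rule 4 covers in-profile orders; assumption:
        # out-of-profile failures get the same risk-averse review.
        return Action.REVIEW_FAVOR_RISK
    if r.enrollment_checked and r.enrolled == "N":
        if order.within_tolerance:
            return Action.ACCEPT                              # rule 2
        return Action.REVIEW_FAVOR_CONVERSION                 # rule 3
    # Enrollment unknown ('U') or never checked: SecureCode gives no protection.
    return Action.TRADITIONAL_CHECKS
```

The `liability_shifted` result is worth logging next to the decision: it tells the chargeback team, before a dispute ever arrives, which orders can be represented under reason codes 4837 and 4863 and which cannot.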
DID YOU KNOW
MasterCard SecureCode is a form of 3-D Secure consumer authentication that applies to MasterCard credit and debit (Maestro) transactions. Verified by Visa, American Express SafeKey and JCB J/Secure are similar services built on the same 3-D Secure protocol.
In general the concept of authenticating the consumer is a good one. For the merchant, this is an excellent tool since it offers some financial coverage if fraud does occur. The card associations implemented these programs to increase consumer confidence in making purchases online, and to help protect online merchants from fraud.
The main reason a merchant wants to implement this service is the protection it offers from fraud-related chargebacks. Not everything is protected, so be sure to review the details of the program. There are significant differences on what is covered in the United States versus what is covered in Europe. Some examples of what is not covered by the program include: Purchases made with procurement cards, recurring billing, split shipments or back-ordered goods and “one-click” technology sales, as well as non-U.S. MasterCard transactions in which the consumer is not enrolled.
Also, certain high-risk segments, such as adult and gaming, may not be covered, so merchants in these vertical markets should check with Visa or MasterCard before they implement this technique.
The other major benefit of the consumer authentication tools is the simplification of some of their chargeback resolution activities. For those orders in which the consumer was participating in the program and they did authenticate, the resolution process would occur between the issuing bank and the consumer, not between the merchant and the consumer.
Consumers may be legitimate even if they can’t authenticate. Some examples of reasons why good customers may not be able to authenticate include:
The use of software that blocks pop-up windows, which prevents the authentication window from ever being shown
The pop-up can time out
Consumers that were pre-registered may not know they have a password or PIN to use
THE FRAUD PRACTICE
Alternative Solutions - Verified by Visa, American Express SafeKey (in UK & Singapore only), JCB J/Secure
Building this In-House - N/A
Estimated Costs - Merchants can find this service available as an outsourced service, or as a software application that can be implemented in-house. The actual cost to purchase the software is fairly low, a couple of thousand dollars. Merchants will also have to pay annual maintenance on the software and make changes to their front-end e-commerce engine to integrate it.
Sample Vendors - Cardinal Commerce