VERIFIED BY VISA (VbV) TECHNICAL OVERVIEW
Verified by Visa is an authentication tool that is intended to validate that the authorized credit card holder is the one actually attempting to make a purchase. The key benefit to this program for merchants is that it provides a liability shift for covered transactions.
Key considerations when implementing or buying this functionality include:
The current consumer authentication tools offered by Visa are meant for and work only on e-commerce transactions. You need to have fraud processes to handle your MOTO traffic.
For these programs to work the merchant, issuer and acquiring bank must all be participating in the program. So make sure your acquiring bank is set up to support the e-commerce indicator, and check on their certification requirements.
You still need to perform other fraud checks. This tool only covers certain Visa transactions. There are legitimate cases in which you may not be able to complete the authentication process with the consumer and you still need to make sure overall fraud rates are kept within standards.
Companies doing little transactional volume should consider using an outsourced service bureau to perform this service.
Make sure you are checking and providing all of the correct data points: you have to flag the order as e-commerce with the ECI, you must check the AVS, you must check for enrollment, you need the CAVV/AVV, you must show the order was checked for enrollment, and you need the XID, the unique transaction number.
You will have to get a digital certificate from Visa, which takes about two weeks. See your acquiring bank to get the form.
HOW DOES IT WORK?
The process used by the consumer authentication services to authenticate consumers is pretty simple. The consumer enrolls with the issuing bank and is given a password, PIN or device to authenticate themselves. When the consumer makes a purchase online the consumer is asked to give that password, PIN or device to authenticate. Depending on issuer implementations and mandates in certain countries, 2 Factor Authentication (2FA), a One-Time Password (OTP) or other dynamic authentication mechanisms may be required.
The purchase sequence can be broken down into five stages. First, the consumer goes through the check-out procedure the same way they do today, providing the same data fields they do today. When the buy button is pressed, the merchant’s system, using commercially available software, sends a message to Visa and the card issuer to find out if the consumer is participating in the VbV authentication program. If the consumer is participating in the program, the service will send a pop-up window to the consumer. The pop-up looks like it is coming from the consumer’s issuing bank. The pop-up asks the consumer to enter their password, OTP or PIN. The issuing bank then validates this password or PIN and returns the results to the merchant.
The benefit to merchants is that transactions covered by Verified by Visa shift the liability for fraud losses from the merchant to the card issuer. However, the requirements for eligible transactions can differ by region or country. Since 2003 Verified by Visa has provided a liability shift for transactions in which the consumer authenticates through VbV, and also for transactions in which the merchant attempts VbV authentication but the consumer is not enrolled in the program. If the consumer is enrolled but can’t authenticate, however, you get no liability shift.
Only certain reason codes are covered for the liability shift with Verified by Visa. These include:
Reason Code 83 - Fraudulent Transaction CNP
Reason Code 75 - Cardholder Does Not Recognize Transaction
Reason Code 23 - Invalid Travel & Entertainment
Reason Code 61 - Fraudulent Transaction MO/TO/EC
Several countries have mandates related to Verified by Visa. In the UK, Visa Europe requires all issuers to use dynamic tokens for their VbV implementations. In Italy, all online merchants must implement Verified by Visa. In Australia, all card issuers will be required to enroll Visa cardholders in VbV by April 2013.
From a security perspective, all communication between the consumer and issuing bank is secured; you as a merchant will not see or ask for this password. The pop-up window the end user receives contains a secret message that only the consumer knows, which shows the consumer that the pop-up window is real and not a fake that someone made to try to steal their password.
There has been a fraud case in which fraudsters acquired account information and then called the issuing bank and changed the address information and signed up for Verified by Visa. The fraudsters then made a lot of fraudulent transactions. But merchants will be covered as long as they followed the rules.
HOW DO YOU USE THE RESULTS?
For Visa orders, when you are using this technology, you should implement the following:
For orders in which the consumer is participating in the program, the order type is a covered type, and the consumer successfully authenticates, accept the order.
For orders in which the consumer is not participating in the program, the order type is a covered type, the merchant has checked for enrollment, and the order characteristics are within their normal order tolerances, accept the order.
For orders in which the consumer is not participating in the program, the order type is a covered type, the merchant has checked for enrollment, and the order characteristics are not in-line with their normal orders, review the order or perform further fraud checks favoring sales conversion.
For orders in which the consumer is participating in the program but cannot successfully authenticate, and the order characteristics are in line with their normal orders, perform other fraud-screening checks or manually review the order favoring risk aversion.
For non-covered orders perform traditional checks.
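The rules above, together with the liability-shift conditions and required data points described earlier, can be written as one decision function. This is an added example, not code from Visa or any vendor; the field names, action labels and placeholder values are hypothetical, and the two cases the rules do not spell out are handled as labelled assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Data points the page tells merchants to check and provide (field names are hypothetical).
EVIDENCE_FIELDS = ("eci", "avs_result", "cavv", "xid")

@dataclass
class Order:
    covered_type: bool          # order type is covered by the program
    enrollment_checked: bool    # merchant queried enrollment for this order
    enrolled: bool              # cardholder participates in VbV
    authenticated: bool         # cardholder passed the issuer prompt
    within_tolerance: bool      # order looks like the merchant's normal orders
    eci: Optional[str] = None
    avs_result: Optional[str] = None
    cavv: Optional[str] = None
    xid: Optional[str] = None

def missing_evidence(order):
    """Names of the required data points that are absent from the order record."""
    return [name for name in EVIDENCE_FIELDS if not getattr(order, name)]

def decide(order):
    """Return (action, liability_shift) following the rules in this section."""
    if not order.covered_type or not order.enrollment_checked:
        # Non-covered order, or enrollment never checked (assumption: treated alike).
        return ("traditional_checks", False)
    if order.enrolled:
        if order.authenticated:
            return ("accept", True)
        # Enrolled but could not authenticate: no liability shift. The page only
        # describes the in-tolerance case; out-of-tolerance orders are routed the
        # same way here as an assumption.
        return ("review_risk_averse", False)
    # Not enrolled, enrollment checked: the attempted authentication keeps the shift.
    if order.within_tolerance:
        return ("accept", True)
    return ("review_favor_conversion", True)

# Constructed sample orders with placeholder strings, not real transaction data.
SAMPLES = {
    "authenticated": Order(True, True, True, True, True, "ECI", "AVS", "CAVV", "XID"),
    "not_enrolled_odd": Order(True, True, False, False, False, "ECI", "AVS", "CAVV", "XID"),
    "failed_auth": Order(True, True, True, False, True, "ECI", "AVS", None, "XID"),
    "procurement_card": Order(False, False, False, False, True),
}

if __name__ == "__main__":
    for name, order in SAMPLES.items():
        print(name, decide(order), "missing:", missing_evidence(order))
```

Logging the output of `missing_evidence` alongside each decision makes it possible to spot orders that were accepted without the data points needed to support a later chargeback dispute.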
DID YOU KNOW
Verified by Visa is a consumer authentication mechanism also known as 3-D Secure. It is intended to validate the authorized cardholder is the one attempting to make a purchase online.
In general the concept of authenticating the consumer is a good one. For the merchant, this is an excellent tool since it offers some financial coverage if fraud does occur. The card associations implemented these programs to increase consumer confidence in making purchases online, and to help protect online merchants from fraud.
The main reason a merchant wants to implement this service is the protection it offers from fraud-related chargebacks. Not everything is protected, so be sure to review the details of the program. Some examples of what is not covered by the program include: Purchases made with procurement cards, recurring billing, split shipments or back-ordered goods and “one-click” technology sales.
Also, certain high-risk segments, such as adult and gaming, may not be covered, so merchants in these vertical markets should check with Visa before they implement this technique.
The other major benefit of the consumer authentication tools is the simplification of some of their chargeback resolution activities. For those orders in which the consumer was participating in the program and they did authenticate, the resolution process would occur between the issuing bank and the consumer, not between the merchant and the consumer.
Consumers may be legitimate even if they can’t authenticate. Some examples of reasons why good customers may not be able to authenticate include: use of software that prevents pop-up windows, rendering the service obsolete; the pop-up timing out; and consumers who were pre-registered and may not know they have a PIN or password to authenticate properly.
THE FRAUD PRACTICE
Alternative Solutions - MasterCard SecureCode, American Express' SafeKey (UK and Singapore only), J/Secure by JCB
Building this In-House - N/A
Estimated Costs - You can find this service available as an outsourced service, or as a software application that you can implement in-house. The actual cost to purchase the software is fairly low, a couple of thousand dollars. You will have to pay annual maintenance on the software. You will also have to make changes to your front-end e-commerce engine.
Sample Vendors - Cardinal Commerce