Sarasota, FL, March 18, 2013 / By: David Montague
I can’t tell you how many times I have been asked my opinion on the 3-D Secure programs offered by the major card brands. As an independent risk consultancy, our opinion has been pretty consistent over the years; we didn’t see much reason to consider 3-D Secure, outside of limited circumstances, until there was greater consistency in the programs across card brands and, most importantly, there was a better way to address the consumer experience to ensure sales conversion was not adversely impacted. It has been over 10 years since Verified by Visa and MasterCard SecureCode launched, and I am pleased to see that the market conditions look to have finally aligned to change our perception of 3-D Secure as a viable and very useful fraud technique to “re-consider”.
In short, we see three major market changes that have changed our perception of the viability of 3-D Secure in today’s market that include; (1) EMV is coming to the USA and there are increasing mandates and adoption of 3-D Secure worldwide making it useful in more cases and markets – the opportunity has reached a point that the effort to implement it makes more sense, (2) MasterCard in the fall of 2011 aligned their liability policy in the US market to be more in line with the policy from Visa, making the 3-D Secure program more consistent across card brands in liability protection for US cardholders, (3) a third party vendor implementation of 3-D Secure, CardinalCommerce, has emerged that can address the consumer experience and abandonment issues by allowing merchants to automate and control when and where actual cardholder authentication actually occurs.
3-D Secure is one technique merchants can apply to perform authentication, to receive fraud liability coverage or both. It is a tool to compliment a full fraud strategy and solution, not replace it. But with the changes to 3-D Secure in recent years and more control on how and when to use it, merchants should reconsider the value proposition and what it can provide, even if just considering a low-touch approach. These programs can provide reductions in interchange, increased fraud liability protection, and today be implemented in a manner that minimally changes the user experience.
EMV & Increasing Mandates and Adoption
From the start merchants saw the potential and value of 3-D Secure: that an additional layer of authentication between the cardholder and their card issuer could reduce risk for online transactions and could provide merchants with much needed protection from fraud on covered transactions. However, low adoption, poor education, poor program implementation, and broad inconsistencies across card brands and regions early on led to merchant and consumer confusion and lost sales for many of the early adopter merchants. Many in the online merchant community developed the disposition that 3-D Secure was a sales killer and more trouble than it was worth.
The reality is that 3-D Secure has come a long way, and while there are definite issues and concerns to address with consumer experience and abandonment, options such as CardinalCommerce finally give merchants an option to address these shortfalls. In terms of the program, 3-D Secure if implemented properly can provide reduced risk through liability shift, lower costs through interchange reduction in certain regions and it could actually be a means to increase sales conversion.
The first 3-D Secure programs, Verified by Visa and MasterCard SecureCode, launched in 2001. Other card associations, American Express and JCB, have developed 3-D Secure programs of their own, several countries have mandated these programs, and requirements regarding liability shifts and have been updated in many markets over the years. The concept of mandates has helped many countries in the accelerated adoption of 3-D Secure programs, which in turn has led to a more consistent experience. Albeit, that consistent experience they achieved would be characterized by many merchants as being a consistent bad experience for consumers.
Verified by Visa and MasterCard SecureCode are deployed in over 100 countries, and there have been large strides in growth and adoption for the European and Asia-Pacific regions as the result of mandates. Verified by Visa is mandated for all eCommerce merchants in Italy while SecureCode is required to accept Maestro debit for all of Europe. Verified by Visa or other 2 factor authentication is required for all eCommerce transactions in India while 3-D Secure is required for the online gaming industry in Japan. Meanwhile in Australia all card issuers were required to enroll Visa cardholders in VbV by April, 2013. Such mandates have increased consumer, merchant and issuer adoption of 3-D Secure programs, and although there hasn’t been similar mandates for the U.S. market, there has been increased incentives for merchants in hopes to spur adoption.
What led to many 3-D Secure mandates in Europe and other countries was the surge of fraud to the online channel following the success of EMV to curb counterfeit card and POS fraud. Although the U.S. has lagged behind most other developed markets in EMV implementation, the transition to EMV is beginning. Starting this April all U.S. payment processors will be required to support EMV transactions, and by 2015 acquirers, rather than card issuers, will be liable for counterfeit card fraud for Card Present transactions if their merchant client does not have EMV enabled POS terminals. Expect EMV to become more common in the U.S. over the coming years, which could shift even more fraud attempts to the online channel and increase the need for the extra layer of authentication 3-D Secure provides. Furthermore, the card associations have shown their commitment to 3-D Secure programs through continued investment and innovation. In late 2012 Visa launched their Consumer Authentication Service (CAS) for issuers, which provides more sophisticated and dynamic methods for authentication as well as support for mobile devices with Verified by Visa (Source: Visa News Release: New Visa Consumer Authentication Service Combats eCommerce Fraud).
Greater Consistency Across Card Brands on Liability Protection
One incentive for merchants to implement 3-D Secure is the liability shift it offers on covered fraudulent transactions. Since 2003 Verified by Visa (VbV) offered a liability shift, putting the cost of fraud on the card issuer rather than the merchant, for both transactions where the consumer successfully authenticated through VbV and instances where authentication was attempted but the consumer was not enrolled with the card issuer. Beginning in the Fall of 2011 MasterCard increased their liability shift coverage for U.S. domestic transactions to also include instances where SecureCode authentication was attempted but the consumer was not enrolled, whereas prior to this the cardholder must have been able to successfully authenticate for the merchant to have liability shift for fraud.
What is important for merchants to consider today is how to benefit from the liability shift while being selective on how and when to implement 3-D Secure to ensure minimal effects on the user experience and purchase abandonment. Meaning, as a merchant your decision to implement 3-D Secure is not an all or nothing decision – you can be selective in terms of checking for participation and selective in who you force to authenticate regardless if they are participating or not. The big picture thought here is, you can get real and very meaningful financial benefits to 3-D secure well beyond “liability” shift.
Taking Back Control of the User Experience with 3-D Secure
One of the greatest drawbacks with 3-D Secure has been that you have to make an all or nothing choice to implement it. Most merchants understood the common use cases such as consumers getting stuck in the authentication process if the Issuer was employing an enroll on first use; or consumers getting trapped in the process because their issuer automatically enrolled them and they aren’t aware of it. But what about the impact of forcing your best customers to authenticate every time they use your site? What about the impact of authentication on your “fast-lane” checkout capabilities, who wants to add additional steps for checkout?! What the program needed, what merchants wanted, was the ability to control who is authenticated and what can happen as part of that process. In short merchants wanted to be able to say “don’t bother authenticating my best customers, we know them” and “don’t use my site to enroll your cardholders”, but they didn’t really have any option to do so. The programs in general are starting to change, Visa has been implementing VCAS which allows for smarter authentication from the issuer; authentication isn’t forced on all transactions, just the ones the issuer actually sees risk, but there was no broader option to control consumer experience.
Well that was the case up until the announcement of CardinalCommerce that it supports selective presentment as part of its offering. As of the point of writing this article this is the only third party service provider we are aware of that offers this capability for now. What we find most compelling about the combination of 3-D Secure and CardinalCommerce is the ability to check for enrollment, and receive liability coverage if the cardholder is not participating - opportunity to gain protection without requiring any change to the user experience; while having the ability to apply rules on who to force the next step of authentication on.
Tim Sherwin, EVP and Co-Founder at CardinalCommerce, explained how they have “developed a new approach to authentication that puts merchants back in the driver’s seat when it comes to who and how they want to authenticate consumers. Now, exclusively through Cardinal, merchants can selectively authenticate based on product type or price, IP location, failed fraud screening and more. And, with our partner MasterCard, we’ve developed a new seamless interface that makes it easy for those consumers they choose to authenticate to do so. We are excited about this major change in authentication and look forward to delivering choice, control and real sales-based success to merchants with this product.”
Merchants can now control the user experience and adjust their settings for authentication based on their appetite for risk. CardinalCommerce also offers tools to improve consumer experience with inline authentication for MasterCard, another exclusive capability that we find very compelling as it changes the user experience very dramatically. For example, traditionally consumers have been given pop-ups to authenticate with the issuer for 3-D Secure, but with MasterCard SecureCode Plus merchants can offer authentication directly within the checkout page. This more seamless integration of 3-D Secure authentication into the existing checkout process allows merchants to retain more control of the process and user experience reducing the effects on abandonment.