Secure Payer Authentication

3-D Secure Payer Authentication

A.K.A Verified by Visa & MasterCard SecureCode

Introduction: The Industry and The Goals

Payer Authentication is the newest and most powerful tool available to ecommerce merchants today. Payer Authentication provides merchants with the electronic equivalent of a signed sales receipt. Under the umbrella of Visa’s 3-Domain Secure initiative, internet merchants can participate in Payer Authentication. Visa’s program is called Verified by Visa. MasterCard and Japanese Credit Bureau (JCB) also have 3-D Secure programs: MasterCard SecureCode and J/Secure. All three programs operate exactly the same way, they validate that the consumer shopping on your website is the legitimate cardholder.

Why would the payment associations (Visa, MasterCard, JCB) want to do this? They are worried about brand erosion.

The benefits of payer authentication are pretty substantial. First and foremost is guaranteed payment on all fully authenticated transactions. Even if the transaction is later determined to be fraudulent. The merchant will NOT be charged back. In fact, the chargeback is actually blocked from being submitted to the merchant’s acquiring bank by Visa and MasterCard, so there is not even an awareness at the merchant bank level that a chargeback occurred. More importantly, the number of chargebacks that a merchant records with their acquirer will drop dramatically. Typical participating merchants see a drop of 60-70 percent in their monthly chargeback rates.

Even more monumental in concepts than the guaranteed payments is the shift in liability from the merchant to the card issuing bank. Never before in the history of card-not-present (CNP) transactions, have the payment networks ever offered a way for merchants to avoid liability for CNP transactions they accept. It has ALWAYS been the merchants liability. Those days are now over. This is ground-breaking stuff here folks.

Now, how about a little lower margin for doing busy more securely? Visa says sure. Just for installing Verified by Visa software on your site, Visa will lower your interchange rate by 5 basis points. I know, I know, basis points are confusing, what does that really mean? Well it works out to $0.05 for every $100.00 you process. A nickel doesn’t seem like a lot, but it adds up when you are processing $1,000,000 a month or more in sales. Why did Visa do this? Well they want to motivate merchants to participate, and the 5 basis points is intended to help offset the cost that merchants pay for the payer authentication service (typically between 5 and 10 cents per transaction).

Common Misconceptions

Misconception #1: Not enough cardholders are enrolled.

This is irrelevant. 300 million plus US Visa cards are enrolled. Visa is offering merchants guaranteed payment on all Visa cards* regardless of whether the cardholder is enrolled or not. This means that from day one, with Verified by Visa enabled on your site, a merchant can cut their transaction liability by 50-60 percent, just on their Visa transactions.

MasterCard does not offer attempts processing liability coverage at this time, but 5-10 percent of MasterCard transactions are guaranteed payment, and their adoption rate is growing every day.

When a merchant combines the coverage of Visa and MasterCard together, they are typically getting guaranteed payment on 60-70 percent of their overall transaction volume. They are also eliminating 7 out of 10 chargebacks.

Misconception #2: Not enough banks offer the service.

Completely untrue. 45 of the top 50 U.S. issuing banks, and over 10,000 issuing banks now have the software up and running, worldwide.

Misconception #3: If it is such a good program, why aren’t the big name merchants doing it?

Good question. These merchants would like to know why you don’t consider them big names:

Walmart.com, JCPenney.com, Hotwire.com, 1800Flowers.com, CompUSA.com, TigerDirect.com, NewEgg.com, Etronics.com, Crutchfield.com, OfficeMax.com, JetBlue.com, NorthwestAirlines, eCost.com, Zales.com, BlueNile.com, FogDog.com, PlayStation.com, LizClaiborne, Wilsons Leather, eBags.com, Nickelodeon, Cooking.com, and about 30,000+ others worldwide that I don’t have room to list here.

Misconception #4: I have heard that Verified by Visa/MasterCard SecureCode cause higher “abandonment” rates?

First of all, lets define abandonment: Abandonment is the process by which a customer leaves/aborts the CHECKOUT process prior to a final submission of the order – including items for purchase, billing and shipping method, and payment information.

Pay attention to this: payer authentication occurs AFTER CHECKOUT (or shopping cart) has been completed, but PRIOR TO AUTHORIZATION of the credit card (it works with both real-time and batch authorization).

Understanding the definition of abandonment explains why Verified by Visa contributes to absolutely zero ‘shopping cart abandonment’. It can’t. Fundamentally, Verified by Visa, as a process that a consumer would see, does not begin until the checkout has been COMPLETED.

With that said, the initial implementation of Verified by Visa, more than two years ago, had some problems with the authentication process. But those problems have been fixed. First and foremost, pop-up windows are no longer allowed for the authentication screen. Due to pop-up blocking software and the almost instinctive act of a consumer closing pop-up windows, Visa realized that this was not going to be effective. Since then they have mandated the “in-line” presentation method, which presents the Verified by Visa screen within the same browser window. This in-line method has proven to be dramatically more effective reducing authentication abandonment from 20-30 percent, down to less than one percent. The in-line method also allows the merchant to keep their brand on the same page as the authentication screen, which provides additional reassurance to the shopper that they are not being enticed by a ‘phishing’ scam.

Also, Visa and MasterCard strongly encourage the prominent display of the Verified by Visa and MasterCard SecureCode logos, both on the homepage, and the checkout page, so that it is clear to the shopper that this site is protected by these programs.

Finally, the strategic placement of consumer messaging (which is the fancy phrase for providing instructions and guidance to your shoppers in the from of text) has been surprisingly helpful. Amazingly, just telling consumers what they can expect to happen (ex: You may be prompted to enter your password if you are enrolled in Verified by Visa), and what to do if the expected thing does not happen (Ex: please call this 1-800 number if you experience a delay or are unsure how to proceed), has been extremely helpful.

Misconception #5: I have so many passwords, and I can never remember all of them. What happens if I forget mine?

First of all, do you have a debit card? If yes, then what’s your PIN number? Don’t answer that. It’s a rhetorical question (and you never know who might be listening!). But you get the point, right? Why can you instantly recall the PIN number for your debit card amidst the tens, if not hundreds, of passwords you have? Because it’s the key to your bank account – your money. The same goes for payer authentication. In regards to consumer experience, it’s almost identical to entering your PIN number for a debit card purchase. In fact, if you want to make your Verified by Visa password a ‘PIN’ number, instead of a password, go ahead, it’s OK. The point is, we already have a proven and flourishing example of consumers successfully protecting their money with a password (PIN) and payer authentication works exactly the same way – you just enter the password in your web browser instead of an ATM machine.

What are the merchant benefits of Payer Authentication?

Guaranteed Payment.

Yeah, right. Guaranteed payment? Where’s the fine print. What is that supposed to mean?
Exactly what it says. Guaranteed payment. If you are an ecommerce merchant, and you install payer authentication software on your site, Visa and MasterCard will guarantee that you get paid, and can NEVER be chargedback on fully authenticated transactions. For a typical ecommerce merchant, this represents about 25-33 percent of Visa card volume and 5-10 percent of MasterCard volume.

In addition Visa also offers guaranteed payment, including chargeback protection, on what they call “attempts processing”. This means that if the merchant has the Verified by Visa software on their site, even if the shopper is not enrolled (has not set up their password), Visa will guarantee payment on that transaction, and block any chargebacks from coming back to the merchant on that transaction. This represents an additional 60-65 percent of the merchants overall Visa card volume.

When you combine the protection outlined in the above two paragraphs together, that equates to roughly 60-70% of your overall credit card volume being covered by the two programs. That means 60-70% of your overall credit card volume will be guaranteed payment, and will be protected from chargeback liability. Sounds crazy right? See Misconception #3 above to see how crazy it really is.

Chargeback Blocking.

What the heck is chargeback blocking? It’s exactly what it sounds like. Literally, Visa and MasterCard step in between and block chargebacks from being passed by Issuing bank who issues credit cards to consumers, to the Merchant Acquiring bank, who receives funds for settled purchases from issuing banks on behalf of you the merchant.

What this means is that a chargeback is blocked from ever reaching your Merchant Acquiring Bank. This means that the number of chargebacks that show up on your monthly chargeback report are going to drop – dramatically. Typically by 65-70 percent. When the number of chargebacks drops, the fines for those chargebacks (usually $15-25 each) also go away. In addition, since their was no chargeback, you the merchant can keep the funds for that purchase. The issuing bank again is blocked from pulling the funds for that fraudulent purchase out of your merchant account. Why? Because you have done your part. You have the payer authentication software on your site. You are off the hook for those transactions that are protected. But somebody has to pay for that fraudulent transaction, right? Right. Lets’ read on…

Transaction Liability Shift.

Transaction Liability is the end result of chargeback blocking. If fraud occurs on a transaction, and the merchant is no longer required to reimburse the consumer for that fraud because the merchant was employing payer authentication, then who will? The bank that issue the credit card. Yep. You read that right. All banks that issue Visa or MasterCard credit cards are now liable for all ecommerce transactions that are protected with payer authentication by merchants. When did this happen? Well, it’s actually always been this way with Verified by Visa and MasterCard SecureCode. Now are we starting to understand why the biggest merchants in the world want these programs on their websites?

So why would issuing banks allow this to happen? Aren’t they now exposed to a huge amount of fraud? That’s partially true, but banks, as members of Visa and MasterCard, are bound by the rules of the card associations they are members of. Also, issuing banks realize in the long run, these programs will strengthen the brand of their cards, and make consumers more willing to shop online. And as you know, issuing banks love it when you use your credit card.

The ecommerce channel today represents only 2-3 percent of the overall commerce in the U.S. However, it is the fastest growing payment channel. Issuing banks realize that ecommerce is really still in it’s infancy, or maybe now more like a toddler. It’s learning to walk, but its still stumbling around like a drunken sailor trying to get his sea-legs. It may not be perfect, but it’s getting better, and becoming ubiquitous. Pretty soon it will be so big, it will be too big to fix, so banks are willing to scrape their knees a little now, and get the problems fixed. When ecommerce eventually is 5, 10, 20, or 50 percent of US commerce, consumers will feel good about using their credit card to shop online, and not be afraid of identity theft and fraud.

Accept International Transactions.

Do you accept transactions today from Nigeria? No? Not surprising. Nobody does. However, what about Canada, or Mexico, or England, or Germany, or Australia, or Japan. There are most certainly customers in these and many other countries that we would be happy to do business with, if we only could feel safe about accepting the transaction. But there’s no Address Verification System (AVS) for these countries, so what can we do?

Well, if you enable Verified by Visa/MasterCard SecureCode on your ecommerce site, not only can you accept transactions from these countries and all over the world, you can do so with exactly the same benefits and protections that you get on U.S. issued credit cards.

A conservative approach for a merchant who is hesitant to test the international markets may be to simply offer to accept international orders ONLY if they are made with a Verified by Visa or MasterCard SecureCode credit card. That seems fair enough. Talk about expanding your markets!

Reduce Overall Cost of Doing Business (operational overhead).

This benefit probably takes the longest to realize, but can be pretty substantial. Ask yourself this question: How much manpower, time and resources do I spend preventing/screening transactions for fraud, and dealing with chargebacks that I have received? Whatever the answer is, now cut that manpower, time and resource allocation by 60-70 percent, and that’s what payer authentication has to offer your business in terms on reducing your costs of doing business.

Verified by Visa and MasterCard SecureCode make your business more efficient. They reduce the time you spend as a business trying to be a security expert, and give you more time and resources to focus on selling your products, which is what a “merchant” should be doing. It’s a beautiful thing!

Verified by Visa Chargeback Reason Codes Covered

U.S. Visa Credit and Debit Cards – Full & Attempted Authentication
23: Invalid Travel & Entertainment
61: Fraudulent Mail Order/Telephone Order/eCommerce
75: Cardholder does not recognize transactions

Visa International Credit and Debit Cards - Full & Attempted Authentication
23: Invalid Travel & Entertainment
83: Fraudulent Mail Order/Telephone Order/eCommerce

MasterCard SecureCode Chargeback Reason Codes Covered

U.S. MasterCard & Maestro Cards – Full Authentication
4837: Cardholder non-authorization
4863: Cardholder not recognized

Which merchants can benefit the most from these programs?

If you accept credit cards as payment online for merchandise, then you can benefit. It does not matter if you are a small business run out of your basement, or if you are selling millions of dollars a year in merchandise. Every merchant can benefit from these programs. More specifically, merchants that are in high risk categories for fraud: jewelry, consumer electronics, software, DVDs; merchants whose items can be easily pawned or fenced: sporting goods, tools, tobacco, ticketing; merchants who sell ‘soft’ products: games, music, content, airtime/phone minutes

So where can I go to get this software?

Visa and MasterCard both have published vendor lists on their websites. You should also talk to your Merchant Acquiring Bank, your Payment Gateway, and/or your Payment Processor to find out if they already have a vendor that they recommend or are partnered with.

Verified by Visa Merchant Information Site: http://usa.visa.com/business/accept...ng_support.html

Verified by Visa Consumer Information Site: https://usa.visa.com/personal/security/vbv/index.html

MasterCard SecureCode Merchant Information Site:
http://www.mastercardmerchant.com/securecode/index.html

MasterCard SecureCode Consumer Information Site: http://www.mastercard.com/securecd/welcome.do