3-D Secure Payer Authentication
Introduction: The Industry and The Goals
Payer Authentication is the newest and most powerful tool available to ecommerce merchants today. Payer Authentication provides merchants with the electronic equivalent of a signed sales receipt. Under the umbrella of Visa’s 3-Domain Secure initiative, internet merchants can participate in Payer Authentication. Visa’s program is called Verified by Visa. MasterCard and Japanese Credit Bureau (JCB) also have 3-D Secure programs (licensed from Visa): MasterCard SecureCode and J/Secure. All three programs operate exactly the same way, they validate that the consumer shopping on your website is the legitimate cardholder.
Why would the payment associations (Visa, MasterCard, JCB) want to do this? They are worried about brand erosion.
Guaranteed payment
The benefits of payer authentication are pretty substantial. First and foremost, merchants are guaranteed payment on all fully authenticated transactions, even if the transaction is later determined to be fraudulent. The merchant will NOT be charged back. In fact, the chargeback is actually blocked from being submitted to the merchant’s acquiring bank by Visa and MasterCard, so there is not even awareness at the merchant bank level that a chargeback occurred. More importantly, the number of chargebacks that a merchant records with their acquirer will drop dramatically. Typical participating merchants see a drop of 60-70 percent in their monthly chargeback rates.
Transaction liability shift
Even more monumental in concept than guaranteed payment is the shift in transaction liability from the merchant to the card issuing bank. Never before in the history of card-not-present (CNP) transactions have the payment networks ever offered a way for merchants to avoid liability for CNP transactions they accept. It has ALWAYS been the merchant’s liability. Those days are now over. This is ground breaking stuff here folks.
“If I had a nickel for every …”
Now, how about a little lower margin for doing busy more securely? Visa says sure. Just for installing Verified by Visa software on your site, Visa will lower your interchange rate by 5 basis points. I know, I know, basis points are confusing, what does that really mean? Well it works out to $0.05 for every $100.00 you process. A nickel doesn’t seem like a lot, but it adds up when you are processing $1,000,000 a month or more in sales. Why did Visa do this? Well they want to motivate merchants to participate, and the 5 basis points is intended to help offset the cost that merchants pay for their payer authentication services (typically between 5 and 10 cents per transaction).
Common Misconceptions
Misconception #1: Not enough cardholders are enrolled.
This is 100% false. 300 million plus US Visa cards are enrolled. Visa is offering merchants guaranteed payment on all Visa cards* regardless of whether the cardholder is enrolled or not. This means that from day one, with Verified by Visa enabled on your site, a merchant can cut their transaction liability by 50-60 percent, just on their Visa transactions. Today, 1 out of every 3 online Visa transactions are fully authenticated, which means the cardholders are actively enrolled in the program.
MasterCard does not offer attempts processing liability coverage at this time, but 5-10 percent of MasterCard transactions are guaranteed payment, and their adoption rate is growing every day.
When a merchant combines the coverage of Visa and MasterCard together, they are typically getting guaranteed payment on 60-70 percent of their overall transaction volume. They are also eliminating 7 out of 10 chargebacks.
* A small percentage of Visa cards are not eligible for the Verified by Visa program, including some Business to Business cards and pre-paid gift cards.
Misconception #2: Not enough banks offer the service.
Completely untrue. 45 of the top 50 U.S. issuing banks, and over 10,000 issuing banks worldwide now have the software up and running and available to cardholders.
Misconception #3: If it is such a good program, why aren’t the big name merchants doing it?
Good question. These merchants would like to know why you don’t consider them big names:
Walmart.com, JCPenney.com, Hotwire.com, 1800Flowers.com, CompUSA.com, TigerDirect.com, NewEgg.com, Etronics.com, Crutchfield.com, OfficeMax.com, JetBlue.com, NorthwestAirlines, eCost.com, Zales.com, BlueNile.com, FogDog.com, PlayStation.com, LizClaiborne, Wilsons Leather, eBags.com, Nickelodeon, Cooking.com, and about 30,000+ others worldwide that I don’t have room to list here.
Misconception #4: I have heard that Verified by Visa/MasterCard SecureCode cause higher “abandonment” rates?
First of all, lets define abandonment: Abandonment is the process by which a customer leaves/aborts the CHECKOUT process prior to a final submission of the order – including items for purchase, billing and shipping method, and payment information.
Pay attention to this: payer authentication occurs AFTER CHECKOUT (when the shopping cart sequence has been completed) but PRIOR TO AUTHORIZATION of the credit card (it works with both real-time and batch authorization).
Understanding the definition of abandonment explains why Verified by Visa contributes to absolutely zero ‘shopping cart abandonment’. It can’t. Fundamentally, Verified by Visa, as a process that a consumer would experience, does not begin until the checkout sequence has been COMPLETED.
With that said, the initial implementation of Verified by Visa, more than two years ago, had some problems with the authentication process. But those problems have been fixed. First and foremost, pop-up windows are no longer allowed for the authentication screen. Due to pop-up blocking software and the almost instinctive act of a consumer closing pop-up windows, Visa realized that this was not going to be effective. Since then they have mandated the “in-line” presentation method, which presents the Verified by Visa screen within the same browser window. This in-line method has proven to be dramatically more effective, reducing authentication abandonment from around 30 percent, down to less than one percent. The in-line method also allows the merchant to keep their brand on the same page as the authentication screen, which provides additional reassurance to the shopper that they are not being enticed by a ‘phishing’ scam.
Also, Visa and MasterCard strongly encourage the prominent display of the Verified by Visa and MasterCard SecureCode logos, both on the homepage, and the checkout page, so that it is clear to the shopper that this site is protected by their programs.
Finally, the strategic placement of consumer messaging (which is the fancy phrase for providing instructions and guidance to your shoppers in the form of text) has been surprisingly helpful. Amazingly, just telling consumers what they can expect to have happen (ex: You may be prompted to enter your password if you are enrolled in Verified by Visa), and what to do if the expected thing does not happen (Ex: please call this 1-800 number if you experience a delay or are unsure how to proceed), has been extremely helpful.
Misconception #5: I have so many passwords, and I can never remember all of them. What happens if I forget mine?
First of all, do you have a debit card? If the answer is yes, then what’s your PIN number? Ok, don’t answer that. It’s a rhetorical question and you never know who might be listening!. But you get the point, right? Why is it that you can instantly recall the PIN number for your debit card amidst the tens, if not hundreds, of other passwords that you have? Because it is the key to your bank account – your money. The same goes for payer authentication – your password is the key to your money while shopping online.
In regards to consumer experience, it’s almost identical to entering your PIN number for a debit card purchase. In fact, if you want to make your Verified by Visa password a ‘PIN’ number, instead of a password, go ahead, it’s OK, we don’t mind at all. The point is, we already have a proven and flourishing example of consumers successfully protecting their money with a password (PIN) and payer authentication works exactly the same way – you just enter the password in your web browser instead of an ATM machine.
What are the merchant benefits of Payer Authentication?
Guaranteed Payment.
Yeah, right. Guaranteed payment? Where’s the fine print. It’s gotta be around here somewhere… What is that supposed to mean? Exactly what it says. Guaranteed payment. Let me make this crystal clear. If you are an ecommerce merchant, and you install payer authentication software on your site, Visa and MasterCard will guarantee that you get paid, and can NEVER be chargedback on fully authenticated transactions. For a typical ecommerce merchant, this represents about 25-33 percent of Visa card volume and 5-10 percent of MasterCard volume.
If that’s not enough, Visa also offers guaranteed payment, including chargeback protection, on what they like to call “attempts processing”. This means that if the merchant has the Verified by Visa software on their site, even if the shopper is not enrolled (has not set up their password), Visa will still guarantee payment on that transaction, and block any chargebacks from coming back to the merchant on that transaction. This represents an additional 60-65 percent of the merchants overall Visa card volume.
When you combine the protection outlined in the above two paragraphs together, that equates to roughly 60-70% of your overall credit card volume being covered by the two programs. That means 60-70% of your overall credit card volume will be guaranteed payment, and will be protected from chargeback liability. Sounds crazy right? See Misconception #3 above to see how crazy it really is.
Chargeback Blocking.
What the heck is chargeback blocking? It’s exactly what it sounds like. Literally, Visa and MasterCard step in between the issuing and acquiring banks and block chargebacks from being passed by issuing bank, who issues credit cards to consumers, to the merchant acquiring bank, who receives funds for settled purchases from issuing banks on behalf of you the merchant.
What this means is that a chargeback is blocked from ever reaching your merchant acquiring bank. This also means that the number of chargebacks that show up on your monthly chargeback report are going to drop – dramatically, typically by 65-70 percent. When the number of chargebacks drops, the fines for those chargebacks (usually $15-25 each) also go away. In addition on protected transactions that turn out to be fraudulent, since there was no chargeback because it was blocked, you the merchant can keep the funds for that purchase. The issuing bank again is blocked from pulling the funds for that fraudulent purchase out of your merchant account. Why? Because in the eyes of Visa and MasterCard, you the merchant have done your part to protect the transaction. You have the payer authentication software on your site. You are off the hook for those transactions that are protected. But somebody has to pay for that fraudulent transaction, right? Right. Lets’ read on…
Transaction Liability Shift.
Transaction Liability is the end result of chargeback blocking. If fraud occurs on a transaction, and the merchant is no longer required to reimburse the consumer for that fraud because the merchant was employing payer authentication on their site, then who will? The bank that issued the credit card. Yep. You read that right. All banks that issue Visa or MasterCard credit cards are now liable for all ecommerce transactions that are protected with payer authentication by merchants. When did this happen? Well, it’s actually been a couple of years now, and has always been this way for Verified by Visa and MasterCard SecureCode. Now are we starting to understand why the biggest merchants in the world want these programs on their websites?
So why would issuing banks allow this to happen? Aren’t they now exposed to a huge amount of fraud? That’s partially true, but banks, as members of Visa and MasterCard, are bound by the rules of the card associations that they are members of. Also, issuing banks realize in the long run that these programs will strengthen the brand of their cards, and make consumers more willing to shop online. And as you know, issuing banks sure do love it when you use your credit card.
The ecommerce channel today represents only 2-3 percent of the overall commerce in the U.S. However, it is the fastest growing payment channel. Issuing banks realize that ecommerce is really still in its infancy, or maybe now its more like a toddler. Like my one year old son, learning to walk, but still stumbling around like a drunken sailor sometimes. It may not be perfect, but it’s getting better, and becoming ubiquitous. In a few short years though, ecommerce will be so big it will be too big to fix, so banks are willing to scrape their knees a little now, and get the problems fixed while it is still manageable. When ecommerce eventually is 5…10…20 or 50 percent of US commerce, consumers by then will feel good about using their credit card to shop online, and not be afraid of identity theft and fraud.
Accept International Transactions.
Do you accept transactions today from Nigeria? No? Not surprising. Nobody does. However, what about Canada, or Mexico, or England, or Germany, or Australia, or Japan? Certainly there are customers in these and many other countries that we would be happy to do business with, if we only felt safe about accepting the transactions. But there’s no Address Verification System (AVS) for these countries, so what can we do?
Well, if you enable Verified by Visa/MasterCard SecureCode on your ecommerce site, not only can you accept transactions from these countries and all over the world, you can do so with exactly the same benefits and protections that you get on U.S. issued credit cards.
A conservative approach for a merchant who is hesitant to test the international markets may be to simply offer to accept international orders ONLY if they are made with a Verified by Visa or MasterCard SecureCode credit card. That seems fair enough. Talk about expanding your markets!
Reduce Overall Cost of Doing Business (operational overhead).
This benefit is probably the most difficult to put your thumb on initially, but can be pretty substantial. Ask yourself this question: How much manpower, time and resources does my business spend screening/filtering/manually reviewing transactions for fraud, and then later dealing with chargebacks that slipped through these measures? Whatever the answer is, cut that manpower, time and resource allocation by 60-70 percent, and that’s what payer authentication has to offer you in terms on reducing your costs of doing business.
The bottom line is Verified by Visa and MasterCard SecureCode make your business more efficient. They reduce the time you spend as a business trying to be a security expert, and give you more time and resources to focus on selling your products, which is what a “merchant” should be doing. It’s a beautiful thing!
Verified by Visa Chargeback Reason Codes Covered
U.S. Visa Credit and Debit Cards – Full & Attempted Authentication
23: Invalid Travel & Entertainment
61: Fraudulent Mail Order/Telephone Order/eCommerce
75: Cardholder does not recognize transactions
Visa International Credit and Debit Cards – Full & Attempted Authentication
23: Invalid Travel & Entertainment
83: Fraudulent Mail Order/Telephone Order/eCommerce
MasterCard SecureCode Chargeback Reason Codes Covered
U.S. MasterCard & Maestro Cards – Full Authentication
4837: Cardholder non-authorization
4863: Cardholder not recognized
Which merchants can benefit the most from these programs?
If you accept credit cards as payment online for merchandise, then you can benefit. It does not matter if you are a small business or if you are selling millions of dollars a year in merchandise. Every merchant can benefit from these programs. More specifically, merchants that are in high risk categories for fraud: jewelry, consumer electronics, software, DVDs; merchants whose items can be easily pawned or fenced: sporting goods, tools, tobacco, ticketing; merchants who sell ‘soft’ products: games, music, content, airtime/phone minutes
So where can I go to get this software?
Visa and MasterCard both have published vendor lists on their websites. You should also talk to your Merchant Acquiring Bank, your Payment Gateway, and/or your Payment Processor to find out if they already have a vendor that they recommend or are partnered with.
Oh, and CardinalCommerce also offers the service if you are interested…
Verified by Visa Merchant Information Site: http://usa.visa.com/business/accepting_visa/ops_risk_management/vbv_marketing_support.html
Verified by Visa Consumer Information Site: https://usa.visa.com/personal/security/vbv/index.html
MasterCard SecureCode Merchant Information Site:
http://www.mastercardmerchant.com/securecode/index.html
MasterCard SecureCode Consumer Information Site: http://www.mastercard.com/securecd/welcome.do
——————————————————————————————————————————-
Rick Lynch
Director of Business Development
CardinalCommerce Corporation
6119 Heisley Road
Mentor, Oh 44060
Related posts brought to you by Yet Another Related Posts Plugin.
