3-D Secure Payer Authentication

Nice article, but obviously propaganda to favor VbV.

Why do I say that? “Misconception #4: Ababandoned sales”

I first encountered VbV myself as a customer. I tried to purchase something online and at checkout I was prompted for a VbV password. Well, #1, I had never even HEARD of VbV, so of course I did not have a password set up. So guess what? I could not complete the sale because of this. I left and found a different vendor for the same goods.

~RB

I’m going to say that is just a merchant with strict security standards and not how a typical implementation of VbV works.

Rabies,

That’s a very interesting situation. I am curious to see when this transaction had occured. As of right now banks may pre-enroll card-holders in the program but this must be done after a considerable amount of marketing has been done in order to inform an individual cardholder that their bank really wants them to enroll in these programs. Even then the cardholder still has to go out and creat their own password/PIN. The whole point of this program is that an individual cardholder creates a personal form of IP that works in conjunction with that card for online purposes.

The other thing I find intereting is that even if this did occur, why didn’t you just hit the “forgot your password” option? This is mandatory on all cards and for all banks. When that option is engaged you can simply sumbit some basic pieces of personal information and create another pass/PIN all within the website…never leaving.

Do guaranteed payments work for a recurring billing model as well?

They currently do not work for recurring billing.

Paysat used this technology to make the most secure atmosphere for their merchants 3D secure is a sucessful way to check the validty of the Credit CARd , i heared that soon all credit cards will be 3D secured Authenticated.

tomy

Great article. I was only reading today about how my country are only opening up to this now.

Thanks for clearing up many questions I had.

Ireland is one of the fastest adopters of the service. Almost all the banks are activeley participating. AIB being one of them.

Yea, I was reading an article on Nevada.ie about it. Realising now it was a little old.

So far, it looks like all banks here have adopted. :slight_smile:

Good as 3-D Secure is, it is worthwhile pointing out that the banks - in the UK at least - have sought to restrict their liability, consequently liability now only shifts to the card issuer where a merchant has less than 1% chargebacks (the same as it generally is now), but obviously merchants have a more secure environment for trading online.

Our feeling is that liability shift will probably disappear altogether, once enough merchants have signed up, the technology has become standardised and 3-D secure eventually becomes mandatory for CNP transactions conducted online… about 2 years away…

Here’s a recent Greensheet Article

http://greensheet.com/Secured-/NextIssue-/14.htm

Time to use Verified by Visa and MasterCard SecureCode?
By David H. Pres

he Verified by Visa and MasterCard SecureCode programs have not really caught on with cardholders or merchants since their introductions in 2001. The programs were designed to increase both cardholder and merchant confidence in Internet purchasing and reduce disputes and fraudulent activity related to card use.

Since the liability shift from acquirers to issuers for fraudulent card use became effective, however, the programs have provided real value for merchants. For merchants to use Verified by Visa and SecureCode on their e-commerce sites, they must purchase a simple plug-in software module that determines cardholder participation in the service and establishes an Internet connection.

This enables issuers to authenticate cardholders. The implementation process for merchants was at first somewhat complex, but today the various vendor solutions have made it much easier. For ISOs and merchant level salespeople (MLS), program use can mean additional income earned from merchants and decreased exposure to fines from the card Associations’ chargeback monitoring programs.

The programs provide ISOs and MLSs with the ability to continue to receive income from merchants who might otherwise have to be terminated because of “excessive chargebacks.” They also give them the opportunity to reduce merchants’ overall risk exposure because the transactions are considered better quality.

The card Associations have marketed Verified by Visa and SecureCode to increase cardholders’ confidence in making more online purchases, but the programs really do nothing for cardholders.

In fact, they may take away some of the cardholders’ chargeback rights because the issuers cannot pass on the loss to the acquirers and are less likely to credit cardholders when the funds come from the issuers.

The card Associations’ zero liability policies have already virtually eliminated consumer liability in cases of card fraud for all transactions.

More for merchants

The programs do a lot for online merchants, though, especially now with lower interchange rates for Verified by Visa and SecureCode transactions. When properly used, the programs eliminate chargebacks for fraudulent transactions. The risk of loss remains with issuers. This is a huge benefit to acquirers and online merchants who have been plagued with “I didn’t do it” chargebacks, such as:

Visa Reason Code 83: Fraudulent Transaction-Card Absent Environment
Visa Reason Code 75: Cardholder Does Not Recognize Transaction
MasterCard Reason Code 37: No Cardholder Authorization.
Interchange rates lowered

Now the card Associations have lowered interchange fees by up to 15 basis points for Visa-branded transactions and up to 59 basis points for MasterCard-branded transactions for using these programs. The savings for using SecureCode is particularly dramatic, although the new rates will apply differently to credit and debit cards. According to MasterCard, effective Oct. 1, 2005:

The interchange rate for merchants (Merit 1) not participating in SecureCode increased by five basis points, from 1.90% + $0.10 to 1.95% + $0.10.

For fully authenticated SecureCode credit card transactions, however, the interchange rate dropped from 1.95% + $0.10 to 1.73% + $0.10, a difference of 22 basis points.

For MasterCard credit card transactions that are not fully authenticated in SecureCode, the interchange rate for merchants dropped from 1.95% + $0.10 to 1.63% + $0.10, a difference of 32 basis points.

For MasterCard debit cards, the interchange rate for merchants (Merit 1) not participating in SecureCode remained at 1.64% + $0.16.

For fully authenticated SecureCode debit card transactions, the interchange rate dropped from 1.64% + $0.16 to 1.15% + $0.15, a difference of 49 basis points and $0.01.

For MasterCard debit card transactions not fully authenticated in SecureCode, the interchange rate for merchants dropped from 1.64% + $0.16 to 1.05% + $0.15, a difference of 59 basis points and $0.01.
These lower interchange rates for MasterCard SecureCode transactions offer an incentive for both ISOs and MLSs and their merchants to participate in the program.

Free network vulnerability scans

To make it easier for merchants to understand, adopt and comply with the Payment Card Industry (PCI) Data Security Standard, MasterCard recently announced the global availability of free network scans for merchants.

Scanning is one of the steps required for many merchants to achieve compliance with PCI. This offering by select companies will allow merchants to learn more about network vulnerabilities and how they can improve network security and achieve PCI compliance. (Go to www.mastercardsecurity.com to find links to the participating security companies.)

Merchants have been slow to adopt Verified by Visa and SecureCode primarily because of the added cost and because of the fear of lost sales due to consumer abandonment before finalizing the transaction.

The true measure should be the merchants’ net income rather than the gross sales. Many abandoned sales are fraudulent transactions anyway. The savings from reduced chargebacks and fees and lost product and the new interchange discounts may offset the merchants’ upfront expense and extra cost for the services. Both card Associations have a lot of information available on their Web sites that ISOs and MLSs can review to learn more about the programs and to find information helpful to their merchants. Visit:

usa.visa.com/business/accepting_visa/ops_risk_management/vbv.html

www.mastercard.com/us/merchant/security/what_can_do/SecureCode/index.html

David H. Press is Principal and President of Integrity Bankcard Consultants Inc. Call him at 630-637-4010, e-mail dhpress@ibc411.com or visit www.ibc411.com .

FYI:

At the MRC Michael Yakel from Visa informed everyone that the protection of VbV will also now be applicable to recurring payments starting April of 2006.

Stay tuned for updates.

Hi Guys,

I am currently writing a project on verified by visa and am needing some help. I am working on a section which deals with current issues surrounding the Verified by Visa Program. I have tried to find out if there are any technical issues but so far have not been able to find any documentation on this. If someone could possibly give some help here on technical issues and any others that you think could be helpfull I would be most appreciative

Regards,

Derick

One of the technical barriers that keep merchants from being able to participate is that there are strict requirements on how the data is passed.

Typically a merchant will only be required to pass these data elements:
-ECI
-CAVV/AAV
-XID

A merchant who isn’t a direct connect to a processor must use a Gateway and these gateways must certify to pass the data elements to first data/global/paymentech/vital. As a merchant you must rely on them to pass the fields properly. Most gateways will only certify on a portion of their porcessors for the service. Merchants will sign up and think they are passing the data properly, and then they start getting hit with chargebacks becauase they have never passed the data elements. Instead of pointing the finger at the real problem, many merchants automatically assume its a problem with Verified by Visa, when its not. This was one of the technical growing pains the programs have had to deal with.

I’ve been meaning to get this post concerning “How to Implement 3D Secure.” The key to participation is being able to pass the data. This is only a temporary list and there are many other ways to get set up, but these seem to be the most popular.

Gateways: Certification
-Authorize.net AIM : certified to: FDMS Nashville and Vital
-Verisign Payflow Pro: certified to: FDMS Nashville, FDMS South, Paymentech, Vital, and Nova.

Shopping Carts: These carts provide modules so integration is almost immediate. These carts are only certified to pass the data to certain gateways. The arrow will refer to who they can work with.

-AbleCommerce V5.5+ –> Authorize.net AIM, USAePay
-Ablecommerce Coldfusion V5.5+ —> Authorize.net AIM, USAePay, Verisign Payflow Pro
-BVCommerce V2004.7 Enterprise+ —> Authorize.net AIM, Verisign Payflow Pro
-Candy Press V2.5+ —> Authorize.net AIM
-Miva Merchant V5+ —> Authorize.net AIM, Verisign Payflow Pro
-osCommerce V2.2 (Milestone 2)+ —> Authorize.net AIM, USAePay, Verisign Payflow Pro
-Zen Cart V1.2.6+ —> Authorize.net AIM, USAePay, Verisign Payflow Pro
-ASPDotNetStoreFront PRO,ML —> Authorize.net AIM, Verisign Payflow Pro
-Cart 32 V6.0+ —> Authorize.net AIM, USAePay, Verisign Payflow Pro
-Lagarde StoreFront V6 SP6+ —> Authorize.net AIM, Verisign Payflow Pro, Cybersource
-Product Cart V2.76+ —> Authorize.net AIM, USAePay, Verisign Payflow Pro, Paymentech Orbital
-Sales Cart V6.0+ —> Authorize.net AIM
-X-Cart V4.0.12+ —> Authorize.net AIM, NetBilling, USAePay, Verisign Payflow Pro

This should provide everyone with a roadmap to determine whether or not you can participate in the programs. If you are using one of these shopping carts please contact your cart provider for details. If you have a custom cart please contact your gateway provider so they can instruct you on how to get set up.

Thanks!

That is exremely helpful to know. Thanks. :tup:

We are currently using Streamline as the merchant bank and Protx as the payment processor. We are accepting GBP as the base currency and we’ve got 3D Secure payment authentication ability, which includes Verified by VISA and MasterCard Secure. Streamline has told us that if the transactions show up in our Protx administration area as GREEN flagged, we are immunized from the responsibility of chargeback. However, things didn’t turn out this way after a few chargebacks were turn against us, which at the time of the transactions, passed 3D Secure authentication. We were outraged by the false claim made by Streamline. We demanded written terms and conditions from Streamline but they said that they don’t have such document available. They verbally elaborated their claims by saying that we wouldn’t get immunized if we accept 3D Secure cards from US and Canada.

We are very skeptical about what Streamline told us since. We are here seeking second opinions.

Is what Streamline’s claim valid? Can we get chargeback immunity if we use a US merchant bank?

For US based merchant accounts you recieve complete protection on all fraudulent regardless of enrollment in the program or bank participation. For Visa you also recieve chargeback blocking protection. This means that when a fraudulnt chargeback is issued it is blockd at the issuer. For international transactions you must represent the authentication information to your acquirer an the chargeback will be reversed.

I did a little research on streamline and bounced your issues around several people on our end. Because we don’t work with styreamline we have zero visibility into whether they are properly passing and recieiving the data and your merchant account is configured properly.

http://www.streamline.com/Already_a_customer/Additional_products_&_services/Fraud_screening/default.htm

In the US you must be an ecommerce merchant and your gateway must be set up on an ecommerce account. You must also be using a gateway that is certified to pass the data to the processor.

Have you represented on the fraudulent chargebacks you recieved?

After more than a few phone calls, and clarifications with Streamline’s chargeback department, Davidguo and I got our questions sorted out. Protx / Streamline actually claims that US and Canada MasterCard Secure credit card issuing banks do not participate the 3D Secure scheme that they’re holding, which we have little or no idea what makes them say that since the MasterCard Secure policy should have applied to all acquiring institutes, shouldn’t it? As a result, most of the disputes that were showing up in our mails were those that had passed MasterCard Secure, in which we failed to tighten the security check against their buyers who turned out to be fraudsters. Streamline’s initial misinformation that made us think that all transactions that passed 3D Secure are equally potent hurts us badly. We’re actively seeking to set up new IMA which won’t cause us the same Protx / Streamline non-sense which had us experienced.

SecureCode only protects on enrolled cardholders in the US.

Verified by Visa in the US protects on all cardholders regardless of cardholder participation or issuing bank support.