3-D Secure: Verified by VISA / Mastercard SecureCode™
Everyone involved in electronic commerce, whether a merchant, bankcard Acquirer, processor or payment gateway, knows the challenges faced with authenticating card-not-present Internet-based payments. You can't obtain and validate a customer's signature, nor can you record the contents of the magnetic stripe on the card. Internet transactions are anonymous, and no amount of security, fancy consumer web site registration processes or passwords can 100% guarantee that the actual cardholder is the person performing the payment transaction. According to MasterCard and VISA International, up to 70% of e-commerce chargebacks are "cardholder unauthorized" due to cardholders saying "I didn't do it". Whether the consumer did participate in the transaction or not, there is no legitimate proof (unless a signature is obtained via fax), and merchants are left holding the loss for the sale (as well as the goods or service) as a result of yet another Card Association Issuer program called Zero Liability! Chargeback rates for Internet purchases and Internet related fraud cases constitute a significant percentage of all industry related fraud cases. To reduce the number of disputed online purchases, Issuers need a means to verify that the actual cardholder is the person performing the Internet purchase. This process has been termed 'Payer Authentication'.
In early 2001, VISA introduced a security protocol called 3-D Secure to improve transaction performance online and to accelerate the growth of electronic commerce through increased consumer confidence. The overriding objective of 3-D Secure is to provide Issuers with the ability to actually authenticate cardholders during an online purchase in order to reduce the likelihood of fraudulent usage of payment cards and to improve transaction performance to benefit merchants, consumers and acquirers. VISA's branded 3-D Secure program is commonly known as 'Verified By VISA'. MasterCard soon followed suit and introduced their payer authentication program called SecureCode™.
3-D Secure in a nutshell stands for 'Three Domain Model' for secure payment systems. The model divides payments into three distinct 'domains': the Issuer Domain, including systems and functions of the Issuer and its cardholders; the Acquirer Domain, including functions of the Acquirer and its merchants; and the Interoperability Domain, the systems and functions that enable the Issuer Domain and the Acquirer Domain to interoperate and authenticate each other worldwide. The interoperability between Issuers and Acquirers is achieved through the use of a common protocol operated through a globally shared VISA or MasterCard Directory Server. The Directory Server receives authentication requests from enrolled merchants querying a specific card number, determines if the card number is in an enrolled Issuer BIN range, directs requests for cardholder authentication to the appropriate Issuer access control server (ACS), and then responds back to the merchant indicating whether payment authentication is available for the queried cardholder account. Finally, all attempted payer authentication requests, whether validated or not, are stored on the Authentication History Server (at VISA and MasterCard), providing data for Acquirers and Issuers in the event of a dispute. All sounds pretty simple, right?
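The Directory Server lookup described above, sketched as an added example (not code from VISA, MasterCard or the original article). The BIN ranges, ACS host names, merchant identifiers and result strings are constructed for illustration and are not the real 3-D Secure message format; masking the card number in the history log is an assumption of this sketch.

```python
from bisect import bisect_right

# Constructed sample data (test values only, not real BINs, hosts or merchants).
BIN_RANGES = sorted([                 # enrolled Issuer BIN ranges -> Issuer ACS
    (400000, 400099, "acs.issuer-a.example"),
    (510000, 510499, "acs.issuer-b.example"),
])
ACS_ENROLLED = {                      # cardholders each ACS knows as enrolled
    "acs.issuer-a.example": {"4000001234567899"},
    "acs.issuer-b.example": set(),
}
ENROLLED_MERCHANTS = {("999001", "M-1001")}   # (Acquirer BIN, Merchant ID)
HISTORY = []                          # stands in for the Authentication History Server

def mask(pan):
    """Keep first six and last four digits so the log never holds a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def route_bin(pan):
    """Return the ACS whose BIN range covers this card, or None."""
    bin6 = int(pan[:6])
    # Ranges are sorted and assumed non-overlapping: find the last range
    # starting at or below bin6, then check its upper bound.
    i = bisect_right(BIN_RANGES, (bin6, float("inf"), "")) - 1
    if i >= 0 and BIN_RANGES[i][0] <= bin6 <= BIN_RANGES[i][1]:
        return BIN_RANGES[i][2]
    return None

def directory_lookup(acquirer_bin, merchant_id, pan):
    """Answer a merchant's query; log every attempt, validated or not."""
    valid_pan = pan.isascii() and pan.isdigit() and 13 <= len(pan) <= 19
    acs = None
    if (acquirer_bin, merchant_id) not in ENROLLED_MERCHANTS:
        result = "merchant_not_enrolled"
    elif not valid_pan:
        result = "invalid_pan"
    else:
        acs = route_bin(pan)
        if acs is None:
            result = "issuer_not_enrolled"
        elif pan in ACS_ENROLLED[acs]:
            result = "authentication_available"
        else:
            result, acs = "cardholder_not_enrolled", None
    HISTORY.append({"merchant": merchant_id, "result": result,
                    "pan": mask(pan) if valid_pan else "invalid"})
    return {"result": result, "acs": acs}
```
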
Who Benefits from Payer Authentication and How?
ALL merchants are eligible to participate in SecureCode™ and Verified by Visa. However, merchants showing up in the Global Merchant Chargeback Monitoring Program, because they are generating an excessive number of chargebacks, are not eligible for the liability shift, which is the single key benefit to merchants participating in 3-D Secure. In order to be protected by the liability shift, merchants have to be off the Chargeback Monitoring program for a period of at least three consecutive months. This does not mean that the merchant or Acquirer should not participate in the program. On the contrary, participating in Verified by Visa and SecureCode™ will help the merchant establish suitable business conditions to reduce the number of chargebacks they currently receive, and thus more quickly remove themselves from the report and gain the benefits of the chargeback liability shift. Contrary to popular belief, VISA and MasterCard do not screen merchants and select who can and cannot participate. The merchant MCC code is not provided with the registration; however, the Acquirer BIN, Merchant ID, name and password are required. If the Acquirer enrolls the merchant, they can take advantage of 3-D Secure.
Chargeback Liability Shift: Who Qualifies and How?
A few points need to be made regarding chargeback liability shift. Not ALL chargeback reason codes qualify for immediate representment; only certain Reason Codes qualify, and these vary from Region to Region. The primary codes, including MasterCard RC 4837 and 4863 ("Cardholder Not Authorized" and "Cardholder Not Recognized") and VISA's RC 23 and 83, constitute more than 70% of all ecommerce related disputed transactions, so the liability shift at minimum protects the largest percentage chargeback risk codes. Also, ISOs and merchants should be aware that the liability shift differs significantly between VISA and MasterCard. In April 2003, VISA implemented chargeback liability shift for certain chargeback reason codes on all authentication transactions and attempted authentications, meaning merchants that implement Verified By VISA in their web sites are eligible for chargeback rights (RC 23 and 83) if a 3-D Secure authentication is attempted but the Issuer and/or the cardholder is not enrolled.
There are some exceptions to this, however, including commercial cards, anonymous prepaid cards, and new channels. Transactions that fall into these categories are not eligible for liability shift with VISA.
MasterCard's SecureCode™ payment guarantee is not based on attempts by the merchant to authenticate the cardholder. The MasterCard SecureCode global liability shift prevents Issuers from initiating chargebacks based on reason code 4837 and 4863 when:
- The merchant is 3-D Secure compliant (UCAF-enabled)
- The issuer provided the 3-D Secure compliant (UCAF) data for the transaction (Issuer and cardholder both must be enrolled)
- All other electronic commerce authorization request message and clearing requirements were satisfied
- The authorization request response reflected the Issuer's approval of the transaction
MasterCard Regions vary in their implementation of the chargeback liability shift, and in Regions where 'merchant only liability shift' does not exist (Canada, LACR, USA) MasterCard has opted to mandate Issuer participation in SecureCode™ instead. The date advised by SecureCode™ for compliance with Issuer enrollment in the programme is November 2004; however, more information from MasterCard is expected in relation to compliance deadlines.
Where chargeback liability shift is important is with 'inter-regional' transactions, where the merchant resides in one jurisdiction and the cardholder in another. Since most Internet based transactions are global, this is a very important consideration. For example, in the CEMEA region, where 3-D Secure is mandated for e-commerce Acquiring and merchants have the benefit of the one way liability shift (one of the regions where this is implemented), a U.S. consumer could lose a MasterCard dispute if the merchant is enrolled in 3-D Secure yet the Issuer and/or cardholder is not, and a SecureCode attempt is made during the check-out process. However, if the merchant and the cardholder are both in the same region (intra-regional), then all entities must participate in order for the liability shift to take effect. This complicated "does liability shift apply or not" policy is being resolved with MasterCard's mandate of Issuer enrollment starting in November 2004. For VISA the answer is simple: if the Issuer and/or cardholder is not enrolled, and a merchant attempts a Verified By VISA request and the transaction is then disputed, the merchant has automatic chargeback liability rights (except those few exceptions noted above). All in all, this should have a significant impact on the merchant's profitability and the Acquiring bank's objective for overall reduced risk.
The Bottom Line - Financial Savings!
If you review the documentation provided by both VISA and MasterCard (various sites are dedicated to Verified By VISA and SecureCode™), there is little if any information relating to the benefits to the Acquiring Member bank once the upfront investment is made to implement 3-D Secure. The focus is clearly on Issuing and the benefits to consumers, cardholders and Issuers, yet there is a significant financial benefit to the Acquiring bank. None of this seems to be spelled out anywhere, and yet it is the initial investment by the Acquirer that needs to be made in order for this entire program to be globally effective. Some of these cost savings include:
- Reduction in eCommerce Acquiring Interchange
Current CNP ecommerce interchange is approximately 1.6% to 1.8% depending on the Region. With the Acquirer and merchant enrolled, the interchange fees are reduced for 3-D Secure transactions to 1.3%, an approximate savings of 50 basis points.
- Reduction in High Risk Acquiring Fees
Currently both VISA and MasterCard require registration of high risk merchants; their list constitutes most Internet merchants doing any significant transactional volume. Registration of these merchants costs upwards of $5000 per merchant, with the added pain of being placed immediately into the chargeback monitoring program (the radar scope!). With the implementation of 3-D Secure, these high-risk merchants can reduce their excessive risk for "I didn't do it" chargebacks and keep a threshold of less than 1% chargebacks, which is the current (ridiculous) minimum acceptable level.
- Reduction in Discount Rate Fees
With the reduction in interchange expenses, an Acquirer has the opportunity to be more competitive with their Discount Rates, as the overall costs associated with Acquiring are reduced upon implementation. Time will tell if the cost savings are reflected back to the merchant by way of reduced discount fees.
- Excessive Credit and Chargeback Fees
These fees start at $25 per item and increase to $100 per item if the merchant continues with greater than 2.0% chargebacks for a period of 3 consecutive months. In addition, the Acquirer can also face fines or penalty fees starting from $25,000 per month for maintaining a high chargeback portfolio, a significant expense to both the Acquirer and the merchant. MasterCard counts credits in the chargeback totals and fines for excessive credits at the same rate as chargebacks.
- Chargeback Fee Income Reduced
The downside of 3-D Secure is the reduction in chargeback fee income; however, the trade-off seems acceptable if it means longevity for the merchant.