3-D Secure Payer Authentication

3-D Secure Payer Authentication

A.K.A Verified by Visa & MasterCard SecureCode

Introduction: The Industry and The Goals

Payer Authentication is the newest and most powerful tool available to ecommerce merchants today. Payer Authentication provides merchants with the electronic equivalent of a signed sales receipt. Under the umbrella of Visa’s 3-Domain Secure initiative, internet merchants can participate in Payer Authentication. Visa’s program is called Verified by Visa. MasterCard and Japanese Credit Bureau (JCB) also have 3-D Secure programs: MasterCard SecureCode and J/Secure. All three programs operate exactly the same way, they validate that the consumer shopping on your website is the legitimate cardholder.

Why would the payment associations (Visa, MasterCard, JCB) want to do this? They are worried about brand erosion.

The benefits of payer authentication are pretty substantial. First and foremost is guaranteed payment on all fully authenticated transactions. Even if the transaction is later determined to be fraudulent. The merchant will NOT be charged back. In fact, the chargeback is actually blocked from being submitted to the merchant’s acquiring bank by Visa and MasterCard, so there is not even an awareness at the merchant bank level that a chargeback occurred. More importantly, the number of chargebacks that a merchant records with their acquirer will drop dramatically. Typical participating merchants see a drop of 60-70 percent in their monthly chargeback rates.

Even more monumental in concepts than the guaranteed payments is the shift in liability from the merchant to the card issuing bank. Never before in the history of card-not-present (CNP) transactions, have the payment networks ever offered a way for merchants to avoid liability for CNP transactions they accept. It has ALWAYS been the merchants liability. Those days are now over. This is ground-breaking stuff here folks.

Now, how about a little lower margin for doing busy more securely? Visa says sure. Just for installing Verified by Visa software on your site, Visa will lower your interchange rate by 5 basis points. I know, I know, basis points are confusing, what does that really mean? Well it works out to $0.05 for every $100.00 you process. A nickel doesn’t seem like a lot, but it adds up when you are processing $1,000,000 a month or more in sales. Why did Visa do this? Well they want to motivate merchants to participate, and the 5 basis points is intended to help offset the cost that merchants pay for the payer authentication service (typically between 5 and 10 cents per transaction).

Common Misconceptions

Misconception #1: Not enough cardholders are enrolled.

This is irrelevant. 300 million plus US Visa cards are enrolled. Visa is offering merchants guaranteed payment on all Visa cards* regardless of whether the cardholder is enrolled or not. This means that from day one, with Verified by Visa enabled on your site, a merchant can cut their transaction liability by 50-60 percent, just on their Visa transactions.

MasterCard does not offer attempts processing liability coverage at this time, but 5-10 percent of MasterCard transactions are guaranteed payment, and their adoption rate is growing every day.

When a merchant combines the coverage of Visa and MasterCard together, they are typically getting guaranteed payment on 60-70 percent of their overall transaction volume. They are also eliminating 7 out of 10 chargebacks.

Misconception #2: Not enough banks offer the service.

Completely untrue. 45 of the top 50 U.S. issuing banks, and over 10,000 issuing banks now have the software up and running, worldwide.

Misconception #3: If it is such a good program, why aren’t the big name merchants doing it?

Good question. These merchants would like to know why you don’t consider them big names:

Walmart.com, JCPenney.com, Hotwire.com, 1800Flowers.com, CompUSA.com, TigerDirect.com, NewEgg.com, Etronics.com, Crutchfield.com, OfficeMax.com, JetBlue.com, NorthwestAirlines, eCost.com, Zales.com, BlueNile.com, FogDog.com, PlayStation.com, LizClaiborne, Wilsons Leather, eBags.com, Nickelodeon, Cooking.com, and about 30,000+ others worldwide that I don’t have room to list here.

Misconception #4: I have heard that Verified by Visa/MasterCard SecureCode cause higher “abandonment” rates?

First of all, lets define abandonment: Abandonment is the process by which a customer leaves/aborts the CHECKOUT process prior to a final submission of the order – including items for purchase, billing and shipping method, and payment information.

Pay attention to this: payer authentication occurs AFTER CHECKOUT (or shopping cart) has been completed, but PRIOR TO AUTHORIZATION of the credit card (it works with both real-time and batch authorization).

Understanding the definition of abandonment explains why Verified by Visa contributes to absolutely zero ‘shopping cart abandonment’. It can’t. Fundamentally, Verified by Visa, as a process that a consumer would see, does not begin until the checkout has been COMPLETED.

With that said, the initial implementation of Verified by Visa, more than two years ago, had some problems with the authentication process. But those problems have been fixed. First and foremost, pop-up windows are no longer allowed for the authentication screen. Due to pop-up blocking software and the almost instinctive act of a consumer closing pop-up windows, Visa realized that this was not going to be effective. Since then they have mandated the “in-line” presentation method, which presents the Verified by Visa screen within the same browser window. This in-line method has proven to be dramatically more effective reducing authentication abandonment from 20-30 percent, down to less than one percent. The in-line method also allows the merchant to keep their brand on the same page as the authentication screen, which provides additional reassurance to the shopper that they are not being enticed by a ‘phishing’ scam.

Also, Visa and MasterCard strongly encourage the prominent display of the Verified by Visa and MasterCard SecureCode logos, both on the homepage, and the checkout page, so that it is clear to the shopper that this site is protected by these programs.

Finally, the strategic placement of consumer messaging (which is the fancy phrase for providing instructions and guidance to your shoppers in the from of text) has been surprisingly helpful. Amazingly, just telling consumers what they can expect to happen (ex: You may be prompted to enter your password if you are enrolled in Verified by Visa), and what to do if the expected thing does not happen (Ex: please call this 1-800 number if you experience a delay or are unsure how to proceed), has been extremely helpful.

Misconception #5: I have so many passwords, and I can never remember all of them. What happens if I forget mine?

First of all, do you have a debit card? If yes, then what’s your PIN number? Don’t answer that. It’s a rhetorical question (and you never know who might be listening!). But you get the point, right? Why can you instantly recall the PIN number for your debit card amidst the tens, if not hundreds, of passwords you have? Because it’s the key to your bank account – your money. The same goes for payer authentication. In regards to consumer experience, it’s almost identical to entering your PIN number for a debit card purchase. In fact, if you want to make your Verified by Visa password a ‘PIN’ number, instead of a password, go ahead, it’s OK. The point is, we already have a proven and flourishing example of consumers successfully protecting their money with a password (PIN) and payer authentication works exactly the same way – you just enter the password in your web browser instead of an ATM machine.

What are the merchant benefits of Payer Authentication?

Guaranteed Payment.

Yeah, right. Guaranteed payment? Where’s the fine print. What is that supposed to mean?
Exactly what it says. Guaranteed payment. If you are an ecommerce merchant, and you install payer authentication software on your site, Visa and MasterCard will guarantee that you get paid, and can NEVER be chargedback on fully authenticated transactions. For a typical ecommerce merchant, this represents about 25-33 percent of Visa card volume and 5-10 percent of MasterCard volume.

In addition Visa also offers guaranteed payment, including chargeback protection, on what they call “attempts processing”. This means that if the merchant has the Verified by Visa software on their site, even if the shopper is not enrolled (has not set up their password), Visa will guarantee payment on that transaction, and block any chargebacks from coming back to the merchant on that transaction. This represents an additional 60-65 percent of the merchants overall Visa card volume.

When you combine the protection outlined in the above two paragraphs together, that equates to roughly 60-70% of your overall credit card volume being covered by the two programs. That means 60-70% of your overall credit card volume will be guaranteed payment, and will be protected from chargeback liability. Sounds crazy right? See Misconception #3 above to see how crazy it really is.

Chargeback Blocking.

What the heck is chargeback blocking? It’s exactly what it sounds like. Literally, Visa and MasterCard step in between and block chargebacks from being passed by Issuing bank who issues credit cards to consumers, to the Merchant Acquiring bank, who receives funds for settled purchases from issuing banks on behalf of you the merchant.

What this means is that a chargeback is blocked from ever reaching your Merchant Acquiring Bank. This means that the number of chargebacks that show up on your monthly chargeback report are going to drop – dramatically. Typically by 65-70 percent. When the number of chargebacks drops, the fines for those chargebacks (usually $15-25 each) also go away. In addition, since their was no chargeback, you the merchant can keep the funds for that purchase. The issuing bank again is blocked from pulling the funds for that fraudulent purchase out of your merchant account. Why? Because you have done your part. You have the payer authentication software on your site. You are off the hook for those transactions that are protected. But somebody has to pay for that fraudulent transaction, right? Right. Lets’ read on…

Transaction Liability Shift.

Transaction Liability is the end result of chargeback blocking. If fraud occurs on a transaction, and the merchant is no longer required to reimburse the consumer for that fraud because the merchant was employing payer authentication, then who will? The bank that issue the credit card. Yep. You read that right. All banks that issue Visa or MasterCard credit cards are now liable for all ecommerce transactions that are protected with payer authentication by merchants. When did this happen? Well, it’s actually always been this way with Verified by Visa and MasterCard SecureCode. Now are we starting to understand why the biggest merchants in the world want these programs on their websites?

So why would issuing banks allow this to happen? Aren’t they now exposed to a huge amount of fraud? That’s partially true, but banks, as members of Visa and MasterCard, are bound by the rules of the card associations they are members of. Also, issuing banks realize in the long run, these programs will strengthen the brand of their cards, and make consumers more willing to shop online. And as you know, issuing banks love it when you use your credit card.

The ecommerce channel today represents only 2-3 percent of the overall commerce in the U.S. However, it is the fastest growing payment channel. Issuing banks realize that ecommerce is really still in it’s infancy, or maybe now more like a toddler. It’s learning to walk, but its still stumbling around like a drunken sailor trying to get his sea-legs. It may not be perfect, but it’s getting better, and becoming ubiquitous. Pretty soon it will be so big, it will be too big to fix, so banks are willing to scrape their knees a little now, and get the problems fixed. When ecommerce eventually is 5, 10, 20, or 50 percent of US commerce, consumers will feel good about using their credit card to shop online, and not be afraid of identity theft and fraud.

Accept International Transactions.

Do you accept transactions today from Nigeria? No? Not surprising. Nobody does. However, what about Canada, or Mexico, or England, or Germany, or Australia, or Japan. There are most certainly customers in these and many other countries that we would be happy to do business with, if we only could feel safe about accepting the transaction. But there’s no Address Verification System (AVS) for these countries, so what can we do?

Well, if you enable Verified by Visa/MasterCard SecureCode on your ecommerce site, not only can you accept transactions from these countries and all over the world, you can do so with exactly the same benefits and protections that you get on U.S. issued credit cards.

A conservative approach for a merchant who is hesitant to test the international markets may be to simply offer to accept international orders ONLY if they are made with a Verified by Visa or MasterCard SecureCode credit card. That seems fair enough. Talk about expanding your markets!

Reduce Overall Cost of Doing Business (operational overhead).

This benefit probably takes the longest to realize, but can be pretty substantial. Ask yourself this question: How much manpower, time and resources do I spend preventing/screening transactions for fraud, and dealing with chargebacks that I have received? Whatever the answer is, now cut that manpower, time and resource allocation by 60-70 percent, and that’s what payer authentication has to offer your business in terms on reducing your costs of doing business.

Verified by Visa and MasterCard SecureCode make your business more efficient. They reduce the time you spend as a business trying to be a security expert, and give you more time and resources to focus on selling your products, which is what a “merchant” should be doing. It’s a beautiful thing!

Verified by Visa Chargeback Reason Codes Covered

U.S. Visa Credit and Debit Cards – Full & Attempted Authentication
23: Invalid Travel & Entertainment
61: Fraudulent Mail Order/Telephone Order/eCommerce
75: Cardholder does not recognize transactions

Visa International Credit and Debit Cards - Full & Attempted Authentication
23: Invalid Travel & Entertainment
83: Fraudulent Mail Order/Telephone Order/eCommerce

MasterCard SecureCode Chargeback Reason Codes Covered

U.S. MasterCard & Maestro Cards – Full Authentication
4837: Cardholder non-authorization
4863: Cardholder not recognized

Which merchants can benefit the most from these programs?

If you accept credit cards as payment online for merchandise, then you can benefit. It does not matter if you are a small business run out of your basement, or if you are selling millions of dollars a year in merchandise. Every merchant can benefit from these programs. More specifically, merchants that are in high risk categories for fraud: jewelry, consumer electronics, software, DVDs; merchants whose items can be easily pawned or fenced: sporting goods, tools, tobacco, ticketing; merchants who sell ‘soft’ products: games, music, content, airtime/phone minutes

So where can I go to get this software?

Visa and MasterCard both have published vendor lists on their websites. You should also talk to your Merchant Acquiring Bank, your Payment Gateway, and/or your Payment Processor to find out if they already have a vendor that they recommend or are partnered with.

Verified by Visa Merchant Information Site: http://usa.visa.com/business/accepting_visa/ops_risk_management/vbv_marketing_support.html

Verified by Visa Consumer Information Site: https://usa.visa.com/personal/security/vbv/index.html

MasterCard SecureCode Merchant Information Site:

MasterCard SecureCode Consumer Information Site: http://www.mastercard.com/securecd/welcome.do

Michael Roche
Senior Manager, Market Development
CardinalCommerce Corporation
P: 877.352.8444 ext 124
F: 440.352.1646

Bump :slight_smile:

Great article… I stuck it…

3d to the next level

If a customer, using Verified by Visa, makes a purchase and is later very dissatisfied with the result yet the merchant refuses to issue a refund, can the customer still issue a chargeback and get his money back? If not, why should a customer join such a program that decreases his protection? (I know the customer’s protection is increased in the form of anti-fraud, but I think some people are more concerned with the ability to issue charge-backs.)

Verified by Visa is a tool used by banks and merchants. A shopper using VbV on a participating site will submit their PIN, which they created, and the merchant and the bank know that the person using the card is really the actual cardholder, so regardless of the ticket size, or the bill to ship to, it can be sent out right away.

Consumers enroll in VbV because it makes it easier for them to shop online, and its far more secure. Many sites offering VbV, recognize enrolled cardholders as the best type of online transcation because it is “almost” like a brick and mortar transaction. Therefore they are offering benefits to these shoppers, quicker service, better customer service etc.

If a cardholder recieves a “service,” and they are unhappy with the service, and they can’t recieve a refund, and they are enrolled in the program…it would be a fraudulent chargeback. So your question is a little strange. VbV is designed to ELIMINATE fraud in the Visa Network, not customer service standards.

Breaking News

Once Again…You Heard It First Here at SitePoint.com

Breaking News: MasterCard® Lowering Interchange for SecureCodeTM Merchants

MasterCard announced new interchange rates for merchants participating in the MasterCard SecureCode program, with the rates going into effect on or around October 1, 2005; timed right before the crucial holiday shopping season.

MasterCard has taken a bold step in offering substantial reductions for participating SecureCode merchants. The new interchange rates will apply differently for MasterCard credit cards and MasterCard debit cards, and merchants should discuss this with their Acquiring bank to understand exactly how these changes will affect them.

For MasterCard credit cards, the interchange rate for merchants (Merit 1) not participating in SecureCode will increase by 5 basis points, from 1.90% + $0.10 to 1.95% + $0.10. For fully authenticated SecureCode credit card transactions, the interchange rate will drop from 1.95% + $0.10 to 1.73% + $0.10, a difference of 22 basis points. For MasterCard credit cards transactions that are not fully authenticated in SecureCode, the interchange rate for merchants will drop from 1.95% + $0.10 to 1.63% + $0.10, a difference of 32 basis points.

For MasterCard debit cards, the interchange rate for merchants (Merit 1) not participating in SecureCode will remain at 1.64% + $0.16. For fully authenticated SecureCode debit card transactions, the interchange rate will drop from 1.64% + $0.16 to 1.15% + $0.15, a difference of 49 basis points and $0.01. MasterCard debit cards transactions that are not fully authenticated in SecureCode, the interchange rate for merchants will drop from 1.64% + $0.16 to 1.05% + $0.15, a difference of 59 basis points and $0.01.

The lower interchange rate for MasterCard SecureCode transactions creates a huge incentive for both Acquirers and their merchants to participate. Merchants are constantly looking for ways to lower their costs, lower their fraud exposure and to lower their chargebacks. MasterCard SecureCode now presents a single approach to resolve these issues.

These benefits are not only limted to large merchants, and you can get these interchange savings if you shop around for your merchant account.

All my clients have been waiting for this. Should cut down online fraud whcih at the moment is rife in many sectors.

what happens when a customer does not have a password? I have been to your links and am I over looking this.

For Visa: When a cardholder, or a cardholder’s bank isn’t participating…the cardholder sees nothing. What occurs on the backend is an “attempted authentication.” Visa protects you on an attempted authentication.

Go to webstore.cardinalcommerce.com

Use the “attempts” card number provided so you can see the shopping experience of a non-enrolled but fully protected Visa cardholder.

For MasterCard: MasterCard only protects on enrolled cards so you will only be protected when a shopper is enrolled, and authenticates themself with their bank at the end of the checkout.

Thanks for the quick reply awesome.

What about “Guaranteed Payment.”? Does it really make a change?

I’m not quite sure what you mean.

We use the term guaranteed payment to refer to any payment that isn’t liable for credit card fraud. As online merchants you are liable for credit card fraud on all of your transcations if you aren’t running Verified by Visa and MasterCard SecureCode.

These are the only fraud screening programs that will shift the liability off your your shoulders and on to the shoulders of the the bank.

Well, that doesnt look that good as it was written…

I run dating website, and I do not accept any orders if the card is not enrolled and the authentication status is failed.

But yea, the trouble is that all transactions are with successful authentication, and I keep receiving Retrieval Requests, with reason “Legal process or fraud analysis”, or “Merchant was not willing to provide the service”, for first one they are asking to send a sales draft, and for second i am just sending screen shots that service was established. So finally i have got the call from the bank and I was told that they gonna keep all my funds on hold, I told that i have “guaranteed payment”, they did not care, and i was just told until I dont have signature and card imprint it most likely i lose the dispute. And they are also going to turn my merchant account off, because of retrieval requests!!!even if all transactions were authenticated, furthermore I got the chargeback on authenticated by Verified by Visa transaction and it says:

Your account has been debited for the follwing reason:

Unauthorized charge. Per Visa, no reversal rights without a signed and imprinted or magswiped sales ticket: or copy of order, proof you obtained positive AVS at time of order and signed proof of delivery to the AVS confirmed address.

Reason code 83

I checked out:


And it says that VbV protects me against that, but you see guys, VISA rules says that liability is shifted from merchant to issuing bank, and banks here NEVER want to take the LOSS!!! even on the paperworks i found that cardholder said it was unauthorized charge, so bank changed it to totally other reason: “merchant was not willing to provide the service”.

And my comments: VbV/MCSC looks good until you dont do anything with it :slight_smile:

Are these international transactions?

RC 83 was originally the RC for international fraudulent ecommerce chargbacks. They have since combined 61 and 83 and it is refered to as 83 across the board.

I just need some additional insight and then I can tell you what the problem is.

Nope, that transaction with V83 reason code was made from california.

If you are a US merchant and you sold to a US cardholder Visa will block the chargeback if its reported for any instance of fraud. If you are passing the ECI and CAVV properly through your gateway and processor Visa should have blocked the chargeback.

If you are capturing the authentication information and properly passing the data along during the authorization process this shouldn’t have happened.

Who are you using for your Gateway and Processor?

Hmm, VeriSign and processor is WoodForest National Bank, i’ve just call to the chargeback department, and they can not find anything with that cardholder, neither by case # nor by credit card #.
Anyway as i told you there are interesting stuff like customer filled out that he did not authorize the trans. so bank changed to RC 30 did not rcvd the service, and Chargebacked for RC 83. Anyway AVS/CVV/VbV was with result code Y.

I am wondering what about if we passing AVS and Buyer Authentication, we are still protected ?

And what could be the trouble with Wells Fargo, when the cardholder process the card details for authorization he is promted to enter his password, and here is the trick:

if VbV password is correct - transaction is declined. ALWAYS!!
If the same customer on VbV window clicks cancel(authentication failed) - the transaction is approved.

What could be the reason, i have called to wells fargo, most of them dont even know what is VbV, i have told the story more then 30 times i guess, but finally i’ve reach the department who should know about that, and i was told they can see the reason, but cant tell me, and asked to call me a customer and ask him to process his card one more time, i put the banker on hold and called to the customer to process the card one more time, anyway it was declined again, so banker told me that the trouble comes not from Wells Fargo, but from VISA and connected me to VISA, anyway in VISA the people level is the same i guess like on the streets who cleans them, big accent its almost impossible to understand, i am saying whats going on, they are asking my card details for no reason, anyway i gave them, so they wanted to connect me to bank of america(my card issuer), i like why BOA i have troubles with customers and WF, so after 20 mins of telling him, that he forgot my card, he just told me that VISA is gateway and all the stuff like authorization is being dont in financial institution, and connected me again to Wells fargo, the guy picked up the phone and i told the situation, so he wanted to talk to customer, i told that if all customers will be redirected so i lose alot of money, and customers always hear the busy signal, anyway these cards were authorized, and all others were declined after. What could be the reason for this? If VbV successful - transaction declined, if autentication failed - transaction approved. :slight_smile:


I’m looking into this issue because it is very out of the ordinary. At this time I believe the issue resides with Wells.

Thank you