Internet Payments: Payer Authentication
To "3-D Secure" or "Not to 3-D Secure"

The unpublished benefits and pitfalls of Verified By VISA and MasterCard SecureCode.
by Andrea Wilson

   Everyone involved in electronic commerce, whether a merchant, bankcard Acquirer, processor or payment gateway, knows the challenges of authenticating card-not-present, Internet-based payments. You can't obtain and validate a customer's signature, nor can you read the contents of the magnetic stripe on the card. Internet transactions are anonymous, and no amount of security, fancy consumer web site registration processes or passwords can 100% guarantee that the actual cardholder is the person performing the payment transaction. According to MasterCard and VISA International, up to 70% of e-commerce chargebacks are "cardholder unauthorized", the cardholder saying "I didn't do it". Whether the consumer participated in the transaction or not, there is no legitimate proof (unless a signature is obtained via fax), and merchants are left holding the loss for the sale (as well as the goods or service) as a result of yet another Card Association Issuer program called Zero Liability! Chargeback rates for Internet purchases and Internet-related fraud cases constitute a significant percentage of all industry fraud cases. To reduce the number of disputed online purchases, Issuers need a means to verify that the actual cardholder is the person performing the Internet purchase. This process has been termed 'Payer Authentication'.
   In early 2001, VISA introduced a security protocol called 3-D Secure to improve transaction performance online and to accelerate the growth of electronic commerce through increased consumer confidence. The overriding objective of 3-D Secure is to provide Issuers with the ability to actually authenticate cardholders during an online purchase, in order to reduce the likelihood of fraudulent usage of payment cards and to improve transaction performance to the benefit of merchants, consumers and acquirers. VISA's branded 3-D Secure program is commonly known as 'Verified By VISA'. MasterCard soon followed suit and introduced its payer authentication program, called SecureCode.
   3-D Secure in a nutshell stands for the 'Three Domain Model' for secure payment systems. The model divides payments into three distinct 'domains': the Issuer Domain, comprising the systems and functions of the Issuer and its cardholders; the Acquirer Domain, comprising the functions of the Acquirer and its merchants; and the Interoperability Domain, the systems and functions that enable the Issuer Domain and the Acquirer Domain to interoperate and authenticate each other worldwide. Interoperability between Issuers and Acquirers is achieved through a common protocol operated through a globally shared VISA or MasterCard Directory Server. The Directory Server receives authentication requests from enrolled merchants querying a specific card number; determines whether the card number is in an enrolled Issuer BIN range; directs requests for cardholder authentication to the appropriate Issuer Access Control Server (ACS); and then responds back to the merchant indicating whether payer authentication is available for the queried cardholder account. Finally, all attempted payer authentication requests, whether validated or not, are stored on the Authentication History Server (at VISA and MasterCard), providing data for Acquirers and Issuers in the event of a dispute. All sounds pretty simple, right?
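As an added illustration (not code from the article, nor from any vendor's 3-D Secure software), the following Python sketch models the three domains and the Directory Server flow just described: the MPI queries the Directory, the Directory resolves the BIN to an Issuer ACS, the ACS authenticates the cardholder, and every attempt is logged whether it validated or not. The class and function names, the BIN range, the sample card numbers and the passphrase are all constructed for the example.

```python
from typing import Optional
import hashlib
import hmac

def _digest(secret: str) -> str:
    # Constructed stand-in for the Issuer's credential store (a real ACS
    # would use a slow, salted password hash, not plain SHA-256).
    return hashlib.sha256(secret.encode()).hexdigest()

class AccessControlServer:
    """Issuer domain: knows which of the Issuer's cardholders are enrolled."""

    def __init__(self, enrolled: dict):
        self._enrolled = {pan: _digest(pw) for pan, pw in enrolled.items()}

    def is_enrolled(self, pan: str) -> bool:
        return pan in self._enrolled

    def authenticate(self, pan: str, password: str) -> bool:
        expected = self._enrolled.get(pan)
        return expected is not None and hmac.compare_digest(expected, _digest(password))

class DirectoryServer:
    """Interoperability domain: maps enrolled Issuer BIN ranges to an ACS and
    keeps the Authentication History of every attempt, validated or not."""

    def __init__(self):
        self._ranges = []   # (low, high, acs) over the 6-digit BIN, inclusive
        self.history = []   # (last four digits, outcome) kept for disputes

    def enroll_issuer(self, bin_low: str, bin_high: str, acs: AccessControlServer):
        self._ranges.append((int(bin_low), int(bin_high), acs))

    def lookup(self, pan: str) -> Optional[AccessControlServer]:
        bin_number = int(pan[:6])
        for low, high, acs in self._ranges:
            if low <= bin_number <= high:
                return acs
        return None   # BIN is not in any enrolled Issuer range

def merchant_plug_in(directory: DirectoryServer, pan: str, password: Optional[str]) -> str:
    """Acquirer domain (the MPI): query the Directory, route the cardholder to
    the Issuer ACS, and return the outcome carried into the authorization."""
    acs = directory.lookup(pan)
    if acs is None or not acs.is_enrolled(pan):
        outcome = "attempted-not-enrolled"    # Issuer or cardholder not enrolled
    elif password is not None and acs.authenticate(pan, password):
        outcome = "authenticated"
    else:
        outcome = "authentication-failed"
    directory.history.append((pan[-4:], outcome))   # logged whether validated or not
    return outcome

# Constructed demo data: one enrolled Issuer BIN range with one enrolled cardholder.
DEMO_PASSWORD = "constructed-passphrase"
ENROLLED_PAN = "4111111111111111"           # enrolled BIN, enrolled cardholder
UNENROLLED_CARDHOLDER = "4111110000000002"  # enrolled BIN, cardholder not enrolled
UNENROLLED_ISSUER = "5555555555554444"      # BIN outside every enrolled range

def build_demo_directory() -> DirectoryServer:
    directory = DirectoryServer()
    directory.enroll_issuer("411111", "411111", AccessControlServer({ENROLLED_PAN: DEMO_PASSWORD}))
    return directory
```

The history list is the point for an Acquirer: even an attempt against an unenrolled Issuer leaves a record that can be produced in a dispute.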

There's always a catch: fees!

   In order to facilitate this entire process, a number of rather complicated and expensive tasks must be completed, starting with enrollment of both the Issuing bank's and the Acquiring bank's BINs and ICAs with their respective Regional Card Associations. Principal Member contractual enrollment must occur before the cardholder or the merchant is able to take advantage of Verified By VISA or SecureCode; however, this subtle point is clearly missed in the information provided by both VISA and MasterCard on their web sites dedicated to the benefits of their respective programs. Registration for the Issuer and Acquirer varies from region to region, as do the registration fees. In the U.S. Region, Acquiring banks are encouraged to enroll their merchant portfolios in 3-D Secure to reduce the number of fraudulent-user chargebacks and provide a more secure environment for consumers to use their cards for an online purchase. As of January 2004, registration for U.S. Acquiring banks is free, as it is in the EU and CEMEA regions, where 3-D Secure is now mandated for all e-commerce Acquiring programs. However, in the Latin America Caribbean Region, Acquirer enrollment fees for 3-D Secure are approximately $40,000 per annum. The Asia Pacific Region also encourages Acquiring banks to enroll in 3-D Secure without a penalty associated with registration. Issuer enrollment is encouraged and free in the U.S., EU and CEMEA Regions; however, additional fees are required for enrollment of the Issuer in the LAC Region.
   In order to engage 3-D Secure services, Acquirers and merchants must also purchase or license certified software from the qualified list of vendors provided on the respective Verified By VISA and SecureCode web sites. Software vendors must develop the required software and be 'certified' through a lengthy process by both VISA and MasterCard before they can license 3-D Secure payer authentication software to Issuers and Acquirers.
   This software is not inexpensive, ranging up to $50,000 for the Acquiring component and up to $25,000 for the Issuer component.
   Both must be purchased/licensed and then installed by the vendor (onsite installation and consultancy fees are an added expense) on specific hardware, networked for security with redundant real-time fail-over, which is required in order to support 3-D Secure transaction requests. The estimated equipment cost for servers to support the 3-D Secure software is approximately $35,000 (including two rack-mounted high-speed servers, firewall, security software/certificates, routers, cables etc.). Once the certified vendor software is installed, functional testing is required by both VISA and MasterCard (called the PIT test), which is scheduled through the bank's regional Card Association once the Member's enrollment in 3-D Secure is complete and the applicable registration fees are paid. MasterCard levies PIT testing fees on merchants/Acquirers of approximately $600 per test (only one PIT test is required by SecureCode per acquirer). VISA does not (yet) charge Acquirers for the PIT test, but vendors are charged for the software certification process.

Security Audit and Merchant Enrollment

   When 3-D Secure functional testing is completed, VISA and MasterCard require the Site Data Protection and CISP/AISP (Account Information Security Program) audits to be completed to ensure adequate and standardized security is in place for all members managing 3-D Secure solutions. Again, a list of qualified vendors is provided by the Card Associations to perform these security audits, at consultancy costs averaging approximately $25,000 per audit. Any changes required as a result of the audit are at the Member's expense and must be completed prior to receiving final sign-off on the CISP/SDP. The bank's approximate bill before galloping out of the starting gate? $135,000, plus consultancy and time costs.
   Once the Acquiring bank has installed the 3-D Secure software, it must enroll its cardholders and its merchants by providing information to both VISA and MasterCard for input to the respective 3-D Secure Directory and ACS Servers. The Acquiring bank is required to securely connect to the merchant's payment page to engage the 3-D Secure process on behalf of its merchant(s). In order for all this to work, merchants are also required to implement "MPI" plug-in software that is integrated with the web storefront check-out page. The MPI performs a number of essential functions, including positioning the required 'pop-up window' for the cardholder's password, transmitting cardholder messages to the VISA Directory Server, receiving Issuer enrollment messages from the VISA Directory Server, transmitting and receiving cardholder payer authentication messages to and from the Issuer ACS server, and finally providing the results in the merchant's authorization message for processing and settlement. Merchant MPI software is also not free (if you check vendors online) and usually comes as a bundled solution with the Acquiring 3-D Secure software. Pricing ranges from a small annual merchant fee to per-authentication fees, depending on the software vendor. Acquirers must factor these additional costs into their already burgeoning 3-D Secure budget.

A Clear Business Case for 3-D Secure Hosting Solutions

   It's not rocket science to comprehend why the uptake by Acquirers of Verified By VISA and SecureCode has not been significant except in the regions where the program is currently mandated. The entry-level costs associated with implementing 3-D Secure are significant, and the overriding 'published benefits' of 3-D Secure do not currently justify these costs. The simple answer is outsourcing 3-D Secure as a hosted solution on behalf of both Banks and Merchants. The hosted solution model seems ideal for Acquirers who already leverage 3rd-party providers for processing and payment gateway solutions, and merchants benefit from a simple 'do it all for me' authentication solution for instant fraud reduction, instant fee reduction and greater profit margins! The benefits of outsourcing mean a considerable reduction in the up-front software licensing and equipment costs associated with implementing 3-D Secure for Acquirers and merchants, and allow the Acquirer to leverage the security, resources and management of a qualified CISP/SDP 3-D Secure provider.

Who Benefits from Payer Authentication and How?

   ALL merchants are eligible to participate in SecureCode and Verified by Visa. However, merchants showing up in the Global Merchant Chargeback Monitoring Program, because they are generating an excessive number of chargebacks, are not eligible for the liability shift, which is the single key benefit to merchants participating in 3-D Secure. In order to be protected by the liability shift, merchants have to be off the Chargeback Monitoring program for a period of at least three consecutive months. This does not mean that the merchant or Acquirer should not participate in the program. On the contrary, participating in Verified by Visa and SecureCode will help the merchant establish suitable business conditions to reduce the number of chargebacks they currently receive, and thus reach the goal of removing themselves from the report sooner and garnering the benefits of the chargeback liability shift. Contrary to popular belief, VISA and MasterCard do not screen merchants and select who can and cannot participate. The merchant's MCC is not provided with the registration; however, the Acquirer BIN, Merchant ID, name and password are required. If the Acquirer enrolls the merchant, they can take advantage of 3-D Secure.

Chargeback Liability Shift: who qualifies and how?

   A few points need to be made regarding chargeback liability shift. Not ALL chargeback reason codes qualify for immediate representment; only certain Reason Codes qualify, and these vary from Region to Region. The primary codes, including MasterCard RC 4837 and 4863 ("Cardholder Not Authorized" and "Cardholder Not Recognized") and VISA's RC 23 and 83, constitute more than 70% of all ecommerce-related disputed transactions, so the liability shift at minimum protects the largest-percentage chargeback risk codes. Also, ISOs and merchants should be aware that the liability shift differs significantly between VISA and MasterCard.
   In April 2003, VISA implemented chargeback liability shift for certain chargeback reason codes on all authentication transactions and attempted authentications, meaning merchants that implement Verified By VISA in their web sites are eligible for chargeback rights (RC 23 and 83) if a 3-D Secure authentication is attempted but the Issuer and/or the cardholder is not enrolled. There are some exceptions to this, however, including commercial cards, anonymous prepaid cards, and new channels. Transactions that fall into these categories are not eligible for liability shift with VISA.
   MasterCard's SecureCode payment guarantee is not based on attempts by the merchant to authenticate the cardholder. The MasterCard SecureCode global liability shift prevents Issuers from initiating chargebacks based on reason codes 4837 and 4863 when:

  • The merchant is 3-D Secure compliant (UCAF-enabled);
  • The Issuer provided the 3-D Secure compliant (UCAF) data for the transaction (Issuer and cardholder both must be enrolled);
  • All other electronic commerce authorization request message and clearing requirements were satisfied; and
  • The authorization request response reflected the Issuer's approval of the transaction.

   MasterCard Regions vary in their implementation of the chargeback liability shift, and in Regions where 'merchant only liability shift' does not exist (Canada, LACR, USA) MasterCard has opted to mandate Issuer participation in SecureCode instead. The date SecureCode has advised for compliance with Issuer enrollment in the programme is November 2004; however, more information from MasterCard is expected in relation to compliance deadlines.
   Where chargeback liability shift is important is with 'inter-regional' transactions, where the merchant resides in one jurisdiction and the cardholder in another. Since most Internet-based transactions are global, this is a very important consideration. For example, in the CEMEA region, where 3-D Secure is mandated for e-commerce Acquiring and merchants have the benefit of the one-way liability shift (one of the regions where this is implemented), a U.S. consumer could lose a MasterCard dispute if the merchant is enrolled in 3-D Secure yet the Issuer and/or cardholder is not, and a SecureCode attempt is made during the check-out process. However, if the merchant and the cardholder are both in the same region (intra-regional), then all entities must participate in order for the liability shift to take effect. This complicated "does liability shift apply or not" policy is being resolved with MasterCard's mandate of Issuer enrollment starting in November 2004. For VISA the answer is simple: if the Issuer and/or cardholder is not enrolled, and a merchant attempts a Verified By VISA request and the transaction is then disputed, the merchant has automatic chargeback liability rights (except for the few exceptions noted above). All in all, this should have a significant impact on the merchant's profitability and the Acquiring bank's objective of overall reduced risk.
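To make the "does liability shift apply or not" logic of this section concrete, here is an added example (not from the article) that encodes the VISA and MasterCard rules exactly as stated above as one decision function an Acquirer could run over a disputed transaction before representment. The Transaction field names are assumptions, and the set of merchant-only-shift regions is built solely from the CEMEA example given here, so it is not a complete list.

```python
from dataclasses import dataclass

# Reason codes the article names as the ones the liability shift covers.
MC_PROTECTED_REASON_CODES = {"4837", "4863"}   # Cardholder Not Authorized / Not Recognized
VISA_PROTECTED_REASON_CODES = {"23", "83"}
# Card types the article lists as excluded from the VISA shift.
VISA_EXCLUDED_CARD_TYPES = {"commercial", "anonymous-prepaid", "new-channel"}
# Regions with a merchant-only (one-way) MasterCard shift. The article names
# CEMEA and says the shift does not exist in Canada, LACR or the USA, so this
# set is an assumption built from that example, not a complete list.
MC_MERCHANT_ONLY_SHIFT_REGIONS = {"CEMEA"}

@dataclass
class Transaction:
    network: str                  # "visa" or "mastercard"
    reason_code: str              # chargeback reason code raised by the Issuer
    merchant_enrolled: bool       # merchant/Acquirer enrolled (UCAF-enabled for MasterCard)
    issuer_enrolled: bool
    cardholder_enrolled: bool
    attempted: bool               # the MPI attempted authentication at check-out
    ucaf_data_present: bool       # the Issuer supplied the 3-D Secure (UCAF) data
    approved: bool                # the authorization response was an approval
    merchant_region: str
    cardholder_region: str
    card_type: str = "consumer"
    on_monitoring_program: bool = False   # merchant listed in the chargeback monitoring program

def liability_shifts_to_issuer(tx: Transaction) -> bool:
    """Return True when, under the rules described in the article, the Issuer
    rather than the merchant carries the loss for this disputed transaction."""
    # Merchants on the monitoring program are not eligible, whatever else holds,
    # and nothing shifts unless the enrolled merchant actually attempted 3-D Secure.
    if tx.on_monitoring_program or not tx.merchant_enrolled or not tx.attempted:
        return False
    if tx.network == "visa":
        # Attempt-based: applies whether or not the Issuer/cardholder is enrolled,
        # except for the excluded card types.
        return (tx.reason_code in VISA_PROTECTED_REASON_CODES
                and tx.card_type not in VISA_EXCLUDED_CARD_TYPES)
    if tx.network == "mastercard":
        if tx.reason_code not in MC_PROTECTED_REASON_CODES:
            return False
        fully_authenticated = (tx.issuer_enrolled and tx.cardholder_enrolled
                               and tx.ucaf_data_present and tx.approved)
        if fully_authenticated:
            return True
        # Otherwise only an inter-regional attempt from a merchant-only-shift
        # region moves the liability; intra-regional disputes need all entities enrolled.
        inter_regional = tx.merchant_region != tx.cardholder_region
        return inter_regional and tx.merchant_region in MC_MERCHANT_ONLY_SHIFT_REGIONS
    raise ValueError(f"unknown network: {tx.network}")
```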

The Bottom Line - Financial Savings!

   If you review the documentation provided by both VISA and MasterCard (various sites are dedicated to Verified By VISA and SecureCode), there is little if any information relating to the benefits to the Acquiring Member bank once the upfront investment is made to implement 3-D Secure. The focus is clearly on Issuing and the benefits to consumers, cardholders and Issuers, yet there is a significant financial benefit to the Acquiring bank. None of this seems to be spelled out anywhere, and yet it's the initial investment by the Acquirer that needs to be made in order for this entire program to be globally effective. Some of these cost savings include:

  • Reduction in eCommerce Acquiring Interchange
    Current CNP ecommerce interchange is approximately 1.6% to 1.8% depending on the Region. With the Acquirer and merchant enrolled, the interchange fees are reduced for 3-D Secure transactions to 1.3% - an approximate savings of 50 basis points;
  • Reduction in High Risk Acquiring Fees
    Currently both VISA and MasterCard require registration of high-risk merchants, and their list constitutes most Internet merchants doing any significant transactional volume. Registration of these merchants costs upwards of $5,000 per merchant, with the added pain of being placed immediately into the chargeback monitoring program (the radar scope!). With the implementation of 3-D Secure, these high-risk merchants can reduce their excessive risk of "I didn't do it" chargebacks and keep to a threshold of less than 1% chargebacks, which is the current (ridiculous) minimum acceptable level.
  • Reduction in Discount Rate Fees
    With the reduction in interchange expenses, an Acquirer has the opportunity to be more competitive with their Discount Rates as the overall costs associated with Acquiring are reduced upon implementation. Time will tell if the costs savings are reflected back to the merchant by way of reduced discount fees.
  • Excessive Credit and Chargeback Fees
    These fees start at $25 per item and increase to $100 per item if the merchant continues with greater than 2.0% chargebacks for a period of 3 consecutive months; in addition, the Acquirer can also face fines or penalty fees starting from $25,000 per month for maintaining a high-chargeback portfolio, a significant expense to both the Acquirer and the merchant. MasterCard counts credits in the chargeback totals and fines for excessive credits at the same rate as chargebacks.
  • Acquiring Collateral
    Both VISA and MasterCard require collateral to be on deposit with them in order for an acquirer to engage in 'high risk' Acquiring. This can be as little as $150,000 or as high as $10 million depending on the portfolio volume and risk profile. The costs associated with the Letter of Credit to maintain this deposit can be significant to the Acquirer.
  • Chargeback Fee Income Reduced
    On the down side of 3-D Secure is the reduction in chargeback fee income; however, the trade-off seems acceptable if it means longevity for the merchant.

Long Term Portfolio Quality Leveraging 3-D Secure Solutions

   The overall objective of an Acquirer should be to implement and maintain a portfolio of merchants that represent low risk for chargebacks and greater potential for long term profit. Without 3-D Secure and leveraging the chargeback liability shift, merchants continue to be at risk to consumer fraud, chargebacks (whether legit or not) and placement on the global chargeback monitoring programme, the TMF and MATCH. This is not a healthy ecommerce environment and many of us in the industry have recognized this for a long time. The cycle continues to repeat itself with merchants hopping from one Acquirer to the next once terminated due to >1% chargebacks even to the extent of creating a new company and web site to start out 'fresh'. Migrating offshore with new names and web sites has become a regular occurrence.
   The answer must lie in the implementation of 3-D Secure by the Acquirer for every ecommerce merchant, so that we can collectively shift the responsibility for much of the ISO industry's headaches back onto the Issuers, to take responsibility for some of the deliberate chargeback fraud that has targeted ecommerce merchants in the past few years. We've been asking the Card Associations repeatedly for solutions to the "It wasn't me" chargeback problems for a number of years, and a solution has finally been presented to us: let's all take advantage of it while the financial and business benefits are still squarely in our favour. It's as easy as 1-2-3-D Secure!