Who Needs 3D Secure? Verified By Visa and MasterCard SecureCode Examined

In the noble quest to fight online fraud, online retailers are feeling the pressure from credit card companies and banks to implement 3D secure technologies – namely Verified by Visa and MasterCard SecureCode. In some countries, merchant participation is mandatory to process certain cards.

3D Secure offers an extra layer of protection for cardholders and merchants. Customers are asked to enter an additional password after checkout completion to “verify” they are truly the cardholder. But, like any extra step in a checkout process, 3D Secure can have a negative impact on conversion rates. Cardholders frequently forget passwords they’ve created, and balk at long processes and forms.

Every online retailer must make a decision to adopt, avoid or abandon 3D Secure technology. How can you determine if it’s right for your business? How can you minimize the impact on conversion rates if you have implemented 3D Secure?

How 3D Secure Works

Developed by Visa and licensed by MasterCard, 3D Secure stands for “Three Domain Secure” – the domains being the acquiring bank (retailer’s bank), the issuing bank (the cardholder’s bank) and the infrastructure that supports the 3D Secure protocol.

On participating sites, after completing the merchant’s checkout process, the customer is asked to provide a password (if previously enrolled) or to set up his or her Verified By Visa or MasterCard SecureCode credentials. The customer is either redirected to the issuing bank’s website for authorization, or kept within the merchant’s own checkout process through a frame.

Ineligible cards, such as Discover and American Express (which has its own authentication product, Safekey, available only in the UK and Singapore), Visa gift cards and business credit cards with multiple names on the account, are detected by the system, and their holders are not prompted to enroll or enter a password.

An unenrolled Visa, Maestro or MasterCard customer is allowed to opt out of the scheme a minimum of 3 times (depending on the card issuer), up to an unlimited number of opt-outs. In some cases, the card issuer may make a risk-based decision to require authentication the first, second or third time. If a cardholder opts out the maximum number of times, he or she will no longer be presented with a “No thanks” button, and may not be able to shop online with online retailers that use 3D Secure until enrolled (this depends on the card issuer).

With Visa, the online retailer may decide whether to process an order for an opt-out or incorrect password, and is protected from chargebacks simply from making the attempt to authenticate through the Visa Attempts program. MasterCard does not offer the same protection if the cardholder opts out.

Pros and Cons of 3D Secure

Pros

Liability shift. Typically, when a transaction is disputed, it’s the merchant who pays the price. 3D Secure ensures liability shifts from the merchant to the issuing bank. This alone may make worldwide implementation of 3D Secure worthwhile for your business.

Chargeback protection. Verified by Visa ensures you’ll never receive a chargeback on your merchant account. This can help prevent “friendly fraud,” where a customer knowingly makes a purchase and files a chargeback, knowing the bank will side with the customer. (MasterCard does not support chargeback blocking).

Interchange benefits. These include lower interchange fees, and in some cases longer payment terms with your acquiring bank.

Increased online shopping. Fear of online fraud holds many consumers back from shopping online. Verified by Visa claims its product increases online shopping, and suggests customers are more willing to purchase through a site that uses 3D Secure.

Cons

Customers hate it. It’s not just merchants that moan about 3D Secure. If there’s any doubt – check out the live stream of Tweets griping about Verified by Visa. Many are NSFW.

@anyagrace laments: “Lloyds TSB Click Safe/Verified by Visa is the absolute bane of my life. I create a new password every time and it just gets longer and longer.” This message was retweeted by several of her followers.

Customers don’t understand it. In markets where it’s not mandated, customers are not always sure what to do. When faced with an extra step in the checkout process – many will just give up and seek out a seller that doesn’t use it.

Card blocking. Livid customers who have been locked out of online shopping will increase the number of complaint calls to your customer service line. They may also vow to never transact with you in the future.

Not to mention, 3D Secure is not all that secure…

Does 3D Secure Really Make Online Shopping Safer?

For unenrolled cards, the first person to use the card online gets to set the password. Identity thieves often know a victim’s date of birth or the last digits of a social security number required for activation with the issuing bank. Cyberthieves are also well aware how easy it is to reset a 3D Secure password. Passwords can also be easy to guess. Verified by Visa, for example, suggests “your password should be easy for you to remember” – which ultimately makes it less secure.

Another well-publicized problem: 3D Secure has been prone to phishing. To increase confidence, during registration Verified by Visa asks the cardholder to choose a phrase that will appear in the window, such as “happy birthday.”

Finally, 3D Secure aims to increase consumer confidence about shopping online by protecting enrolled cards from unauthenticated use. But because 3D Secure is not adopted by every issuing bank or every retailer, and because there is an opt-out option, only some are protected – some of the time. 3D Secure also can’t protect the cardholder from a data breach (card number compromised through the retailer’s records), which is a major concern among online shopping “hold-outs.”

Where is 3D Secure required?

MasterCard has made it mandatory for merchants who wish to accept Maestro cards in the UK, and Verified by Visa is required in Italy. It is strongly encouraged in other countries, especially those that are high risk for fraud, and may become mandatory in the future. Merchants who refuse to participate may face fines and other penalties if “caught.”

The UK has the highest credit card penetration in Europe, and is often the “sandbox” for new security products like AVS, 3D Secure, contactless payment and reverse authorization. According to Cybersource, 73% of UK online retailers currently use 3D Secure, and another 10% are planning to implement this year.

Coupled with the aggressive awareness campaigns and push to enroll from issuing banks, this means UK shoppers seem to have grown accustomed to the scheme, and the impact on conversion is less dramatic than in other markets.

Nevertheless, some merchants choose to hold out as long as they can on 3D Secure, either by choosing not to accept Maestro cards in the UK, or by taking the risk of being fined.

The Amazon Holdout

Amazon.co.uk is a conspicuous example of an ecommerce site that ignores the “rules” for Maestro cards. There are several reasons why Amazon can get away with this.

Amazon also has a sophisticated fraud prevention and resolution team in house, which involves advanced tools, processes and people. (Next post we’ll look at what makes a solid fraud management system, stay tuned). Amazon may also be less vulnerable to fraud than other merchants because it’s not focused on acquiring new customers. Credit card information is stored in users’ accounts and is updated infrequently.

It’s likely that Amazon would rather pay fines and accept chargebacks than sacrifice the volume of sales that could be lost with the extra layer of friction in checkout. Amazon also has the luxury of passing liability to third party merchants and marketplace sellers, which make up 30% of revenue.

Small and medium businesses are less likely to have a fraud department, and may pose a greater risk to issuing banks. Thus, pressure on SMBs is higher than on larger enterprises, though it also depends on the volume of chargebacks a merchant receives and whether those costs are easily absorbed. Digital goods sellers, for example, have low COGS and overhead, and may be in a better position.

Recommendations

How do you decide to use 3D Secure? And if you decide to use it, how can you minimize the “damage”?

1. Weigh the risks against the rewards of not using 3D Secure.

To get a true understanding of the benefit or detriment of using 3D Secure, you must take into account your current chargeback rate and volume, the manual work involved in investigating and settling claims, your credit card processing fee expense, the percentage of sales from cards that require the scheme, and the potential fines you may incur by not participating. Don’t focus solely on a decreased conversion rate or revenue.

Consider your cost of goods sold. Fraud hits hardest when margins are slim. Also, higher ticket items and certain product categories are more vulnerable to fraud. Reducing risk for such products may warrant a site-wide implementation of 3D Secure.

2. Consider selective implementation.

Certain countries carry higher risk for fraud, which may warrant implementation in those countries if you’re a global business with localized websites. For other countries where 3D Secure is not mandated and awareness and adoption is low, the conversion/revenue loss may outweigh the benefit.

There is a case for A/B testing 3D Secure in different markets, provided it’s not mandated in that region. However, you cannot test in one market and apply the results to others. For example, UK cardholders are more accepting of 3D Secure because of its ubiquity, and the conversion impact is expected to be lower than in France, the US or Germany.

3. If you decide to use 3D Secure, follow best practices.

Use frames inline. You have the choice to serve up a separate page or embed the frame into your checkout process, with your branding in the page URL and the SSL lock, rather than the bank’s. Though some customers may fear their banking information is being shared with the retailer, Visa’s own research shows higher rates of authentication using this approach.

Educate customers about 3D Secure

Verified by Visa and MasterCard SecureCode both have preamble you can use in your checkout that helps the customer who’s not sure what’s going on understand the benefits of the scheme. You can craft your own copy if you wish, but make sure you communicate the increased security the cardholder will enjoy while enrolled in the program in non-jargonny language (and don’t invent words like non-jargonny).

You should mention there is no charge for the service, and include a link to more information (that opens in a new window). Place the messaging where it will be most noticed, close to the frame or Submit Order button.

It’s also very important to inform customers that using the Refresh or Back button will disrupt the order. Using a dialog box when such action is taken (the “are you sure you want to do this” type) can help save an order.
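One way to implement the “are you sure” dialog described above, as an added example that is not part of the original article: a guard that prompts only while 3D Secure authentication is pending. The names `installAuthGuard` and `state.authPending` are hypothetical, and the merchant's own checkout script is assumed to call `arm()` and `disarm()`.

```javascript
// Added example (not from the original article): warn before the customer
// leaves the page while 3D Secure authentication is still in progress.
// installAuthGuard and the `state` object are hypothetical names.

function installAuthGuard(win, state) {
  function onBeforeUnload(event) {
    // Only interrupt navigation while the issuer's frame is awaiting input.
    if (!state.authPending) {
      return undefined;
    }
    // Standard way to request the browser's confirmation dialog.
    event.preventDefault();
    // Older browsers only prompt when returnValue is set. Current browsers
    // show their own generic wording and ignore any custom string.
    event.returnValue = '';
    return '';
  }

  win.addEventListener('beforeunload', onBeforeUnload);

  return {
    // Call when the 3D Secure frame is shown.
    arm() { state.authPending = true; },
    // Call as soon as the authentication result is back, before the page
    // submits the order, so the final navigation does not trigger the prompt.
    disarm() { state.authPending = false; },
    // Remove the listener entirely (for example on the confirmation page).
    remove() { win.removeEventListener('beforeunload', onBeforeUnload); },
  };
}

// Browser usage (assumption: called by the merchant's own checkout script):
//   const guard = installAuthGuard(window, { authPending: false });
//   guard.arm();      // when the frame opens
//   guard.disarm();   // when authentication completes or is abandoned
```

Because the browser controls the wording of this prompt, the explanation of why Back and Refresh disrupt the order still belongs in the page copy next to the frame.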

4. Do your due diligence when selecting an implementation vendor.

To achieve the above, it’s important that your 3D Secure implementation vendor provides both the ability to modify the elements under your control and strong analytics tools. For example, you’ll want to keep track of transactional data, the percentage of orders protected, and the number of times customers “saw” a 3D Secure frame.

5. Understand that fraud management is more than 3D Secure.

3D Secure is only one weapon in the fraud-fighting arsenal. Next post we’ll look at other fraud management tools that make up a strong fraud prevention program.

Special thanks…

I want to thank the various fraud management experts who were interviewed for this research:

Peter Caparso, North American President, Adyen
Julie Fergerson, VP Emerging Technologies, Ethoca
Richard Maxwell, Senior Technical Consultant, Javelin Group
Robert Pearson, Vice President, Ecommerce, Best Buy Canada
Chris Lake, Econsultancy
Jeff Sawitke, SVP, Chief Product Officer with Verifi
Andras Csere, Principal Analyst (Security and Risk), Forrester Research


15 Responses to “Who Needs 3D Secure? Verified By Visa and MasterCard SecureCode Examined”

  1. Great that you cover this topic. One of the problems with 3D secure is that online banking customers have been educated for years “never to give out their online banking password to other sites”.
    While we deliberately excluded 3D Secure from our checkout usability research we did talk about 3D Secure with some of the test subjects after the test session. Many of them seemed to mix the concept of 3D Secure passwords and online banking passwords. This could explain some of the increased checkout abandonment rate 3D Secure often introduces.

  2. Good article about the pros and cons.

    What really needs to happen is for the AVS system to (1) actually work 100% of the time and (2) work against SHIPPING addresses (i.e., customers would maintain a list of approved shipping addresses at their bank).

    Additionally, customers should be able to generate “fake” account numbers that are linked to their real credit card number, except that they get limited to authorizations from a single merchant (the first merchant who happens to do an authorization against it). (Discover had a good idea but failed by making them usable anywhere and making them expire when the parent card expires.) Customers would then be able to control which merchants continue to have access to their cardholder data by “revoking permission” for a particular account number via their bank’s Web site, much like one controls permission for Twitter or Facebook apps to access their profile information.

    Of course, this would require collaboration between merchants, banks, and processors, which means instead we get programs like CVN and 3D Secure. Since these programs aren’t mandatory in the US, they don’t do enough to prevent fraud. It needs to be either mandated “all in” or not exist at all.

    Just my two cents.

    • Himagain says:

      Now that is a good idea Nicholas.
      Of course, that means it won’t ever happen. :-}

      I liked the token idea (I think PayPal started it) which has a real “feel” of safety to it. I still use it on EBay.
      Having known some “natural” hackers in my time, I’ve simply become more and more paranoid over the years.
      When it is demonstrated to me just how easy it is to break in to what should be immensely secure Sites – nothing tricky – just mainly psychology and human weakness, I still get nervous.

      We do need greater disincentives for crackers – forced enrollment in the US Marines, maybe? (Jails don’t work, most are holiday camps.)

  3. John Q. Public says:

    Overall, good article, especially for those less familiar with 3D-Secure. I do, however, take issue with one statement. “3D Secure offers an extra layer of protection for cardholders and merchants.” Well when I put my work hat on and live at a merchant, yes, 3D-Secure offers me a lot of protection. But when I get home and play consumer, chargeback protection and liability shift do not work in my interests. As a consumer, I’m best protected by FTC limits on my liability for card not present transactions with no authentication, though those protections are limited to US based credit accounts. Therein lies one of the adoption holes. So long as I, personally, am better protected not using 3D-Secure, and so long as some issuers (including at least one major issuer) do not participate, it’s in my interest to use a card on a credit account from a non-participating issuer, so that in the case of a dispute I can turn my issuer on the merchant rather than fighting uphill against an allied issuer and merchant.

    • Hi John, I agree with you partially. As I mentioned, there are many holes that don’t protect the consumer, such as the ease in changing passwords and the ability for identity thieves to open a new card and use it online first and set the password. The opt-out ability doesn’t help this situation. However, you as the cardholder can file a chargeback and the liability shifts from retailer to your issuing bank. If the card was opened fraudulently, the card issuer is liable, and is also liable for allowing the opt-out, as it makes a risk-based decision in real time.

      However, do you disagree that the authentication request will prevent unauthorized use of an enrolled card “for the most part”? It does add an additional layer of security in that regard, that a fraudster/friend/family member without the PIN would not be able to complete the order. I did not mean it offers complete protection, but an additional layer of protection, such as Address Verification Service and Card Verification Value.

      Not all chargebacks are due to fraud. Some are due to non-delivery or damaged goods and goods not as described. In that case, the dispute is not about unauthorized use or fraud. In these cases, the liability is on the retailer again, not the issuing bank.

  4. Himagain says:

    Thanks Linda, I needed that…. It *IS* a jungle/minefield out there and getting worse. A nice concise overview of a big mess.

  5. John’s point “charge back protection and liability shift do not work in my interests” is really well put. I do commend those who realize that this costs everyone. There seems to be a disturbing minority who think it’s not their problem because somebody else pays. It’s an eye-opener, whether you are a consumer, bank, merchant, fraud vendor, or anyone else in the payment chain. Actually Ethoca posted a chart trying to summarize misconceptions about fraud liability (left column) and reality (right column) at http://www.ethoca.com/fraud-intel/bid/42890/Who-Pays-for-All-the-Card-Fraud-That-You-Don-t-You-Do

    Fraudsters are getting what amounts to a network effect – working together to stay ahead of issuers and merchants. Issuers and merchants need to synch up to thwart them. With smart protocols in place, data sharing enables issuers and merchants to check against each others’ histories, for example, while not sharing the data itself. Then merchants stop more fraud losses, card issuers slash fraud management costs, and consumers have a safer environment in which to shop. And we get fraud out of the system entirely vs shifting liability around.

  6. George Hawkins says:

    One can only imagine that Mastercard is one of the last companies where senior management can be completely computer illiterate (“I leave Internet stuff to my secretary” types), and that they were sold the idea for 3D Secure by the dim-but-well-connected nephew of one of their golfing buddies while knocking back drinks at the club house.

    There’s no other way to explain the retardedness of this “security” measure. I’m amazed the issuing banks let this get anywhere. After financial institutions have spent a fortune trying to inform their customers of the dangers of phishing Mastercard come up with a security measure that’s indistinguishable from a phishing attack – a popup window that appears in the middle of a transaction that is clearly neither from the merchant in question, from the card holder’s bank or from Mastercard itself, or alternatively an odd ill-fitting iFrame that looks out of place as it doesn’t match the design of the containing page and which your browser helpfully warns you is not from the same source.

    Congratulations Mastercard – I hope your shareholders reward you for your stunning ignorance of e-commerce.

  7. I hate 3D secure so much that whenever I get redirected to a 3D Secure page I abandon the cart immediately and make sure that I don’t use the card any more for online transactions. It adds a huge amount of friction to the checkout process and I’m astonished that it has survived.

    • Michael says:

      This is what we are fighting against. Customers that lack the basic necessities of logic and thinking, yet have credit issued to them.

  8. charles french says:

    Hello,

    Do you know if Paypal requires 3D Secure if you want to pay with your Mastercard?

    Thanks

  9. marie says:

    Thanks for this article.
    I have to say that 3D secure allowed us to provide online payment to our customers. Our average purchase is 2500€ (luxury items) and without 3D secure (and because we do not have a fraud department!) it was too risky for us to accept cards online and we needed liability shift…
    But I have to agree about education of clients, in France it was a disaster at the beginning of the implementation because no communication was done, customers were dropping out because they did not know what it was. Today it is a little better, customers have learned and e-shops have tried to explain (even if a lot of shops still refuse to install it to avoid loss of orders) and clients are starting to be more confident with it (not thanks to the banks that have not communicated at all about it!). It feels that this system has been created by bankers for bankers without consulting e-shops and e-shoppers!
    And finally, the only advantage for us (e-shop) was the liability shift, but I do not know if it is much more secured, even without our security department we can identify frauds that are 3D success…
    Marie

  10. Ahmed says:

    Thanks for the informative article. I need to obtain a VISA or Mastercharge card covered under 3D Secure.

  11. Sean says:

    In a market like ours (South Africa) where online shopping is relatively new, 3D Secure is proving to be rather troublesome. This is exacerbated by the fact that the banks here are a law unto themselves and do nothing to educate their clients when issuing cards. We currently have it enabled for our site, but cart abandonment rates are rather alarming, and, so, I will be disabling it.
