Who Needs 3D Secure? Verified By Visa and MasterCard SecureCode Examined
In the noble quest to fight online fraud, online retailers are feeling the pressure from credit card companies and banks to implement 3D secure technologies – namely Verified by Visa and MasterCard SecureCode. In some countries, merchant participation is mandatory to process certain cards.
3D Secure offers an extra layer of protection for cardholders and merchants. Customers are asked to enter an additional password after checkout completion to “verify” they are truly the cardholder. But, like any extra step in a checkout process, 3D Secure can have a negative impact on conversion rates. Cardholders frequently forget passwords they’ve created, and balk at long processes and forms.
Every online retailer must make a decision to adopt, avoid or abandon 3D Secure technology. How can you determine if it’s right for your business? How can you minimize the impact on conversion rates if you have implemented 3D Secure?
How 3D Secure Works
Developed by Visa and licensed by MasterCard, 3D Secure stands for “Three Domain Secure” – the domains being the acquiring bank (retailer’s bank), the issuing bank (the cardholder’s bank) and the infrastructure that supports the 3D Secure protocol.
On participating sites, after completing the merchant’s checkout process, the customer is asked to provide a password (if previously enrolled) or to set up his or her Verified By Visa or MasterCard SecureCode credentials. The customer is either redirected to the issuing bank’s website for authorization, or kept within the merchant’s own checkout process through a frame.
Ineligible cards, such as Discover and American Express (which has its own authentication product, Safekey, available only in the UK and Singapore), Visa gift cards and business credit cards with multiple names on the account, are detected by the system, and their holders are not prompted to enroll or enter a password.
An unenrolled Visa, Maestro or MasterCard customer is allowed to opt out of the scheme a minimum of 3 times (depending on the card issuer), up to an unlimited number of opt outs. (In some cases, the card issuer may make a risk-based decision to require authentication the first, second or third time.) If a cardholder opts out the maximum number of times, he or she will no longer be presented with a “No thanks” button, and may not be able to shop online with online retailers that use 3D Secure until enrolled (this depends on the card issuer).
With Visa, the online retailer may decide whether to process an order for an opt-out or incorrect password, and is protected from chargebacks simply by making the attempt to authenticate through the Visa Attempts program. MasterCard does not offer the same protection if the cardholder opts out.
Pros and Cons of 3D Secure
Liability shift. Typically, when a transaction is disputed, it’s the merchant who pays the price. 3D Secure ensures liability shifts from the merchant to the issuing bank. This alone may make worldwide implementation of 3D Secure worthwhile for your business.
Chargeback protection. Verified by Visa ensures you’ll never receive a chargeback on your merchant account. This can help prevent “friendly fraud,” where a customer knowingly makes a purchase and files a chargeback, knowing the bank will side with the customer. (MasterCard does not support chargeback blocking.)
Interchange benefits. These include lower interchange fees, and in some cases longer payment terms with your acquiring bank.
Increased online shopping. Fear of online fraud holds many consumers back from shopping online. Verified by Visa claims its product increases online shopping, and suggests customers are more willing to purchase through a site that uses 3D Secure.
Customers hate it. It’s not just merchants that moan about 3D Secure. If there’s any doubt – check out the live stream of Tweets griping about Verified by Visa. Many are NSFW.
@anyagrace laments: “Lloyds TSB Click Safe/Verified by Visa is the absolute bane of my life. I create a new password every time and it just gets longer and longer.” This message was retweeted by several of her followers.
Customers don’t understand it. In markets where it’s not mandated, customers are not always sure what to do. When faced with an extra step in the checkout process – many will just give up and seek out a seller that doesn’t use it.
Card blocking. Livid customers who have been locked out of online shopping will increase the number of complaint calls to your customer service line. They may also vow to never transact with you in the future.
Not to mention, 3D Secure is not all that secure…
Does 3D Secure Really Make Online Shopping Safer?
For unenrolled cards, the first person to use the card online gets to set the password. Identity thieves often know a victim’s date of birth or last digits of a social security number required for activation with the issuing bank. Cyberthieves are also well aware how easy it is to reset a 3D Secure password. Passwords can also be easy to guess. Verified by Visa, for example, suggests “your password should be easy for you to remember” – which ultimately makes it less secure.
Another well-publicized problem: 3D Secure has been prone to phishing. To increase confidence, during registration Verified by Visa asks the cardholder to choose a phrase that will appear in the window, such as “happy birthday.”
Finally, 3D Secure aims to increase consumer confidence about shopping online by protecting enrolled cards from unauthenticated use. But because 3D Secure is not adopted by every issuing bank or every retailer, and because there is an opt-out option, only some are protected - some of the time. 3D Secure also can’t protect the cardholder from a data breach (card number compromised through the retailer's records), which is a major concern among online shopping “hold-outs.”
Where is 3D Secure required?
MasterCard has made it mandatory for merchants who wish to accept Maestro cards in the UK, and Verified by Visa is required in Italy. It is strongly encouraged in other countries, especially those that are high risk for fraud, and may become mandatory in the future. Merchants who refuse to participate may face fines and other penalties if “caught.”
The UK has the highest credit card penetration in Europe, and is often the “sandbox” for new security products like AVS, 3D Secure, contactless payment and reverse authorization. According to Cybersource, 73% of UK online retailers currently use 3D Secure, and another 10% are planning to implement this year.
Couple this with the aggressive awareness-raising and push to enroll from issuing banks, and UK shoppers seem to have grown accustomed to the scheme; the impact on conversion is less dramatic than in other markets.
Nevertheless, some merchants choose to hold out as long as they can on 3D Secure, either by choosing not to accept Maestro cards in the UK or by taking the risk of being fined.
The Amazon Holdout
Amazon.co.uk is a conspicuous example of an ecommerce site that ignores the “rules” for Maestro cards. There are several reasons why Amazon can get away with this.
Amazon also has a sophisticated fraud prevention and resolution team in house, which involves advanced tools, processes and people. (Next post we’ll look at what makes a solid fraud management system, stay tuned). Amazon may also be less vulnerable to fraud than other merchants because it’s not focused on acquiring new customers. Credit card information is stored in users’ accounts and is updated infrequently.
It’s likely that Amazon would rather pay fines and accept chargebacks than sacrifice the volume of sales that could be lost with the extra layer of friction in checkout. Amazon also has the luxury of passing liability to third party merchants and marketplace sellers, which make up 30% of revenue.
Small and medium businesses are less likely to have a fraud department, and may pose a greater risk to issuing banks. Thus, pressure on SMBs is higher than on larger enterprises, though it also depends on the volume of chargebacks a merchant receives and whether those costs are easily absorbed. Digital goods sellers, for example, with low COGS and overhead, may be in a better position.
How do you decide to use 3D Secure? And if you decide to use it, how can you minimize the “damage”?
1. Weigh the risks against the rewards of not using 3D Secure.
To get a true understanding of the benefit or detriment of using 3D Secure, you must take into account your current chargeback rate and volume, the manual work involved in investigating and settling claims, your credit card processing fee expense, the percentage of sales from cards that require the scheme, and the potential fines you may incur by not participating. Don’t focus solely on a decreased conversion rate or revenue.
Consider your cost of goods sold. Fraud hits hardest when margins are slim. Also, higher ticket items and certain product categories are more vulnerable to fraud. Reducing risk for such products may warrant a site-wide implementation of 3D Secure.
2. Consider selective implementation.
Certain countries carry higher risk for fraud, which may warrant implementation in those countries if you’re a global business with localized websites. For other countries where 3D Secure is not mandated and awareness and adoption are low, the conversion/revenue loss may outweigh the benefit.
There is a case for A/B testing 3D Secure in different markets, provided it’s not mandated in that region. However, you cannot test in one market and apply the results to others. For example, UK cardholders are more accepting of 3D Secure because of its ubiquity, and the conversion impact is expected to be lower than in France, the US or Germany.
3. If you decide to use 3D Secure, follow best practices.
Use frames inline. You have the choice to serve up a separate page or embed the frame into your checkout process, with your branding in the page URL and the SSL lock, rather than the bank’s. Though some customers may fear their banking information is being shared with the retailer, Visa’s own research shows higher rates of authentication using this approach.
Educate customers about 3D Secure
Verified by Visa and MasterCard SecureCode both have preamble you can use in your checkout that helps the customer who’s not sure what’s going on understand the benefits of the scheme. You can craft your own copy if you wish, but make sure you communicate the increased security the cardholder will enjoy while enrolled in the program in non-jargonny language (and don’t invent words like non-jargonny).
You should mention there is no charge for the service, and include a link to more information (that opens in a new window). Place the messaging where it will be most noticed, close to the frame or Submit Order button.
It’s also very important to inform customers that using the Refresh or Back button will disrupt the order. Using a dialog box when such action is taken (the “are you sure you want to do this” type) can help save an order.
4. Do your due diligence when selecting an implementation vendor.
To achieve the above, it’s important your 3D Secure implementation vendor provides both the ability to modify the elements under your control and strong analytics tools. For example, you’ll want to keep track of transactional data, the percentage of orders protected, and the number of times customers “saw” a 3D Secure frame.
5. Understand that fraud management is more than 3D Secure.
3D Secure is only one weapon in the fraud-fighting arsenal. Next post we’ll look at other fraud management tools that make up a strong fraud prevention program.
I want to thank the various fraud management experts who were interviewed for this research:
Peter Caparso, North American President, Adyen
Julie Fergerson, VP Emerging Technologies, Ethoca
Richard Maxwell, Senior Technical Consultant, Javelin Group
Robert Pearson, Vice President, Ecommerce, Best Buy Canada
Chris Lake, Econsultancy
Jeff Sawitke, SVP, Chief Product Officer with Verifi
Andras Csere, Principal Analyst (Security and Risk), Forrester Research