Payer Authentication Solutions For Verified by VISA


Page 1: Payer Authentication Solutions For Verified by VISA

First Atlantic Commerce

Payer Authentication Solutions

For Verified by VISA and MasterCard SecureCode®

Page 2: Payer Authentication Solutions For Verified by VISA

Agenda

1. What is 3-D Secure Payer Authentication?

2. Why have the Card Associations introduced 3-D Secure?

3. How does it work?

4. Who’s protected and how?

5. How does chargeback liability shift work?

6. What are the benefits in using 3-D Secure?

7. What 3-D Secure services does FAC offer?

Page 3: Payer Authentication Solutions For Verified by VISA

What is 3-D Secure Payer Authentication?

Payer authentication enables all parties in an e-commerce payment transaction to transmit confidential and valid payment data, and provides verification to the merchant that the buyer is the authorized owner of a particular card account.

Why is this so important to online merchants?

Page 4: Payer Authentication Solutions For Verified by VISA

Why have the Card Associations introduced 3-D Secure?

Until recently, Internet based card transactions have been classified as ‘card-not-present’ and ‘no signature present’ so it has been virtually impossible to prove that the actual cardholder is the person performing the payment transaction at an Internet merchant site.

The result? 78% of all e-commerce chargebacks are from ‘unauthorised transaction’ reason codes commonly referred to as the “I didn’t do it” chargebacks.

Page 5: Payer Authentication Solutions For Verified by VISA

Why have the Card Associations introduced 3-D Secure?

This changes with the introduction of 3-D Secure™ services, which provide Internet merchants with the ability to verify the consumer’s true identity through a secure, electronic, non ‘face-to-face’ authentication process.

To stress the importance of eliminating card and chargeback fraud on Internet transactions, the Card Associations have also instituted a chargeback liability shift to protect merchants from online fraud and habitual chargeback offenders.

Page 6: Payer Authentication Solutions For Verified by VISA

Why is it called 3-D Secure Payer Authentication?

3-D Secure has been named by VISA and MasterCard because there are 3 interoperability domains involved in the authentication process.

– Issuer Domain

– Interoperability Domain

– Acquirer Domain

Also involved in the authentication process are the cardholder, the merchant, the payment gateway and the bank’s processor.

Page 7: Payer Authentication Solutions For Verified by VISA

Why is it called 3-D Secure Payer Authentication?

Issuer Domain (Cardholder, Issuing Bank)

The ACS server where issuers enroll their cardholders and where cardholder passwords are stored.

Interoperability Domain

The Card Association Directory Server(s) that store the registration information of the enrolled merchants, acquiring banks and issuers.

Acquirer Domain (Acquiring Bank, Merchant with MPI)

The server that contains the MPI software that communicates with the Directory Server and the issuer ACS server to complete authentication of the consumer when a transaction is performed.

Page 8: Payer Authentication Solutions For Verified by VISA

How does it work?

From an Issuer’s Point of View

• Issuers must license 3-D Secure “Access Control Server” software from a certified vendor;

• Issuers then register BINs directly with Verified By VISA and MasterCard SecureCode depending on what card brands they issue;

• Issuer BINs are installed on the ACS server and cardholders are requested to register their card number with VbV and SecureCode by selecting a unique password and ‘secret phrase’.

Page 9: Payer Authentication Solutions For Verified by VISA

How does it work?

From an Acquirer’s Point of View

• Acquirers enroll with VISA and SecureCode to register their acquiring BINs/ICAs. Acquirers must identify how they will support the MPI to enable 3-D Secure (in house or service provider?)

• Merchants are enrolled by their acquiring bank and registered on the MPI (hosted by FAC) and Directory Server.

• The Card Associations set up specific parameters in BASE I and INET to ensure 3-D Secure transactions are flagged correctly for both interchange price reductions and chargeback handling.

• The MID, merchant name, BIN and security certificate are all that are enrolled on the Directory Server. No MCC!

Page 10: Payer Authentication Solutions For Verified by VISA

How does it work?

From the Card Associations’ Point of View

• The Directory Server is the ‘traffic cop’ that manages and monitors BINs and 3-D Secure messages between Issuer, Acquirer and Merchant.

• The Directory Server receives authentication requests from FAC once a merchant is integrated.

• The Directory Server determines if the card number is in an enrolled Issuer BIN range, directs requests for cardholder authentication to the appropriate Issuer (ACS) and then responds back to the merchant, starting the process of payer authentication directly with the consumer.

Page 11: Payer Authentication Solutions For Verified by VISA

How does it work?

From the Card Associations’ Point of View

• All “attempted” payer authentication requests, whether validated or not, are stored on the Authentication History Server (at VISA and MasterCard), providing data for acquirers and issuers in the event of a transaction dispute.

• VISA and MasterCard have implemented payer authentication scenarios based on the responses from the ACS server and the MPI software that determine liability shift protection for Issuers and Acquirers.

Page 12: Payer Authentication Solutions For Verified by VISA

How does it work?

The Payer Authentication Process

• Issuers and Acquirers register independently and the service is not interdependent;

• Issuers can be enrolled but not their cardholders; alternatively neither can be enrolled - this drives the merchant chargeback liability shift conditions;

• Likewise, Acquirers can be enrolled but not their merchants leaving the liability for fraud with the merchant if payer authentication is not completed prior to the payment authorisation.

Page 13: Payer Authentication Solutions For Verified by VISA

How does it work?

The Payer Authentication Process

• FAC’s MPI software communicates with the merchant’s payment page and passes the authentication requests to the Directory Server(s) to validate Issuer enrollment;

• The Directory Server queries to determine if the Issuer BIN is enrolled and, if yes, communicates with the Issuer ACS server to validate if the cardholder is registered;

• If both are enrolled, the Directory Server responds via FAC’s MPI and sends the message to the merchant to generate the ‘pop up’ window for the consumer to enter their password information.

Page 14: Payer Authentication Solutions For Verified by VISA

How does it work?

The Payer Authentication Process

• Authentication of the consumer takes place directly between the consumer and the ACS server through a secure browser connection;

• The ACS provides the payer authentication response back to FAC’s MPI.

• Merchant proceeds with the payment authorisation depending on the authentication response codes provided by the MPI.

Page 15: Payer Authentication Solutions For Verified by VISA

Who’s protected and how?

Consumers

• Once enrolled in 3-D Secure consumers can be protected from fraudulent use of their card at an Internet merchant site;

• This builds consumer confidence in the payment mechanisms online prompting greater use and increased spending

Merchants

• Benefit from chargeback liability shift on disputed payment transactions if they are enrolled in 3-D Secure and made an attempt to authenticate the cardholder during the payment process. Neither the issuer nor the cardholder needs to be enrolled in order for protection to be guaranteed!

Page 16: Payer Authentication Solutions For Verified by VISA

Who’s protected and how?

Merchants cont’d

• VISA supports chargeback liability shift on 3-D Secure attempts and completed authentication requests.

• MasterCard in USA and Canada does not support ‘attempts’ and requires full UCAF authentication in order to transfer chargeback liability shift from merchant to consumer.

Page 17: Payer Authentication Solutions For Verified by VISA

Who’s protected and how?

Merchants cont’d

• MasterCard in EU, SAMEA, LACR and AP support CB liability shift on SecureCode ‘attempts’ on intra-regional transactions (cardholder and merchant in same region) if the SecureCode request is attempted (with or without completion) and a valid payment transaction authorisation is obtained.

Page 18: Payer Authentication Solutions For Verified by VISA

How does chargeback liability shift work?

Acquirers

• Once the Acquirer BINs are enrolled in VbV and SecureCode, all 3-D Secure based transactions are flagged in interchange as either attempts or completions;

• These flags (ECI, XID, CAVV), located in the authorisation message, prevent Issuers from charging back transactions for certain Reason Codes;

• These transactions are also flagged for lower interchange fees – up to 40 basis points depending on transaction type.

Page 19: Payer Authentication Solutions For Verified by VISA

How does chargeback liability shift work?

Authorisation Field Data – VISA

• CAVV - Cardholder Authentication Verification Value is a unique value derived by the Issuer in response to an authentication request from a 3-D Secure merchant – this is sent back to the MPI by the ACS server

• XID - Transaction Identifier - Unique tracking number set by the merchant and sent to the ACS during the authentication process

• ECI – Electronic Commerce Indicator – provided by the MPI and submitted with the authorisation request to BASE I. Values are 5 (full authentication), 6 (attempted authentication), 7 and 8 (failed authentication or password).

The payment gateway AND the processor must support these three 3DS fields in the authorisation message format into BASE I and settlement records into BASE II.
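The payer authentication process from the earlier slides, combined with the VISA ECI values listed above, as an added Python sketch that is not FAC's or the card schemes' code. The class names, the constructed BIN range and card numbers, the password hashing scheme and the use of ECI 7 for every failed authentication are assumptions made for illustration.

```python
import hashlib, hmac, os
from dataclasses import dataclass

# VISA ECI values as listed on the slide: 5 full, 6 attempted, 7/8 failed.
ECI_FULL, ECI_ATTEMPT, ECI_FAILED = 5, 6, 7

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class ACS:
    """Issuer Domain: cardholder registrations, kept as salted hashes (assumption)."""
    def __init__(self):
        self._cards = {}                       # PAN -> (salt, derived key)
    def register(self, pan, password):
        salt = os.urandom(16)
        self._cards[pan] = (salt, _kdf(password, salt))
    def is_registered(self, pan):
        return pan in self._cards
    def challenge(self, pan, browser):
        # The password travels browser -> ACS; the merchant/MPI sees only the outcome.
        salt, stored = self._cards[pan]
        return hmac.compare_digest(stored, _kdf(browser(), salt))

class DirectoryServer:
    """Interoperability Domain: routes a card number to the ACS of an enrolled BIN range."""
    def __init__(self):
        self._ranges = []                      # (low BIN, high BIN, ACS)
    def enroll_issuer(self, low, high, acs):
        self._ranges.append((low, high, acs))
    def lookup(self, pan):
        card_bin = int(pan[:6])
        return next((a for lo, hi, a in self._ranges if lo <= card_bin <= hi), None)

@dataclass(frozen=True)
class AuthResult:
    eci: int
    status: str

def mpi_authenticate(ds, pan, browser):
    """Acquirer Domain: the MPI's view of one payer authentication."""
    acs = ds.lookup(pan)
    if acs is None:
        return AuthResult(ECI_ATTEMPT, "issuer BIN not enrolled")
    if not acs.is_registered(pan):
        return AuthResult(ECI_ATTEMPT, "cardholder not enrolled")
    if acs.challenge(pan, browser):
        return AuthResult(ECI_FULL, "authenticated")
    return AuthResult(ECI_FAILED, "authentication failed")

def visa_liability_shift(result):
    # Slide text: VISA shifts liability on attempts and completed authentications.
    return result.eci in (ECI_FULL, ECI_ATTEMPT)

def demo():
    acs, ds = ACS(), DirectoryServer()
    ds.enroll_issuer(400000, 400099, acs)               # constructed BIN range
    acs.register("4000001234567890", "correct horse")   # constructed card number
    cases = [("4000001234567890", "correct horse"), ("4000001234567890", "guess"),
             ("4000009999999999", ""), ("4999991234567890", "")]
    return [(r.eci, r.status, visa_liability_shift(r))
            for r in (mpi_authenticate(ds, p, lambda pw=pw: pw) for p, pw in cases)]

if __name__ == "__main__":
    for row in demo():
        print(row)
```

Only the failed-password case leaves the merchant without the liability shift; both "not enrolled" outcomes count as attempts, which is the behaviour the slides describe for VISA.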

Page 20: Payer Authentication Solutions For Verified by VISA

How does chargeback liability shift work?

Authorisation Field Data – MasterCard

• UCAF - Cardholder Authentication Field is a unique value transmitted in response to an authentication request from a 3-D Secure merchant. Values are YES, NO

• UCAF CIV – UCAF Collection Indicator Value provided in the authorisation message in response to the merchant’s 3-D Secure request. Values are 0, 1, 2

• ECI – Electronic Commerce Indicator – provided by the MPI and submitted with the authorisation request to INET. Values are 1 or 2

• SPA and hidden fields are no longer required.

The payment gateway AND the processor must support these UCAF 3DS fields in the authorisation message format for INET.

Page 21: Payer Authentication Solutions For Verified by VISA

How does chargeback liability shift work?

| Chargeback Reason Code | VISA USA Credit and Offline Debit Cards (Check cards) | VISA International Credit and Offline Debit Cards (Check cards) |
|---|---|---|
| RC 23 – Invalid T&E | authentication and attempts | authentication and attempts |
| RC 61 – Fraudulent MO/TO | authentication and attempts | N/A |
| RC 75 – Cardholder does not recognize transaction | authentication and attempts | N/A |
| RC 83 – Fraudulent MO/TO | N/A | authentication and attempts |

Page 22: Payer Authentication Solutions For Verified by VISA

How does chargeback liability shift work?

| Chargeback Reason Code | MasterCard International USA, LACR, Canada Credit and Debit Cards (Maestro cards) | MasterCard International EU, SAMEA, AP IntraRegional Credit and Debit Cards (Maestro cards) |
|---|---|---|
| RC 4837 – Cardholder non-authorisation | Completed authentication only | authentication attempt or completion if merchant enrolled and transaction authorised |
| RC 4863 – cardholder transaction not recognized | Completed authentication only | authentication attempt or completion if merchant enrolled and transaction authorised |

Page 23: Payer Authentication Solutions For Verified by VISA

Online Chargeback Statistics

• Payer Authentication could reduce VISA online chargebacks by as much as 70%.

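[Pie chart of VISA online chargebacks by reason code. Segments: All Other; Code 83; Code 61. Segment labels: Fraudulent MOTO Transaction; Non-Possession of Card. Values shown: 31%, 43%, 26%.]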

Page 24: Payer Authentication Solutions For Verified by VISA

Online Chargeback Statistics

MasterCard Reason Code 37 represents:

– 58% of all chargebacks

– 80-84% of all ecommerce chargebacks

Decline Rates are:

– 5% for all transactions

– 16% of MO/TO Ecommerce Transactions

Page 25: Payer Authentication Solutions For Verified by VISA

What are the Problems with 3-D Secure?

Activation During Shopping

Issuers have implemented activation during shopping to facilitate enrollment for their cardholders;

Online activation occurs while shopping at a 3-D Secure enrolled merchant site.

Pop Up window (from Issuer ACS) displays during the check out process requesting the cardholder to “activate now” or “activate later”. Consumer must select one to continue;

If consumer selects to “activate now” ACS continues with cardholder ID validation;

If consumer selects to “activate later” they are returned to the merchant’s check out process to continue with their payment;

Issuers must allow consumer 3 attempts to activate during shopping

Page 26: Payer Authentication Solutions For Verified by VISA

What are the Problems with 3-D Secure?

Activation During Shopping - “Activate Now”

If consumer selects to “activate now”, verification of the consumer’s ID takes place first (validation of card #, exp date, CVV2 etc)

If ID authentication fails, consumer is advised to contact their bank and pop-up window ‘should’ allow the consumer to continue with the original check out process;

This failed enrollment is flagged as an “attempt” by the MPI and is eligible for chargeback protection in the event of a dispute!

If ID authentication is successful, consumer is guided through the registration process for Verified By VISA or SecureCode and the activation is complete;

Control is then returned to the merchant’s check out page so the consumer can continue with their purchase;

This completed enrollment is flagged as a “completion” by the MPI and is eligible for chargeback protection in the event of a dispute.

Page 27: Payer Authentication Solutions For Verified by VISA

What are the Problems with 3-D Secure?

Activation During Shopping - Problems can occur

Failed attempts to either validate the consumer’s ID or enrollment problems/failures can cause the pop-up window to get “stuck” open; Consumer must exit manually or leave merchant site resulting in lost sales;

Communication can be disrupted (Internet) causing time-outs, browser session hanging etc resulting in a failed enrollment and potentially a lost sale;

Consumer education is lacking! – Many issuers have not adequately educated their cardholders about “activation during shopping”; Consumer thinks the merchant is requesting information through a pop-up box and exits the session – suspicious!

Consumers could have pop-up killers set on their browser to prevent the pop-up window from opening to initiate the process

Page 28: Payer Authentication Solutions For Verified by VISA

What are the Problems with 3-D Secure?

Other Problems – Communication via the Internet

Directory Server could be down/unresponsive hence unable to initiate the payer authentication process;

The Issuer ACS server could be down preventing the cardholder from validating if enrolled;

The MPI server could be down preventing the merchant from requesting a 3-D Secure transaction

The Internet connection between the consumer and the merchant could be disrupted (particularly dial up users) during the middle of the enrollment or authentication process causing the enrollment process to fail

Page 29: Payer Authentication Solutions For Verified by VISA

FAC’s 3-D Secure Service: cGate® SecureVerify

FAC licensed MPI source software from a certified vendor in the UK – CardTech Limited

FAC installed the MPI so that 3-D Secure could be provided to merchants whether they use FAC’s payment gateway services or not;

FAC is the first certified ‘service provider’ of 3-D Secure solutions in the LACR

Certification completed March 21st, 2004

Page 30: Payer Authentication Solutions For Verified by VISA

Key Product Features – cGate® SecureVerify

Various 3DS solutions are available to FAC clients

1. “Advance Authentication” – allows merchants to leverage FAC’s 3-D Secure-only services in advance of the payment authorisation request. Merchant will connect to FAC via a web link to engage payer authentication. 3-D Secure responses are returned to the merchant payment page for onward processing through their payment gateway based on the responses received.

The responses identify the enrolment status of the Issuer and/or the cardholder prior to authorising a transaction assisting with determining chargeback liability shift rights in the event of a dispute.

Page 31: Payer Authentication Solutions For Verified by VISA

Key Product Features – cGate® SecureVerify

2. “3D Secure with FAC multicurrency payment solutions” – allows merchants to leverage FAC’s 3D Secure services using FAC’s payment gateway and merchant solutions.

• Merchant connects to FAC via a web link from their own payment page to engage payer authentication.

• 3D Secure can be validated for ANY country and any cardholder worldwide regardless of the cardholder’s card currency or language

Page 32: Payer Authentication Solutions For Verified by VISA

Key Product Features – cGate® SecureVerify

3. “MPI Software Hosting Solutions” – offers banks who have purchased/licensed their own 3-D Secure software to host their application on FAC’s secure servers.

• FAC is PCI certified 2005 - 2009.

• FAC can install, maintain and monitor 3-D Secure hosted MPI software on behalf of larger acquirers (24X7, fully redundant servers, real-time fail-over).

Page 33: Payer Authentication Solutions For Verified by VISA

What are the benefits of using cGate® SecureVerify?

Merchant Benefits

Simple set up – no software to purchase, no merchant “plug-in” to install

Immediate access to Verified By VISA and MasterCard SecureCode™ once enrolled

Protection from consumer fraud losses, unauthorized transactions and disputes

Chargeback liability shift for key CB reason codes – even on supported attempts

Increased consumer confidence leading to increased sales    

Page 34: Payer Authentication Solutions For Verified by VISA

What are the benefits of using cGate® SecureVerify?

Merchant Benefits cont’d

Increased card acceptance over other payment methods – increased sales!

Lower transaction costs – allowing for more competitive product pricing

Greater income potential from reduced transaction costs and chargeback penalty fees

MasterCard SecureCode™ and Verified By VISA programme benefits, marketing and support

Page 35: Payer Authentication Solutions For Verified by VISA

What are the benefits of using cGate® SecureVerify?

Acquirer Benefits

Better and cheaper than chargeback insurance!

Immediate reduction in interchange costs for 3-D Secure™ authenticated ecommerce transactions – up to 40 basis points savings on 3-D Secure™ transactions – even attempted 3-D Secure™ transactions!

Immediate reduction in credit risk, disputed transactions, chargebacks, exception handling expenses, and portfolio losses;

Immediate reduction in back office costs and administration relating to retrieval requests, dispute handling, chargeback investigation and lengthy presentment cases

Page 36: Payer Authentication Solutions For Verified by VISA

What are the benefits of using cGate® SecureVerify?

Acquirer Benefits cont’d

Fast and easy enrollment – no MPI software to purchase – installation and certification are completed on the bank’s behalf;

Reduced capital expenditure in relation to other fraud management and detection services/software;

Guaranteed liability shift from Acquirer to Issuer for key chargeback reason codes.

Page 37: Payer Authentication Solutions For Verified by VISA

What are the benefits of using cGate® SecureVerify?

Processor and Aggregator Benefits

Long term retention of 3-D Secure™ compliant merchants with Acquiring bank(s);

Immediate reduction in disputed transactions, chargebacks, exception handling fees, and portfolio losses;

Immediate reduction in penalty fees and fines associated with high chargeback merchants (>1%);

More negotiable discount rates for 3-D Secure™ authenticated ecommerce transactions – immediate savings across the acquiring business portfolio;

Fast and easy enrolment – no MPI software to purchase – installation and certification are completed on your behalf by FAC!

Page 38: Payer Authentication Solutions For Verified by VISA

What are the benefits of using cGate® SecureVerify?

Processor and Aggregator Benefits

“Pay as you Go” enrolment model – register one, some or all of your entire portfolio!

Acquirers can decide which merchants to set up for 3-D Secure™

Reduction/elimination of high risk merchants from the Global Chargeback Monitoring Programmes;  

Overall improvement in merchant portfolio and profitability

Page 39: Payer Authentication Solutions For Verified by VISA

First Atlantic Commerce

[email protected]

www.firstatlanticcommerce.com