Reliable cardholder authentication in e-commerce transactions is critical for reducing fraud and chargeback levels — the two biggest issues web-based merchants have to deal with.
Although not as straightforward as in card-present transactions, the process of validating the identity of cardholders in a non-face-to-face setting can be designed in a way that produces consistently accurate results.
What Do Verified by Visa and MasterCard SecureCode Do?
To help you in your efforts, both Visa and MasterCard have developed authentication tools, based on the 3-D Secure protocol, which are available to all e-commerce merchants and all cardholders. These services are Verified by Visa and MasterCard SecureCode.
How Do the Authentication Services Work?
In order to participate in these programs, the merchant must first install them on its server. Your processing bank should be able to assist you with the implementation. Once installed, the authentication tools can only be used with cards that have been activated with the programs.
During the card activation process, the cardholder selects a unique password that is later used during the authentication process. Activation can be done in one of several ways:
- On the issuer’s website. Card issuers typically offer Verified by Visa and MasterCard SecureCode activation on their websites.
- Activation banners and buttons. Visa, MasterCard, card issuers, and participating merchants may display activation banners or buttons that enable cardholders to activate their card by clicking on the banner or button and following the prompts.
- During shopping. Cardholders may also activate their cards during shopping, on the merchant’s website.
Provided a credit or debit card is activated with the respective authentication service, it is automatically recognized when used for purchases at participating e-commerce websites. Then the validation process goes through the following stages:
- Once a customer is ready to complete an order and make a payment at the e-commerce checkout, he or she enters the card number.
- At this time a new window opens up with the Verified by Visa or MasterCard SecureCode verification page and the cardholder is asked for his or her preselected password. After the password is submitted, the card issuer will authenticate the transaction and confirm that the cardholder is authorized to make the purchase. There is an option for retrieving forgotten passwords as well. If the issuer does not participate in the authentication program, no interaction takes place. Crucially, however, the merchant is still protected from certain fraud-related chargebacks.
- The issuer verifies its cardholder’s identity, sends a response to the merchant with the authentication result and the transaction can be completed. If the authentication fails, the merchant should request an alternative payment method.
- When the verification process is complete, the merchant includes the issuer’s authentication response with the transaction authorization request.
The two authentication tools are not identical and there are slight differences in the two authentication processes, but these are the essentials. If you decide to make these services part of your fraud prevention strategy (and you should), contact your processor who should be able to help you integrate them into your system. If your processor does not support them, this by itself should be a sufficient reason for replacing it.
Image credit: Four51.com.