Should You Use a 3-D Secure Merchant Account?

It doesn’t happen every day, but often enough I would get contacted by a merchant who would explicitly ask for a 3-D Secure merchant account set-up, even if a non 3-D one were available for her business. Typically, these are international merchants operating in some high risk industry or other, who have previously used both types of merchant accounts and have had poor experience with the non-3-D version, which, they felt, had failed to protect them from excessively high chargebacks that weren’t their fault. 3-D solutions, on the other hand, helped them keep chargebacks low and their merchant accounts in good standing.

But if a 3-D Secure merchant account is better at minimizing chargebacks, why would a merchant use anything else? Indeed, why is 3-D Secure type the exception, rather than the norm? Well, the reason is that the 3-D process makes checking out a much more convoluted and cumbersome process than it otherwise is, as it requires cardholders to go through an additional authentication procedure. And this procedure is not as simple as entering the card’s security code or a ZIP code, but it involves registering the card with Visa or MasterCard, as it might be the case, and creating yet another user name and password. Many cardholders are unwilling to do that and the upshot is that a 3-D solution may cause a merchant to lose up to 30 percent of her transaction volume.

So what type of a merchant account should you choose for your own business? Well, the answer is “it depends”. Most of you would be better served by a traditional merchant account. However, if you have a really big problem with fraud-related chargebacks, you would probably be better served by a 3-D solution. Otherwise, you may well have your merchant account terminated. If you happen to go for a 3-D Secure, here is what you need to know about it.

3-D Secure Basics

3-D Secure is an XML-based protocol, which was developed by Visa under the name Verified by Visa, with the objective of improving the security of online payments. Other major card brands later adopted the protocol and developed their own 3-D solutions. MasterCard’s is named MasterCard SecureCode, JCB’s is called J / Secure and American Express’ — American Express SafeKey.

These services authenticate cardholders during a web-based transaction at 3-D participating merchants. At checkout, the merchants would show a brief message to the customer to notify her that she might next be prompted either to activate her card with the relevant 3-D service or, if the account is already activated, to provide her password. Here is how MasterCard SecureCode’s message would look:

The pre-authentication message could be incorporated into the checkout page, as shown below:

If the cardholder should need to activate her 3-D Secure account, she would be prompted to enter her card number and email address, as shown below:

Then the cardholder would be asked to verify her identity by providing her name and card security information, as shown below:

Once authenticated, the cardholder is prompted to create her 3-D account, which would involve things like selecting secret questions and responses, personal greetings and a password, as shown below:

Once that is done, the cardholder’s 3-D Secure registration is complete and she is taken back to the merchant’s checkout page to complete the purchase. From that point on, every time the cardholder uses that card at a merchant participating with the applicable 3-D Secure service, she would be asked to enter her password at checkout. The authentication form would look something like this for MasterCard:

And Visa’s window looks very much the same:

Upon validation of the cardholder, the authentication window would disappear and the transaction authorization would complete as usual.

Things You Should Know

Your processor would help you with the 3-D implementation process, so there is no need for me to write about it here. But I will say a few words about how to set up and use the Electronic Commerce Indicator (ECI), which is not always done correctly.

The ECI indicates the level of security used at checkout when the cardholder provided her payment information. It has to be set to a value corresponding to the authentication results and the characteristics of the merchant checkout process, as follows:

• ECI 5 — the cardholder was authenticated by the issuer, which verified the cardholder’s password or identity information.
• ECI 6 — the merchant attempted to authenticate the cardholder, but either the cardholder or issuer was not participating.
• ECI 7 — the transaction was processed over a secure channel (for example, SSL / TLS), but payment authentication was not performed, or the issuer responded that authentication could not be performed.

However, U.S. merchants which are being monitored for excessive chargebacks or fraud may not be allowed to submit authenticated (ECI 5) and / or attempted authentication (ECI 6) transactions.

In addition to reducing fraud, for authenticated transactions, 3-D Secure services protect you from certain types of chargeback. For example, for Verified by Visa, as issuers authenticate their cardholders’ identities during transactions, the following chargeback reason codes would not apply to successfully authenticated transactions:

• Reason Code 75 — Cardholder Does Not Recognize Transaction.
• Reason Code 83 — Fraud Transaction — Card Absent Environment.

Furthermore, if you attempted to authenticate a cardholder and either the issuer or cardholder was not participating in Verified by Visa, you would still be protected from the above chargebacks for authenticated transactions.

That is, you would be protected, if you proceeded with the transaction, despite the lack of cardholder or (more rarely) issuer participation. In practice, the point of using a 3-D Secure merchant account is to process only successfully authenticated transactions.

The Takeaway

The benefits of using a 3-D Secure merchant account are obvious. However, so is the downside. As you can see from the description of the 3-D verification process, a cardholder’s participation involves going through a full-blown registration process, which the cardholder would have to repeat for each individual credit card. On the merchant side, at checkout, each additional step reduces the conversion rate, i.e. reduces sales. As already noted, research shows that 3-D merchant accounts can be failing to finalize up to 30 percent of sales.

So, whether or not 3-D Secure should be used would depend on your circumstances. If you have a big problem with fraud-related chargebacks, then 3-D is definitely a good option to deal with the issue. For everyone else, however, a regular high-risk merchant account would most likely be the better choice.

Image credit: Visa.