Every now and then a merchant would get in touch with us who would explicitly ask for a set-up with Verified by Visa and MasterCard SecureCode, which is known as 3-D Secure merchant account. Sometimes they would do that, even if a non 3-D service was available for her business. Most of the time, these are international merchants doing business in some high risk industry or other, who have previously used both types of merchant accounts and have had less than satisfactory experience with the non-3-D version. The biggest failure they cite, as ever, is that the non-3-D type had failed to protect them from chargebacks that weren’t their fault. 3-D solutions, in contrast, had helped them keep chargebacks low and their merchant accounts in good standing.
So, if a 3-D Secure merchant account is better at minimizing chargebacks, why would a merchant want to use anything else? Indeed, why is 3-D Secure type the exception (at least in the U.S.), rather than the norm? Well, the biggest reason is that the 3-D protocol makes the check-out process much more convoluted and cumbersome than it otherwise is, as it requires customers to go through an additional procedure to verify that they are authorized users of their credit cards.
And this procedure is not as simple as entering a card’s security code or your ZIP code, but it involves registering the card with Visa or MasterCard and creating yet another user name and password in the process. Many cardholders are understandably unwilling to go the extra mile and the end result is that a 3-D solution may cause a merchant to lose up to 30 percent of her transaction volume. Yes, it that big of a difference!
So what type of a merchant account should you choose for your business? The answer is “it depends”. Most of you would be better served by a traditional, non-3-D, merchant account. If, on the other hand, you do have a really big problem with fraud-related chargebacks, you would most likely benefit from a 3-D solution. Otherwise, you may well have your merchant account shut down. If you happen to go for a 3-D Secure, here is what you need to know about Verified by Visa. I will cover MasterCard SecureCode separately, for the sake of clarity.
Verified by Visa Basics
Verified by Visa is based on what is known as 3-D Secure — an XML-based protocol, which was developed by Visa. In fact, Visa named it Verified by Visa. The new protocol had the objective of improving the security of online payments. Other major card brands later adopted the protocol and designed their own 3-D solutions. MasterCard’s is named MasterCard SecureCode, JCB’s is called J / Secure and American Express’ — American Express SafeKey.
These services authenticate cardholders’ identity during a web-based transaction at 3-D participating merchants. At checkout, the merchants would show a brief message to the customer to notify her that she might next be prompted either to activate her card with the relevant 3-D service or, if the account is already activated, to provide her password. Here is how taht message might look:
The pre-authentication message could be incorporated into the checkout page, as shown below:
If the cardholder should need to activate her Verified by Visa account, she would be prompted to enter her card number and email address. Then the cardholder would be asked to verify her identity by providing her name and card security information.
Once authenticated, the cardholder is prompted to create her Verified by Visa account, which would involve things like selecting secret questions and responses, personal greetings and a password.
Once that is done, the cardholder’s 3-D Secure registration is complete and she is taken back to the merchant’s checkout page to complete the purchase. From that point on, every time the cardholder uses that card at a merchant participating with the applicable 3-D Secure service, she would be asked to enter her password at checkout. The authentication form would look something like this for Visa:
Upon validation of the cardholder, the authentication window would disappear and the transaction authorization would complete as usual.
Things You Should Know
Your processor would help you with the VbV implementation process, so there is no need for me to write about it here. But I will say a few words about how to set up and use the Electronic Commerce Indicator (ECI), which is not always done correctly.
The ECI indicates the level of security used at checkout when the cardholder provided her payment information. It has to be set to a value corresponding to the authentication results and the characteristics of the merchant checkout process, as follows:
- ECI 5 — the cardholder was authenticated by the issuer, which verified the cardholder’s password or identity information.
- ECI 6 — the merchant attempted to authenticate the cardholder, but either the cardholder or issuer was not participating.
- ECI 7 — the transaction was processed over a secure channel (for example, SSL / TLS), but payment authentication was not performed, or the issuer responded that authentication could not be performed.
However, U.S. merchants which are being monitored for excessive chargebacks or fraud may not be allowed to submit authenticated (ECI 5) and / or attempted authentication (ECI 6) transactions.
In addition to reducing fraud, for authenticated transactions, 3-D Secure services protect you from certain types of chargeback. For example, for Verified by Visa, as issuers authenticate their cardholders’ identities during transactions, the following chargeback reason codes would not apply to successfully authenticated transactions:
- Reason Code 75 — Cardholder Does Not Recognize Transaction.
- Reason Code 83 — Fraud Transaction — Card Absent Environment.
Furthermore, if you attempted to authenticate a cardholder and either the issuer or cardholder was not participating in Verified by Visa, you would still be protected from the above chargebacks for authenticated transactions.
That is, you would be protected, if you proceeded with the transaction, despite the lack of cardholder or (more rarely) issuer participation. In practice, the point of using a 3-D Secure merchant account is to process only successfully authenticated transactions.
The benefits of using a 3-D Secure merchant account are obvious. However, so is the downside. As you can see from the description of the 3-D verification process, a cardholder’s participation involves going through a full-blown registration process, which the cardholder would have to repeat for each individual credit card. On the merchant side, at checkout, each additional step reduces the conversion rate, i.e. reduces sales. As already noted, research shows that 3-D merchant accounts can be failing to finalize up to 30 percent of sales.
So, whether or not 3-D Secure should be used would depend on your circumstances. If you have a big problem with fraud-related chargebacks, then 3-D is definitely a good option to deal with the issue. For everyone else, however, a regular high-risk merchant account would most likely be the better choice.
Image credit: YouTube / Visa.