Verified by Visa & MasterCard SecureCode: Fraudulent Chargeback Liability Shift

Opportunity Wales Objective 2 Project Report
Author: Mandeep Kaler
Version: Final (15/03/07)


© eCommerce Innovation Centre, Cardiff University 2007


Table of Contents

1.0 INTRODUCTION

2.0 THE CHARGEBACK PROBLEM
2.1 What are Chargebacks?
2.2 What are Fraudulent Chargebacks?

3.0 VERIFIED BY VISA AND MASTERCARD SECURECODE
3.1 Fraudulent Transaction Liability Shift
3.2 Customer point of view: Verified by Visa & MasterCard SecureCode
3.3 The 3 Domain (3D) Secure Model
3.4 Authentication Plug-in Software

4.0 ADVANTAGES AND DISADVANTAGES OF VERIFIED BY VISA AND MASTERCARD SECURECODE
4.1 Fraudulent Chargeback Reduction
4.2 Implementation and Maintenance Costs
4.3 Exceptions to Chargeback protection
4.4 Customer Limitations
4.5 Business Limitations
4.6 Credit Card Issuing Bank problems

5.0 CONCLUSION

6.0 REFERENCES

APPENDIX
Table 1: Credit Card Companies offering Verified by Visa to Customers in the UK
Table 2: Credit Card Companies offering MasterCard SecureCode in the UK
Table 3: Payment Service Providers offering Verified by Visa and MasterCard SecureCode


1.0 Introduction

With the increase in on-line sales within the Welsh SME community, Credit Card fraud is a problem which can put companies out of business. SMEs suffer the most when an item has been purchased using stolen Credit Card details and the legitimate cardholder wants their money back. The money is taken from the SME's account and refunded to the customer with a fine. As well as losing money on transactions, businesses who have a high incidence of Chargebacks can lose the ability to accept payment as they are deemed too risky by the Payment Service Providers.

Internet fraud was an estimated £117.1 million in 2005 for the UK (APACS, 2006). Some customers may believe that fraud occurs when criminals intercept card details during the process of entering and transmitting payment details over the internet. The Secure Socket Layer protocol (SSL), which is used for encryption, is a proven tool which addresses this issue. The majority of the details used for Card Not Present (CNP) Fraud were obtained by skimming, raiding bins, or unsolicited eMails or telephone calls.

The biggest problem for businesses when selling on-line is to confirm the identity of the customer at the time of the sale. Credit Cards were designed for face to face transactions with the signature or Personal Identification Number (PIN) being authenticated by the merchant at the point of sale. With the distance selling involved for Internet transactions, it is difficult for the merchant to determine whether they are dealing with the cardholder or a criminal with the cardholder's details.

Visa and MasterCard recognised these problems were putting smaller companies out of business and giving customers a negative perception of trading on-line safely. They have both tried to address it by implementing a system which would involve an added customer authentication to reduce fraud and make any fraudulent Chargebacks the Credit Card issuing bank’s responsibility.

2.0 The Chargeback Problem

2.1 What are Chargebacks?

In order to understand the shift in liability, the problem of the Chargeback needs to be explained. A Chargeback refers to a dispute between a customer and a business they have purchased an item from. The customer asks their Credit Card company for a refund on a good or service purchased at a shop. The item or service may not have been delivered, be damaged or may differ from what was advertised. If the Credit Card company agrees the customer is entitled to the money, they will require the business to refund the payment as well as pay a Chargeback fee of around £20 once the customer has sent the item back. In this scenario the business loses out as they have not delivered a product or service as agreed, delivered an incorrect or damaged product or produced a bad service.


2.2 What are Fraudulent Chargebacks?

A fraudulent Chargeback is when stolen Credit Card details are used to purchase goods or services. The payment is taken and items are sent out. When the cardholder reports that their card has been stolen or that there are unauthorised transactions on their statement, their Credit Card provider will take the money back from the merchant's account and impose a Chargeback fee. A business may find themselves in a position where they have taken an order, received payment and sent the order; then several weeks later they have to refund the payment as well as pay an additional fine with no chance of the items being returned. This is referred to as a Fraudulent Chargeback and it differs to a normal Chargeback as the business may have provided a good service and is probably not responsible for the cardholder's details being stolen but has to absorb the cost.

The Credit Card companies are quite powerful when it comes to Chargebacks and on-line payment providers protect themselves in several ways.

- They can pass Chargeback responsibilities onto the business;
- Hold money for a certain period after a transaction, the first month after the transaction has a higher possibility of Chargeback than subsequent months;
- Ask a business to take out a bond to cover Chargeback;
- Automatically take money from any current transactions without the company's consent;
- Take away the ability for businesses to accept payment on-line if they have had too many Chargebacks and are deemed too risky;
- Operate a shared list of excluded businesses, which is distributed to other payment providers. This could lead to a business never receiving an Internet Merchant Account during its lifetime.

Despite these problems, the model of Chargebacks is beginning to change with Verified by Visa and MasterCard SecureCode shifting the liability onto the Credit Card issuer.

3.0 Verified By Visa and MasterCard SecureCode

3.1 Fraudulent Transaction Liability Shift

If fraud occurs on a Verified By Visa or SecureCode transaction then the Merchant no longer has to refund the customer whose card details have been used as it would have under the old system. As the card details and the password have been verified, the bank which issues the Credit Card (for example Barclaycard or NatWest) will now be responsible for refunding the customer on a fraudulent transaction. This would mean the possibility of a business never receiving a Fraudulent Chargeback and the associated Chargeback fine if customers use this system.


3.2 Customer point of view: Verified by Visa & MasterCard SecureCode

When making a purchase, the customer will be required to enter a username and password with their Credit Card details in order to authenticate their purchase. This works in a similar way to making a face to face retail card purchase which requires a PIN. The idea is that, unlike the other Credit Card details such as the card number, signature and CSV (3 digit number on the back of the card), which are written on a Credit Card, the password is not kept with the card and should not be written down.

Again similar to a PIN, Visa and MasterCard will not contact you asking for the password. To help customers avoid entering card details into phishing sites, a personal greeting has been added as seen in Figure 2 (on page 5). The personal greeting is written by the customer upon enrolment which is stored on Visa or Mastercard’s systems. If the greeting was to differ from the original written by the customer, then the customer should cancel the transaction and contact their Credit Card provider.

The following diagrams show an example of an on-line MasterCard SecureCode transaction. When a customer is shopping on-line, they submit their order as usual (see Figure 1 below).

Figure 1: Submitting Order Screen

(Source: MasterCard SecureCode Demo, 2004)

Once they have entered their details, they will either see a MasterCard/Visa pop-up box as seen in Figure 2 (on page 5) or a box which is embedded into the Web page of the shop as shown in Figure 3 (on page 5). Notice that the last four digits of the Credit Card number are displayed as well as a personal greeting which would have been set-up during enrolment. Once the SecureCode has been entered, and successfully verified, the process is complete.


Figure 2: MasterCard SecureCode Pop-up Box

Figure 3: MasterCard SecureCode Embedded Web Page

A list of Credit Card providers offering MasterCard SecureCode and Verified by Visa to customers can be found in Table 1 and 2 of the appendix.

3.3 The 3 Domain (3D) Secure Model

The main reason for the shift is the 3D Secure model, which is at the centre of the Visa and MasterCard initiatives. The model is not a technical payment system; it is a model which establishes who is responsible at different sections of the on-line transaction. These responsibilities are separated into an Issuer Domain, an Acquirer Domain and an Interoperability Domain as shown in Figure 4 (on page 7).


The Issuer Domain concerns cardholders and their Credit Card issuing banks. The Credit Card issuer is responsible for verifying and enrolling their card members. They must also authenticate their cardholders during on-line purchases.

The Acquirer Domain concerns merchants and their banks. Acquirers are responsible for ensuring that merchants are signed up and are following the conditions of their contract. They must also provide authenticated transaction processing.

The Interoperability Domain concerns the communication between issuing and acquiring organisations using Visa’s or MasterCard’s infrastructure. Visa or MasterCard are responsible for this domain.

3.4 Authentication Plug-in Software

Businesses who want to use Verified by Visa or MasterCard SecureCode must use software called a plug-in. The plug-in software is provided by Payment Service Providers who process Internet Credit Card transactions. A list of Payment Service Providers who offer Verified By Visa and MasterCard SecureCode plug-in software and their associated cost can be found in Table 3 of the appendix.

The software must be approved by Visa and MasterCard before it can be used and it must be integrated with the business's server, which causes little difference to the customer facing sales process. An extra popup window will appear to the customer when making a purchase which will require a password as shown in Figure 2 and 3 (on page 5).

If the customer is not enrolled on the program but is eligible, they will be offered the chance to enrol onto the program while making the purchase. Figure 4 (on page 7) is a simplified representation of the 3D Secure model. The Acquirer domain is the only part which concerns the merchant and as long as the Merchant has the software referred to as a plug-in installed to pass information onto the Visa or MasterCard's systems, they are fulfilling their duty in the 3D secure model.


Figure 4: The 3 Domain Secure Model

The 3 Domain Secure Model Steps

1. The cardholder orders items and initiates payment on the business's Web site.
2. The plug-in software checks with the Visa/MasterCard directory to check if the customer's card is registered for this Verified by Visa/MasterCard SecureCode.
3. If the card is enrolled on the appropriate program, the directory checks that the appropriate Credit Card provider has the Credit Card holder's information.
4. The response is sent back to the directory and then back to the plug-in software.
5. The plug-in software sends an authentication request to the Credit Card issuing bank via the customer's browser.
6. The Credit Card issuing company gives the customer a personal prompt and asks the customer for a password.
7. The customer enters the password and the Credit Card issuing bank verifies it.
8. The Credit Card issuing bank returns an authentication successful response to the plug-in software.
9. The Credit Card issuing bank sends an authentication record to the Visa or MasterCard directory.
10. The plug-in validates the response and proceeds with the transaction via the business's Payment Service Provider.
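The ten steps above, modelled end to end as an added example (not code from the report, Visa or MasterCard). The card numbers, password, routing by the first six card digits and the HMAC that stands in for the issuer's signature on its response are assumptions made for illustration; the outcome labels follow sections 3.1 and 4.3 of this report.

```python
import hashlib
import hmac

# All values are constructed for illustration: card numbers, password, key.
ISSUER_KEY = b"constructed-demo-key"  # assumption: stand-in for the issuer's signing credential


def pw_hash(password, salt=b"constructed-salt"):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def sign(pan, order_id, status):
    # Binds the result to one card and one order so it cannot be reused elsewhere.
    msg = f"{pan}|{order_id}|{status}".encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()


class Issuer:
    """Issuer Domain: enrols and authenticates its cardholders (steps 3, 6-9)."""

    def __init__(self, enrolled):
        self.enrolled = enrolled  # card number -> (password hash, personal greeting)

    def authenticate(self, pan, order_id, entered_password, directory):
        stored, greeting = self.enrolled[pan]  # greeting is shown with the prompt (step 6)
        ok = hmac.compare_digest(stored, pw_hash(entered_password))  # step 7
        status = "Y" if ok else "N"
        directory.records.append((order_id, status))  # step 9: authentication record
        return {"pan": pan, "order_id": order_id, "status": status,
                "greeting": greeting, "sig": sign(pan, order_id, status)}  # step 8


class Directory:
    """Interoperability Domain: routes enrolment checks to the issuer (steps 2-4)."""

    def __init__(self, issuers_by_prefix):
        self.issuers_by_prefix = issuers_by_prefix  # first six digits -> Issuer
        self.records = []

    def lookup(self, pan):
        issuer = self.issuers_by_prefix.get(pan[:6])
        return issuer if issuer is not None and pan in issuer.enrolled else None


def validate(response, pan, order_id):
    """Step 10: accept only a response that is signed and bound to this order."""
    expected = sign(pan, order_id, response["status"])
    return (response["pan"] == pan and response["order_id"] == order_id
            and hmac.compare_digest(response["sig"], expected))


def checkout(directory, pan, order_id, entered_password, in_transit=None):
    """Acquirer Domain plug-in. Returns (outcome, party liable for fraud)."""
    issuer = directory.lookup(pan)  # steps 2-4
    if issuer is None:
        return ("not_enrolled", "merchant")  # section 4.3: no Chargeback protection
    response = issuer.authenticate(pan, order_id, entered_password, directory)  # steps 5-9
    if in_transit is not None:
        response = in_transit(response)  # test hook: response changed before the plug-in sees it
    if not validate(response, pan, order_id):
        return ("invalid_response", None)  # do not proceed with this card
    if response["status"] != "Y":
        return ("failed_authentication", None)  # section 4.3: ask for another payment method
    return ("authenticated", "issuer")  # section 3.1: liability shift applies


def demo_directory():
    issuer = Issuer({"4000000000000002": (pw_hash("correct horse"), "Hello from Cardiff")})
    return Directory({"400000": issuer})


if __name__ == "__main__":
    d = demo_directory()
    print(checkout(d, "4000000000000002", "order-1", "correct horse"))
    print(checkout(d, "4000000000000002", "order-2", "wrong guess"))
    print(checkout(d, "4000000000000010", "order-3", "anything"))
```

Only the first call ends with the issuer carrying the fraud liability; a response whose status no longer matches its signature is refused at step 10 rather than treated as a successful authentication.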

4.0 Advantages and Disadvantages of Verified By Visa and MasterCard SecureCode

4.1 Fraudulent Chargeback Reduction

The diagram in Figure 5 below shows the number of Chargebacks and their cost for four Verified by Visa merchants between the months of January and September 2003. All four companies experienced a reduction in fraudulent Chargebacks and their costs. However, it should be noted that Verified by Visa has been better promoted in the USA with TV commercials aimed at customer awareness and mailing campaigns aimed at merchant awareness.

Figure 5 Chargeback Reduction

Source: Visa USA Merchant Letter, 2004

In 2003, dabs.com became the first UK on-line retailer to adopt Verified by Visa. Fraud accounted for around 0.2% of their turnover which cost dabs.com between £30,000 and £50,000 a month. After the adoption of Verified by Visa, fraud was reduced to zero for the year 2003 (Visa Dabs.com, 2005).

4.2 Implementation and Maintenance Costs

Many Payment Service Providers offer Verified by Visa and MasterCard SecureCode as standard to their merchants, however some charge a setup fee of around £50 and a monthly fee of around £50. A list of UK providers and their costs can be found in Table 3 of the appendix.


4.3 Exceptions to Chargeback protection

As useful as Chargeback protection is, there are some instances where Chargeback protection is not offered. These are:

- Any transactions which fail to authenticate, in this case a different payment method is required. If a cardholder does not enrol or use the verification schemes their transactions are not covered by Chargeback protection;
- Any payments which need to be re-authorised where the cardholder is not available to go through the password input process. For example for backordered products;
- Sales made using ‘one click buy’ technology such as Amazon 1-Click as it bypasses the verification process;
- Businesses who do not take reasonable actions to control/prevent fraud or have fraud rates that exceed a set level (usually 1%);
- Businesses whose products and/or services fall into a high risk category such as adult entertainment and on-line gaming;

In the past Chargeback protection was not offered on purchases made with Procurement cards. However Verified By Visa and MasterCard SecureCode are now accepted within the Welsh Purchasing Card (WPC) and the Government Purchasing Card (GPC) schemes. That being said, it is unlikely that approved suppliers would use this system when dealing with public bodies as fraud is low on Purchasing Card transactions.

4.4 Customer Limitations

Not all British Visa and MasterCard customers can enrol on the Verified by Visa and SecureCode schemes. The financial institutions who issue the cards (such as Barclaycard) have to offer the service on their Visa and MasterCard products. At the moment only ten institutions offer the Verified by Visa service in the UK and only nine offer the MasterCard SecureCode Service. These institutions don’t automatically enrol new or existing cardholders and appear to do little marketing to encourage cardholders to enrol on this service.

The banking industry have promoted Chip and PIN with a thorough marketing campaign, but little has been promoted for Verified By Visa and MasterCard SecureCode. If customers are not aware of the service they cannot use it and according to Visa one in eight Internet transactions uses Verified by Visa (PRNewswire, 2005). A list of Credit Card Issuing Banks that provide Verified By Visa and MasterCard SecureCode can be found in Table 1 and 2 of the appendix.

During the checkout process, Visa and MasterCard will send a prompt for customers to sign up for Verified by Visa and MasterCard SecureCode if they are not enrolled. This enrolment asks for personal information and some customers may think this is an attempt by criminals to steal Credit Card details. As shown in Figure 6 and 7 (on page 10), when a customer submits an order, they see the pop-up window asking them to enrol on the MasterCard/Visa program.


Figure 6: Submitting Order Screen

The customer will be asked for personal information to establish their identity as shown in Figure 7.

Figure 7: MasterCard SecureCode Enrolment Pop-up

The customer completes the registration by creating their password and makes a purchase as shown in Figure 8 (on page 11).


Figure 8: Creating a MasterCard SecureCode

A customer who wants to make a purchase and is confronted with the above registration process may be concerned that this is an attempt at phishing fraud and could cancel the enrolment and the transaction completely. Poor education by the Credit Card issuing banks has led to this and therefore it is important for businesses to have a section on their Web-site dedicated to payment which describes Verified By Visa and MasterCard SecureCode as well as its advantages.

4.5 Business Limitations

Businesses wishing to use the MasterCard and Visa services may discover a problem with regards to customer awareness as mentioned above. Businesses need to install a plug-in which should be provided by a Payment Service Provider, but not all Payment Service Providers offer this service, which needs to be approved by Visa or MasterCard. Also if Visa/MasterCard fails the authentication, a Merchant cannot accept payment from the rejected card. Instead merchants must ask for another form of payment, which could lead to legitimate orders being rejected.

However merchants are beginning to take notice of the extra protection offered from the liability shift and starting to adopt it. According to Cybersource, 49% of fraud management methods involved Verified by Visa or MasterCard SecureCode during 2006. For 2007, 23% of merchants plan to adopt Verified by Visa and MasterCard SecureCode (Cybersource 2007). Cybersource (2006) notes that most merchants operate an average of four different fraud prevention techniques as some fraud may still make it through and some legitimate orders may be rejected. MasterCard seemed to have recognised the problem of Merchant and cardholder awareness and is trying to encourage the adoption of MasterCard SecureCode by only allowing businesses to process Maestro Debit Card payments if they support MasterCard SecureCode from the 20th of June 2007.


4.6 Credit Card Issuing Bank problems

The biggest problem for the authentication programs is that Credit Card issuing banks will be responsible for paying authenticated fraudulent Chargebacks and not the Merchants. The Verified By Visa and MasterCard SecureCode programs benefit both the business and the customer by adding an extra security step. However these programs will cost the Credit Card issuing banks money and therefore are not in the financial interests of the bank.

5.0 Conclusion

Verified By Visa and MasterCard SecureCode address a problem which can badly damage businesses and consumer confidence when trading over the Internet. Despite this service being available for many years, there is little knowledge of it among UK consumers. Merchants are adopting the technology now that it is being supplied at little or no cost by the Payment Service Providers, however Visa, MasterCard and Credit Card issuing banks need to do more to promote these services within the UK. Credit Card companies appear to promote and sell their new identity theft programs and show that they are making an effort to fight fraud, but they have little incentive to promote a program which sees them penalised if fraud occurs and would prefer to see Chargebacks forced onto the merchants who trade on-line.


6.0 References

APACS, 2006, Fraud the Facts 2006, Retrieved 13th March 2007 from http://www.apacs.org.uk/resources_publications/documents/FraudtheFacts2006.pdf

Cybersource, 2006, Second Annual UK Online Fraud Report

Cybersource, 2007, Third Annual UK Online Fraud Report, Retrieved 13th March 2007 from http://www.cybersource.co.uk/resources/fraud_report_2007.php

MasterCard, 2004, MasterCard SecureCode Demo, Retrieved 13th March 2007 from http://www.mastercard.com/securecode/flash/securecodedemo.html

MasterCard SecureCode Europe, Retrieved 13th March 2007 from http://www.mastercard.com/us/merchant/security/what_can_do/SecureCode/index.html

PRNewswire, 6th December 2005, Visa Predicts 39% Increase in E-Commerce This Christmas, Retrieved 13th March 2007 from http://www.prnewswire.co.uk/cgi/news/release?id=159869

Visa, 2004, Visa USA Merchant Letter, Retrieved 13th March 2007 from http://www.salescart.com/partners/Cardinal/VBVisaletter.pdf

Visa, 2005, Dabs.com Verified By Visa Case Study, Retrieved 13th March 2007 from http://www.visaeurope.com/documents/vbv/verifiedbyvisa_casestudy.pdf

Verified by Visa Europe, Retrieved 13th March 2007 from http://www.visaeurope.com/merchant/handlingvisapayments/cardnotpresent/verifiedbyvisa.jsp


Appendix

Table 1: Credit Card Companies offering Verified by Visa to Customers in the UK

Bank | Web Address
Abbey | Service in development
Barclaycard | www.barclaycard.co.uk/barclaycardsecure/index.html
Barclays Bank | https://verifiedbyvisa.barclays.co.uk/barclays/registration/welcome.jsp?partner=debit.visa
Bank of Scotland | www.bankofscotlandhalifax.co.uk/bankaccounts/secure.asp
Capital One | www.capitalone.co.uk/web/raid/templates/gen_temp_10_001.jsp?page_id=2010&context_id=2&pageId=2010
Halifax | www.halifax.co.uk/bankaccounts/secure.asp
HSBC | https://secure6.arcot.com/vpas/hsbc/index.html
Lloyds TSB | https://www.securesuite.co.uk/lloyds/registration/welcome.jsp
Mint | http://www.mint.co.uk/credit_cards01.asp?page=CARDS/CREDIT_CARDS/FEATURES_AND_BENEFITS/MINT_SECURE
NatWest | www.natwest.com/global_options.asp?id=GLOBAL/SECURITY/CREDIT_CARD_SAFETY
The Royal Bank of Scotland | https://www.securesuite.co.uk/rbs/registration/welcome.jsp

Above Web sites retrieved on the 13th of March 2007

Table 2: Credit Card Companies offering MasterCard SecureCode in the UK

Bank | Web Address
Barclaycard | www.barclaycard.co.uk/barclaycardsecure/index.html
Bank of Scotland | www.bankofscotlandhalifax.co.uk/creditcards/secure.shtml
Capital One | http://www.capitalone.co.uk/web/raid/templates/gen_temp_10_001.jsp?page_id=2010&context_id=2&pageId=2010
Halifax | www.halifax.co.uk/creditcards/secure_home.shtml
HSBC | https://enrollment.securecode.com/vpas/hsbcuk/enroll/index.jsp?locale=en_US&bankid=3
Lloyds TSB | https://www.securesuite.co.uk/lloyds/registration/welcome.jsp
Mint | https://www.mintsecure.co.uk/rbs/registration/welcome.jsp?partner=mint
NatWest | www.natwestsecure.org/
Royal Bank of Scotland | https://www.securesuite.co.uk/rbs/registration/welcome.jsp

Above Web sites retrieved on the 13th of March 2007


The examples of costs given for payment services in Table 3 are meant as a guide and the latest prices should be confirmed with the appropriate payment companies.

Table 3: Payment Service Providers offering Verified by Visa and MasterCard SecureCode

Provider | Verified by Visa | MasterCard SecureCode | Web address
WorldPay-World Direct & Bank Direct | Included as standard | Included as standard | www.worldpay.co.uk
ChronoPay | Included as standard | Included as standard | www.chronopay.com
ePDQ from Barclaycard Business | £50 initial fee and £10 monthly fee | Included as standard | www.epdq.co.uk
HSBC Bank Secure ePayments | Included as Standard | Included as Standard | www.hsbc.co.uk/1/2/business/cards-payments/secure-epayments/
Splash plastic card | £50 initial fee and £10 monthly fee | Not Supported | www.splashplastic.com
Wirecard AG | Included as Standard | Included as Standard | www.wirecard.com
SECPay | Included as Standard | Included as Standard | www.secpay.com
BT Buynet | Included as Standard | Included as Standard | www.bt.com/epayments
DataCash | Initial fee of £3000 | Initial fee of £3000 | www.datacash.com
Protx VSP | Included as Standard | Included as Standard | www.protx.com
SecureTrading Ltd | Included as Standard | Included as Standard | www.securetrading.com
CI-CARD | Included as Standard | Not Supported | www.ci-card.com

Above Web sites retrieved on the 13th of March 2007