I’m not sure if you know this: global card payment fraud tripled from 2011 to 2020, from $9.84 billion to $32.39 billion.
And the United States is the most fraud-prone country in the world. The U.S. accounts for more than a third of all global fraud losses.
Credit card issuing companies are continuously looking for solutions to protect consumers, merchants, and issuers from rising payment fraud.
Senior vice president of Visa's North American region, Mike Lemberger, said the company is working with financial institutions and merchants to fight fraud. Visa reportedly stopped $25 billion worth of fraud cases last year with A.I. technology.
And in that bid to curtail fraud, Visa developed a security layer for CNP transactions, popularly known as “Verified by Visa.” In this article, we'll look at what Verified by Visa is and how it affects the chargeback process.
Stoked? Let's take a deep dive!
What is Verified by Visa?
Verified by Visa, VbV, for short, is a cutting-edge cyber security service that protects cardholders and retailers from online fraud. Most credit card transactions are quickly validated behind the scenes using the buyer's protected personal information. To authenticate the cardholder's identity, an authentication—such as a one-time protocol code—is provided to their device as necessary. Many in the industry know this technology protocol as 3D Secure.
How to use Verified by Visa 3D Secure fraud prevention
For starters, it's crucial to reiterate that the Verified by Visa technology platform is based on the Three-Domain (3-D) Secure technology platform. The European Banking Authority certified 3D Secure as an SCA-compliant technique for two-factor authentication.
The 3-D Secure Protocol splits the authentication process into three components or domains:
- Issuer Domain: Issuers, ACS processors, and cardholders are all part of the Issuer Domain
- Acquirer Domain: Acquirers, gateway/merchant processors, and merchants are all part of the Acquirer Domain.
- Interoperability Domain: The interoperability domain refers to Visa-operated systems that connect the issuer and acquirer domains.
Celo Communications AB first created this protocol for Visa Inc. in 1999. Between 2000 and 2001, Gemplus created a new upgraded version of 3-D Secure.
Enters 3D Secure 1
The original version of 3D Secure 1 or 3DS1 provides PSD2 (Europe’s Second Payment Services Directive) SCA compliance. It gave merchant fraud liability protection 3DS1 until October 2021. 3D Secure guarantees liability shifts from the merchant to the issuing bank when a customer files a Chargeback. It ensures you’ll be covered from fraudulent chargebacks on your merchant account, which was crucial in preventing “friendly fraud.”
How does 3DS work?
3DS operates like a PIN code for Card-Not-Present transactions.
Here’s how it works:
- Cardholder enters merchant's website.
- Cardholder attempts payment via merchant checkout page.
- 3DS SDK sends transaction and fingerprinting data to the Issuer for authentication.
- Issuers EMV 3DS and RBA determines risk level. The Issuer can then approve, decline or request additional authentication for the transaction at this point.
- Issuer sends a request to the cardholder for additional auth before approving or declining payment. If all documentation checks out, the Issuer authenticates payment. If they think it’s a high-risk transaction, Issuer declines authentication.
Because 3DS1 was released before smartphones, the user experience is diverse at best and annoyingly bad at worst. It frequently uses a pop-up window for customers to enter their information, making the merchant checkout page appear even less secure and prone to cyber-criminal attacks.
In short, people didn't like it very much.
EMV Co. built later updates of the protocol under the name EMV 3-D Secure, which they released in 2016 to address some of the original system's flaws.
3D SECURE 2 to the rescue
Technology is only as good as the leverage it provides. And as noted earlier, 3DS 1 hasn’t lived up to expectations. Hence, card networks decided to eclipse that framework.
Visa began phasing out 3D Secure 1 and related technology on 15 October 2021. Visa said they “will continue to support 3DS 1.0.2 transaction processing, including the 3DS 1.0.2 Directory Server (D.S.), but stop supporting 3DS 1.0.2 Attempts Server for non-participating issuers. After 15 October 2021, Visa will respond with a Verify Enrollment Response (VERes) = N to all authentication requests when the Issuer does not support 3DS 1.0.2 (e.g., BIN range does not have access control server [ACS] URL listed in the D.S.).”
Mastercard equally took a similar route in November 2021.
What does the deprecation of 3DS 1.0.2 mean for fraud liability standards?
Visa and Mastercard eclipsed the 3D Secure 1.0.2 protocol and hastened migration to EMV 3D Secure (AKA, 3DS 2.1+) by no longer offering a liability shift for transactions processed using 3DS 1.0.2 framework. If a merchant continues to use 3DS 1.0.2, they will bear responsibility for any fraud, even on 3DS-protected transactions.
Visa said, “If an issuer continues to support 3DS 1.0.2 after 15 October 2021, it will be able to respond to merchants with a fully authenticated response and Cardholder Authentication Verification Value (CAVV), and merchants will obtain fraud liability protection. These transactions will be blocked from fraud-related disputes1 in Visa Resolve Online.”
What are the benefits of Verified by Visa?
3DS promises a better user experience, seamless data transfer for better fraud protection, and enhanced functionality on several payment portals.
3D Secure 2 gives you increased security for online transactions as it’s compliant with PSD2, helps you detect fraudulent transactions before they are completed, and increases customer trust in online shopping at your store. It also promises lower interchange fees on credit cards for qualified purchases and supports larger, verified purchases.
That said, it’s crucial to point out that the 3DS framework was primarily designed to detect and prevent criminal fraud. While it serves that purpose to some degree of satisfaction, 3DS isn’t intended to solve chargebacks because of its underlying chargeback prevention limitations.
For one, it’s intended to address chargebacks involved with Visa card transactions. Further, it can only help prevent unauthorized transactions without limiting cases from other chargeback touchpoints.
In conclusion, Verified by Visa is not a silver bullet for chargeback mitigation. It’s one crucial strategy for fraud mitigation, but it doesn’t go all the way. If you want to create a complete chargeback and fraud mitigation strategy, see how we can help you here.