As a consumer, it is alarming to know that global card payment fraud tripled from 2011 to 2020, increasing from $9.84 billion to $32.39 billion.
And the United States is the most fraud-prone country in the world. The U.S. accounts for more than a third of all global fraud losses.
Credit card issuing companies are continuously looking for solutions to protect consumers, merchants, and issuers from rising online payment fraud.
Senior vice president of Visa's North American region, Mike Lemberger, said the company is working with financial institutions and merchants to fight fraud. Visa reportedly stopped $25 billion worth of fraud cases last year with A.I. technology.
And in that bid to curtail fraud, Visa developed an extra security layer for CNP transactions, popularly known as “Verified by Visa.” In this article, we'll look at what Verified by Visa is and how it affects the chargeback process.
Stoked? Let's take a deep dive!
What is Verified by Visa?
Verified by Visa, VbV, for short, is a cutting-edge cyber security service that protects cardholders and retailers from online fraud. Most credit card transactions are quickly validated behind the scenes using the buyer's protected personal information. To authenticate the cardholder's identity, an authentication—such as a one-time protocol code—is provided to their device as necessary. Many in the industry know this technology protocol as 3D Secure.
How to use Verified by Visa 3D Secure fraud prevention
For starters, it's crucial to reiterate that the Verified by Visa technology platform is based on the Three-Domain (3-D) Secure technology platform. The European Banking Authority certified 3D Secure as an SCA-compliant technique for two-factor authentication that ensure strong customer authentication.
The 3-D Secure Protocol splits the authentication process into three components or domains:
- Issuer Domain: Issuers, ACS processors, and cardholders are all part of the Issuer Domain
- Acquirer Domain: Acquirers, gateway/merchant processors, and merchants are all part of the Acquirer Domain.
- Interoperability Domain: The interoperability domain refers to Visa-operated systems that connect the issuer and acquirer domains.
Celo Communications AB first created this protocol for Visa Inc. in 1999. Between 2000 and 2001, Gemplus created a new upgraded version of 3-D Secure.
Enters 3D Secure 1
The original version of 3D Secure 1 or 3DS1 provides PSD2 (Europe’s Second Payment Services Directive) SCA compliance. It gave merchant fraud liability protection 3DS1 until October 2021. 3D Secure guarantees liability shifts from the merchant to the issuing bank when a customer files a Chargeback. It ensures you’ll be covered from fraudulent chargebacks on your merchant account, which was crucial in preventing “friendly fraud.”
How does 3DS work?
3DS operates like a PIN code for Card-Not-Present transactions.
Here’s how it works:
- Cardholder enters merchant's website.
- Cardholder attempts payment via merchant checkout page.
- 3DS SDK sends transaction and fingerprinting data to the Issuer for authentication.
- Issuers EMV 3DS and RBA determines risk level. The Issuer can then approve, decline or request additional authentication for the transaction at this point.
- Issuer sends a request to the cardholder for additional auth before approving or declining payment. If all documentation checks out, the Issuer authenticates payment. If they think it’s a high-risk transaction, Issuer declines authentication.
Because 3DS1 was released before smartphones, the user experience is diverse at best and annoyingly bad at worst. It frequently uses a pop-up window for customers to enter their information, making the merchant checkout page appear even less secure and prone to cyber-criminal attacks.
In short, people didn't like it very much.
EMV Co. built later updates of the protocol under the name EMV 3-D Secure, which they released in 2016 to address some of the original system's flaws.
3D SECURE 2 to the rescue
Technology is only as good as the leverage it provides. And as noted earlier, 3DS 1 hasn’t lived up to expectations. Hence, card networks decided to eclipse that framework.
Visa began phasing out 3D Secure 1 and related technology on 15 October 2021. Visa said they “will continue to support 3DS 1.0.2 transaction processing, including the 3DS 1.0.2 Directory Server (D.S.), but stop supporting 3DS 1.0.2 Attempts Server for non-participating issuers. After 15 October 2021, Visa will respond with a Verify Enrollment Response (VERes) = N to all authentication requests when the Issuer does not support 3DS 1.0.2 (e.g., BIN range does not have access control server [ACS] URL listed in the D.S.).”
Mastercard as a card issuer equally took a similar route in November 2021. Payment processors as moving toward this route for better customer experience in long terms.
What does the deprecation of 3DS 1.0.2 mean for fraud liability standards?
Visa and Mastercard eclipsed the 3D Secure 1.0.2 protocol and hastened migration to EMV 3D Secure (AKA, 3DS 2.1+) by no longer offering a liability shift for transactions processed using 3DS 1.0.2 framework. If a merchant continues to use 3DS 1.0.2, they will bear responsibility for any fraud, even on 3DS-protected transactions.
Visa said, “If an issuer continues to support 3DS 1.0.2 after 15 October 2021, it will be able to respond to merchants with a fully authenticated response and Cardholder Authentication Verification Value (CAVV), and merchants will obtain fraud liability protection. These debit card transactions will be blocked from fraud-related disputes1 in Visa Resolve Online.”
What are the benefits of Verified by Visa?
3DS promises a better user experience, seamless data transfer for better fraud protection, and enhanced functionality on several payment portals.
3D Secure 2 gives you increased security for online transactions as it’s compliant with PSD2, helps you detect fraudulent transactions before they are completed, and increases customer trust in online shopping at your store. It also promises lower interchange fees on credit cards for qualified purchases and supports larger, verified purchases.
That said, it’s crucial to point out that the 3DS framework was primarily designed to detect and prevent criminal fraud. While it serves that purpose to some degree of satisfaction, 3DS isn’t intended to solve chargebacks because of its underlying chargeback prevention limitations.
For one, it’s intended to address chargebacks involved with Visa card transactions. Further, it can only help prevent unauthorized transactions without limiting cases from other chargeback touchpoints.
In conclusion, Verified by Visa is not a silver bullet for chargeback mitigation. It’s one crucial strategy for fraud mitigation, but it doesn’t go all the way. If you want to create a complete chargeback and fraud mitigation strategy, see how we can help you here. Chargeflow offers merchants a comprehensive chargeback protection with additional layer of security to mitigate the risk of fraud.
Are there any additional fees for using Visa 3D Secure chargeback protection?
The fees for using Visa 3D Secure may vary depending on the financial institution or payment processor that you are using. Some providers may charge an additional fee for using 3D Secure, while others may include it as part of their standard fees. It's best to check with your provider to find out if there are any additional fees for using 3D Secure.
Can I still use Visa 3D Secure if I don't have an SSL certificate?
Yes, you can still use Visa 3D Secure if you don't have an SSL certificate. However, it's important to note that an SSL certificate is required for PCI DSS compliance and is used to encrypt sensitive information such as credit card details during online transactions. Without an SSL certificate, your online store may be at a higher risk of data breaches and fraud.
What should I do if I receive a chargeback on a transaction that was processed using Visa 3D Secure?
If you receive a chargeback on a transaction that was processed using Visa 3D Secure, you should contact your payment processor or financial institution to find out more information about the dispute and to start the chargeback process. They will be able to provide you with more information about the reason for the chargeback and what steps you need to take to dispute it.
Is it mandatory for merchants to use Visa 3D Secure for all online transactions?
It is not mandatory for merchants to use Visa 3D Secure for all online transactions. However, it is highly recommended as it provides an additional layer of security for online transactions, protecting merchants from chargebacks due to fraud. Some acquirers may require merchants to use 3D Secure for certain types of transactions or for transactions above a certain value.
How does Visa 3D Secure protect against chargebacks for card-not-present transactions?
Visa 3D Secure provides an additional layer of security for card-not-present transactions by requiring the cardholder to authenticate themselves with a one-time password or a fingerprint scan before the transaction can be completed. This helps to protect merchants from chargebacks due to fraud, as it ensures that the person making the purchase is the legitimate cardholder.
How does Visa 3D Secure work with other fraud prevention tools and systems?
Visa 3D Secure works in conjunction with other fraud prevention tools and systems, such as fraud detection software, address verification systems, and credit card security codes. Together, these tools and systems help to provide a comprehensive approach to fraud prevention, protecting merchants from chargebacks and other types of fraud.
Is Visa essential to stop chargebacks?
Visa is not essential to stop chargebacks, but it can be an important tool in helping to reduce the risk of chargebacks. Visa 3D Secure is a form of protection for merchants, which can help to prevent chargebacks caused by fraud. However, merchants can still use other forms of prevention methods such as using fraud detection software like Chargeflow, implementing a strong refund policy, or using address verification systems.