
Opportunity Wales Objective 2 Project Report

Verified by Visa & MasterCard SecureCode: Fraudulent Chargeback Liability Shift


Author: Mandeep Kaler
Version: Final (15/03/07)

Table of Contents

1.0 INTRODUCTION
2.0 THE CHARGEBACK PROBLEM
    2.1 What are Chargebacks?
    2.2 What are Fraudulent Chargebacks?
3.0 VERIFIED BY VISA AND MASTERCARD SECURECODE
    3.1 Fraudulent Transaction Liability Shift
    3.2 Customer point of view: Verified by Visa & MasterCard SecureCode
    3.3 The 3 Domain (3D) Secure Model
    3.4 Authentication Plug-in Software
4.0 ADVANTAGES AND DISADVANTAGES OF VERIFIED BY VISA AND MASTERCARD SECURECODE
    4.1 Fraudulent Chargeback Reduction
    4.2 Implementation and Maintenance Costs
    4.3 Exceptions to Chargeback protection
    4.4 Customer Limitations
    4.5 Business Limitations
    4.6 Credit Card Issuing Bank problems
5.0 CONCLUSION
6.0 REFERENCES
APPENDIX
    Table 1: Credit Card Companies offering Verified by Visa to Customers in the UK
    Table 2: Credit Card Companies offering MasterCard SecureCode in the UK
    Table 3: Payment Service Providers offering Verified by Visa and MasterCard SecureCode

eCommerce Innovation Centre, Cardiff University 2007

1.0 Introduction
With the increase in on-line sales within the Welsh SME community, Credit Card fraud is a problem which can put companies out of business. SMEs suffer the most when an item has been purchased using stolen Credit Card details and the legitimate cardholder wants their money back. The money is taken from the SME's account and refunded to the customer with a fine. As well as losing money on transactions, businesses who have a high incidence of Chargebacks can lose the ability to accept payment as they are deemed too risky by the Payment Service Providers. Internet fraud was an estimated £117.1 million in 2005 for the UK (APACS, 2006).

Some customers may believe that fraud occurs when criminals intercept card details during the process of entering and transmitting payment details over the internet. The Secure Sockets Layer (SSL) protocol, which is used for encryption, is a proven tool which addresses this issue. The majority of the details used for Card Not Present (CNP) Fraud were obtained by skimming, raiding bins, or unsolicited eMails or telephone calls.

The biggest problem for businesses when selling on-line is to confirm the identity of the customer at the time of the sale. Credit Cards were designed for face to face transactions with the signature or Personal Identification Number (PIN) being authenticated by the merchant at the point of sale. With the distance selling involved for Internet transactions, it is difficult for the merchant to determine whether they are dealing with the cardholder or a criminal with the cardholder's details.

Visa and MasterCard recognised these problems were putting smaller companies out of business and giving customers a negative perception of trading on-line safely. They have both tried to address it by implementing a system which would involve an added customer authentication to reduce fraud and make any fraudulent Chargebacks the Credit Card issuing bank's responsibility.

2.0 The Chargeback Problem


2.1 What are Chargebacks?
In order to understand the shift in liability, the problem of the Chargeback needs to be explained. A Chargeback refers to a dispute between a customer and a business they have purchased an item from. The customer asks their Credit Card company for a refund on a good or service purchased at a shop. The item or service may not have been delivered, may be damaged or may differ from what was advertised. If the Credit Card company agrees the customer is entitled to the money, they will require the business to refund the payment as well as pay a Chargeback fee of around £20 once the customer has sent the item back. In this scenario the business loses out as they have not delivered a product or service as agreed, delivered an incorrect or damaged product or provided a bad service.


2.2 What are Fraudulent Chargebacks?
A fraudulent Chargeback is when stolen Credit Card details are used to purchase goods or services. The payment is taken and items are sent out. When the cardholder notifies their Credit Card provider that their card has been stolen or that there are unauthorised transactions on their statement, the provider will take the money back from the merchant's account and impose a Chargeback fee.

A business may find themselves in a position where they have taken an order, received payment and sent the order; then several weeks later they have to refund the payment as well as pay an additional fine with no chance of the items being returned. This is referred to as a Fraudulent Chargeback and it differs from a normal Chargeback as the business may have provided a good service and is probably not responsible for the cardholder's details being stolen but has to absorb the cost.

The Credit Card companies are quite powerful when it comes to Chargebacks and on-line payment providers protect themselves in several ways. They can:
- Pass Chargeback responsibilities onto the business;
- Hold money for a certain period after a transaction, as the first month after the transaction has a higher possibility of Chargeback than subsequent months;
- Ask a business to take out a bond to cover Chargebacks;
- Automatically take money from any current transactions without the company's consent;
- Take away the ability for businesses to accept payment on-line if they have had too many Chargebacks and are deemed too risky;
- Operate a shared list of excluded businesses, which is distributed to other payment providers. This could lead to a business never receiving an Internet Merchant Account during its lifetime.

Despite these problems, the model of Chargebacks is beginning to change with Verified by Visa and MasterCard SecureCode shifting the liability onto the Credit Card issuer.

3.0 Verified By Visa and MasterCard SecureCode


3.1 Fraudulent Transaction Liability Shift
If fraud occurs on a Verified By Visa or SecureCode transaction then the Merchant no longer has to refund the customer whose card details have been used, as it would have under the old system. As the card details and the password have been verified, the bank which issues the Credit Card (for example Barclaycard or NatWest) will now be responsible for refunding the customer on a fraudulent transaction. This would mean the possibility of a business never receiving a Fraudulent Chargeback and the associated Chargeback fine if customers use this system.


3.2 Customer point of view: Verified by Visa & MasterCard SecureCode
When making a purchase, the customer will be required to enter a username and password with their Credit Card details in order to authenticate their purchase. This works in a similar way to making a face to face retail card purchase which requires a PIN. The idea is that, unlike the other Credit Card details such as the card number, signature and CSV (3 digit number on the back of the card), which are written on a Credit Card, the password is not kept with the card and should not be written down. Again similar to a PIN, Visa and MasterCard will not contact you asking for the password.

To help customers avoid entering card details into phishing sites, a personal greeting has been added as seen in Figure 2 (on page 5). The personal greeting is written by the customer upon enrolment and is stored on Visa's or MasterCard's systems. If the greeting were to differ from the original written by the customer, then the customer should cancel the transaction and contact their Credit Card provider.

The following diagrams show an example of an on-line MasterCard SecureCode transaction. When a customer is shopping on-line, they submit their order as usual (see Figure 1 below).

Figure 1: Submitting Order Screen

(Source: MasterCard SecureCode Demo, 2004)

Once they have entered their details, they will either see a MasterCard/Visa pop-up box as seen in Figure 2 (on page 5) or a box which is embedded into the Web page of the shop as shown in Figure 3 (on page 5). Notice that the last four digits of the Credit Card number are displayed as well as a personal greeting which would have been set up during enrolment. Once the SecureCode has been entered, and successfully verified, the process is complete.


Figure 2: MasterCard SecureCode Pop-up Box

Figure 3: MasterCard SecureCode Embedded Web Page

A list of Credit Card providers offering MasterCard SecureCode and Verified by Visa to customers can be found in Tables 1 and 2 of the appendix.

3.3 The 3 Domain (3D) Secure Model
The main reason for the shift is the 3D Secure model which is at the centre of the Visa and MasterCard initiatives. The model is not a technical payment system; it is a model which establishes who is responsible at different sections of the on-line transaction. These responsibilities are separated into an Issuer Domain, an Acquirer Domain and an Interoperability Domain as shown in Figure 4 (on page 7).


The Issuer Domain concerns cardholders and their Credit Card issuing banks. The Credit Card issuer is responsible for verifying and enrolling their card members. They must also authenticate their cardholders during on-line purchases.

The Acquirer Domain concerns merchants and their banks. Acquirers are responsible for ensuring that merchants are signed up and are following the conditions of their contract. They must also provide authenticated transaction processing.

The Interoperability Domain concerns the communication between issuing and acquiring organisations using Visa's or MasterCard's infrastructure. Visa or MasterCard are responsible for this domain.

3.4 Authentication Plug-in Software
Businesses who want to use Verified by Visa or MasterCard SecureCode must use software called a plug-in. The plug-in software is provided by Payment Service Providers who process Internet Credit Card transactions. A list of Payment Service Providers who offer Verified By Visa and MasterCard SecureCode plug-in software and their associated cost can be found in Table 3 of the appendix.

The software must be approved by Visa and MasterCard before it can be used and it must be integrated with the business's server, which causes little difference to the customer-facing sales process. An extra pop-up window will appear to the customer when making a purchase which will require a password as shown in Figures 2 and 3 (on page 5). If the customer is not enrolled on the program but is eligible, they will be offered the chance to enrol onto the program while making the purchase.

Figure 4 (on page 7) is a simplified representation of the 3D Secure model. The Acquirer Domain is the only part which concerns the merchant and as long as the Merchant has the software referred to as a plug-in installed to pass information onto Visa's or MasterCard's systems, they are fulfilling their duty in the 3D Secure model.


Figure 4: The 3 Domain Secure Model

The 3 Domain Secure Model Steps
1. The cardholder orders items and initiates payment on the business's Web site.
2. The plug-in software checks with the Visa/MasterCard directory whether the customer's card is registered for Verified by Visa/MasterCard SecureCode.
3. If the card is enrolled on the appropriate program, the directory checks that the appropriate Credit Card provider has the Credit Card holder's information.
4. The response is sent back to the directory and then back to the plug-in software.
5. The plug-in software sends an authentication request to the Credit Card issuing bank via the customer's browser.
6. The Credit Card issuing company gives the customer a personal prompt and asks the customer for a password.
7. The customer enters the password and the Credit Card issuing bank verifies it.
8. The Credit Card issuing bank returns an authentication successful response to the plug-in software.
9. The Credit Card issuing bank sends an authentication record to the Visa or MasterCard directory.
10. The plug-in validates the response and proceeds with the transaction via the business's Payment Service Provider.
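The ten steps above, followed as a small simulation that shows why the validation in step 10 matters: the issuer's answer reaches the plug-in through the customer's browser, so it has to be checked for authenticity and for belonging to this order before the merchant relies on it. This is an added example, not part of the original report or of the Visa/MasterCard specifications; the class and function names, card numbers and key are constructed, and an HMAC with a shared key stands in for the issuer's signature on its response.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: HMAC with a shared key stands in for the issuer's signature on its
# response, so the example needs only the standard library. The key is constructed.
ISSUER_KEY = secrets.token_bytes(32)

def sign(msg):
    """MAC over the fields the merchant relies on."""
    fields = [msg.get(k) for k in ("txn_id", "card", "amount", "status")]
    return hmac.new(ISSUER_KEY, json.dumps(fields).encode(), hashlib.sha256).hexdigest()

class Issuer:
    """Issuer Domain: enrols cardholders and checks the password (steps 6-7)."""
    def __init__(self):
        self.cards = {}  # card number -> (salt, password hash)

    @staticmethod
    def _kdf(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def enrol(self, card, password):
        salt = secrets.token_bytes(16)
        self.cards[card] = (salt, self._kdf(password, salt))

    def authenticate(self, request, password):
        salt, stored = self.cards[request["card"]]
        ok = hmac.compare_digest(stored, self._kdf(password, salt))
        resp = dict(request, status="authenticated" if ok else "failed")
        resp["sig"] = sign(resp)
        return resp

class Directory:
    """Interoperability Domain: enrolment lookup (steps 2-4), records (step 9)."""
    def __init__(self, issuer):
        self.issuer, self.records = issuer, []

    def is_enrolled(self, card):
        return card in self.issuer.cards

def checkout(directory, card, amount, password, browser=lambda resp: resp):
    """Merchant plug-in (Acquirer Domain). `browser` models the customer's
    browser, which carries the issuer's answer back and is not trusted."""
    if not directory.is_enrolled(card):                         # steps 2-4
        return "proceed_merchant_liable"      # no Chargeback protection
    request = {"txn_id": secrets.token_hex(8), "card": card, "amount": amount}
    issued = directory.issuer.authenticate(request, password)   # steps 5-7
    resp = browser(dict(issued))                                # step 8
    directory.records.append(issued)                            # step 9
    # Step 10: check origin and binding before trusting the status field.
    bound = all(resp.get(k) == v for k, v in request.items())
    if not bound or not hmac.compare_digest(str(resp.get("sig")), sign(resp)):
        return "reject_invalid_response"
    if resp["status"] != "authenticated":
        return "ask_for_other_payment"        # section 4.3, first exception
    return "proceed_issuer_liable"            # liability shift, section 3.1

def demo():
    issuer = Issuer()
    issuer.enrol("4000000000000002", "correct horse")  # constructed card and password
    d, card, seen = Directory(issuer), "4000000000000002", {}
    flip = lambda r: dict(r, status="authenticated")   # status altered in transit
    keep = lambda r: seen.update(r) or r               # remembers a genuine response
    replay = lambda r: dict(seen)                      # presents it for another order
    return [
        checkout(d, card, 4999, "correct horse"),
        checkout(d, card, 4999, "wrong guess"),
        checkout(d, card, 4999, "wrong guess", browser=flip),
        checkout(d, card, 100, "correct horse", browser=keep),
        checkout(d, card, 99900, "wrong guess", browser=replay),
        checkout(d, "5000000000000009", 4999, ""),     # card not enrolled
    ]
```

Calling demo() returns one outcome per constructed order; the two altered responses are rejected because the check covers both the issuer's MAC and the transaction id, card and amount of the order in hand.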

4.0 Advantages and Disadvantages of Verified By Visa and MasterCard SecureCode


4.1 Fraudulent Chargeback Reduction
The diagram in Figure 5 below shows the number of Chargebacks and their cost for four Verified by Visa merchants between the months of January and September 2003. All four companies experienced a reduction in fraudulent Chargebacks and their costs. However, it should be noted that Verified by Visa has been better promoted in the USA with TV commercials aimed at customer awareness and mailing campaigns aimed at merchant awareness.

Figure 5: Chargeback Reduction

Source: Visa USA Merchant Letter, 2004

In 2003, dabs.com became the first UK on-line retailer to adopt Verified by Visa. Fraud accounted for around 0.2% of their turnover, which cost dabs.com between £30,000 and £50,000 a month. After the adoption of Verified by Visa, fraud was reduced to zero for the year 2003 (Visa Dabs.com, 2005).

4.2 Implementation and Maintenance Costs
Many Payment Service Providers offer Verified by Visa and MasterCard SecureCode as standard to their merchants; however, some charge a setup fee of around £50 and a monthly fee of around £50. A list of UK providers and their costs can be found in Table 3 of the appendix.


4.3 Exceptions to Chargeback protection
As useful as Chargeback protection is, there are some instances where Chargeback protection is not offered. These are:
- Any transactions which fail to authenticate; in this case a different payment method is required. If a cardholder does not enrol or use the verification schemes their transactions are not covered by Chargeback protection;
- Any payments which need to be re-authorised where the cardholder is not available to go through the password input process, for example for backordered products;
- Sales made using one click buy technology such as Amazon 1-Click as it bypasses the verification process;
- Businesses who do not take reasonable actions to control/prevent fraud or have fraud rates that exceed a set level (usually 1%);
- Businesses whose products and/or services fall into a high risk category such as adult entertainment and on-line gaming.

In the past Chargeback protection was not offered on purchases made with Procurement cards. However Verified By Visa and MasterCard SecureCode are now accepted within the Welsh Purchasing Card (WPC) and the Government Purchasing Card (GPC) schemes. That being said, it is unlikely that approved suppliers would use this system when dealing with public bodies as fraud is low on Purchasing Card transactions.

4.4 Customer Limitations
Not all British Visa and MasterCard customers can enrol on the Verified by Visa and SecureCode schemes. The financial institutions who issue the cards (such as Barclaycard) have to offer the service on their Visa and MasterCard products. At the moment only ten institutions offer the Verified by Visa service in the UK and only nine offer the MasterCard SecureCode service. These institutions don't automatically enrol new or existing cardholders and appear to do little marketing to encourage cardholders to enrol on this service.

The banking industry has promoted Chip and PIN with a thorough marketing campaign, but little has been promoted for Verified By Visa and MasterCard SecureCode. If customers are not aware of the service they cannot use it, and according to Visa one in eight Internet transactions uses Verified by Visa (PRNewswire, 2005). A list of Credit Card Issuing Banks that provide Verified By Visa and MasterCard SecureCode can be found in Tables 1 and 2 of the appendix.

During the checkout process, Visa and MasterCard will send a prompt for customers to sign up for Verified by Visa and MasterCard SecureCode if they are not enrolled. This enrolment asks for personal information and some customers may think this is an attempt by criminals to steal Credit Card details. As shown in Figures 6 and 7 (on page 10), when a customer submits an order, they see the pop-up window asking them to enrol on the MasterCard/Visa program.


Figure 6: Submitting Order Screen

The customer will be asked for personal information to establish their identity as shown in Figure 7.

Figure 7: MasterCard SecureCode Enrolment Pop-up

The customer completes the registration by creating their password and makes a purchase as shown in Figure 8 (on page 11).


Figure 8: Creating a MasterCard SecureCode

A customer who wants to make a purchase and is confronted with the above registration process may be concerned that this is an attempt at phishing fraud and could cancel the enrolment and the transaction completely. Poor education by the Credit Card issuing banks has led to this and therefore it is important for businesses to have a section on their Web site dedicated to payment which describes Verified By Visa and MasterCard SecureCode as well as its advantages.

4.5 Business Limitations
Businesses wishing to use the MasterCard and Visa services may discover a problem with regards to customer awareness as mentioned above. Businesses need to install a plug-in which should be provided by a Payment Service Provider, but not all Payment Service Providers offer this service, which needs to be approved by Visa or MasterCard. Also, if Visa/MasterCard fails the authentication, a Merchant cannot accept payment from the rejected card. Instead merchants must ask for another form of payment, which could lead to legitimate orders being rejected.

However merchants are beginning to take notice of the extra protection offered from the liability shift and starting to adopt it. According to Cybersource, 49% of fraud management methods involved Verified by Visa or MasterCard SecureCode during 2006. For 2007, 23% of merchants plan to adopt Verified by Visa and MasterCard SecureCode (Cybersource 2007). Cybersource (2006) notes that most merchants operate an average of four different fraud prevention techniques as some fraud may still make it through and some legitimate orders may be rejected.

MasterCard seems to have recognised the problem of Merchant and cardholder awareness and is trying to encourage the adoption of MasterCard SecureCode by only allowing businesses to process Maestro Debit Card payments if they support MasterCard SecureCode from the 20th of June 2007.


4.6 Credit Card Issuing Bank problems
The biggest problem for the authentication programs is that Credit Card issuing banks will be responsible for paying authenticated fraudulent Chargebacks and not the Merchants. The Verified By Visa and MasterCard SecureCode programs benefit both the business and the customer by adding an extra security step. However these programs will cost the Credit Card issuing banks money and therefore are not in the financial interests of the bank.

5.0 Conclusion
Verified By Visa and MasterCard SecureCode address a problem which can badly damage businesses and consumer confidence when trading over the Internet. Despite this service being available for many years, there is little knowledge of it among UK consumers. Merchants are adopting the technology now that it is being supplied at little or no cost by the Payment Service Providers; however, Visa, MasterCard and Credit Card issuing banks need to do more to promote these services within the UK. Credit Card companies appear to promote and sell their new identity theft programs and show that they are making an effort to fight fraud, but they have little incentive to promote a program which sees them penalised if fraud occurs and would prefer to see Chargebacks forced onto the merchants who trade on-line.


6.0 References
APACS, 2006, Fraud the Facts 2006, Retrieved 13th March 2007 from http://www.apacs.org.uk/resources_publications/documents/FraudtheFacts2006.pdf

Cybersource, 2006, Second Annual UK Online Fraud Report

Cybersource, 2007, Third Annual UK Online Fraud Report, Retrieved 13th March 2007 from http://www.cybersource.co.uk/resources/fraud_report_2007.php

MasterCard, 2004, MasterCard SecureCode Demo, Retrieved 13th March 2007 from http://www.mastercard.com/securecode/flash/securecodedemo.html

MasterCard SecureCode Europe, Retrieved 13th March 2007 from http://www.mastercard.com/us/merchant/security/what_can_do/SecureCode/index.html

PRNewswire, 6th December 2005, Visa Predicts 39% Increase in ECommerce This Christmas, Retrieved 13th March 2007 from http://www.prnewswire.co.uk/cgi/news/release?id=159869

Visa, 2004, Visa USA Merchant Letter, Retrieved 13th March 2007 from http://www.salescart.com/partners/Cardinal/VBVisaletter.pdf

Visa, 2005, Dabs.com Verified By Visa Case Study, Retrieved 13th March 2007 from http://www.visaeurope.com/documents/vbv/verifiedbyvisa_casestudy.pdf

Verified by Visa Europe, Retrieved 13th March 2007 from http://www.visaeurope.com/merchant/handlingvisapayments/cardnotpresent/verifiedbyvisa.jsp


Appendix
Table 1: Credit Card Companies offering Verified by Visa to Customers in the UK

Bank                         Web Address
Abbey                        Service in development
Barclaycard                  www.barclaycard.co.uk/barclaycardsecure/index.html
Barclays Bank                https://verifiedbyvisa.barclays.co.uk/barclays/registration/welcome.jsp?partner=debit.visa
Bank of Scotland             www.bankofscotlandhalifax.co.uk/bankaccounts/secure.asp
Capital One                  www.capitalone.co.uk/web/raid/templates/gen_temp_10_001.jsp?page_id=2010&context_id=2&pageId=2010
Halifax                      www.halifax.co.uk/bankaccounts/secure.asp
HSBC                         https://secure6.arcot.com/vpas/hsbc/index.html
Lloyds TSB                   https://www.securesuite.co.uk/lloyds/registration/welcome.jsp
Mint                         http://www.mint.co.uk/credit_cards01.asp?page=CARDS/CREDIT_CARDS/FEATURES_AND_BENEFITS/MINT_SECURE
NatWest                      www.natwest.com/global_options.asp?id=GLOBAL/SECURITY/CREDIT_CARD_SAFETY
The Royal Bank of Scotland   https://www.securesuite.co.uk/rbs/registration/welcome.jsp

Above Web sites retrieved on the 13th of March 2007

Table 2: Credit Card Companies offering MasterCard SecureCode in the UK

Bank                     Web Address
Barclaycard              www.barclaycard.co.uk/barclaycardsecure/index.html
Bank of Scotland         www.bankofscotlandhalifax.co.uk/creditcards/secure.shtml
Capital One              http://www.capitalone.co.uk/web/raid/templates/gen_temp_10_001.jsp?page_id=2010&context_id=2&pageId=2010
Halifax                  www.halifax.co.uk/creditcards/secure_home.shtml
HSBC                     https://enrollment.securecode.com/vpas/hsbcuk/enroll/index.jsp?locale=en_US&bankid=3
Lloyds TSB               https://www.securesuite.co.uk/lloyds/registration/welcome.jsp
Mint                     https://www.mintsecure.co.uk/rbs/registration/welcome.jsp?partner=mint
NatWest                  www.natwestsecure.org/
Royal Bank of Scotland   https://www.securesuite.co.uk/rbs/registration/welcome.jsp

Above Web sites retrieved on the 13th of March 2007


The examples of costs given for payment services in Table 3 are meant as a guide and the latest prices should be confirmed with the appropriate payment companies.

Table 3: Payment Service Providers offering Verified by Visa and MasterCard SecureCode

Provider                              Verified by Visa                      MasterCard SecureCode   Web address
WorldPay-World Direct & Bank Direct   Included as standard                  Included as standard    www.worldpay.co.uk
ChronoPay                             Included as standard                  Included as standard    www.chronopay.com
ePDQ from Barclaycard Business        £50 initial fee and £10 monthly fee   Included as standard    www.epdq.co.uk
HSBC Bank Secure ePayments            Included as standard                  Included as standard    www.hsbc.co.uk/1/2/business/cardspayments/secureepayments/
Splash plastic card                   £50 initial fee and £10 monthly fee   Not Supported           www.splashplastic.com
Wirecard AG                           Included as standard                  Included as standard    www.wirecard.com
SECPay                                Included as standard                  Included as standard    www.secpay.com
BT Buynet                             Included as standard                  Included as standard    www.bt.com/epayments
DataCash                              Initial fee of £3000                  Initial fee of £3000    www.datacash.com
Protx VSP                             Included as standard                  Included as standard    www.protx.com
SecureTrading Ltd                     Included as standard                  Included as standard    www.securetrading.com
CI-CARD                               Included as standard                  Not Supported           www.ci-card.com

Above Web sites retrieved on the 13th of March 2007
