Visa International

Merchant Best Practices to Reduce Inadvertent Authentication Window Closures
Verified by Visa
August 2003
1 - Background

The 3-D Secure Protocol allows for two types of authentication page displays to be
presented to cardholders: inline or pop-up pages. Pop-ups are presented to the
cardholder as a separate, smaller window on top of the Merchant checkout page. An
inline page uses the full browser window to display the authentication page.

Research has shown that cardholders, mistaking the new windows for advertising, will
often close pop-up windows indiscriminately. Cardholders with slower connections to
the Internet are even more likely to close pop-up windows, often doing so before the
window has completed loading in the browser. These actions may cause the transaction
to yield unpredictable results, potentially impacting the cardholder experience.

Over the last 6 to 12 months, as the rate of pop-up advertising has increased, pop-up
suppression software (also sometimes referred to as pop-up killers) has similarly
gained increased market awareness and usage. In addition to stand-alone applications,
some online service providers and browsers have begun to incorporate pop-up
suppression as a standard feature of their service.

March 2003

Visa *Confidential*

Notice: This document contains Visa's proprietary information for use by Visa Members and their Processors solely in
support of Members' Visa card programs. Disclosure to third parties or any other use is prohibited without the prior written
permission of Visa International.

2 - Use of Inline Page instead of Pop-Up

Best Practice

Visa strongly recommends that Merchants configure the authentication page as an
inline page, rather than as a pop-up. This recommendation applies to all new
Merchant implementations, as well as to implementation upgrades.

This change will prevent problems commonly associated with pop-up suppression
software and also avoid situations where cardholders inadvertently close the Verified
by Visa pop-up.

Consumer research also supports this recommendation. The Vividence Corporation,
an Internet market research company, conducted a study for Visa International in
May 2003 with 200 Internet users and found high levels of ease of use and
satisfaction for both inline and pop-up approaches; 59% of the panel expressed no
preference between inline or pop-up approaches. For those panelists expressing a
preference, however, 83% strongly preferred inline approaches.

Research Panel Responses                      Percent

No Preference between Inline and Pop-Up       59%
Percentage expressing a Preference            41%

For those with a preference:

Percentage who prefer Inline Approach         83%
Percentage who prefer Pop-up Approach         17%

Source: Visa International, May 2003.

3 - Best Practices for Inline Page Implementations

Best Practice

Merchants are recommended to implement an inline approach without the use of
frames. Examples and the reasons are discussed below. The first screen shot is an
inline page and the second screen is a framed inline page.

Inline Page

The Best Practice recommendation is a standard inline page. This approach has the
following benefits:

- Cardholder can verify the Issuer ACS URL.
- Cardholder can check the SSL lock to ensure connection with Issuer ACS.

Both of these features provide increased cardholder confidence for entering
sensitive information, like a password.

[Screen shot: inline page. Callouts: 1. Cardholder can verify connectivity with
Issuer Access Control Server URL. 2. Cardholder can verify SSL session with Issuer ACS.]

Alternate Inline Approach - Framed Inline Page

An alternate approach is a framed inline page. This approach is permitted, but
not recommended as a Best Practice.

[Screen shot: framed inline page. Callouts: Merchant URL; Merchant SSL certificate
information.]

While this approach has the advantage of keeping the Merchant's name in front of
the cardholder, there may be consumer concerns regarding the confidentiality of
information entered into the page when the cardholder sees the Merchant URL in the
window and Merchant name in the SSL lock.

3.1 - Use of Inline Page with a Framed Window

Requirement

If a Merchant uses the alternate framed inline approach, the frame opened for the
Issuer ACS to present the Verified by Visa window must be large enough to
present the entire 390 pixel width by 400 pixel length authentication page, without
scrolling, over a standard range of browser resolutions. Merchants that elect to
implement an inline page with a frame may place a frame at the top of the page
and/or on the side of the page, as illustrated below.

Framed Inline Page with Top Frame

Frame must allow at least 390 pixels width by 400 pixels height to display, without
requiring the customer to scroll to see the authentication page.

[Figure: framed inline page with top frame. Callouts: Merchant promotional messages
not permitted; Recommended text; Must leave room for full Verified by Visa page
without scrolling.]

Framed Inline Page with Side Frame

Frame must allow at least 390 pixels width by 400 pixels height to display, without
requiring the customer to scroll to see the authentication page.

[Figure: framed inline page with side frame. Callouts: Merchant promotional messages
not permitted; Recommended text; Must leave room for full Verified by Visa page
without scrolling.]
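
The frame-size requirement above can be checked before a layout ships. The following is an added example, not part of the Visa document: only the 390 x 400 pixel figure comes from section 3.1, while the list of resolutions, the browser-chrome allowance and all function and field names are assumptions chosen for illustration.

```javascript
// Added example (not from the Visa document). 390 x 400 comes from section 3.1;
// the resolutions and browser-chrome allowance below are constructed assumptions.
const AUTH_PAGE = { width: 390, height: 400 };

// Constructed sample of screen resolutions to test against.
const RESOLUTIONS = [
  { width: 800, height: 600 },
  { width: 1024, height: 768 },
  { width: 1280, height: 1024 },
];

// Assumed pixels lost to browser toolbars, status bar and window borders.
const CHROME = { width: 20, height: 150 };

// Space left for the Issuer ACS frame after the merchant's frames are subtracted.
function acsFrameSize(resolution, layout, chrome = CHROME) {
  return {
    width: resolution.width - chrome.width - (layout.sideFrameWidth || 0),
    height: resolution.height - chrome.height - (layout.topFrameHeight || 0),
  };
}

// One result per resolution; fits === false means the cardholder would have to scroll.
function checkLayout(layout, resolutions = RESOLUTIONS, chrome = CHROME) {
  return resolutions.map((res) => {
    const frame = acsFrameSize(res, layout, chrome);
    const fits = frame.width >= AUTH_PAGE.width && frame.height >= AUTH_PAGE.height;
    return { resolution: `${res.width}x${res.height}`, frame, fits };
  });
}

// Largest merchant frames that still pass at every resolution. A negative value
// means the authentication page cannot fit there even with no merchant frame.
function frameBudget(resolutions = RESOLUTIONS, chrome = CHROME) {
  const minWidth = Math.min(...resolutions.map((r) => r.width - chrome.width));
  const minHeight = Math.min(...resolutions.map((r) => r.height - chrome.height));
  return {
    maxSideFrameWidth: minWidth - AUTH_PAGE.width,
    maxTopFrameHeight: minHeight - AUTH_PAGE.height,
  };
}

// Hypothetical merchant layout: 60 px top banner, 150 px side navigation.
for (const r of checkLayout({ topFrameHeight: 60, sideFrameWidth: 150 })) {
  console.log(r.resolution, `${r.frame.width}x${r.frame.height}`, r.fits ? "ok" : "TOO SMALL");
}
```

Under these assumed allowances the 60 pixel top banner fails at 800x600, because only 390 pixels of height remain for the authentication page.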

Recommended Text

Merchants may provide a brief communication to customers outside of the frame
for the authentication page, as shown below. The text will be seen by Visa
cardholders that are both activated for Verified by Visa and non-activated where an
attempted authentication response is returned to the Merchant. Any text must not
refer to Verified by Visa or providing additional security as this message could be
very confusing to non-activated customers.

If a communication is presented, the following text is recommended:

    "Processing, please wait. Do not click the refresh or back button or this
    transaction may be interrupted or terminated."

Merchants must not display promotional messages to cardholders. It is important
that cardholders have confidence in the authentication session with their card
issuer.
