3-D Secure


How Much Protection Does 3-D Secure Offer?

Are you using Verified by Visa during your checkout process? What about Mastercard SecureCode? If not, you may be passing up some invaluable fraud protections offered by 3-D Secure technology.

Verified by Visa and SecureCode are the two companies’ branded deployments of 3-D Secure technology. The tool prompts customers to enter a unique identification code during checkout. Some merchants decline to use it, worrying it will increase friction and shopping cart abandonment. However, the technology offers some incredible advantages.

What is 3-D Secure?

3-D Secure is an XML-based protocol, designed to help block fraudulent card use online. Although using the same basic technology, the tool goes by different names depending on the card scheme:

  • Verified by Visa (or VbV)
  • SecureCode
  • SafeKey
  • J/Secure

To use any of these fraud prevention tools, you simply need to contact your merchant processor and ask for permission. You’ll need to install a plug-in, but the process is fairly painless.

3-D Secure technology works like an online PIN code. The issuing bank asks cardholders to register their card with VbV, SecureCode, or another program, depending on the brand of the card. When they do so, the cardholder creates a unique personal identification number.

Later, at checkout with a participating merchant, the 3-D Secure tool prompts customers to enter their unique code. During this process, the cardholder is temporarily redirected away from the site, to a separate domain operated by the card scheme, to provide their credentials. Once the issuing bank validates the personal code, the shopper will be allowed to continue with the checkout. In theory, only cardholders will know the code. Fraudsters shouldn’t know this number and, therefore, won’t be able to complete the transaction.

Benefits of 3-D Secure Outweigh Costs

Let’s be clear up front: yes, this creates friction in the transaction process. For many sellers, the idea of adding extra steps to checkout is simply not worth the potential reward. However, VbV and SecureCode are highly effective fraud deterrents. They make it much more difficult for criminals to complete fraudulent transactions.

Even beyond that, though, the tool offers another incredible benefit: a fraud liability shift.

Sellers are not liable for fraudulent purchases authenticated through VbV. As long as you authenticate your customer using Verified by Visa, or attempt to authenticate a customer who is not enrolled in the program, liability for fraudulent activity shifts to the issuer. It’s the same as EMV chip technology for card-present merchants: if you use VbV during checkout and a fraudster manages to pull off an attack, none of the losses come out of your pocket.

You enjoy similar protections with SecureCode as well. Page 248 of the Mastercard Chargeback Guide released in May 2018 specifies that, if you use 3-D Secure during a transaction, that sale is not eligible for a chargeback involving any of the following reason codes:

  • 4837—No Cardholder Authorization
  • 4849—Questionable Merchant Activity
  • 4863—Cardholder Does Not Recognize—Potential Fraud

Even with other reason codes, SecureCode could still be admissible as compelling evidence.

No More Chargeback Liability?

Remember: when something sounds too good to be true…it usually is.


Clearly, 3-D Secure could impact billions of dollars in chargebacks filed every year due to alleged criminal fraud. That’s not to say you should hinge all your fraud prevention on one tool, though. If you fail to keep up with fraud prevention best practices, you could still be held liable for fraudulent activity.

Exceptions to the Rules

Of course, there are other stipulations involved. As mentioned above, you may still be liable for disputes involving Mastercard chargeback reason codes not specified above.

As for Visa, some merchants are not eligible for the protection offered by the liability shift due to their merchant category code, or MCC.

Your MCC is a code assigned by Visa based on a general description of your business model, and the range of products you carry. All merchants who offer travel services are grouped together under the same four-digit code, and all merchants who sell products based on a telemarketing business model share an MCC. This allows Visa to identify groups of merchants based on their industry.

This may seem insignificant at first glance, but your MCC can impact whether you’re protected from fraud liability. Even if you, the merchant, deploy Verified by Visa, you can still be found liable for disputes if you operate under any of the following MCCs and are located in the US:

  • MCC 4829—Wire Transfer Money Orders
  • MCC 5967—Direct Marketing: Inbound Teleservices Merchant
  • MCC 6051—Non-Financial Institutions: Foreign Currency, Money Orders [not Wire Transfer], Stored Value Card / Load, and Travelers Cheques
  • MCC 6540—Non-Financial Institutions: Stored Value Card Purchase / Load
  • MCC 7801—Government Licensed Online Casinos (Online Gambling)
  • MCC 7802—Government-Licensed Horse / Dog Racing
  • MCC 7995—Betting, including Lottery Tickets, Casino Gaming Chips, Off-Track Betting, and Wagers at Race Tracks

Why Single Out These Product Categories?

MCCs 4829, 5967, and 6051 have been ineligible for protection for years. Prior to April 2018, transactions involving any of those three MCCs were ineligible for protection against fraud involving chargeback reason codes 75 (Transaction Not Recognized) and 83 (Fraud: Card-Absent Environment).

In April 2018, though, Visa added MCCs 6540, 7801, 7802, and 7995, alongside their Visa Claims Resolution initiative. The company did this because businesses operating in these verticals are considered “high-risk” in nature.

The point of this designation isn’t to judge or to punish merchants for their products or business model. This doesn’t necessarily reflect on individual businesses. Being designated as a high-risk merchant refers specifically to the relative risk of your customers filing chargebacks, based on average incidents experienced by other businesses in the same vertical.

Basically, Visa anticipates more fraud incidents and more unrecognized transactions in these product and service categories. Thus, they anticipate more chargebacks.
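
The liability rules described above (Visa's authenticated or attempted outcomes, the US MCC carve-outs with their April 2018 expansion, and Mastercard's three blocked reason codes) can be encoded for dispute triage. This is an added example, not code from the article or from any card scheme; the outcome labels, record fields, queue names, and the April 1 cutoff are assumptions, and the sample disputes are constructed.

```python
from datetime import date

# Rules below are transcribed from this article, not from the scheme rulebooks.
VISA_EXCLUDED_LEGACY = {"4829", "5967", "6051"}            # ineligible for years
VISA_EXCLUDED_APR_2018 = {"6540", "7801", "7802", "7995"}  # added April 2018
VISA_EXPANSION = date(2018, 4, 1)  # assumption: the article names only the month
MC_BLOCKED_REASON_CODES = {"4837", "4849", "4863"}

# Hypothetical labels for the outcome of the 3-D Secure step.
AUTHENTICATED = "authenticated"
ATTEMPTED_NOT_ENROLLED = "attempted_not_enrolled"
NOT_ATTEMPTED = "not_attempted"
COVERED_OUTCOMES = {AUTHENTICATED, ATTEMPTED_NOT_ENROLLED}

def visa_liability_shifts(outcome, mcc, country, txn_date):
    """True when, per the article, fraud liability moves to the issuer."""
    if outcome not in COVERED_OUTCOMES:
        return False
    excluded = set(VISA_EXCLUDED_LEGACY)
    if txn_date >= VISA_EXPANSION:
        excluded |= VISA_EXCLUDED_APR_2018
    # The MCC carve-out applies only to merchants located in the US.
    return not (country == "US" and mcc in excluded)

def triage(dispute):
    """Route one fraud dispute (a dict) to a response queue."""
    outcome = dispute["outcome"]
    if dispute["scheme"] == "visa":
        shifted = visa_liability_shifts(
            outcome, dispute["mcc"], dispute["country"], dispute["txn_date"])
        return "issuer_liable" if shifted else "no_liability_shift"
    if dispute["scheme"] == "mastercard":
        # Assumption: the same two outcomes count as "using" 3-D Secure.
        if outcome not in COVERED_OUTCOMES:
            return "no_liability_shift"
        if dispute["reason_code"] in MC_BLOCKED_REASON_CODES:
            return "chargeback_ineligible"
        return "contest_with_3ds_evidence"  # other reason codes
    return "manual_review"

# Constructed sample disputes, not real data.
SAMPLES = [
    {"scheme": "visa", "outcome": AUTHENTICATED, "mcc": "5999",
     "country": "US", "txn_date": date(2018, 6, 1)},
    {"scheme": "visa", "outcome": ATTEMPTED_NOT_ENROLLED, "mcc": "7995",
     "country": "US", "txn_date": date(2018, 6, 1)},
    {"scheme": "mastercard", "outcome": AUTHENTICATED, "reason_code": "4837"},
]
RESULTS = [triage(d) for d in SAMPLES]
```

The second sample shows the case that is easiest to miss: a US betting merchant completes the 3-D Secure step and still gets no shift after the April 2018 change.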


Still Value, Regardless of Liability

Of course, with or without chargeback liability protection, taking advantage of 3-D Secure technology is still a good idea. As discussed above, it’s an opt-in process, so the friction added at checkout is negligible, but the protection provided is roughly the same as an in-store PIN purchase.

Plus, coming in April 2019, current 3-D Secure rules will extend to 3-D Secure 2.0 technology on Visa transactions. After April 12, Visa will offer merchants full chargeback protection if they deploy Verified by Visa using 3-D Secure 2.0 technology. All other card schemes will make a similar move in due time.

The new generation of 3-D Secure utilizes rich data transmission during transactions, enabling the technology to offer:

  • App-based, mobile purchases
  • More dynamic, informed, and faster risk-based decisioning
  • More options for authentication beyond passcode
  • Seamless checkout integration

3-D Secure 2.0 directly addresses a few key complaints about the original tool. Namely, with 3-D Secure 2.0, the customer doesn’t need to enter their passcode upfront. Instead, 3-D Secure 2.0 uses risk-based decisioning to classify a transaction as high- or low-risk. With a high-risk sale, the transaction bounces back, prompting the customer to enter their code for authorization.

This change addresses the most common objection to 3-D Secure tools (that they increase friction). Even then, it’s still not perfect.

Part of a Larger Strategy

3-D Secure offers valuable insurance for some transactions, plus strong protections against fraud for all. You can’t rely on it alone to insulate yourself against chargebacks, though.

As mentioned before, chargeback liability is contingent on you abiding by best practices. This includes using multiple recommended fraud tools, which can include (just to name a few):

Also, while 3-D Secure is effective against criminal fraud, there’s no guarantee it will work against friendly fraud. For example, if a customer experiences buyer’s remorse, then files a chargeback in response claiming the item never arrived or was not as described, 3-D Secure won’t really help.

For true chargeback protection, only a specialized chargeback management provider will do the trick. These experts will help you separate chargebacks by their source—criminal fraud, friendly fraud, and merchant error—then deploy the solution you need to see long-term chargeback reduction and revenue recovery.
