3-D Secure™ Enrolment Activation

Andrea Wilson, CEO First Atlantic Commerce asks whether this is the new breeding ground for Issuer merchant fraud reporting.

Veriﬁ ed by Visa (VbV) has been hailed by the banks and the Card Associations as an important step in the ﬁ ght against online card fraud. However, it has been criticized by cardholders who have complained about being forced to input card numbers and other security details at a website that pops up the Issuer enrolment activation window when they are making purchases. Understandably, many people shun the Veriﬁ ed by Visa ‘activation during checkout’ procedure for fear that it’s a phishing scam.

3-D Secure™ is an XML-based protocol used as consumer authentication security for online credit and debit card transactions. It was developed by Visa to improve the security of Internet payments.

Full service website

Cardholders register using a full-function, Issuer- branded Veriﬁ ed by Visa website maintained by Visa. The site allows cardholders to enroll, create a password, and change a pass-word. It also provides cardholders with customer service contact information.

Activation during shopping

Cardholders are prompted to enroll during check- out while shopping at participating Veriﬁ ed by Visa merchant websites. A Veriﬁ ed by Visa pop-up window prompts them to enroll in the service and create a password.

“What started out to be a universally good idea to reduce online credit card fraud has become a security nightmare for consumers, acquiring banks and merchants.”

The challenge for large card issuing banks was (and still is) consumer education and rationale for enrolment. How would the banks get 500,000 or more card numbers registered in Veriﬁ ed by Visa in order to protect the bank and consumers against online fraudulent use? How can that many cardholders be educated on the value of the service for a reasonable cost to the Issuer? The answer became ‘Activation Online’ – a push enrolment process that solved the Issuer’s mass enrolment and cost concerns, but left cardholders frustrated and suspicious… and merchants taking the blame for it all. There are four methods for mass enrolment by Issuers all of which take place online, and are triggered at a website where the merchant is enrolled in 3D-Secure™ authentication by their acquiring bank:

Activation anytime

Cardholders visit Error! Hyperlink reference not valid and enter their card number. If they are not enrolled in the service, they are asked to complete an activation page. After entering the required identity information, the cardholder creates a password and is congratulated for successfully registering for the service.

Mass enrollment

Cardholders are enrolled automatically in the Veriﬁ ed by Visa service and assigned pre-deﬁ ned passwords delivered via a secure mailer.

Activation and enrolment online, however, is plagued with problems, including phishing, hijacked merchant websites and counterfeit or stolen card enrolment fraud. Issuers who mass activate are not adequately informing their cardholders (if at all) that the enrolment will take place online and the cardholder believes the merchant is trying to obtain their personal information so they exit the site and cancel the purchase.

Another problem with mass activation is that Issuers typically revert to third-party providers to support the enrolment process so when the consumer is presented with the pop-up box, the consumer has no idea who the Issuer’s provider is. Take for example, Securesuite.co.uk, a large third-party provider of Veriﬁ ed by Visa Issuer ACS solutions for AIB, Royal Bank of Scotland and MBNA. You cannot Google http://www.securesuite. co.uk and ﬁ nd any information about this provider. You perform a WHOIS query, and you will ﬁ nd out that Securesuite.co.uk is registered by Cyota in New York City. You call the bank and the customer service

staff have never heard of Securesuite.co.uk. Chances are the consumer thinks they are being phished or scammed or it’s the merchant who is trying to obtain personal and security information from you. Either way it’s not good for business, or the reputation of the merchant who remains powerless to prevent the VbV activation via their website.

More of a burgeoning problem is enrolment in VbV by fraudsters who have compromised card numbers either through counterfeiting or card generation software. Online activation has made it simple for fraudsters to register a consumer’s credit card in VbV and then start using it. This is a form of identity theft which is difﬁ cult to quantify. I recently heard of a case in Europe where a consumer’s VbV enrolment had been compromised and the Issuer reported the merchant for fraud with the Card Associations in order to circumvent the chargeback liability shift rights under chargeback rules. The Issuer reported the merchant as fraud but didn’t process a chargeback so the acquiring bank was left dealing with a fraud report impacting the acquirer’s portfolio ratios and the merchant’s credibility… but not a chargeback loss.

What started out to be a universally good idea to reduce online credit card fraud has become a security nightmare for consumers, acquiring banks and merchants. Merchants who register with good intention to reduce fraud transactions at their website are being reported by Issuers to Visa for fraud, when in fact the liability resides squarely with the Issuing banks… and their lack of foresight or planning on how to mass register their consumers in Veriﬁ ed by Visa.