Tuesday, December 18, 2012

Another Run at 3-D Secure and Issuer Liability in eCommerce: Visa Consumer Authentication Service


Recently, I spoke with Mark Nelsen, Visa's Head of Risk and Authentication Product Development, who is responsible for the new Visa Consumer Authentication Service.  Announced November 26, it is a service targeted toward issuers but, in my view, the larger potential beneficiaries are the e-commerce and m-commerce merchants who must do no little integration work to take advantage of the service.  A skeptic might call VCAS Son of 3-D Secure.  It appears to be a big improvement, though, on its parent's shortcomings.

Payments Authorization 

The payment authorization message is a pillar of the credit and signature debit transaction flow.  But it was built for the card-only world and, as we all know, its adaptation to the Internet has been uncomfortable because that key signal, the card, is not available. Only the easily copied and easily entered magstripe data is at hand. That's been one of the hardest collisions between the payment network and the Big One, the Internet.

We've known for quite a while that today's eCommerce transactions have far more data available to them for stronger risk decisioning.  Signals that pour off of the access device - PC, smartphone or tablet - and data regarding the past behavior of a particular user ID, password, and payment card number, as each is used both online and offline, are all available to strengthen the risk assessment.  Merchant databases and mobile device signals - lat/long, phone number, etc. - simply add to that rich data stream.

Much of that online-generated data, however, has had limited utility because of the incumbent authorization system's inflexibility. From a practical point of view, there's little room to add more capability.  Changes to well established data formats break brittle old code.  

So, the desire to leverage that Internet-generated data in risk scoring has been around for years.  A number of third parties - from credit scoring outfits to device fingerprinting providers and others - have improved the utility of that data but, thus far, it's been confined to the merchant and acquiring side of the transaction flow.

That's not to say that enriching the authorization message hasn't been done by a card brand.  AMEX's enhanced authorization message includes Internet-generated data such as the accountholder's email address.  A merchant who supports the AMEX approach may see fraud detection performance improve by 30% or more.  A big improvement.  Unfortunately, many eCommerce merchants haven't seen the effort needed to support the AMEX enhanced authorization method as warranted because AMEX makes up such a small portion of their transaction volume.

Enter VCAS

The Visa Consumer Authentication Service is the card brand's effort to pull in the rich data available from the Internet in order to provide issuers with a more precise risk score.  It does that using the existing 3-D Secure infrastructure, the one that has often required consumers, as they check out from a merchant's site, to enter their online banking credentials.  From a consumer experience and merchant point of view, that's a no-no.  US eCommerce merchants, in particular, have loathed the 3D Secure process due to its negative impact on shopping cart abandonment rates.  Once a fraud score invokes a separate login / password screen from a bank's online portal, it's too often "shopping game over."

VCAS allows the issuer to let low-risk transactions proceed to the next step, authorization, without prompting the consumer for any additional information.  In cases where a transaction is deemed high risk, Visa recommends that issuers use VCAS' one-time password infrastructure or a challenge / response approach.

Bank of America's SafePass is an example of an SMS-based multi factor authentication tool.  I use SafePass in specific steps of my online banking life.  Should BofA integrate its SafePass method with VCAS, it could prompt me via SafePass if it sees a risky transaction.  A SafePass prompt would appear, I'd say "send the text", and enter the value I receive on my mobile into the prompt box.  I would not be shown an online portal window requesting my online banking credentials.

It's easier than it sounds and should provide a better user experience.  I've not found SafePass inconvenient.

In implementing VCAS, Visa also recommends simply approving more transactions and putting those the issuer is uncertain about into the review queue.   That's fine for physical goods or airline tickets.  Not useful for digital products.

How VCAS Works

Rather than breaking apart the existing AUTH message, VCAS operates before the traditional AUTH message.  VCAS consists of two merchant-generated XML messages and two responses from the issuer.

The first message asks the issuer whether or not the account number participates in 3-D Secure. Some BIN ranges, supporting anonymous cards for example, don't participate in 3-D Secure.  A Yes/No response is returned by the issuer.

If the PAN is covered by 3-D Secure, a second message is sent, requesting authentication of the transaction.  The issuer then determines the risk using a VCAS-provided score and its own risk models.  If the issuer approves the transaction without needing further authentication, it returns in its positive response a consumer authentication verification value (CAVV).

This key value is then placed by the merchant into the traditional AUTH message as proof of authentication back to the issuer.  With the CAVV in hand, the transaction liability remains with the issuer, just as it would for a point of sale, card present transaction.  This is a significant change for online retailers, who eat the merchandise loss in e-commerce transactions.

Among the various elements it looks at, the VCAS system includes device identification inputs and historical transaction analysis in order to provide the authentication risk score.  Given the abundance of data signals, Visa predicts the vast majority of transactions will be scored as low risk, avoiding the need to invoke any 3D Secure screens.

Merchant integration isn't trivial.  The merchant must deploy 3D Secure technology either through integration within its own systems or via a third party provider.  It must install a Merchant Plug-in (MPI) to establish a secure communications channel between the merchant, the network and the issuer.
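To make the two-message flow above concrete (enrollment check, authentication request, CAVV carried into the AUTH message, and the risk score built from device and history signals), here is a toy end-to-end model written for this post.  It is an added example, not Visa's, CyberSource's or any MPI vendor's code.  The element names borrow the 3-D Secure 1.0 message names (VEReq/VERes, PAReq/PARes) but the contents are a constructed simplification, not the real schema; the BIN table, device history, risk rule, OTP value and the HMAC-based CAVV are all constructed for illustration (a real CAVV is not a SHA-256 hex string).  What the toy does show is why the CAVV shifts liability: the issuer mints it with its own key, bound to the PAN, transaction id and amount, so only an issuer-approved transaction can echo a value that verifies at AUTH time.

```python
"""Toy model of the VCAS / 3-D Secure exchange: two merchant XML messages,
two issuer responses, then the CAVV riding in the AUTH message.
Added example; element names, risk rule, OTP and CAVV scheme are constructed."""
import hmac
import hashlib
import secrets
import xml.etree.ElementTree as ET

# --- Issuer side (toy access control server) ------------------------------

PARTICIPATING_BINS = {"411111", "455555"}            # constructed BIN table
KNOWN_DEVICES = {"4111111111111111": {"dev-7f3a"}}   # constructed device history
ISSUER_KEY = b"issuer-cavv-key-demo-only"           # constructed issuer secret
RISK_THRESHOLD = 50                                  # at or above -> challenge
DEMO_OTP = "123456"                                  # constructed one-time password


def risk_score(pan, device_id, amount_cents):
    """Constructed risk model: an unseen device and a large amount raise the score."""
    score = 0
    if device_id not in KNOWN_DEVICES.get(pan, set()):
        score += 40
    if amount_cents > 50_000:          # more than $500.00
        score += 30
    return score


def make_cavv(pan, xid, amount_cents):
    """Issuer mints a CAVV bound to this transaction (toy: HMAC-SHA256, hex)."""
    msg = f"{pan}|{xid}|{amount_cents}".encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()


def verify_cavv(pan, xid, amount_cents, cavv):
    """At AUTH time the issuer checks the CAVV is one it minted for these fields."""
    return hmac.compare_digest(make_cavv(pan, xid, amount_cents), cavv)


def issuer_enrollment_response(req_xml):
    """Message 1: does this PAN participate in 3-D Secure? Y/N."""
    pan = ET.fromstring(req_xml).findtext("pan")
    enrolled = pan[:6] in PARTICIPATING_BINS
    return f"<VERes><pan>{pan}</pan><enrolled>{'Y' if enrolled else 'N'}</enrolled></VERes>"


def issuer_auth_response(req_xml, otp=None):
    """Message 2: score the transaction; low risk -> CAVV, high risk -> challenge."""
    req = ET.fromstring(req_xml)
    pan, xid = req.findtext("pan"), req.findtext("xid")
    amount, device = int(req.findtext("amount")), req.findtext("deviceId")
    score = risk_score(pan, device, amount)
    if score >= RISK_THRESHOLD and otp != DEMO_OTP:
        return f"<PARes><xid>{xid}</xid><status>CHALLENGE</status><score>{score}</score></PARes>"
    cavv = make_cavv(pan, xid, amount)
    return (f"<PARes><xid>{xid}</xid><status>Y</status><score>{score}</score>"
            f"<cavv>{cavv}</cavv></PARes>")

# --- Merchant side (toy MPI) ----------------------------------------------

def merchant_checkout(pan, amount_cents, device_id, otp=None):
    """Run both messages and build the AUTH request, carrying the CAVV if one came back."""
    xid = secrets.token_hex(8)                        # per-transaction id
    ve = ET.fromstring(issuer_enrollment_response(f"<VEReq><pan>{pan}</pan></VEReq>"))
    auth = {"pan": pan, "amount": amount_cents, "xid": xid, "cavv": None, "status": None}
    if ve.findtext("enrolled") != "Y":
        auth["status"] = "NOT_ENROLLED"               # no CAVV possible for this PAN
        return auth
    pa = ET.fromstring(issuer_auth_response(
        f"<PAReq><pan>{pan}</pan><xid>{xid}</xid><amount>{amount_cents}</amount>"
        f"<deviceId>{device_id}</deviceId></PAReq>", otp))
    auth["status"] = pa.findtext("status")
    auth["cavv"] = pa.findtext("cavv")                # None when a challenge was demanded
    return auth


def issuer_authorize(auth):
    """Toy AUTH decision: liability sits with the issuer only if a valid CAVV is present."""
    ok = auth["cavv"] is not None and verify_cavv(
        auth["pan"], auth["xid"], auth["amount"], auth["cavv"])
    return "ISSUER" if ok else "MERCHANT"


if __name__ == "__main__":
    low = merchant_checkout("4111111111111111", 2_000, "dev-7f3a")
    print(low["status"], issuer_authorize(low))            # Y ISSUER
    high = merchant_checkout("4111111111111111", 80_000, "dev-new")
    print(high["status"], issuer_authorize(high))          # CHALLENGE MERCHANT
    print(issuer_authorize(merchant_checkout("4111111111111111", 80_000, "dev-new", DEMO_OTP)))
```

The three runs at the bottom trace the cases the post describes: a known device and small amount score low and return a CAVV with no consumer prompt; an unseen device and large amount trigger a challenge and no CAVV, so liability stays with the merchant until the one-time password is supplied; and a PAN outside the participating BIN ranges never gets past the first message.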

It's About the Merchant AND the Financial Institution

Visa's been working on recruiting financial institution support for VCAS.  But it's early days for merchants.  They'll have work to do.  And Visa isn't sharing performance metrics yet.  Those metrics will vary widely depending upon the merchant category.  

Given Visa's transaction footprint, however, Visa is hoping VCAS will accelerate merchant adoption of 3D Secure technology. The liability change should help.

There is some connection to its V.me digital wallet service.  The two programs share the same analytical environment using the same data sources.  

VCAS is a solution for issuers.  But roll-out is dependent upon merchant uptake.  Visa needs issuers first but merchants have to follow to make this useful.  With EMV coming to the US, issuers are going to have to strengthen the e-commerce channel's fraud protection because, as in other EMV markets, Internet, mobile and other card not present channels will become the preferred target for fraud.

Visa's CyberSource acquisition is making inroads into Visa's mainline services set.  At the time of the acquisition, CyberSource customers were able to benefit from analysis of a card number's offline (in-store, at the POS) behavior (we've got to dump that false distinction of offline and online transaction origination soon).  The history of what that card number has done at the POS is now available for VCAS risk scoring.  Given Visa's transaction reach across both channels and branded cards, that behavioral analysis should be meaningful to merchants.

So, for the time being, Visa's VCAS focus is on the issuers.  I suppose issuers are the prerequisite participants because they have to be able to respond with the CAVV for the scheme to work.  But eCommerce merchants are the ultimate users.  They have to install the 3D Secure infrastructure, build the XML messages, and work all of that and more into their checkout process.

A VCAS Impact on Mobility?

If a mobile merchant integrates to VCAS, the liability shift for those transactions goes away.  The issuer is liable just as with card present POS-based transaction origination. If that's the case, the delta between card present and card not present transaction costs starts to look less like a barrier.  Card not present risk just gets better for the eCommerce and mobilized merchant.  With that CAVV value in hand, both directly entered and card-on-file based transactions look better.  Merchant-specific mobile apps look a lot better whether they're used at home, in the parking lot, or in the store aisle.  If the checkout counter is going the way of the dodo at specialty retail, so could the merchant's own mobile POS terminal. Just let the customer handle the whole transaction.  Apple's already doing that.  

With a strong mobile risk model, what does that do to the NFC value proposition?  If those responsible for building the NFC ecosystem don't hurry up and accelerate its growth, they might need to revisit their business plan.  Again.
