Recently, I spoke with Mark Nelsen, Visa's Head of Risk and Authentication Product Development, who is responsible for the new Visa Consumer Authentication Service. Announced November 26, it is a service targeted toward issuers but, in my view, the larger potential beneficiaries are the e-commerce and m-commerce merchants, who must do a fair amount of integration work to take advantage of the service. A skeptic might call VCAS Son of 3-D Secure. It appears, though, to be a big improvement on its parent's shortcomings.
Payment Authorization
The payment authorization message is a pillar of the credit and signature debit transaction flow. But it was built for the card-present world and, as we all know, its adaptation to the Internet has been uncomfortable because that key signal, the physical card, is not available. Only the easily copied and easily entered data printed on the card is at hand. That's been one of the hardest collisions between the payment network and the Big One, the Internet.
We've known for quite a while that today's eCommerce transactions have far more data available to them for stronger risk decisioning. Signals that pour off the access device - PC, smartphone or tablet - and data regarding the past behavior of a particular user ID, password, and payment card number, as each is used both online and offline, are all available to strengthen the risk assessment. Merchant databases and mobile device signals - lat/long, phone number, etc. - simply add to that rich data stream.
Much of that online-generated data, however, has had limited utility because of the incumbent authorization system's inflexibility. From a practical point of view, there's little room to add more capability. Changes to well established data formats break brittle old code.
So, the desire to leverage that Internet-generated data in risk scoring has been around for years. A number of third parties - from credit scoring outfits to device fingerprinting providers and others - have improved the utility of that data but, thus far, it's been confined to the merchant and acquiring side of the transaction flow.
That's not to say that enriching the authorization message hasn't been done by a card brand. AMEX's enhanced authorization message includes Internet-generated data such as the accountholder's email address. A merchant who supports the AMEX approach may see fraud detection performance improve by 30% or more. A big improvement. Unfortunately, many eCommerce merchants haven't seen the effort needed to support the AMEX enhanced authorization method as warranted because AMEX makes up such a small portion of their transaction volume.
Enter VCAS
The Visa Consumer Authentication Service is the card brand's effort to pull in the rich data available from the Internet in order to provide issuers with a more precise risk score. It does that using the existing 3-D Secure infrastructure, the one that has often required consumers, as they check out from a merchant's site, to enter their online banking credentials. From a consumer experience and merchant point of view, that's a no-no. US eCommerce merchants, in particular, have loathed the 3-D Secure process due to its negative impact on shopping cart abandonment rates. Once a fraud score invokes a separate login / password screen from a bank's online portal, it's too often "shopping game over."
VCAS lets the issuer allow low-risk transactions to proceed to the next step, authorization, without prompting the consumer for any additional information. In cases where a transaction is deemed high risk, Visa recommends that issuers use VCAS's one-time password infrastructure or a challenge / response approach.
Bank of America's SafePass is an example of an SMS-based multi-factor authentication tool. I use SafePass in specific steps of my online banking life. Should BofA integrate its SafePass method with VCAS, it could prompt me via SafePass if it sees a risky transaction. A SafePass prompt would appear, I'd say "send the text", and enter the value I receive on my mobile into the prompt box. I would not be shown an online portal window requesting my online banking credentials.
It's easier than it sounds and should provide a better user experience. I've not found SafePass inconvenient.
In implementing VCAS, Visa also recommends simply approving more transactions and putting those the issuer is uncertain about into the review queue. That's fine for physical goods or airline tickets, where fulfillment can wait for the review. It's not useful for digital products that are delivered the instant the transaction is approved.
How VCAS Works
Rather than breaking apart the existing AUTH message, VCAS operates before the traditional AUTH message. VCAS consists of two merchant-generated XML messages and two responses from the issuer.
The first message asks the issuer whether or not the account number participates in 3-D Secure. Some BIN ranges, supporting anonymous cards for example, don't participate in 3-D Secure. A Yes/No response is returned by the issuer.
If the PAN is covered by 3-D Secure, a second message is sent, requesting authentication of the transaction. The issuer then determines the risk using the VCAS-provided score together with its own risk models. If the issuer approves the transaction without needing further authentication, it returns in its positive response a Cardholder Authentication Verification Value (CAVV).
This cryptographically generated value is then placed by the merchant into the traditional AUTH message as proof of authentication back to the issuer. With the CAVV in hand, fraud liability for the transaction sits with the issuer, just as it would for a card-present point of sale transaction. This is a significant change for online retailers, who otherwise eat the merchandise loss on fraudulent e-commerce transactions.
Among the various elements it looks at, the VCAS system includes device identification inputs and historical transaction analysis in order to produce the authentication risk score. Given the abundance of data signals, Visa predicts the vast majority of transactions will be scored as low risk, avoiding the need to invoke any 3-D Secure screens.
Merchant integration isn't trivial. The merchant must deploy 3-D Secure technology either through integration within its own systems or via a third party provider. It must install a Merchant Plug-in (MPI) to establish a secure communications channel between the merchant, the network and the issuer.
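To make the flow in this section concrete, here is a small Python model of the exchange: the enrollment check (message 1), the authentication request that returns either a CAVV or a challenge (message 2), the CAVV placed into the AUTH message, and the issuer's check of it at authorization time. This is an added illustration, not Visa's or any MPI vendor's code. The BIN table, cardholder history, scoring weights, risk threshold, issuer key and the HMAC used as a CAVV stand-in are all constructed for the demo; a real issuer derives CAVVs inside an HSM and the real messages are XML, not dicts. The 3-D Secure 1.0 names for the two message pairs (VEReq/VERes and PAReq/PARes) are noted in comments for orientation only.

```python
"""Toy model of the VCAS / 3-D Secure exchange: enrollment check,
risk-based authentication with an optional OTP step-up, CAVV issuance,
and CAVV verification inside the traditional AUTH message.

Constructed example. Keys, BIN table, history, weights and message
shapes are invented for illustration, not Visa's formats or algorithms.
"""
import hashlib
import hmac

# Constructed issuer-side secret. A real issuer derives CAVVs in an HSM.
ISSUER_CAVV_KEY = b"demo-issuer-cavv-key"

# Constructed table of BIN ranges that participate in 3-D Secure.
ENROLLED_BINS = {"411111", "455555"}

# Constructed cardholder history the issuer already holds (online and POS).
HISTORY = {
    "4111111111111111": {
        "known_devices": {"dev-home-pc", "dev-phone-1"},
        "avg_amount": 45.00,
        "home_country": "US",
    }
}

RISK_THRESHOLD = 50  # at or above this the issuer steps up (OTP / challenge)


def verify_enrollment(pan):
    """Message 1 (3DS 1.0 VEReq/VERes): does the PAN's BIN participate?"""
    return pan[:6] in ENROLLED_BINS


def risk_score(txn):
    """Stand-in for the VCAS score: device and behavioural signals, 0-100.
    Weights are invented for the demo."""
    hist = HISTORY.get(txn["pan"], {})
    score = 0
    if txn["device_id"] not in hist.get("known_devices", set()):
        score += 40  # device never seen for this card
    if txn["amount"] > 3 * hist.get("avg_amount", txn["amount"]):
        score += 30  # amount far above the card's usual spend
    if txn["country"] != hist.get("home_country"):
        score += 30  # geography mismatch
    return min(score, 100)


def make_cavv(pan, amount, xid):
    """CAVV stand-in: an HMAC binding PAN, amount and transaction id to the
    issuer key. Real CAVVs are short encoded values; the binding is the point."""
    msg = f"{pan}|{amount:.2f}|{xid}".encode()
    return hmac.new(ISSUER_CAVV_KEY, msg, hashlib.sha256).hexdigest()


def authenticate(txn, otp=None, expected_otp=None):
    """Message 2 (3DS 1.0 PAReq/PARes): the issuer authenticates silently when
    the score is low, accepts a correct OTP when it is high, else challenges."""
    score = risk_score(txn)
    otp_ok = (otp is not None and expected_otp is not None
              and hmac.compare_digest(otp, expected_otp))
    if score < RISK_THRESHOLD or otp_ok:
        cavv = make_cavv(txn["pan"], txn["amount"], txn["xid"])
        return {"status": "Y", "score": score, "cavv": cavv}
    return {"status": "C", "score": score, "cavv": None}  # challenge required


def build_auth_message(txn, cavv):
    """Merchant places the CAVV into the traditional AUTH message."""
    msg = {"pan": txn["pan"], "amount": txn["amount"], "xid": txn["xid"]}
    if cavv:
        msg["cavv"] = cavv
    return msg


def issuer_authorize(auth_msg):
    """Issuer AUTH: recompute the CAVV over the AUTH fields. A match means the
    transaction was authenticated and liability stays with the issuer."""
    cavv = auth_msg.get("cavv")
    if cavv is None:
        # Plain card-not-present auth: no proof, merchant bears the fraud loss.
        return {"approved": True, "liability": "merchant"}
    expected = make_cavv(auth_msg["pan"], auth_msg["amount"], auth_msg["xid"])
    if hmac.compare_digest(cavv, expected):
        return {"approved": True, "liability": "issuer"}
    # CAVV present but does not bind these fields (tampered or replayed).
    return {"approved": False, "liability": "n/a"}


def checkout(txn, otp=None, expected_otp=None):
    """Full merchant-side flow: enrollment check, authentication, then AUTH."""
    if not verify_enrollment(txn["pan"]):
        result = issuer_authorize(build_auth_message(txn, None))
        return {"path": "not-enrolled", **result}
    auth = authenticate(txn, otp, expected_otp)
    if auth["status"] == "C":
        return {"path": "challenge", "score": auth["score"],
                "approved": False, "liability": "n/a"}
    result = issuer_authorize(build_auth_message(txn, auth["cavv"]))
    return {"path": "otp" if otp else "frictionless",
            "score": auth["score"], **result}
```

The `checkout` function is the merchant's view: a low-risk purchase from a known device never shows the consumer a screen, a risky one returns a challenge until a correct OTP is supplied, and a PAN outside the enrolled BIN ranges falls through to an ordinary card-not-present authorization with the loss staying on the merchant. The `issuer_authorize` tamper case shows why the CAVV has to bind the amount and transaction id rather than just the PAN.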
It's About the Merchant AND the Financial Institution.
Visa's been working on recruiting financial institution support for VCAS. But it's early days for merchants. They'll have work to do. And Visa isn't sharing performance metrics yet. Those metrics will vary widely depending upon the merchant category.
Given Visa's transaction footprint, however, Visa is hoping VCAS will accelerate merchant adoption of 3-D Secure technology. The liability change should help.
There is some connection to its V.me digital wallet service. The two programs share the same analytical environment using the same data sources.
VCAS is a solution for issuers. But roll-out is dependent upon merchant uptake. Visa needs issuers first, but merchants have to follow to make this useful. With EMV coming to the US, issuers are going to have to strengthen the e-commerce channel's fraud protection because, as in other EMV markets, Internet, mobile and other card not present channels will become the preferred target for fraud.
Visa's CyberSource acquisition is making inroads into Visa's mainline services set. At the time of the acquisition, CyberSource customers were able to benefit from analysis of a card number's offline, in-store, at the POS, behavior (we've got to dump that false distinction of offline and online transaction origination soon). The history of what that card number has done at the POS is now available for VCAS risk scoring. Given Visa's transaction reach across both channels and branded cards, that behavioral analysis should be meaningful to merchants.
So, for the time being, Visa's VCAS focus is on the issuers. I suppose issuers are the prerequisite participants because they have to be able to respond with the CAVV for the scheme to work. But eCommerce merchants are the ultimate users. They have to install the 3-D Secure infrastructure and build the XML files, and more, into their checkout process.
A VCAS Impact on Mobility?
If a mobile merchant integrates to VCAS, the card not present fraud liability for those transactions moves off the merchant. The issuer is liable, just as with card present, POS-based transaction origination. If that's the case, the delta between card present and card not present transaction costs starts to look less like a barrier. Card not present risk just gets better for the eCommerce and mobilized merchant. With that CAVV value in hand, both directly entered and card-on-file based transactions look better. Merchant-specific mobile apps look a lot better whether they're used at home, in the parking lot, or in the store aisle. If the checkout counter is going the way of the dodo at specialty retail, so could the merchant's own mobile POS terminal. Just let the customer handle the whole transaction. Apple's already doing that.
With a strong mobile risk model, what does that do to the NFC value proposition? If those responsible for building the NFC ecosystem don't hurry up and accelerate its growth, they might need to revisit their business plan. Again.