VERIFIED BY VISA (VbV) TECHNICAL OVERVIEW
Verified by Visa is an authentication tool that is intended to validate that the authorized credit card holder is the one actually attempting to make a purchase. The key benefit to this program for merchants is that it provides a liability shift for covered transactions.
Key considerations when implementing or buying this functionality include:
The current consumer authentication tools offered by Visa are meant for and work only on e-commerce transactions. You need to have fraud processes to handle your MOTO traffic.
For these programs to work, the merchant, issuer and acquiring bank must all be participating in the program. Make sure your acquiring bank is set up to support the e-commerce indicator (ECI), and check on their certification requirements.
You still need to perform other fraud checks. This tool only covers certain Visa transactions. There are legitimate cases in which you may not be able to complete the authentication process with the consumer and you still need to make sure overall fraud rates are kept within standards.
Companies doing little transactional volume should consider using an outsourced service bureau to perform this service.
Make sure you are checking and providing all of the correct data points: you have to flag the order as e-commerce with the ECI, check the AVS, check for enrollment and show that the order was checked for enrollment, and supply the CAVV/AVV and the XID (the unique transaction number).
You will have to get a digital certificate from Visa, which takes about two weeks. See your acquiring bank to get the form.
HOW DOES IT WORK?
The process used by the consumer authentication services to authenticate consumers is pretty simple. The consumer enrolls with the issuing bank and is given a password, PIN or device to authenticate themselves. When the consumer makes a purchase online, the consumer is asked to give that password, PIN or device to authenticate. Depending on issuer implementations and mandates in certain countries, two-factor authentication (2FA), a one-time password (OTP) or other dynamic authentication mechanisms may be required.
The purchase sequence can be broken down into five stages. First, the consumer goes through the check-out procedure the same way they do today, providing the same data fields they do today. When the buy button is pressed, the merchant's system, using commercially available software, sends a message to Visa and the card issuer to find out whether the consumer is participating in the VbV authentication program. If the consumer is participating in the program, the service will send a pop-up window to the consumer. The pop-up looks like it is coming from the consumer’s issuing bank. The pop-up asks the consumer to enter their password, OTP or PIN. The issuing bank then validates this password or PIN and returns the results to the merchant.
The benefit to merchants is that transactions covered by Verified by Visa shift the liability for fraud losses from the merchant to the card issuer. However, the requirements for eligible transactions can differ by region or country. Since 2003, Verified by Visa has provided a liability shift for transactions when the consumer authenticates through VbV, and also for transactions where the merchant attempts VbV authentication but the consumer is not enrolled in the program. However, if the consumer is enrolled but cannot authenticate, you get no liability shift.
Only certain reason codes are covered for the liability shift with Verified by Visa. These include:
Reason Code 83 - Fraudulent Transaction CNP
Reason Code 75 - Cardholder Does Not Recognize Transaction
Reason Code 23 - Invalid Travel & Entertainment
Reason Code 61 - Fraudulent Transaction MO/TO/EC
Several countries have mandates related to Verified by Visa. In the UK, Visa Europe requires all issuers to use dynamic tokens for their VbV implementations. In Italy, all online merchants must implement Verified by Visa. In Australia, all card issuers will be required to enroll Visa cardholders in VbV by April 2013.
From a security perspective, all communication between the consumer and the issuing bank is secured. You as a merchant will not see or ask for this password. The pop-up window the end user receives contains a secret message that only the consumer knows, which shows the consumer that the pop-up window is real and not a fake that someone made to try to steal their password.
There has been a fraud case in which fraudsters acquired account information and then called the issuing bank and changed the address information and signed up for Verified by Visa. The fraudsters then made a lot of fraudulent transactions. But merchants will be covered as long as they followed the rules.
HOW DO YOU USE THE RESULTS?
For Visa orders, when you are using this technology, you should implement the following:
For orders in which the consumer is participating in the program, the order type is a covered type, and the consumer successfully authenticates, accept the order.
For orders in which the consumer is not participating in the program, the order type is a covered type, the merchant has checked for enrollment, and the order characteristics are within their normal order tolerances, accept the order.
For orders in which the consumer is not participating in the program, the order type is a covered type, the merchant has checked for enrollment, and the order characteristics are not in line with their normal orders, review the order or perform further fraud checks favoring sales conversion.
For orders in which the consumer is participating in the program, cannot successfully authenticate and the order characteristics are in line with their normal orders, perform other fraud-screening checks or manually review the order favoring risk aversion.
For non-covered orders perform traditional checks.
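The routing rules above, together with the data points and liability-shift conditions described earlier, can be expressed as one decision function. This is an added example, not code from Visa or from the original overview; the record type, field names and function names are hypothetical. It assumes that a failed enrollment lookup or a missing data point means no shift is claimed, and that an enrolled cardholder who cannot authenticate is reviewed the same way whether or not the order looks normal.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple

class Action(Enum):
    ACCEPT = "accept"
    REVIEW_FAVOR_CONVERSION = "review, favoring sales conversion"
    REVIEW_FAVOR_RISK_AVERSION = "review, favoring risk aversion"
    TRADITIONAL_CHECKS = "traditional fraud checks"

@dataclass
class VbvOrder:  # hypothetical record; field names are not from any Visa API
    covered: bool                  # order type is eligible for the program
    enrollment_checked: bool       # merchant attempted the enrollment lookup
    enrolled: Optional[bool]       # None: lookup could not be completed
    authenticated: Optional[bool]  # None: cardholder was never challenged
    avs_checked: bool
    eci: Optional[str] = None      # e-commerce indicator
    cavv: Optional[str] = None     # CAVV/AVV returned by authentication
    xid: Optional[str] = None      # unique transaction number

def missing_data_points(o: VbvOrder) -> List[str]:
    """Names of the data points listed in the overview that are absent."""
    present = {"ECI": o.eci, "CAVV/AVV": o.cavv, "XID": o.xid,
               "AVS": o.avs_checked, "enrollment check": o.enrollment_checked}
    return [name for name, value in present.items() if not value]

def decide(o: VbvOrder, within_tolerance: bool) -> Tuple[Action, bool]:
    """Return (action, liability_shift_expected) for a Visa order."""
    # Assumption: a non-covered order, a skipped enrollment check or a failed
    # lookup all fall back to the merchant's ordinary screening, with no shift.
    if not o.covered or not o.enrollment_checked or o.enrolled is None:
        return Action.TRADITIONAL_CHECKS, False
    # Enrolled but not authenticated: no liability shift. The overview only
    # covers the in-tolerance case; handling the other the same is assumed.
    if o.enrolled and not o.authenticated:
        return Action.REVIEW_FAVOR_RISK_AVERSION, False
    # Assumption: without the full evidence set, do not rely on the shift.
    if missing_data_points(o):
        return Action.TRADITIONAL_CHECKS, False
    if o.enrolled:
        return Action.ACCEPT, True
    # Not enrolled, but enrollment was checked: the shift applies either way.
    if within_tolerance:
        return Action.ACCEPT, True
    return Action.REVIEW_FAVOR_CONVERSION, True
```

The second element of the result records whether the merchant should expect the liability shift, which is worth storing with the order alongside the ECI, CAVV/AVV and XID for later chargeback handling.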