Incentives are boosting retailers’ acceptance of the password-protected payment plans
By Lauri Giesen
The retailer verdict on Visa’s Verified by Visa and MasterCard’s SecureCode?
So far, Internet retailers report, these programs look promising in terms of
reducing fraudulent credit card transactions and increasing consumer confidence
in shopping online. But there are still bugs to be worked out and more cards
need to be involved before the real benefits can be gained.
The two programs initiated by Visa and MasterCard require consumers to enter
a password when making a credit card purchase online. The password authenticates
the identity of the cardholder. For retailers, these programs hold a number
of potential benefits. For starters, MasterCard and Visa are optimistic that
they can reduce fraudulent transactions by preventing a shopper from using someone
else’s card number without permission. For another, they believe that consumers
who had held back on shopping online due to fraud concerns will go ahead if
they know their card numbers are protected.
Even beyond such theories, there are some up-front benefits for participating
retailers. Visa promises that retailers will no longer be responsible for fraudulent
transactions on sales run through the program, even when the issuer does not
participate, as long as the retailer does its part. Furthermore, Visa is offering
a lower interchange rate to retailers on transactions secured by its program—5
basis points below the standard card-not-present rate. MasterCard offers protection
when both issuer and retailer participate. MasterCard won’t discuss its interchange
rate.
Increasing participation
But for both programs to reach their full potential, a large number of card
issuers, cardholders and retailers need to participate. And some view that as
the biggest obstacle. Still, Visa, which got the jump on MasterCard by implementing
its program a little more than a year ago, reports that worldwide, 7,000 merchants
are participating. In the U.S., Visa has 3,000 merchants with 9,000 issuers
who have 200 million to 250 million cards registered in the program out of 450
million Visa cards in the U.S. MasterCard reports 9,000 worldwide merchants
participating in SecureCode with 2,511 issuers worldwide.
But the number of registered cards is different from the number of participating
cards, critics say, and that’s where retailers’ biggest complaint lies. For
a card account to participate in Verified by Visa or MasterCard SecureCode,
the cardholder must choose a password and then remember to use it when making
an online purchase. Not enough cardholders are participating to make the programs
meaningful, some critics say.
There are other problems as well. Some retailers say credit card issuers are
still making errors in authorizing transactions—such as rejecting sales because
the address given by the purchaser did not match the incorrect address in the
issuer’s files even if the password is correct. Furthermore, retailers with
very high fraud rates can’t even participate in Visa’s program because the association
requires that participating retailers not be on Visa’s “watch list” of merchants
with excessively high chargebacks and fraudulent transactions. To make that
list, a retailer has to have at least 100 chargebacks per month and a monthly
chargeback rate of at least 1% of all transactions for four months. “The retailers
who need this the most aren’t even eligible to participate,” says Avivah Litan,
consultant with Stamford, Conn.-based Gartner Group.
Visa executives say there are currently only five retailers in the U.S. on
the watch list. Furthermore, Visa explains that the average online chargeback
rate in the U.S. is 0.3% and a retailer would have to have more than three times
the average rate to be kept out of the program. “We know there are retailers
out there that have processing problems and we’re telling them to clean up their
problems first and then they can participate,” says Jim McCarthy, Visa USA senior
vice president of emerging products.
Learning from own experience
But despite their complaints, many retailers say these programs are catching
fraudulent transactions, citing their own cases of criminals being caught trying
to use a registered card without the proper password. Furthermore, participating
retailers say they spend fewer resources checking out transactions authorized
through the programs and therefore more time investigating other transactions
that have a greater potential to be fraudulent. Finally, retailers say there
are indications that consumers are more comfortable shopping online when they
know their card numbers are protected.
“The market adoption is finally getting there,” says Jeff Foster, executive
vice president of Retail Decisions, a company that works with retailers to reduce
payment fraud. “Six months ago, that was not the case as everyone was waiting
for someone else to try it first. But the early retailers have proven it can
be effective and now we see a lot more retailers giving it a try.”
Foster says many retailers were initially concerned that they would see high
abandonment rates because consumers would forget their passwords and give up
on trying to make a purchase. But he says early indications are that the programs
are not causing higher abandonment rates at participating retailers.
Part of that success in reducing abandonment can be traced to efforts to make
the procedure less cumbersome. “We’ve streamlined the process,” says Bruce Rutherford,
vice president of e-business and emerging technology for MasterCard. “In our
early versions, we had separate pop-up windows for consumers to enter their
passwords. But there was a push to integrate the password request into the same
form that consumers fill out to make their purchase. By not requiring another
form, we think we have reduced the risk of abandonment.”
Visa also originally had merchants using pop-up windows for authorization
and while most retailers have since integrated the password request into their
order forms, Visa is urging the remainder and their payments processors to follow
suit. McCarthy admits pop-up windows can cause consumer confusion or represent
another step that some consumers just won’t take.
Strength in simplicity
Indeed, the simplicity of the programs is one of their strong points. “There
is a challenge ahead of both of them to stimulate adoption, but this is definitely
the right approach,” says James Van Dyke, founder and principal consultant with
Javelin Strategies and Research, San Francisco. “Earlier approaches to offering
secure payments over the Internet failed because they either required an arduous
software installation or they were limited as to what types of computer systems
they could operate on or they required too much work on the part of consumers.”
And outweighing concerns over abandonment is a bigger concern that a lot of
consumers—as high as 40%—aren’t shopping online because they are afraid such
purchases make them vulnerable to identity theft. Giving them added security
is likely to bring more shoppers online and encourage shoppers who had limited
their online purchases to a few retailers they trusted to expand their online
shopping options. “There is no question that the volume of online retail purchases
would be much higher if more consumers were comfortable with shopping online,”
Van Dyke says.
Overall, Foster says, retailers are finding the programs effective in reducing
fraud, but only if those retailers are using other methods to fight fraud as
well. “Everyone is looking for a silver bullet that is going to solve all their
problems and that just isn’t going to happen,” Foster says. “If you sign up
for Verified by Visa and MasterCard’s SecureCode but don’t do anything else
to effectively monitor your fraudulent transactions, it won’t do you any good.
But as part of an overall fraud strategy, these programs can offer additional
protection.”
The retailers’ perspective
But while Foster says Visa and MasterCard have oversold the program by claiming
they will solve all or at least most of the problems retailers face with online
fraud, executives of those card companies say their programs were never intended
to be the sole answer to fraud. “We tell merchants that they need to take other
steps as well to reduce the hacker attacks on their database,” Rutherford says.
“We can help them develop the other tools they need to reduce their vulnerability.”
Because Verified by Visa has been in the market longer, more retailers have
had sufficient experience with it to be able to point out the benefits and weaknesses,
while MasterCard’s SecureCode is still viewed as an unknown. The reaction to
Verified by Visa has been mixed.
One retailer impressed with the program is Joseph Parker, director of loss
prevention of GoodGuys.com, an online seller of electronics. While the retailer
had to temporarily suspend the program due to implementing changes in the site’s
database software, Parker says, “We can’t wait to get back on board.”
Unlike other retailers, GoodGuys.com hasn’t had a problem with limited consumer
use. “When we first went live, only about 5% to 10% of our sales transactions
were coming across with Verified by Visa. But within a week, we were up to 30%
and were up to 50% on some days.”
GoodGuys.com has had no evidence of customer abandonment and customer feedback
has been positive, Parker says. Most important, Good Guys finds it can spend
less time investigating the Verified by Visa transactions than others. “It makes
our job easier,” Parker says. “When we see that Verified by Visa seal, we know
it doesn’t have to be scrutinized as thoroughly.”
Less enamored with the program is Les Schwartz, president of AIM Marketing,
which sells investment books and services online. He likes the concept of the
program but has found so few of his customers have cards registered for the
program that the effect is negligible.
All or nothing
“I’d love for this program to work, but it has to be all or nothing,” Schwartz
says. “If I can’t insist that all my customers use this—and most of them have
cards through banks that aren’t even participating—then it is worthless to me.”
Schwartz was further frustrated when he tried to sign up several of his own
personal credit cards and found the issuers were not participating.
In the middle is Sofia Volpov, president of 1010Tires.com Inc. While Volpov
says Verified by Visa overall has been “useful” and that 50% to 60% of total
sales orders are coming across with the Verified by Visa seal, it hasn’t been
without problems.
1010Tires has used the program to prevent instances of outright fraud—such
as several situations where criminals tried to use cards that were registered
but were prevented from making a purchase when they didn’t know the password.
But Volpov says problems still result when issuers give a lot of “qualified”
approvals. Volpov says when she gets a Code 5 notification from a card issuer,
the transaction is approved unconditionally. But she says she often gets Code
6, which indicates the transaction is somewhat vulnerable to problems. “The
problem is that we get way too many Code 6s and not enough Code 5s,” Volpov
says.
McCarthy, however, explains that Code 6 is most likely an indicator that the
cardholder has not registered and used a password, and while Visa and issuers
want to get more Code 5s than Code 6s, the important thing to the merchant is
that they get full liability protection and lower interchange with either authorization.
Another retailer reports that while his company has evidence that more customers
are using the program to shop online, the effectiveness of the program has been
tarnished by instances where approvals were denied by issuers that did not have
correct information. In several such cases, issuers have used old files without
the correct addresses and as a result, denied approvals because the addresses
didn’t match.
Furthermore, notes Litan, the Gartner consultant, for these programs to succeed,
issuers need to train their staffs thoroughly. She recounts calling her card
issuer to question an online purchase that appeared on her own statement. When
she explained that her card was protected by Verified by Visa, the employee
she spoke to did not know what Verified by Visa was. “This has the potential
to be a great service, but issuers have to make sure everyone in their organization
knows about it and gets behind it,” she says.
Most of the retailers that have signed up for Verified by Visa thus far have
been big retailers that have the internal resources to develop the software
links to participate. One of Visa’s priorities now is to work with the large
merchant payment processors and card acquirers to develop common links that
can be used by the small retailers they serve. Wells Fargo Bank, for example,
announced in early December it was developing a link to Verified by Visa for
its global payment gateway to assist retailers for which it provides payments
processing services.
Smart cards
While the password programs are all similar, including the new one announced
by JCB Co. .Ltd. (see box), there are some differences in the rules. All three,
for instance, use the same 3D secure card standard for password-protected transactions.
But outside of the U.S., MasterCard will begin using a smart card-based system
right away.
MasterCard’s European cardholders can use smart card readers as part of their
approval. In this case, cardholders insert their cards in a reader attached
to their computer and enter their password. The reader will determine the identity
of the user offline, then send an encrypted message to the issuer. Already,
two European institutions are piloting the smart card version. For U.S. retailers
selling in Europe, the transactions will all look the same. “The retailer will
never know if a smart card was used,” Rutherford says.
By contrast, while Verified by Visa is smart-card compatible, no issuers are
using smart cards for Internet authentication today and there are no immediate
plans for any to do so. If smart cards are used in the future, they will look
the same as other transactions to the merchant, McCarthy says.
In other rules differences, MasterCard is only giving liability shifts in
the U.S. on transactions on “fully authenticated transactions”—where both the
card issuer and the merchant are participating in the program. And it will allow
all merchants to participate, even those with high chargeback levels.
While MasterCard got started about a year behind Visa, the next year will
be crucial. “We know this won’t happen overnight, but the next two years will
be critical to driving adoption.” Rutherford says.
And for many retailers, greater consumer adoption is what they want most.
Lauri Giesen is a Libertyville, Ill.-based freelance business writer.
JCB joins the password movement
Even though password-protected Internet transactions have still to be proven
in the marketplace, other card organizations are going ahead with similar initiatives.
The latest: Japan-based JCB Co. Ltd. in November announced its J/Secure program
after observing the Visa effort. “We saw this year that merchants were embracing
Verified by Visa and wanted to go ahead with a similar program,” says Julie
Kruger, JCB vice president. JCB will begin its rollout in Japan and Korea in
January and move to U.S. cardholders in the second quarter.
JCB has 48 million cards, 45 million of which are in Japan. Most of the U.S.
cards are corporate cards issued to American employees of Japanese companies.
And unlike Visa and MasterCard, which have to persuade thousands of card issuers
to get on board with their programs, JCB’s job will be easier because it issues
about half of the 48 million cards itself. The remainder are issued by partnering
financial institutions.
