What’s 3D Secure costing your business?

Amleto Montinari
Director of Strategy
Chase Paymentech Europe Limited

Chase Paymentech Europe Limited, trading as Chase Paymentech, is a subsidiary of JPMorgan Chase Bank, N.A. (JPMC) and is regulated by the Central Bank of Ireland.

Background to Chase Paymentech

200+ Years
15 Years
50% of global ecommerce transactions*
222 500 Merchants

*approximately based upon 2009 figures

Agenda


Benefits and Challenges of 3D Secure

Discovering if there is a trend involving 3D
Secure

Reviewing present challenges and future
developments
Let’s look at the costs of fraud.....

Man hours; Potential for Chargebacks
RFI associated costs
Chargeback costs
False Positives; Lost revenue; Man hours; Potential fines; Potential inability to process cards

Fraud Management Systems are the answer to fraud management…or are they?

Lost Product; Requests for Information; Chargebacks

But Some Say…

Cardholder Authentication is the answer
“CNP fraud dropped in the UK by 19% to £266.4m in 2009”

And Others Say…

While The Data Say…

[Chart: Relation between 3D Secure Enrollment and Lost checkouts. Vertical axis: Dropped checkout rate because of Secure Enrollment (0% to 25%). Horizontal axis: Cancel Button Hit Rate for 3D Secure Enrollment – Liability Shift Still Applies (0% to 70%). Countries plotted: Spain, Australia, France, Germany, United States, Canada, Italy, United Kingdom.]

The Efficient Markets – 3D Secure enrolment is mandated and customers enrol
Merchant Positive – 3D Secure enrolment is not mandated and customer awareness does not matter as customers do not have to enrol
Merchant Negative – 3D Secure enrolment is mandated and customers do not enrol

Agenda


Benefits and Challenges of 3D Secure

Discovering if there is a trend involving 3D
Secure

Reviewing present challenges and future
developments
Is There a Trend?

Maestro UK & EU • 2008
India • 2009
Italy • 2009
Singapore • 2010
Sweden • 2010
Amex • 2011
France • Next one?

Learn to live with 3D Secure

Agenda


Benefits and Challenges of 3D Secure

Discovering if there is a trend involving 3D
Secure

Reviewing present challenges and future
developments
“Technical” challenges
Consumers like authentication
No visibility on results

1. Technical Challenges

[Diagram: 3D Secure message flow between Cardholder, Merchant, ACS, 3D Secure Directory, Issuer and Acquirer.
Authentication: Card#; PAReq to ACS; PARes with AAV; SecureCode; AAV.
Authorization: AAV in UCAF field; 0100; EPS-Net; 0110.]

1. 3DS chargeback liability matrix

Visa
  o Reason Code 75 – Cardholder Does Not Recognize Transaction
  o Reason Code 83 – Fraudulent Transaction, Card Not Present
MasterCard & Maestro
  o Reason Code 37 – No Cardholder Authorisation
  o Reason Code 63 – Cardholder Does Not Recognize Transaction

Consumer Cards: Applies when:
  1. Authorization Request is Approved
  2. ECI 5 (Fully Authenticated) or ECI 6 (Authentication Attempted) is performed and,
  3. CAVV (Visa “Card Authentication Verification Value”) or AAV (MasterCard “Accountholder Authentication Value”) is obtained with an ECI of 5. Not required for ECI of 6.
  4. √ = Chargeback Liability Shift for Visa, MasterCard and Maestro.

Rows: Merchant Location. Columns: Card Issuance Location.

| Merchant Location | United States | Canada | European Union | Central Europe, Middle East & Africa | Latin America. So. America and Caribbean | Asia Pacific |
|---|---|---|---|---|---|---|
| United States | √* | √ | √ | √ | √ | √ |
| Canada | √ | √ | √ | √ | √ | √ |
| European Union | √ | √ | √ | √ | √ | √ |
| Central Europe, Middle East & Africa | √ | √ | √ | √ | √ | √ |
| Latin America. So. America and Caribbean | √ | √ | √ | √ | √ | √ |
| Asia Pacific | √ | √ | √ | √ | √ | √ |

* As of 14 October 2011 for MasterCard and Maestro

1. 3DS chargeback liability matrix contd.

Commercial Cards: Applies when:
  1. Authorization Request is Approved
  2. ECI 5 (Fully Authenticated) is performed. (ECI 6 DOES NOT provide liability shift except as noted) and,
  3. CAVV (Visa “Card Authentication Verification Value”) or AAV (MasterCard “Accountholder Authentication Value”) is obtained with an ECI of 5. Not required for ECI of 6.
  4. √ = Chargeback Liability Shift for Visa, MasterCard and Maestro.

Rows: Merchant Location. Columns: Card Issuance Location.

| Merchant Location | United States | Canada | European Union | Central Europe, Middle East & Africa | Latin America. So. America and Caribbean | Asia Pacific |
|---|---|---|---|---|---|---|
| United States | √ | √ | √ | √ | √ | √ |
| Canada | √ | √ | √ | √ | √ | √ |
| European Union | √ | √ | ECI 5 or 6 – MC and Visa | √ | √ | √ |
| Central Europe, Middle East & Africa | √ | √ | √ | ECI 5 or 6 – MC Only | √ | √ |
| Latin America. So. America and Caribbean | √ | √ | √ | √ | ECI 5 or 6 – MC Only | √ |
| Asia Pacific | √ | √ | √ | √ | √ | ECI 5 or 6 – MC and Visa |

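The two liability matrices above can be applied as a merchant-side check over transaction records. This is an added example, not code from the presentation: the `Txn` record, its field names and the region codes (US, CA, EU, CEMEA, LAC, AP) are hypothetical. It uses the slides' ECI 5/6 numbering for both schemes and does not model the 14 October 2011 footnote.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Commercial cards: same-region cells of the matrix where ECI 6 also shifts
# liability, mapped to the schemes named in that cell.
COMMERCIAL_ECI6 = {
    "EU": {"visa", "mastercard"},
    "CEMEA": {"mastercard"},
    "LAC": {"mastercard"},
    "AP": {"visa", "mastercard"},
}

@dataclass
class Txn:                        # hypothetical merchant-side record
    txn_id: str
    scheme: str                   # "visa" or "mastercard"
    card_type: str                # "consumer" or "commercial"
    merchant_region: str          # US, CA, EU, CEMEA, LAC or AP
    issuer_region: str
    approved: bool                # authorization request approved
    eci: Optional[int]            # 5, 6, or None when 3DS was not run
    auth_value: Optional[str]     # CAVV (Visa) or AAV (MasterCard)

def liability_shift(t: Txn) -> Tuple[bool, str]:
    """Apply the slides' conditions in order; return (shifted, reason)."""
    if not t.approved:
        return False, "authorization not approved"
    if t.eci not in (5, 6):
        return False, "no ECI 5 or ECI 6 on the transaction"
    if t.eci == 5 and not t.auth_value:
        return False, "ECI 5 without CAVV/AAV"
    if t.card_type == "consumer" or t.eci == 5:
        return True, "conditions met"
    # Commercial card with ECI 6: only the noted same-region cells qualify.
    same_region = t.merchant_region == t.issuer_region
    if same_region and t.scheme in COMMERCIAL_ECI6.get(t.issuer_region, set()):
        return True, "commercial ECI 6 exception"
    return False, "commercial card: ECI 6 gives no shift here"

def audit(txns: List[Txn]) -> List[Tuple[str, str]]:
    """Return (txn_id, reason) for every transaction left without a shift."""
    findings = []
    for t in txns:
        shifted, reason = liability_shift(t)
        if not shifted:
            findings.append((t.txn_id, reason))
    return findings

# Constructed sample records, not real transactions.
SAMPLE = [
    Txn("t1", "visa", "consumer", "EU", "US", True, 6, None),
    Txn("t2", "mastercard", "commercial", "EU", "EU", True, 6, None),
    Txn("t3", "visa", "commercial", "CEMEA", "CEMEA", True, 6, None),
    Txn("t4", "mastercard", "consumer", "US", "CA", True, 5, None),
    Txn("t5", "visa", "commercial", "US", "EU", True, 5, "CONSTRUCTED-CAVV"),
    Txn("t6", "visa", "consumer", "EU", "EU", False, 5, "CONSTRUCTED-CAVV"),
]

if __name__ == "__main__":
    for txn_id, reason in audit(SAMPLE):
        print(txn_id, reason)
```
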
2. Fraud Alert Reports

3. Cardholders are looking for signs of security

| Statement | N = 546 | N = 548 | N = 536 | N = 576 |
|---|---|---|---|---|
| Special security code | 88% | 84% | 77% | 82% |
| Security symbol in browser | 83% | 87% | 84% | 83% |

Q20: To what extent do you agree with each of the following statements?
  • When making an online purchase I prefer entering a special security code to ensure safety of my payment details.
  • When making an online purchase I expect to see a security symbol in my browser.

Something Is Moving

After entering user ID and a password, a transaction can only be completed with another password...

Static Password: Password is provided to you by your bank and is linked to your credit or debit card

Dynamic password, OTP device: Dynamic password is generated by entering your credit or debit card in a card device (OTP), or use a security or access code device

Dynamic Password, built-in OTP device: Dynamic password is generated by your card which has a keypad and LCD screen embedded into it

Dynamic Password via SMS: Dynamic password (TAN-code) is generated via SMS sent to your mobile phone.

Summary
Questions?




             April

Editor's Notes

  • #6 So you deploy a Fraud Management System and all your problems go away. But do they? Your costs increase, and the nature of your changes. You need a higher ladder. You could add Session Behavior to this list, which is the 20 ft wall.....until fraudsters start to act more like normal customers. All in all, your costs are now significant in terms of people and technology solutions.
  • #7 Both Visa and MasterCard suggest that now over 60% of total transactions in the UK are fully authenticated 3DS. A key part of the answer is cardholder authentication as a standard practice for all Card Not Present transactions. This is the first ever decrease since 1999. This decrease is due to the increasing use of sophisticated fraud screening detection tools as well as the continuing growth in the use of MasterCard SecureCode and Verified by Visa”. So if every Merchant deployed 3DS, Merchant fraud would cease to exist. It would be like the Retail sector post Chip and PIN. Is it as simple as this? I will come back to this theory and how the law of unintended consequences is a factor.
  • #8 Search for 3DS s c c and you get the following. You don’t get Visa website, you don’t get MC. So now we have seen the 2 schools of thought. Which is correct? Here comes the math.
  • #9 We presented this in Amsterdam 1 year ago and we got a lot of feedback and requests to repeat because it was the first time quantitative analysis had been reported. The data set for this analysis was based on Merchants offering 3DS, not on all e-comm. Consi – u in the room? Efficient markets – cardholders must enrol after X times, usually 3 – ADS – where Merchant offers 3DS. Merchant Positive – cardholders do not have to enrol, but many Issuers do not participate or don't force c/h to enrol – can click on cancel button 10 times and nothing happens. Merchants can still decide on how to proceed, but bear in mind that Merchants get liability shift if Issuer does not participate. Merchant Negative – difference to UK and CA is cardholder behavior. Also, Issuers much less efficient. Spanish Issuers asking for 4 digit PIN (Chip and PIN pin).
  • #11 Looks like a global trend mandated by a combination of Govts, Regulators and Card Schemes. In UK for example, we know the Home Office includes e-comm fraud in crime stats. Isn't this an easier crime to fix than murders? Mandate the authentication of all e-comm txns. It's becoming reminiscent of Chip and PIN. The reality. So what is happening where 3D Secure has been mandated? ITALY: Merchants don’t offer it in many cases. SWEDEN: originally declined all transactions without 3D Secure and now consumers know what to do (hopefully). UK: In the UK can almost be considered as a standard practice for consumers. INDIA: Card Schemes contacted by the Central Bank of India because some merchants did not offer it.
  • #14 Here are some fundamental points to agree on: Technical challenges: The technical implementation across the chain is not homogenous and can create issues for consumers. No visibility on how good 3D is: everybody knows the bad things, but many unknowns exist. How much of the drop at checkout is generated by fraudsters that cannot simply complete the authentication steps – unknown! What is the real drop at checkout if we exclude the fraudsters? Unknown! How much money is a company effectively saving because of the implementation of 3D Secure? Can be known, but how many really do? Consumers like to go through some sort of authentication, simply what is in place might not be the appropriate way of doing it.
  • #20 Kevin Smith plug – he has one that works. Card Schemes and Issuers have recognised that static passcodes are weak because they rely on humans. You and I talking, what if card is stolen, still need PIN, but if you get it, can now do retail and e-comm fraud. PIN written on card, post-it note attached to card, ATM etched with PIN, AIB codecard.
  • #21 Can be a positive strategy to adopt to decrease fraud. Can be a negative strategy outside of the UK if you focus on consumer experience. But in some places and for some cards must be done! And like it or not it is here to stay. Improvements are under way to deal with the issues, but it still must be mandated to increase its adoption because the advantages of doing it vs. not are not clear at all. So what is the position of a merchant that does not offer 3D Secure today?