If you’ve bought anything online in the past ten years, you’ve probably seen the Verified by Visa box flash up during the checkout process.
If you can remember the obscure password you set six months ago, you type it in and carry on with your transaction. If you can’t remember it, well, that’s a different story entirely.
However, even though most online consumers have come across Verified by Visa, very few can actually explain what it is and how it works.
In this article, I’m going to dig a little deeper into Verified by Visa and card security systems in general.
So, if you want to know what’s going on in your checkout process, read on!
What is 3D Secure?
3D Secure is the umbrella term for a group of fraud prevention systems offered by card issuers. The main systems are Verified by Visa from Visa, MasterCard SecureCode from MasterCard and SafeKey from American Express.
The three Ds in 3D Secure stand for three domain servers, meaning that there are three parties involved in the verification.
- The merchant (e.g. Waitrose, Cineworld, Costa Coffee, etc.)
- The acquiring bank (Barclays, HSBC, Natwest, etc.)
- The card issuer (Visa, MasterCard, American Express, etc.)
The final party, not name-checked in the name, is the customer or cardholder. But, from a technical perspective at least, they aren’t all that important.
Generally speaking, 3D Secure systems sit on top of normal online payment protocols and deliver enhanced card security checks.
However, how they work and what they require of the customer varies between each service.
And that brings us on to the focus of the article — Verified by Visa.
What is Verified by Visa?
Verified by Visa is the 3D Secure service from — surprise, surprise — Visa. It’s probably the most well-known fraud prevention service in the UK and caused quite a furore when it launched in the early 2000s.
The purpose of Verified by Visa is simple: to protect you from fraudulent card usage at its member websites in Europe.
Quick definitions out the way, it’s time to jump into the nitty-gritty and discuss how Verified by Visa works.
How does Verified by Visa work?
Here’s the super simple version.
Once a customer enters their Visa card details, the Verified by Visa protocol whirs into action. The message box pops up and the customer is asked for additional security information — usually their Verified by Visa password or a single-use code sent to their phone.
If the information you provide is correct, the transaction proceeds as normal.
However, if the information is wrong, the transaction is declined.
In reality, the Verified by Visa process is a bit more complicated than that. If you’re interested in the (slightly) more complicated version, here’s how it works according to Visa.
- The cardholder enters his or her Visa payment details.
- The merchant’s 3D Secure service provider packages the message with the transaction data and delivers it to the issuer via an authentication request.
- The transaction is risk assessed. If the transaction is low risk, no additional customer verification is required. If the issuer’s 3D Secure service provider determines the transaction is high risk, it will prompt the cardholder to verify his or her identity by providing a password.
- The issuer sends the authentication result to the merchant.
- The merchant submits the transaction for authorisation with a flag indicating the authentication result.
So that’s a crash course on how Verified by Visa works. Now it’s time to talk about whether customers in the real world appreciate the extra security.
Does Verified by Visa hurt conversion rates?
When Verified by Visa first launched back in the early 2000s, consumers really didn’t know what to make of it. It disrupted the online checkout process (which they had only just got to know) and caused a lot of customers to jump ship.
Writing for the Guardian, consumer finance journalist Miles Brignall explained the problem.
[Verified by Visa] has been criticised by cardholders who have complained about being asked to hand over card numbers and other security details to a website that pops up when they are making transactions. Understandably, many people shun the Verified by Visa box for fear that it’s a fraud.
For online merchants, that’s pretty much the worst thing that could happen.
You’ve attracted visitors, wowed them with your website and persuaded them to buy something. They get all the way through the checkout process and plug in their payment details. Then Visa throws up a nasty verification box and your potential customer disappears.
Customers were confused by Verified by Visa and conversion rates tumbled.
However, that was ten years ago.
After another decade of development, the Verified by Visa process is much slicker now. Instead of throwing up a spammy pop-up window, it’s usually integrated into the payment page. It’s part of the checkout process rather than a confusing bolt-on.
Plus, as I mentioned before, Verified by Visa no longer delivers checks on every single transaction. Instead, it will analyse the risk profile of the transaction and decide if it warrants extra checks. Nowadays, less than 5% of transactions where 3D Secure could be applied are actually subjected to 3D Secure checks.
This refinement has led to abandonment rates dropping significantly.
Will PSD2 affect Verified by Visa?
The Second Payment Services Directive (PSD2) entered into force in January 2016 and requires all payment service providers to make substantial changes to their operations before the January 2018 deadline.
Importantly, the PSD2 includes a mandate to perform Strong Customer Authentication (SCA) before initiation of the payment. And what is SCA? Let’s borrow the definition from Visa’s own white paper Securing Internet Payments.
The definition of SCA in the EBA Guidelines is based upon the core principles of something a customer knows, something a customer has and something a customer is. The EBA expects two out of three of these factors to be used in authentication (i.e. two-factor-authentication).
In addition to the two-factor authentication defined above, the EBA Guidelines also require that “[a]t least one of the elements should be non-reusable and non-replicable (except for inherence), and not capable of being stolen via the internet”.
This requires the use of so-called “one-time-passwords”.
So, does Verified by Visa meet the PSD2 requirements or will online merchants need to look elsewhere?
According to Visa, Verified by Visa ticks all the PSD2 boxes.
Back in May, Visa announced a raft of updates to its Verified by Visa program to make it compliant with the new regulations.
Mike Lemberger, Head of European Product and Solutions Europe, said:
By helping to lead the development of 3DS 2.0, we are able to offer an enhanced authentication service that makes these payments both faster and more secure. For European retailers, this helps address the ongoing challenge of reducing cart abandonment in an e-commerce market. This update also provides all the necessary tools to ensure PSD2 compliance for card payments – a major benefit which should not be underestimated.
It’s also worthwhile pointing out that there are some exceptions to the SCA, allowing you to use “alternative methods of authentication”.
Transactions are exempt from performing SCA when:
- The transaction is under 30 euros
- The risk analysis pre-identified a low-risk transaction
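The SCA rule quoted above and the two exemptions can be written as a single check. This is an added example, not code from Visa or the EBA: the `Element` fields, the sample elements and the reading of "(except for inherence)" as waiving only the non-reusable requirement are assumptions.

```python
from dataclasses import dataclass

CATEGORIES = {"knowledge", "possession", "inherence"}
LOW_VALUE_LIMIT_EUR = 30  # exemption threshold stated in the article


@dataclass(frozen=True)
class Element:
    name: str
    category: str                    # one of CATEGORIES
    single_use: bool = False         # non-reusable and non-replicable, e.g. a one-time password
    internet_stealable: bool = True  # could be captured remotely and replayed


def satisfies_sca(elements) -> bool:
    """Two of the three factor categories, plus the one-time element rule."""
    cats = {e.category for e in elements}
    if not cats <= CATEGORIES:
        raise ValueError(f"unknown category in {cats - CATEGORIES}")
    if len(cats) < 2:
        return False  # two passwords are still a single factor
    # At least one element must be non-reusable (waived for inherence here)
    # and not capable of being stolen via the internet.
    return any(
        (e.single_use or e.category == "inherence") and not e.internet_stealable
        for e in elements
    )


def sca_required(amount_eur: float, low_risk: bool) -> bool:
    """Exemptions listed in the article: under 30 euros, or pre-identified low risk."""
    return not (amount_eur < LOW_VALUE_LIMIT_EUR or low_risk)


def authenticate(amount_eur: float, low_risk: bool, elements) -> str:
    if not sca_required(amount_eur, low_risk):
        return "exempt"
    return "sca_ok" if satisfies_sca(elements) else "sca_failed"


if __name__ == "__main__":
    # Constructed sample elements; how each is classified is an assumption.
    password = Element("static password", "knowledge")
    otp = Element("one-time code", "possession", single_use=True, internet_stealable=False)
    print(authenticate(12.00, False, [password]))        # exempt
    print(authenticate(250.00, False, [password]))       # sca_failed
    print(authenticate(250.00, False, [password, otp]))  # sca_ok
```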
We reached out to Visa via their press department and social media for further information about what particular SCA factors will be used but, at the time of writing, we are yet to hear back. When we hear back from Visa, we will update the blog.
What do you think of Verified by Visa?
The improvements in Verified by Visa are all well and good but, at the end of the day, if customers don’t like the service, they won’t use the service.
We want to know what you think of Verified by Visa and 3D Secure services in general. Whether you like the extra security, hate the extra hassle or have never heard of it before, let us know in the comments!