How does 3D Payer Authentication Work and why has it been introduced?

Published: 14th June 2009

Until recently, Internet-based card transactions have been classified as 'card-not-present' and 'no signature present', so it has been virtually impossible to prove that the actual cardholder is the person performing the payment transaction at an Internet merchant site.

The result? 78% of all e-commerce chargebacks are from 'unauthorised transaction' reason codes commonly referred to as the "I didn't do it" chargebacks.

This changes with the introduction of 3-D Secure services, which give Internet merchants the ability to verify the consumer's true identity through a secure, electronic, non 'face-to-face' authentication process.

To underline the importance of eliminating card and chargeback fraud on Internet transactions, the Card Associations have also instituted a chargeback liability shift to protect merchants from online fraud and habitual chargeback offenders.

How does it work?

From an Issuer's Point of View:

Issuers must license 3-D Secure "Access Control Server" (ACS) software from a certified vendor. Issuers then register BINs directly with Verified by Visa (VbV) and MasterCard SecureCode, depending on which card brands they issue. Issuer BINs are installed on the ACS server and cardholders are requested to register their card number with VbV and SecureCode by selecting a unique password and 'secret phrase'.

From an Acquirer's Point of View:

Acquirers enroll with VISA and SecureCode to register their acquiring BINs/ICAs. Acquirers must identify how they will support the MPI to enable 3-D Secure. Merchants are enrolled by their acquiring bank and registered on the MPI (hosted by FAC) and the Directory Server. The Card Associations set up specific parameters in BASE I and INET to ensure 3-D Secure transactions are flagged correctly for both interchange price reductions and chargeback handling. The MID, merchant name, BIN and security certificate are all that are enrolled on the Directory Server. No MCC!

From the Card Associations' Point of View:

The Directory Server is the 'traffic cop' that manages and monitors BINs and 3-D Secure messages between Issuer, Acquirer and Merchant. The Directory Server receives authentication requests from FAC once a merchant is integrated. The Directory Server determines whether the card number is in an enrolled Issuer BIN range, directs requests for cardholder authentication to the appropriate Issuer (ACS) and then responds back to the merchant, starting the process of payer authentication directly with the consumer.

From the Card Associations' Point of View:

All "attempted" payer authentication requests, whether validated or not, are stored on the Authentication History Server (at VISA and MasterCard), providing data for acquirers and issuers in the event of a transaction dispute. VISA and MasterCard have implemented payer authentication scenarios, based on the responses from the ACS server and the MPI software, that determine liability shift protection for Issuers and Acquirers.

The Payer Authentication Process

- Issuers and Acquirers register independently and the service is not interdependent;

- Issuers can be enrolled but not their cardholders; alternatively, neither can be enrolled - this drives the merchant chargeback liability shift conditions;

- Likewise, Acquirers can be enrolled but not their merchants, leaving the liability for fraud with the merchant if payer authentication is not completed prior to the payment authorisation;

- FAC's MPI software communicates with the merchant's payment page and passes the authentication requests to the Directory Server(s) to validate Issuer enrollment;

- The Directory Server checks whether the Issuer BIN is enrolled and, if yes, communicates with the Issuer ACS server to validate whether the cardholder is registered;

- If both are enrolled, the Directory Server responds via FAC's MPI and sends the message to the merchant to generate the 'pop up' window for the consumer to enter their password information;

- Authentication of the consumer takes place directly between the consumer and the ACS server through a secure browser connection;

- The ACS provides the payer authentication response back to FAC's MPI.

The merchant proceeds with the payment authorisation depending on the authentication response codes provided by the MPI.
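
The flow above as a small simulation, added here as an illustration; it is not First Atlantic Commerce's MPI or any card scheme's code. The class names, status labels, merchant ID, card numbers and the merchant policy in `proceed_to_authorisation` are assumptions made for the example.

```python
import hashlib
import hmac

def _digest(password):
    # Toy digest to keep the example short; a real ACS would use a salted KDF.
    return hashlib.sha256(password.encode()).digest()

class ACS:
    """Issuer Access Control Server holding registered cardholders."""
    def __init__(self, cardholders):
        self._registered = {pan: _digest(pw) for pan, pw in cardholders.items()}

    def is_registered(self, pan):
        return pan in self._registered

    def challenge(self, pan, browser_popup):
        # The password goes consumer -> ACS only; the caller sees just the result.
        return hmac.compare_digest(self._registered[pan], _digest(browser_popup()))

class DirectoryServer:
    """Routes by issuer BIN and records every attempt (history server stand-in)."""
    def __init__(self, merchants, bin_to_acs):
        self.merchants, self.bin_to_acs, self.history = set(merchants), bin_to_acs, []

    def lookup(self, mid, pan):
        if mid not in self.merchants:
            return "MERCHANT_NOT_REGISTERED", None
        acs = self.bin_to_acs.get(pan[:6])
        if acs is None:
            return "ISSUER_NOT_ENROLLED", None
        if not acs.is_registered(pan):
            return "CARDHOLDER_NOT_REGISTERED", None
        return "ENROLLED", acs

def mpi_authenticate(ds, mid, pan, browser_popup):
    """MPI step: enrolment lookup, then hand the consumer to the issuer ACS."""
    status, acs = ds.lookup(mid, pan)
    if status == "ENROLLED":
        status = "AUTHENTICATED" if acs.challenge(pan, browser_popup) else "FAILED"
    ds.history.append((mid, pan[:6], pan[-4:], status))  # never log the full PAN
    return status

def proceed_to_authorisation(status):
    # Assumed merchant policy: only an explicit authentication failure stops payment.
    return status != "FAILED"

# Constructed sample data: one enrolled issuer BIN, one registered cardholder.
ACS_A = ACS({"4000001234567890": "correct horse"})
DS = DirectoryServer({"MID-001"}, {"400000": ACS_A})
```

Every call to `mpi_authenticate` appends to `DS.history`, mirroring the point that all attempted authentications are kept for later disputes whether or not they validated.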

First Atlantic Commerce is the first certified 'service provider' of 3-D Secure solutions in the LACR.

First Atlantic Commerce offers offshore credit card merchant processing and international merchant accounts for online businesses across the world. Our secure online payment gateway offers custom payment and risk management solutions to help mitigate online fraud.
