Presentation by Amleto Montinari of Chase Paymentech for the I Foro de Medios de Pago y Fraude Online, organised by adigital (Madrid, 20 December 2012).
1. What’s 3D Secure costing your business?
Amleto Montinari
Director of Strategy
Chase Paymentech Europe Limited
Chase Paymentech Europe Limited, trading as Chase Paymentech, is a subsidiary of
JPMorgan Chase Bank, N.A. (JPMC) and is regulated by the Central Bank of Ireland.
2. Background to Chase Paymentech
200+ Years
15 Years
50% of global ecommerce transactions*
222 500 Merchants
*approximately based upon 2009 figures
3. Agenda
Benefits and Challenges of 3D Secure
Discovering if there is a trend involving 3D Secure
Reviewing present challenges and future developments
4. Let’s look at the costs of fraud.....
Man hours
Potential for Chargebacks
RFI associated costs
Chargeback costs
False Positives
Lost revenue
Man hours
Potential fines
Potential inability to process cards
5. Fraud Management Systems are the answer to fraud management…or are they?
Lost Product
Requests for Information
Chargebacks
6. But Some Say…
“CNP fraud dropped in the UK by 19% to £266.4m in 2009”
Cardholder Authentication is the answer
8. While The Data Say…
[Chart: Relation between 3D Secure Enrollment and Lost checkouts]
Vertical axis: Dropped checkout rate because of Secure Enrollment (0% to 25%)
Horizontal axis: Cancel Button Hit Rate for 3D Secure Enrollment – Liability Shift Still Applies (0% to 70%)
Countries plotted: Spain, Australia, France, Germany, United States, Canada, Italy, United Kingdom
Merchant Positive – 3D Secure enrolment is not mandated and customer awareness does not matter as customers do not have to enrol
The Efficient Markets – 3D Secure enrolment is mandated and customers enrol
Merchant Negative – 3D Secure enrolment is mandated and customers do not enrol
9. Agenda
Benefits and Challenges of 3D Secure
Discovering if there is a trend involving 3D Secure
Reviewing present challenges and future developments
10. Is There a Trend?
Maestro UK & EU • 2008
India • 2009
Italy • 2009
Singapore • 2010
Sweden • 2010
Amex • 2011
France • Next one?
12. Agenda
Benefits and Challenges of 3D Secure
Discovering if there is a trend involving 3D Secure
Reviewing present challenges and future developments
13. “Technical” challenges
Consumers like authentication
No visibility on results
14. 1. Technical Challenges
[Diagram: SecureCode flow between Cardholder, Merchant, ACS, 3D Secure Directory, Issuer and Acquirer]
Authentication: Card#; PAReq to ACS; PARes with AAV
Authorization: AAV in UCAF field; 0100 and 0110 messages over EPS-Net
15. 1. 3DS chargeback liability matrix
Visa
o Reason Code 75 – Cardholder Does Not Recognize Transaction
o Reason Code 83 – Fraudulent Transaction, Card Not Present
MasterCard & Maestro
o Reason Code 37 – No Cardholder Authorisation
o Reason Code 63 - Cardholder Does Not Recognize Transaction
Consumer Cards: Applies when:
1. Authorization Request is Approved
2. ECI 5 (Fully Authenticated) or ECI 6 (Authentication Attempted) is performed and,
3. CAVV (Visa “Card Authentication Verification Value”) or AAV (MasterCard “Accountholder Authentication Value”) is obtained with an ECI of 5. Not required for ECI of 6.
4. √ = Chargeback Liability Shift for Visa, MasterCard and Maestro.
Rows: Merchant Location. Columns: Card Issuance Location.
Merchant Location | United States | Canada | European Union | Central Europe, Middle East & Africa | Latin America. So. America and Caribbean | Asia Pacific
United States | √* | √ | √ | √ | √ | √
Canada | √ | √ | √ | √ | √ | √
European Union | √ | √ | √ | √ | √ | √
Central Europe, Middle East & Africa | √ | √ | √ | √ | √ | √
Latin America. So. America and Caribbean | √ | √ | √ | √ | √ | √
Asia Pacific | √ | √ | √ | √ | √ | √
* As of 14 October 2011 for MasterCard and Maestro
16. 1. 3DS chargeback liability matrix contd.
Commercial Cards: Applies when:
1. Authorization Request is Approved
2. ECI 5 (Fully Authenticated) is performed. (ECI 6 DOES NOT provide liability shift except as noted) and,
3. CAVV (Visa “Card Authentication Verification Value”) or AAV (MasterCard “Accountholder Authentication Value”) is obtained with an ECI of 5. Not required for ECI of 6.
4. √ = Chargeback Liability Shift for Visa, MasterCard and Maestro.
Rows: Merchant Location. Columns: Card Issuance Location.
Merchant Location | United States | Canada | European Union | Central Europe, Middle East & Africa | Latin America. So. America and Caribbean | Asia Pacific
United States | √ | √ | √ | √ | √ | √
Canada | √ | √ | √ | √ | √ | √
European Union | √ | √ | ECI 5 or 6 – MC and Visa | √ | √ | √
Central Europe, Middle East & Africa | √ | √ | √ | ECI 5 or 6 – MC Only | √ | √
Latin America. So. America and Caribbean | √ | √ | √ | √ | ECI 5 or 6 – MC Only | √
Asia Pacific | √ | √ | √ | √ | √ | ECI 5 or 6 – MC and Visa
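The conditions on the two liability-matrix slides above can be written as a merchant-side check that flags transactions where the chargeback liability stays with the merchant. This is an added example, not part of the presentation; the region codes, field names and function names are assumptions, and the 14 October 2011 footnote is not modelled.

```python
# Added example: encodes only the two liability-matrix slides; names are assumptions.
REGIONS = {"US", "CA", "EU", "CEMEA", "LAC", "AP"}

# Commercial cards: intra-regional cells where the slide accepts ECI 6 as well
# as ECI 5, with the schemes the slide names for that cell. Maestro is not
# named in those cells, so it is treated here as ECI 5 only (assumption).
COMMERCIAL_ECI6 = {
    "EU": {"visa", "mastercard"},
    "CEMEA": {"mastercard"},
    "LAC": {"mastercard"},
    "AP": {"visa", "mastercard"},
}

def liability_shift(card_type, scheme, merchant_region, issuer_region,
                    approved, eci, has_auth_value):
    """True when the slides' conditions for chargeback liability shift hold.
    eci uses the slides' values (5 = fully authenticated, 6 = attempted);
    has_auth_value means a CAVV (Visa) or AAV (MasterCard) was obtained.
    """
    if not {merchant_region, issuer_region} <= REGIONS:
        raise ValueError("unknown region")
    if not approved:                 # condition 1: authorization approved
        return False
    if eci == 5:                     # condition 3: CAVV/AAV needed with ECI 5
        return has_auth_value
    if eci == 6:                     # CAVV/AAV not required for ECI 6
        if card_type == "consumer":
            return True
        return (merchant_region == issuer_region
                and scheme in COMMERCIAL_ECI6.get(merchant_region, set()))
    return False                     # any other ECI: no shift per the slides

def unprotected(transactions):
    """Ids of transactions where the merchant keeps the chargeback liability."""
    return [t["id"] for t in transactions
            if not liability_shift(**{k: v for k, v in t.items() if k != "id"})]

# Constructed sample transactions (not real data).
SAMPLE = [
    dict(id="t1", card_type="consumer", scheme="visa", merchant_region="EU",
         issuer_region="US", approved=True, eci=6, has_auth_value=False),
    dict(id="t2", card_type="commercial", scheme="visa", merchant_region="CEMEA",
         issuer_region="CEMEA", approved=True, eci=6, has_auth_value=False),
    dict(id="t3", card_type="commercial", scheme="mastercard", merchant_region="LAC",
         issuer_region="LAC", approved=True, eci=6, has_auth_value=False),
    dict(id="t4", card_type="consumer", scheme="mastercard", merchant_region="EU",
         issuer_region="EU", approved=True, eci=5, has_auth_value=False),
]
```

Running `unprotected(SAMPLE)` flags the commercial Visa transaction with ECI 6 inside Central Europe, Middle East & Africa and the ECI 5 transaction that arrived without an AAV.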
18. 3. Cardholders are looking for signs of security
Sample sizes: N = 546 | N = 548 | N = 536 | N = 576
Special security code: 88% | 84% | 77% | 82%
Security symbol in browser: 83% | 87% | 84% | 83%
Q20: To what extent do you agree with each of the following statements?
• When making an online purchase I prefer entering a special security code to ensure safety of my payment details.
• When making an online purchase I expect to see a security symbol in my browser.
19. Something Is Moving
After entering user ID and a password, a transaction can only be completed with another password...
Static Password: Password is provided to you by your bank and is linked to your credit or debit card
Dynamic password, OTP device: Dynamic password is generated by entering your credit or debit card in a card device (OTP), or use a security or access code device
Dynamic Password, built-in OTP device: Dynamic password is generated by your card which has a keypad and LCD screen embedded into it
Dynamic Password via SMS: Dynamic password (TAN-code) is generated via SMS sent to your mobile phone.
So you deploy a Fraud Management System and all your problems go away. But do they? Your costs increase, and the nature of your changes. You need a higher ladder. You could add Session Behavior to this list, which is the 20 ft wall... until fraudsters start to act more like normal customers. All in all, your costs are now significant in terms of people and technology solutions.
Both Visa and MasterCard suggest that now over 60% of total transactions in the UK are fully authenticated 3DS. A key part of the answer is cardholder authentication as a standard practice for all Card Not Present transactions. This the first ever decrease since 1999. This decrease is due to the increasing use of sophisticated fraud screening detection tools as well as the continuing growth in the use of MasterCard SecureCode and Verified by Visa”. So if every Merchant deployed 3DS, Merchant fraud would cease to exist. It would be like the Retail sector post Chip and PIN. Is it as simple as this? I will come back to this theory and how the law of unintended consequences is a factor.
Search for 3DS s c c and you get the following. You don’t get Visa website, you don’t get MC. So now we have seen the 2 schools of thought. Which is correct? Here comes the math.
We presented this in Amsterdam 1 year ago and we got a lot of feedback and requests to repeat because it was the first time quantitative analysis had been reported. The data set for this analysis was based on Merchants offering 3DS, not on all e-comm. Consi – u in the room? Efficient markets – cardholders must enrol after X times, usually 3 – ADS – where Merchant offers 3DS. Merchant Positive – cardholders do not have to enrol, but many Issuers do not participate or don't force c/h to enrol – can click on cancel button 10 times and nothing happens. Merchants can still decide on how to proceed, but bear in mind that Merchants get liability shift if Issuer does not participate. Merchant Negative – difference to UK and CA is cardholder behavior. Also, Issuers much less efficient. Spanish Issuers asking for 4 digit PIN (Chip and PIN pin).
Looks like a global trend mandated by a combination of Govts, Regulators and Card Schemes. In UK for example, we know the Home Office includes e-comm fraud in crime stats. Isn't this an easier crime to fix than murders? Mandate the authentication of all e-comm txns. It's becoming reminiscent of Chip and PIN. The reality. So what is happening where 3D Secure has been mandated?
ITALY: Merchants don’t offer it in many cases
SWEDEN: originally declined all transactions without 3D Secure and now consumers know what to do (hopefully)
UK: In the UK it can almost be considered as a standard practice for consumers
INDIA: Card Schemes contacted by the Central Bank of India because some merchants did not offer it
Here are some fundamental points to agree on:
Technical challenges: The technical implementation across the chain is not homogeneous and can create issues for consumers.
No visibility on how good 3D is: everybody knows the bad things, but many unknowns exist. How much of the drop at checkout is generated by fraudsters that simply cannot complete the authentication steps – unknown! What is the real drop at checkout if we exclude the fraudsters? Unknown! How much money is a company effectively saving because of the implementation of 3D Secure? Can be known, but how many really do?
Consumers like to go through some sort of authentication, simply what is in place might not be the appropriate way of doing it.
Kevin Smith plug – he has one that works. Card Schemes and Issuers have recognised that static passcodes are weak because they rely on humans. You and I talking, what if card is stolen, still need PIN, but if you get it, can now do retail and e-comm fraud. PIN written on card, post-it note attached to card, ATM etched with PIN, AIB codecard.
Can be a positive strategy to adopt to decrease fraud. Can be a negative strategy outside of the UK if you focus on consumer experience. But in some places and for some cards must be done! And like it or not it is here to stay. Improvements are under way to deal with the issues, but it still must be mandated to increase its adoption because the advantages of doing it vs. not are not clear at all. So what is the position of a merchant that does not offer 3D Secure today?