Verified by Visa-specific static passwords will be eliminated by October 2018

As more and more shoppers make their purchases online, keeping e-commerce fraud in check — while minimizing interruptions to good customers — is a priority for everyone in payments. Thanks to changes coming to Verified by Visa (VbV), Visa’s online authentication service, and to Three-Domain Secure (3-D Secure), the industry-wide messaging protocol for online authentication on which VbV is based, e-commerce payments are set to become even more secure and convenient for consumers, merchants and financial institutions.

The early days of e-commerce

In the early days of the internet, when e-commerce sites first started popping up, merchants and banks had very few tools for verifying whether the person attempting payment was the actual cardholder. In 2001, Visa developed the 3-D Secure messaging protocol and the VbV authentication service to answer this new security challenge. The service gave consumers a secure method for authenticating themselves to their bank, helping to prevent fraudulent online transactions while giving all parties greater peace of mind.

Visa began licensing the 3-D Secure protocol to other major card schemes in 2004 and it has since become the de facto standard for online authentication. The protection provided by Verified by Visa has helped drive Visa e-commerce growth for more than 15 years.

As e-commerce evolves, authentication must keep pace

E-commerce looks very different today than it did 20 years ago, when personal computers were the only avenue for shopping online. Today, the e-commerce environment is mature and expanding, with consumers choosing among their laptop, tablet, mobile browser, and mobile apps. With so many ways to shop, retailers must make their payment process both secure and free of burdensome steps that lead to abandoned shopping carts.

Fraudsters are also paying attention to the growing business of e-commerce and trying to take advantage with increasingly sophisticated attack techniques. And with the proliferation of EMV chip in the United States making counterfeit fraud at the point of sale less viable, criminals are increasingly targeting the e-commerce channel. Taken together, these trends have made authenticating today’s online shoppers more complex, but more essential.

Smarter security through risk based authentication

The good news is that advances in risk modeling and predictive analytics have helped us answer this challenge, improving the security of 3-D Secure transactions while minimizing friction for cardholders. Risk-based and dynamic authentication—today’s gold standard for online authentication—makes an assessment of a transaction’s riskiness behind the scenes. This is done by analyzing contextual data about purchases, such as behavioral checks (has the cardholder shopped online here before?); device checks (where is this device located? has the cardholder shopped from it in the past?), and merchant checks (does this merchant generate a high proportion of fraudulent transactions?).

Applying algorithms to this data, the riskiness of each transaction can be assessed in real-time, giving issuers better intelligence on whether additional verification is needed. For the vast majority of transactions that are deemed low risk, the purchase can proceed without additional authentication. And for the less than five percent of transactions that need additional authentication, a one-time dynamic passcode can be sent to the shopper’s device, via SMS or email, to verify identity instead of asking him or her to enroll and enter a static password, which can be forgotten or worse – created, stolen or guessed by fraudsters.

Adapting Verified by Visa

So how are these smarter authentication technologies being deployed at Visa? Though many issuers have already moved to a risk-based and dynamic approach for online authentication, Visa is announcing changes to make that approach standard across its customer base. Starting in April 2018, Visa will begin phasing out Verified by Visa-specific static passwords and its enrollment processes, a change that will address:

Enrollment vulnerabilities: The password enrollment process used in some Verified by Visa implementations can give thieves a way to register a password on a cardholder’s behalf.
Risk of shopping cart abandonment during enrollment: The enrollment process for Verified by Visa-specific static passwords can introduce friction and divert cardholders from the merchant’s website.
Risk of forgotten passwords: Forgotten passwords often lead to consumer frustration, resulting in a poor customer experience, abandoned transactions, and operational costs related to resetting passwords and dealing with cardholder queries.

For Visa issuers in the U.S., Canada, Europe, Latin America, Malaysia, Singapore and Thailand, the change will take effect in April 2018. For issuers in Central and Eastern Europe, the Middle East, Africa, and the remaining Asia Pacific countries, Verified by Visa-specific static passwords will be eliminated by October 2018.

3-D Secure gets a makeover

Broader industry changes are also afoot for online authentication. In 2014, Visa and MasterCard jointly contributed 3-D Secure 2.0 to EMVCo, the global technical body that manages the EMV Specifications and other payments standards. EMVCo is now developing an updated and enhanced version of the 3-D Secure specification, called 3-D Secure 2.0.

The new specification, which is currently being shared with EMVCo members, will be available to the general public in late 2016. It will include a number of features designed to address the rise of new technologies and ways to pay, including support for e-commerce transactions from mobile devices and applications or PC browsers, while providing a foundation to support new device types such as connected cars and refrigerators.

3-D Secure 2.0 will also enable an improved experience for consumers by providing issuers with more data—data that can be used in the decision process so that legitimate transactions are not declined. 3-D Secure 2.0 will also give merchants the capability to better integrate authentication into their checkout processes for a more seamless consumer shopping experience.

Once the final specifications are made available later this year, Visa will begin developing and rolling out enhanced 3-D Secure 2.0-based products that will help issuers and merchants better recognize trusted customers from fraudsters while giving online shoppers a smoother payment experience.

Source: Visa