Fraud Intel


    About Ethoca's Fraud Intel Blog

    This blog provides perspectives on card-not-present fraud and related topics.


    3D Secure: Does it Make e-Commerce Any Safer?


    In this 3-part series, I examine what 3D Secure is and why it was developed, discuss its successes and failures from the perspectives of merchants, consumers, banks and security experts and how it's been adopted in different geographies, and finally conclude with an evaluation of how well it addresses the problem it set out to solve and whether better approaches might exist. I invite your questions and comments regarding your personal 3D Secure experiences.

    Introduction: Part 1 of 3

    Our European readers are likely very familiar with 3D Secure in some form, but here on the other side of the Atlantic, not so much. So, first some background.

    3D Secure is the generic name given to a protocol originally designed by Visa that is promoted as offering an added layer of security through user authentication to prevent payment card fraud. Visa offered the scheme to other card associations who have implemented it under their own branding. The 3 branded versions are Verified by Visa (VbV), MasterCard SecureCode, and JCB International's (Japan Credit Bureau) J/Secure.

    Because it has been poorly implemented and marketed (there is lots of market confusion about what it is, even in Europe where it has high penetration and most online shoppers have encountered it at least a few times), you may hear any of these 4 terms bandied about. Know that they are all basically the same thing. If you want to dig into more detail, this Wikipedia article covers the basics.

    Why Use 3D Secure?

    MasterCard offers this business case on their website:

    • 70% of online shoppers are very concerned about security and fraud issues
    • 26% would purchase more frequently online if there were more security protection from a card
    • 44% of those likely to use SecureCode would be likely to buy more online
    • 66% of online consumers who do not make purchases online cite security concerns as the main reason

    As this series of articles will discuss, if security, consumer protection, and increased sales are the real issues, we'd all be better off not using 3D Secure technology, because it isn't secure, doesn't offer any additional protection to the consumer beyond the "zero liability" for fraud that is already guaranteed, and often causes sales to drop because consumers don't understand it, don't trust it and don't like the inconvenience.

    The Sales Pitch Versus the Reality

    Most merchants who choose to adopt 3D Secure do so because it shifts liability for card-not-present fraud to the card issuer on 3D Secure-authorized transactions. Without this economic incentive, it's unlikely 3D Secure would have gained significant market traction.

    In some industries with high risk profiles and large dollar sales (e.g. airlines), and where there are limited choices and demand is relatively inelastic (if I want to travel from Toronto to Atlanta, for example, I have only 2 practical choices, unless I'm prepared to take the time to drive), this liability shift and reduced fraud cost outweigh lost sales and what consumers think about the inconvenience.

    As a result, purchasing tickets is one of the places consumers are most likely to encounter 3D Secure in the US. In most other business categories, there is simply too much competition for retailers to risk offending, inconveniencing or confusing customers.

    It's Different in Europe

    Adoption in Europe has been much broader than in North America. We speculate that part of the reason for this is that the US e-commerce market was much more established when 3D Secure was introduced, with many more merchants and much more competition within categories. Thus merchants are less willing to do anything that might introduce a perceived inconvenience or a reason for consumers to go elsewhere.

    In the UK, the MasterCard Maestro brand, which is one of the most widely used cards, basically issued an ultimatum that if merchants wanted to accept their payment cards online, they would need to use 3D Secure. This single spur to adopt has dramatically changed the game there, making the ability to accept online payments a critical factor in adoption, although it hasn't completely mitigated concerns about security, lost sales or consumer fear of fraud.

    As a result of this enforced implementation, adoption in the UK market, for instance, has risen from below 20% to around 80% of UK merchants in just 3-4 years, although there are some notable holdouts. Amazon, the world's largest online retailer (by far), refuses to use 3D Secure, citing consumer inconvenience. Amazon also has very sophisticated fraud systems in place already, so stands to lose more in sales and customer goodwill than it would gain in fraud savings.

    Summary

    In summary, 3D Secure has had a spotty record since it was introduced by VISA nearly 10 years ago in 2001. In the last few years, it has become much more successful in Europe than in North America where it is still an oddity. It has helped lower fraud a little bit, particularly in the UK market (but not the Total Cost of Fraud - a concept which we'll touch on in future articles that helps explain lack of market traction), but at the expense of consumer angst and lower sales for many merchants.

    In the next article, I'll detail the complaints about 3D Secure and why merchants and consumers generally don't like it, and the cost burden it imposes on card issuers.

    Unequal Rewards & Penalties: Do Issuing Banks Really Have Nothing to Lose to CNP Fraud?


    KISS (Keep it Small, Stupid) Proves an Effective Fraud Strategy

    The NY Times reported this weekend on an unusual case of credit card fraud filed by the FTC in a Chicago federal court involving more than 1 million cardholder accounts and over 100 fake merchant accounts over a period of at least 4 years. It’s a sign of how much the internet and automation have changed the fraud game, enabling massive scams by employing the KISS (Keep It Small, Stupid) Principle.

    The suit claims that more than $10 million was stolen by placing just a single fraudulent charge for less than $10 on more than 1 million different credit and debit cards. Card-not-present transactions (i.e. online sales) were recorded by 16 shell companies operating under more than 100 different merchant IDs. The fake companies, set up with bogus websites and phone numbers to look real when they applied for merchant accounts, were created using stolen identities, and the money was quickly moved out of the US to bank accounts in several different east European countries.

    The interesting vulnerability exposed is how easy it is to fly under the radar if you make everything plausible and seemingly random, and don’t do anything to stand out. Criminals carefully set up fake companies with familiar sounding names so that nothing would stand out on the cardholder statements. By only attacking each card once, and for a small amount, it’s a safe bet that the majority of consumers didn’t even notice. The one dumb error was posting a number of transactions for as little as 20 cents. According to the FTC, there were more complaints about the 20-cent charges than the 9 dollar ones because they appeared odd – again, it’s about plausibility.

    There were incredibly few complaints of any sort though, because it took nearly a million transactions before the FTC had enough complaints registered to start an investigation. The lesson: KISS.

    You can read the full stories here:

    My main point for this article was to focus on a throwaway comment from Gartner analyst, Avivah Litan. She is quoted:

    “If a credit card is physically swiped in the transaction, the bank that issued the card is on the hook for fraudulent charges. If it is a phone or Internet purchase — called a card-not-present transaction — the bank that hosted the merchant account that received the ill-gotten charges must make restitution.”

    And the writer of the article draws the conclusion that, because the acquiring bank is on the hook for the fraudulent charges, the issuer has “little motivation to be greatly concerned about online fraud”.

    Really? The acquirer is indeed stuck with many charges of between 20 cents and 9 dollars, since none of the merchant accounts were legitimate, but is there really no cost to issuers in this case?

    On the contrary, our analysis shows that it costs the card issuing bank an average of $15 per transaction in labor and paper trail costs (getting consumers to file affidavits, issuing chargebacks, etc), plus fees assessed by the card scheme for each chargeback. More, in fact, than the maximum $10 charge that the acquirer had to eat.

    Across more than 1 million fraudulent transactions in this single case, that’s over $15 million – not exactly chicken feed, and certainly not “little motivation” to seek a solution.

    The takeaway is this: CNP fraud is a pernicious problem, and it affects, inconveniences and costs everyone involved. Merchants for sure, but also issuers and cardholders.

    The $15 in overhead costs may not compare to a $500 loss taken by a merchant of electronics goods, for example, but the issuers are getting hurt on each and every fraud. Consider that if a bank the size of JPMorgan Chase could eliminate these costs, that would represent by our guesstimates a savings of $1.5 – 2.5 million annually – a savings that is pure profit to the bottom line. I’d argue that that’s plenty of motivation for any issuer, and it is an achievable target with more industry collaboration.

    And, that would be good for everybody.

    Credit Card Fraud is Personal to Gilbert Fiorentino, CEO TigerDirect

    CEO of TigerDirect Advocates for Social Approach to Solve Vexing Customer-Not-Present Fraud Problem

    Gilbert Fiorentino is a co-founder of TigerDirect, a top 10 consumer electronics and computer equipment etailer (#6 on the Hitwise list), but despite the size they’ve grown to, credit card fraud still irks Gilbert in a very personal way, as though the cybercriminals TigerDirect confronts every day were stealing the cash right from his wallet. You get the feeling listening to him that he’d gladly confront them in a dark alley.

    He says the reason retailers are losing the battle against cyberfraud is that the criminals are working together, selling stolen card numbers and sharing their code scripts and “best practices” for committing fraud, while the merchants work alone. Gilbert contends that if every single merchant joined together to share what they know, online fraud could be completely eliminated, and even enthusiastically encourages (even wishes for) his competitors to join the Global Fraud Fighting Community.

    He tells his story in the attached video.

     
