Chase Paymentech Europe Limited, trading as Chase Paymentech, is a subsidiary of JPMorgan Chase Bank, N.A. (JPMC) and is regulated by the Central Bank of Ireland.
What’s 3D Secure costing your business?
Amleto MontinariDirector of StrategyChase Paymentech Europe Limited
Background to Chase Paymentech
200+ Years 15 Years of global
ecommerce transactions*
50%
222 500 Merchants
*approximately based upon 2009 figures
Agenda
Benefits and Challenges of 3D Secure
Discovering if there is a trend involving 3D Secure
Reviewing present challenges and future developments
RFI associated costs
Chargeback costs
Let’s look at the costs of fraud.....
Lostrevenue
Manhours
Potential fines Potential inability to process cards
Manhours
Potential for Chargebacks
False Positives
Lost ProductRequests for Information Chargebacks
Fraud Management Systems are the answer to fraud management…or are they?
£$
€
£$
£
£ €$
But Some Say…
Cardholder Authentication is the answer
“CNP fraud dropped in the UK by 19% to £266.4m in
2009”
And Others Say…
France
While The Data Say…Relation between 3D Secure Enrollment and Lost checkouts
Spain
Italy
United StatesAustralia
Canada
United Kingdom
Germany
0% 10% 20% 30% 40% 50% 60% 70%
5%
10%
15%
20%
25%
Dro
pped
che
ckou
t rat
e be
caus
e of
S
ecur
e E
nrol
lmen
t
Cancel Button Hit Rate for 3D Secure Enrollment – Liability Shift Still Applies
Merchant Positive – 3D Secure enrolment is not mandated and customer awareness does not matter as customers do not have to enrol
The Efficient Markets – 3D Secure enrolment is mandated and customers enrol
Merchant Negative – 3D Secure enrolment is mandated and customers do not enrol
Agenda
Benefits and Challenges of 3D Secure
Discovering if there is a trend involving 3D Secure
Reviewing present challenges and future developments
Is There a Trend?
Maestro UK & EU• 2008
India• 2009
Italy• 2009
Singapore• 2010
Sweden• 2010
Amex • 2011
France• Next
one?
Learn to live with 3D Secure
Agenda
Benefits and Challenges of 3D Secure
Discovering if there is a trend involving 3D Secure
Reviewing present challenges and future developments
“Technical”
challenges
No visibility
on results
Consumers like
authentication
Acquirer
MerchantCardholder
Issuer
3D SecureDirectory
ACS
Aut
hent
icat
ion
Aut
horiz
atio
n
0110
PAReq to ACS
PARes with AAV
AAV
AAV in UCAF field
0100EPS-Net
Y
Enrolled Card?
Y,
ACS
Enrolled Issuer?
Card#
AAV
SecureCode?1. Technical Challenges
1. 3DS chargeback liability matrix Visa
o Reason Code 75 – Cardholder Does Not Recognize Transaction o Reason Code 83 – Fraudulent Transaction, Card Not Present
MasterCard & Maestro o Reason Code 37 – No Cardholder Authorisation o Reason Code 63 - Cardholder Does Not Recognize Transaction
Consumer Cards: Applies when:
1. Authorization Request is Approved 2. ECI 5 (Fully Authenticated) or ECI 6 (Authentication Attempted) is performed and, 3. CAVV, (Visa “Card Authentication Verification Value”), AAV, (MasterCard “Accountholder Authentication Value”) is
obtained with an ECI of 5. Not required for ECI of 6. 4. √ = Chargeback Liability Shift for Visa, MasterCard and Maestro.
Card Issuance
Location Merchant Location
United States Canada European Union
Central Europe, Middle East &
Africa
Latin America. So. America and
Caribbean
Asia Pacific
United States √ * √ √ √ √ √ Canada √ √ √ √ √ √ European Union √ √ √ √ √ √ Central Europe, Middle East & Africa
√ √ √ √ √ √
Latin America. So. America and Caribbean
√ √ √ √ √ √
Asia Pacific √ √ √ √ √ √ * As of 14 October 2011 for MasterCard and Maestro
1. 3DS chargeback liability matrix contd.
Commercial Cards: Applies when:
1. Authorization Request is Approved 2. ECI 5 (Fully Authenticated) is performed. (ECI 6 DOES NOT provide liability shift except as noted) and, 3. CAVV, (Visa “Card Authentication Verification Value”), AAV, (MasterCard “Accountholder Authentication Value”) is
obtained with an ECI of 5. Not required for ECI of 6. 4. √ = Chargeback Liability Shift for Visa, MasterCard and Maestro.
Card Issuance
Location Merchant Location
United States
Canada European Union
Central Europe, Middle East &
Africa
Latin America. So. America and
Caribbean
Asia Pacific
United States √ √ √ √ √ √ Canada √ √ √ √ √ √ European Union √ √ ECI 5 or 6 –
MC and Visa √ √ √
Central Europe, Middle East & Africa
√ √ √ ECI 5 or 6 – MC Only
√ √
Latin America. So. America and Caribbean
√ √ √ √ ECI 5 or 6 – MC Only
√
Asia Pacific √ √ √ √ √ ECI 5 or 6 – MC and Visa
2. Fraud Alert ReportsAcquirers receive Fraud Alert reports from Visa and MasterCard;
Reports detail the fraudulent transactions not charged back by Issuers due to a fraud liability shift being applied;Full card number, transaction date, and amount are reported
Ask your acquirer to provide
this report to you
These reports will be helpful to
reduce future fraud and also
will benefit the industry
because further lowering
the total fraud rate for
each merchant
3. Cardholders are looking for signs of security
77%
84%
84%
87%
88%
83%
Special security
code
Security symbol in browser
N =546 N =548 N =536
Q20: To what extent do you agree with each of the following statements?• When making an online purchase I prefer entering a special security code to ensure safety of my payment details.• When making an online purchase I expect to see a security symbol in my browser.
N = 576
82%
83%
Something Is Moving
Password is provided to you by your bank and is linked to your
credit or debit card
Dynamic password is generated by entering your credit or debit card in
a card device (OTP), or use a security or access code device
Dynamic password is generated by your card which has a keypad and LCD screen
embedded into it
Dynamic password (TAN-code) is generated via SMS sent to
your mobile phone.
After entering user ID and a password, a
transaction can only be completed with
another password...
Dynamic password
OTP device
Dynamic Passwordvia SMS
Static Passwor
d
Dynamic Password
built-in OTP device
SummaryPositive Strategy
Negative
Strategy
A MustHere to stay
New Developments
Questions?
Page 21April 6, 2011