By Jim Daly
@DTPaymentNews
Visa Inc. plans to phase out static passwords used with its Verified by Visa e-commerce fraud-control service beginning in April 2018.
Visa’s announcement precedes even more changes coming to Verified by Visa’s underlying technology, called Three-Domain Secure, or 3-D Secure. EMVCo, the chip card standards body owned by six worldwide payment networks, including Visa, is working on an updated version of the technology, 3-D Secure 2.0, that is expected to be available by year’s end.
Visa developed the 3-D Secure messaging protocol in 2001 and began licensing it in 2004 to other networks, which offer the service under their own brands. MasterCard Inc.’s version, for instance, is called MasterCard SecureCode.
While it can be effective in thwarting online fraud, 3-D Secure gained only limited acceptance by card issuers and merchants because of the so-called friction it generated, especially in its early iterations, when a pop-up window would force the cardholder to temporarily leave the merchant’s checkout page during a purchase. Many would-be buyers simply abandoned the transaction.
Even though merchants deploying 3-D Secure transfer liability for fraudulent online transactions to the issuer and can qualify for an interchange break, only about 18% of U.S. e-commerce traffic is running through 3-D Secure rails, according to an Aite Group LLC report, though that percentage has tripled since 2013.
In a Monday blog post announcing the changes, Visa said that advancements in risk modeling and predictive analytics mean static passwords can be eliminated without creating fraud vulnerabilities. Many individual issuers already have moved on to risk-based and so-called dynamic authentication that includes one-time passcodes, according to Visa. The network said the changes it announced this week will affect its entire customer base.
Visa will be “phasing out Verified by Visa-specific static passwords and its enrollment processes,” the post says. Going forward, Visa cardholders won’t have to enter a Verified by Visa password when they make an online purchase.
In some Verified by Visa implementations, the enrollment process “can give thieves a way to register a password on a cardholder’s behalf,” the post says. Creating a Verified by Visa static password during the enrollment process also “can introduce friction and divert cardholders from the merchant’s Web site,” it adds. The changes also will eliminate the risk of forgotten passwords later on, Visa said.
To assess a pending transaction’s fraud risk, issuers and merchants increasingly are relying on contextual data, such as past transactions from the same cardholder at an e-commerce site; geo-location; and device checks that verify whether the computer, tablet, or smart phone has a transaction record.
“Applying algorithms to this data, the riskiness of each transaction can be assessed in real time, giving issuers better intelligence on whether additional verification is needed,” the post says. “For the vast majority of transactions that are deemed low risk, the purchase can proceed without additional authentication.
“And for the less than 5% of transactions that need additional authentication,” the post continues, “a one-time dynamic passcode can be sent to the shopper’s device, via SMS [text message] or email, to verify identity instead of asking him or her to enroll and enter a static password, which can be forgotten or worse—created, stolen, or guessed by fraudsters.”
The change will take effect in April 2018 for Visa issuers in the U.S., Canada, Western Europe, Latin America, Malaysia, Singapore, and Thailand. Visa says Verified by Visa static passwords will be eliminated by October of that year for its issuers in Central and Eastern Europe, the Middle East, Africa, and the remaining Asia-Pacific countries.