Visa USA is ramping up the roll out of Verified by Visa to help make Internet-based credit card payments as trusted and secure as face-to-face transactions. It’s designed to authenticate cardholder identities — in real time — at the point of purchase prior to accepting the card as payment.
Merchants need only install the Visa-supplied software to activate a cardholder interface that challenges the cardholder for a password or asks them to insert their Visa Smart card into a smart card reader, and enter a PIN.
Verified by Visa can be activated across a variety of Internet-accessible devices, including:
- Web-browser software on a PC
- Wireless devices
- Personal Digital Assistants (PDAs)
3-D Secure Payer Authentication Protocol
Behind the Verified by Visa service is a technology called the 3-Domain or 3-D Secure Payer Authentication Protocol that divides the processing work for card payments among the Merchant, the Cardholder, the Merchant Bank (Acquirer), and Card Issuer. Cardholders register for Verified by Visa with their participating Issuer Bank, and can use the service when shopping at merchants who are enrolled for Verified by Visa through their Merchant Acquirer Bank.
Verified by Visa works with traditional magnetic-stripe cards using a password to identify the cardholder and also with Visa Smart cards by using cryptographic processing on the chip that can only be activated with the correct entry of a PIN at the time of purchase. Issuer banks must be enrolled in Verified by Visa for cardholders to use the service, otherwise the credit card payment is processed as a traditional card-not-present transaction.
Overall objectives of Verified by Visa are to improve the security of e-commerce payment transactions and improve both cardholder and merchant confidence in Internet purchases as well as to reduce disputes and fraudulent activity related to the use of Visa payment cards.
Verified by Visa benefits enrolled merchants in a number of ways:
- Increased transaction security helps to build cardholder confidence in e-commerce.
- Growth in revenue is driven by the increase in confidence that turns shoppers into buyers.
- Chargeback protections eliminate reason codes 61 (Fraud Mail/Phone/E-commerce transaction) and 23 (T&E invalid transaction) from ever being placed on disputed, but successfully authenticated, transactions.
- Credit card fraud is reduced due to real-time alerts on failed authentication attempts.
- Operating costs are reduced with a decrease in the efforts to research and process chargebacks since they’re filtered out by VisaNet on verified transactions.
- Data quality on e-commerce transactional data is improved.
Visa is actively promoting the Verified by Visa service, and participating merchants can take advantage of the opportunities that Visa sponsors:
- Visa will conduct an advertising campaign, public relations, online content, and periodic promotions to encourage consumer acceptance and participation in the Verified by Visa service.
- Visa has developed a specific Verified by Visa Identity — the Verified by Visa Merchant Symbol — for display on participating Web sites to promote consumer awareness and acceptance of the Verified by Visa service.
- Participating merchants can also utilize sample Verified by Visa marketing messages and be listed at the visa.com site on the Verified by Visa Merchant’s page.
- Merchant logos may be displayed at Issuers’ cardholder registration sites and would indicate that merchants are committed to improving their level of security in Internet commerce.
- Participating merchants will be offered a Verified by Visa Merchant Symbol Toolkit that provides the Verified by Visa merchant symbol, usage guidelines, and Visa-developed messaging.
- Visa further recommends that merchants encourage buying instead of browsing by offering special promotions or exclusive offers to Verified by Visa cardholders who purchase products/services.
Pieces of the Verified by Visa Puzzle
Verified by Visa consists of these components — operating together — to support cardholder enrollments with Issuer Banks, and cardholder authentication to determine payment authorization:
- Merchant Commerce Server: Hardware and software to support online transactions and facilitate communication between the merchant application and the merchant’s acquirer bank.
- Merchant Software: Software integrated into the merchant’s e-commerce environment that enables merchants to participate in the Verified by Visa service.
- Validation Server: Software that verifies Issuer identity on digitally signed authentication responses sent to the merchant. Merchants integrate this software into their commerce server software.
- Directory Server: Identifies participating Verified by Visa Issuers and cardholders and routes authentication dialog between merchants and the appropriate Issuer Access Control Server. This server is operated by Visa.
- Transaction Manager Server: Stores transactions in the Transaction Manager database for which authentication was performed. Database is used to verify authenticated transactions and to provide additional information during the dispute process. This server is operated by Visa.
- Visa Integrated Processing (VIP) Systems: Provides authorization, clearing, and settlement services through VisaNet for Visa Members.
- Issuer Access Control Server (IACS): Stores information about cardholder enrollment accounts and account access in the Account Holder File (AHF). Validates cardholder participation in the service and provides digitally signed authentication response data to merchants. The IACS is operated by the Issuer, processor, or Visa, on behalf of the Issuer.
- Issuer Enrollment Server: A server that manages cardholder enrollment by presenting a series of questions to be answered by the cardholder and verified by the Issuer. The Enrollment Server is operated by the Issuer, its processor, or Visa on behalf of the Issuer.
Payer Authentication Processing
The seven steps below follow a transaction from initiation to completion using Verified by Visa:
Step 1. Cardholder Makes Purchase
After merchandise selection through traditional online shopping steps, the cardholder proceeds to checkout. At the checkout, the cardholder may complete the requested information in any variety of ways, including self-entered, an electronic wallet, merchant one-click, or other checkout capabilities. After the purchase information is entered, the cardholder selects the ‘buy’ button. This activates the Merchant Plugin to determine if the Visa card account participates in Verified by Visa.
Step 2. Merchant Starts Authentication Process
The Merchant Plug-in identifies the account number and queries the Visa Directory Server to determine if the card account is enrolled in Verified by Visa. If the account number does not participate, the Merchant Plug-in returns the transaction to the merchant’s commerce server and the merchant proceeds with a standard authorization request. If the account number participates in Verified by Visa, the Web site address of the Issuer Access Control Server (IACS) is returned to the Merchant Plug-in.
Step 3. Issuer Access Control Server Functionality
For participating cardholders, the Merchant Plug-in sends an authentication request to the Issuer via the cardholder’s browser. The Issuer Access Control Server displays a pop-up screen to the cardholder displaying information for that purchase and prompts the cardholder to enter his/her password. The cardholder enters the password and the Issuer server verifies it. A cardholder is given a maximum of three attempts for password entry. If the cardholder is unable to correctly enter his/her password, the cardholder is prompted with the hint that was established during enrollment. The cardholder is given one last chance to enter the correct response. If answered correctly, the transaction continues as if the password was entered correctly. If answered incorrectly, an authentication failed response is returned to the merchant. If the cardholder has a smart Visa card, the Issuer server also prompts for insertion of the chip card in the reader to initiate a dialogue with the chip. The smart Visa card generates a cryptogram that is sent to the Issuer Access Control Server along with the related transaction data used to generate the cryptogram. The server validates the cryptogram and determines if the card authentication passes or fails. The card authentication results information is formatted into the response message.
After the password and/or smart Visa card is verified, the Issuer Access Control Server determines whether the cardholder authentication has passed or failed and formats an authentication response. The Issuer server also sends a copy of the authentication response message to the Authentication History server. All attempted authentication transaction responses (passed, failed, and not available) are transmitted and stored in the Authentication History database.
Step 4. Merchant Processes Authorization
Upon receiving the authentication response, the Merchant Plug-in verifies that the auth response message is from a valid participating Issuer. If it’s verified and the Issuer’s authentication response contains a “passed” result, the cardholder is deemed “authenticated”. The Merchant Plug-in returns the authentication response message to the merchant storefront software. If the merchant receives a “failed” authentication response from the Issuer server, the merchant should request another form of payment from the shopper. Merchants are not permitted to submit failed authenticated purchases for authorization.
Step 5. Acquirer Processes Authorization
The Acquirer receives the authorization request from the merchant. The Verified by Visa data fields are mapped into existing VisaNet fields.
Step 6. VisaNet Verifies Authentication and Processes Authorization
The VisaNet Integrated Payments (V.I.P.) System receives the authorization request containing the authentication data from the Acquirer. These transactions are processed as standard service electronic commerce transactions.
Step 7. Issuer Authorizes Internet Purchase
The Issuer’s authorization center receives the request with authentication data and processes the transaction.
Harnessing the Power of Verified by Visa
To learn more about Verified by Visa or to see if it’s right for your E-commerce site, visit the
Visa Merchant Resource Center where you can download a data sheet on the service and the Merchant Implementation Guide. You can also find a list of software vendors who offer merchant support for the Verified by Visa requisite software.