
E-Commerce Authentication

Payment Card Compliance & Disputes


Agenda

Overview
How it works
Verified by Visa
MasterCard SecureCode

Note: Each program has its own eligibility, processing requirements, criteria, and benefits. For complete details, please visit the Payment Card Compliance SharePoint website.

E-Commerce Authentication
Overview

Verified by Visa
Verified by Visa (also known as 3-D Secure) is a product that allows password information to
be used to confirm the identity of the cardholder. The merchant's plug-in software facilitates
the password validation between the cardholder and the issuer during on-line transactions. In
addition to fraud prevention and interchange benefits, VbV provides participating e-commerce
merchants with applicable chargeback protection and/or liability shift based on certain
authorization and settlement information.

MasterCard SecureCode
SecureCode is MasterCard's global e-commerce security program for protecting confidential
cardholder data over the Internet. SecureCode uses MasterCard's Universal Cardholder
Authentication Field (UCAF) to provide an enhanced payment guarantee to online merchants
by presenting, collecting, and passing cardholder authentication information. Using hidden
fields and a merchant plug-in application that is integrated with a merchant's web page, along
with authentication information generated by issuers, MasterCard SecureCode provides
explicit evidence of the cardholder's involvement in a transaction. MasterCard's SecureCode
provides participating e-commerce merchants with applicable chargeback protection based
on certain authorization and settlement information.

Participants:

Cardholder: Participates by entering their password for the issuer to validate via the
merchant's plug-in software when making a purchase.

Issuer: Participates by validating the cardholder's password, assigning a Visa CAVV
(Cardholder Authentication Verification Value) or MasterCard AAV (Accountholder
Authentication Value), and providing the value to the merchant.

Merchant: Participates in VbV and SecureCode; their plug-in software forwards the
cardholder account number to Visa or MasterCard's card directory to identify the issuer.
The issuer determines cardholder participation and initiates the authentication prompt for
the cardholder to enter their unique password. The issuer performs authentication, and
the merchant receives the Visa CAVV or MasterCard AAV and provides it in the
authorization request.

VbV and SecureCode Merchant Benefits:

- Merchants are not liable for and resulting from the unauthorized use of cards for
  transactions with valid VbV or SecureCode data
- Fraud on a merchant's site is reduced
- Higher rate of authorization approval

Cardholder Authentication Definitions:

Approved Full Authentication
- Cardholder, Issuer, and Merchant all participate
- Cardholder properly entered their password
- Issuer validated the password

Attempted Authentication
- Merchant participates and the cardholder was not authenticated:
  - Issuer may or may not participate, or
  - Cardholder does not participate, or
  - Password was not entered or unable to be validated by issuer

How does it work?



1. After an activated cardholder enters payment information, the issuer's VbV or SecureCode
   window is displayed, prompting the cardholder for a password. The cardholder is now on
   the issuer's website and the authentication process begins.
2. The participating issuer validates the password and calculates the Visa CAVV or MasterCard
   AAV (populated in the UCAF field).
3. The issuer sends the CAVV or UCAF authentication information to the merchant.
4. The merchant receives the CAVV or UCAF authentication information from the issuer via the
   plug-in and proceeds with the transaction.
5. The merchant initiates the authorization request with the following information:
   - The CAVV or UCAF authentication information as received from the issuer, and
   - Visa E-Commerce Indicator:
     - 05: Authenticated (secure electronic commerce transaction), or
     - 06: Attempt (non-authenticated secure transaction; merchant attempted to
       authenticate the cardholder using 3-D Secure)
   - MasterCard E-Commerce Security Level Indicator:
     - 21: Channel encryption; cardholder certificate not used (this is a preferred
       value for MasterCard SecureCode)
     - 23: Channel encryption; chip cryptogram used, cardholder certification used
   - UCAF Collection Status Indicator:
     - 1: Merchant is able to collect UCAF data, but UCAF was not populated, or
     - 2: Merchant is able to collect UCAF data, and UCAF data is present

Programs
Verified by Visa & MasterCard SecureCode

Verified by Visa
Real-time online payment authentication system that validates that the customer is the owner of the
account presented for payment. When the cardholder is completing an on-line transaction and
the merchant participates in Verified by Visa, the cardholder is prompted to enter a password
that they created when they registered with their bank. The password is forwarded to the issuer
for confirmation. The Verified by Visa window disappears and, if fully authenticated, the
cardholder resumes their transaction. If the password is not confirmed, an error message will
appear. In the event the cardholder is not participating in VbV, an attempt to authenticate is
recorded.
Offers chargeback protection for dispute reason codes 75 and 83 when the merchant fully
authenticated or attempted to authenticate the transaction.

Excluded Merchants

4829 - Wire Transfer/Money Orders
5967 - Direct Marketing (Inbound Teleservices Merchant)
6051 - Non-Financial Institutions: Foreign Currency, Money Orders (Not Wire Transfer), Traveler Checks
7995 - Betting, including Lottery Tickets, Casino Gaming Chips, Off-Track Betting and Wagers at Race Tracks

Note: Any merchant identified as High Risk for excessive or fraudulent chargebacks will also be excluded from the program.
Note: Commercial cards are excluded unless they are fully authenticated.
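
A pre-submission consistency check for the authorization fields described in "How does it work?" combined with the Verified by Visa exclusions above, as an added example that is not part of the original slides. The indicator values and excluded merchant codes are taken from the slides; the dictionary field names, the sample requests, and the reading of UCAF status 1 as an attempt are assumptions.

```python
# Added example. Indicator values and excluded merchant codes come from the
# slides; dict field names and the sample requests are constructed.
VISA_EXCLUDED = {"4829", "5967", "6051", "7995"}

def auth_status(txn):
    """Classify an authorization request as 'full', 'attempted' or 'none'."""
    value = (txn.get("auth_value") or "").strip()  # CAVV or AAV from the issuer
    if txn.get("brand") == "visa":
        if txn.get("eci") == "05" and value:
            return "full"
        if txn.get("eci") == "06":
            return "attempted"
        return "none"  # includes ECI 05 sent without a CAVV
    if txn.get("brand") == "mastercard" and txn.get("sli") in {"21", "23"}:
        if txn.get("ucaf_status") == "2" and value:
            return "full"
        if txn.get("ucaf_status") == "1":
            return "attempted"  # assumption: status 1 marks an attempt
    return "none"  # unknown brand, or indicator and UCAF data disagree

def visa_protected(txn):
    """Apply the Verified by Visa exclusions from the slides."""
    status = auth_status(txn)
    if txn.get("brand") != "visa" or status == "none":
        return False
    if txn.get("merchant_code") in VISA_EXCLUDED or txn.get("high_risk"):
        return False
    # Commercial cards are excluded unless fully authenticated.
    return not (txn.get("commercial_card") and status != "full")

SAMPLES = [  # constructed requests, not real transaction data
    {"brand": "visa", "eci": "05", "auth_value": "SAMPLE-CAVV", "merchant_code": "5999"},
    {"brand": "visa", "eci": "05", "auth_value": "", "merchant_code": "5999"},
    {"brand": "visa", "eci": "06", "commercial_card": True, "merchant_code": "5999"},
    {"brand": "visa", "eci": "05", "auth_value": "SAMPLE-CAVV", "merchant_code": "7995"},
    {"brand": "mastercard", "sli": "21", "ucaf_status": "2", "auth_value": "SAMPLE-AAV"},
    {"brand": "mastercard", "sli": "21", "ucaf_status": "2", "auth_value": ""},
]

if __name__ == "__main__":
    for t in SAMPLES:
        print(auth_status(t), visa_protected(t), t)
```

A request that claims full authentication (ECI 05 or UCAF status 2) without carrying the issuer's value is classified as "none", so the mismatch is caught before the authorization is sent.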

MasterCard SecureCode
Real-time on-line payment authentication environment that validates that the customer is the owner of
the account presented for payment. When the cardholder is completing an on-line transaction
and the merchant participates in SecureCode, authentication is made to ensure the customer is
the authorized cardholder for the designated card.
This process takes place prior to the authorization request.
When the merchant participates in SecureCode, they have the ability to transport various types
of cardholder authentication data to the issuer, which can be validated and authorized with a
defined response.
Full Authentication is received when a merchant attempts to obtain a valid SecureCode response
and the Issuer returns a positive reply. When the merchant attempts to obtain a valid
SecureCode response and the Issuer does not participate in SecureCode, the Authentication is
considered attempted.

Note: Commercial cards are not eligible for chargeback protection.


Note: LAC to LAC transactions do not have the commercial card exclusion.

MasterCard SecureCode
E-Commerce merchants who participate in the MasterCard SecureCode program are offered
chargeback protection for dispute reason codes 37 (No Cardholder Authorization Fraud),
49 (Questionable Merchant Activity), and 63 (Cardholder Does Not Recognize Transaction)
when the transaction meets the following criteria:
- E-Commerce Transaction
- Authorization was obtained for the amount of the transaction AND:

Scenario | Full Authentication Received | Authentication Attempted

Merchant located in the US/Issuer located in the US
Merchant located in the US/Issuer NOT located in the US
Merchant located in Canada/Issuer located in Canada
Merchant located in Canada/Issuer NOT located in Canada
Merchant located in LAC/Issuer located in LAC
Merchant located in LAC/Issuer NOT located in LAC

Note: RC 49 protection only on fully authenticated transactions

