Consumer Authentication – The Liability Shift

17 Dec

Consumer Authentication – What’s in it for Me?

Many merchants with an online presence have been hesitant to implement consumer authentication for a variety of reasons. With the use of ‘3-D Secure’ (3DS, Verified by Visa, MasterCard SecureCode) customers may be more likely to abandon a purchase if they feel the check-out process is too lengthy, many are critical of how 3DS really works, and let’s be honest, most consumers haven’t taken the steps to configure their cards to use 3DS consumer authentication.  One benefit of all the recent high profile breaches and fraud may be consumers that are a bit more patient with additional authentication for card not present (CNP) transactions.

For consumers, the benefits are clear, if consumer authentication is widely adopted by merchants (and consumers), fraud is less likely to occur. For merchants, the implementation of consumer authentication for CNP transactions may not be as straight forward as installing new EMV enabled hardware, due to the diversity of choices that exist in the marketplace. However, these authentication solutions have the benefits of reduced fraud, possible increased sales (due to reduction of false declines), and liability shift. For example, ApplePay is using thumb print biometrics to authenticate mobile payments at the point of transaction. The goal of authentication is to qualify the payer without increased transaction times, as long transaction cycles have a high rate of abandonment. Let’s dig into the details of the liability shift.

Card Not Present Liability Shift – Not a Pretty Picture

Liability shift is a hot topic when discussing the upcoming October 2015 date for merchants to support EMV.  When you look at descriptions from the card brands on how and when liability shifts for EMV, you get simple pictures and narratives (see the examples from Visa).

For CNP transactions, consumer authentication can be used to shift liability, but the options for when and how to implement authentication are not as straight forward, and merchants walk a fine line to ensure they maintain a positive customer experience.  Visa, MasterCard, and American Express all detail the requirements to shift liability for CNP transactions when using consumer authentication, and many of the details are outlined in the card brand chargeback guides. In some cases, they even document a complete authentication guide.  Below is an excerpt from the Verified by Visa Implementation Guide:

“Visa has modified the global operating regulations to shift chargeback liability for fraudulent consumer transactions from the acquirer and merchant to the issuer when a merchant submits proof that the transaction was authenticated – or the merchant attempted to authenticate – the cardholder in a Verified by Visa transaction.”

The Value of Consumer Authentication – The Liability Shift Grows Every Day

There is a universal agreement that using EMV reduces card present fraud and it’s a given that merchants will make the change to EMV for card present transactions.  It’s also a given, that just as in Europe and Canada, as use of EMV expands, and card present fraud decreases, CNP fraud will explode if consumer authentication is not broadly implemented.  In Canada, counterfeit and lost/stolen fraud has decreased by 54% since 2008, which was the inception of EMV in Canada.  At the same time, CNP fraud has increased 133%. The consulting group, Aite, estimates in a report created for RSA, that CNP fraud will begin to dramatically increase in 2016 (widespread adoption of EMV), doubling to $6.4 Billion by 2018.  Effective implementation of a consumer authentication solution will add security, reduce fraud, and shift chargeback liability from the merchant and onto the card issuer.

What is a Merchant To Do?

Data breaches and fraud are a reality; merchants need to secure card data at every entry point, as well as any stored card data.  EMV is a great step to address the problem of card present fraud. A consumer authentication solution is the best way to reduce fraud for CNP transactions, and shift liability to the card brand when fraud does occur.  To ensure a merchant has all the right tools in their security toolbox, tokenization should be used to cleanse all card data from the environment.  With EMV, consumer authentication, and tokenization, a merchant has a diverse set of security tools that reduces the risk associated with handling payment card data.  Stay tuned for our final breakdown of EMV, Consumer Authentication, and Tokenization in our next installment.

TokenEx is a cloud tokenization platform that offers virtually unlimited flexibility in how you store, access, and secure your data, while remaining processor agnostic. Follow us on Twitter and LinkedIn.