ince its introduction in 2001, Verified by Visa has not caught on with either cardholders or merchants. Depicted in television commercials featuring NFL star Emmitt Smith and others, the service was designed to increase both cardholder and merchant confidence in Internet purchases as well as reduce disputes and fraudulent activity related to the use of Visa payment cards. On April 5, 2003, it got real value for the merchant when a liability shift from acquirers to issuers for the fraudulent use of a card became effective.

To use Verified by Visa, merchants must purchase a simple plug-in software module that determines cardholder participation in the service and establishes an Internet connection, enabling Visa Issuers to authenticate their cardholders. Processors have begun to include Verified by Visa solutions in their product mix. The implementation process for the merchant is somewhat complex, but the various vendors have developed solutions that make implementation easier.

The vendor software selected should include Cardholder Information Security Program protection, a Verified by Visa requirement. For a list of vendors who have been certified by Visa as providers of the Verified by Visa service, visit www.visa.com/verified/vendors

Online merchants and acquirers have been slow in beginning to use Verified by Visa, but since April 5, 2003 the savings in chargebacks, chargeback fees and lost product makes sense for the merchant to pay the up-front expense and extra cost for the service.

For the acquirer, it can mean additional income from the merchant, decreased exposure to fines from the Acquirer Monitoring Program, the ability to continue to receive income from a merchant who might otherwise have to be terminated for "excessive chargebacks," and the opportunity to reduce its overall risk exposure because of the better quality of the transactions.

Verified by Visa, marketed to increase the confidence of Visa cardholders in making more online purchases, really does nothing for the cardholder. Visa's Zero Liability policy, which took effect April 4, 2000, already has virtually eliminated consumer liability in cases of card fraud for all Visa transactions processed through the Visa network, including online purchases. The new policy removed both the $50 cardholder liability and the 48-hour reporting requirement in cases of fraudulently used Visa credit or debit cards.

What Verified by Visa does do today is a lot for the online merchant. When properly used, Verified by Visa now takes away chargebacks for fraudulent transactions. The risk of loss now remains with the issuer for these types of cardholder complaints. This can be a huge benefit to acquirers and online merchants that have been plagued with chargebacks, the most common of which has been Reason Code 61 (Fraudulent Mail/Phone Order Transaction).

By using Verified by Visa, the most common chargeback and the other new "I didn't do it" chargeback, Reason Code 75 (Cardholder Does Not Recognize Transaction), are eliminated, which can dramatically reduce an online merchant's chargeback totals.¹ Acquirers for merchants using Verified by Visa will be able to represent any Reason Code 61 and Reason Code 75 chargebacks.

The best news is that the merchant is simply required to submit the transaction for enrollment verification, and it does not matter whether the cardholder is enrolled in Verified by Visa and uses it or not. Issuers appear to be responding to the liability shift in various ways. Some fearing steeper losses are mandating that the cardholders sign up for Verified by Visa. Others, fearing the loss of customers, are not even bothering to offer it to their cardholders and are establishing reserves to cover the higher anticipated fraud losses.

Verified by Visa Program Requirements

Issuer chargeback rights will not apply if a merchant authenticates or attempts to authenticate a cardholder using Verified by Visa during an online purchase. Both the U.S. and International Operating Regulations were revised effective April 5, 2003, to further support Verified by Visa. The program, designed to boost consumer confidence and promote a secure electronic commerce environment, protects acquirers, when certain online transaction conditions are met, from the following chargeback reason codes:

• 23 - T&E - Invalid Transaction
• 61 - Fraudulent Mail/Phone Order Transaction
• 75 - Cardholder Does Not Recognize Transaction
• 83 - Non-Possession of Card (International)

Effective April 5, 2003, the issuer is required to:

• Acknowledge a Verified by Visa Authentication Request with an Authentication Confirmation or an Attempt Response and a Cardholder Authentication Verification Value (CAVV), regardless of whether the cardholder is participating in the Verified by Visa program.
• Validate the CAVV during processing.
• Provide Visa with CAVV keys for stand-in processing.

Effective April 5, 2003, an acquirer is protected from chargeback liability for the reason codes listed above if it meets the Verified by Visa authentication processing requirements, which include:

• Use of a valid CAVV in the authorization request - when supplied by the Issuer or by Visa - as a condition of using a "5" (Secure Electronic Commerce Transaction) or "6" (Merchant attempted Verified by Visa), in the Electronic Commerce Indicator (ECI) field of the authorization and clearing records.
• Ensuring that its participating merchants and third-party processors comply with the terms of the Verified by Visa (a/k/a 3-D Secure) operating requirements and the Cardholder Information Security Program.

For more information about acquirer requirements, refer to the "3-D Secure Acquirer Implementation Guide" available from Visa.

MasterCard has begun to roll out its own program, SecureCode, which enables online merchants to receive a "global payment guarantee." SecureCode also shifts the liability, but only for transactions where an actual cardholder authorization has occurred.

Unlike Verified by Visa, simply offering cardholder authorization does not shift liability to the issuer. Most vendors offering Verified by Visa also offer SecureCode, and it usually can be added without requiring extensive integration.

David H. Press is Principal and President of Integrity Bankcard Consultants, Inc. (www.integritybankcard.net). He can be reached by e-mail at dhp@integritybankcard.net or by phone at 630-637-4010.

¹ Reason Code 23 (T&E-Invalid Transaction) and International Reason Code 83 (Non-Possession of Card) also are included in the liability shift from the acquirer to the issuer.