Frictionless Experience with Verified by Visa Risk-based authentication case study
Frictionless Experience with Verified by Visa
Risk-based authentication case study
How a risk-based approach to Verified by Visa enables issuers to improve the cardholder experience, increase transaction volumes and reduce costs.
Many issuers are changing the way they implement Verified by Visa.
By evaluating transactions in real-time, and only seeking additonal cardholder authentication for the small proportion that appear to be risky, issuers can remove friction from the online checkout experience.
Everyone benefits: the issuer, the retailer and the cardholder.
And at the same time, issuer support costs plummet, and fraud losses remain reassuringly low.
Based on the 3D-Secure protocol, Verified by Visa is a way to bring additional security to online transactions.
When a merchant supports Verified by Visa, the issuer intervenes in the online checkout process.
Traditionally, issuers enrol cardholders in their Verified by Visa service. Then, whenever an online transaction is attempted at a merchant that supports Verified by Visa, cardholders are asked to authenticate themselves to the issuer using a passcode.
For the issuer, this reduces fraud rates. Meanwhile, the merchant benefits from a liability shift, meaning they are protected from fraud losses. A majority of European e-commerce transactions are now protected by Verified by Visa.
However, the cardholder experience has come under criticism and some merchants complain that Verified by Visa can have a negative impact on conversion rates.
Consequently, Verified by Visa is evolving – and one of the big breakthroughs is risk-based authentication.
About Verified by Visa
What is risk-based authentication?
With risk-based authentication, issuers can take a more selective or segmented approach to Verified by Visa. Instead of requiring all online transactions to be actively authenticated, irrespective of their characteristics, issuers can identify the small proportion that look in any way suspicious – typically around 5% of the total.
Behavioural checks Does this cardholder typically transact online? Do they typically make this type of purchase? Do they typically transact in this currency?
Device checks Is this the device typically used by this cardholder? Where is it located?
Merchant checks Does this fit the type of transaction expected from this merchant? Does this merchant typically generate a high proportion of fraudulent transactions?
These checks are typically run within a self-learning risk engine. Consequently, as it is exposed to an ever-higher volume of transactions, the more accurate it becomes.
Based on these assessments, the issuer determines how best to treat each transaction.
So how does it work?With risk-based authentication, instantaneous checks are automatically run on online transactions. Depending on the vendor who is supplying the risk-based authentication solution used, these may include:
95%
For low-risk transactions – typically up to 95% of transactions – the issuer can be confident that an authentic cardholder is conducting a genuine transaction, and no further checks are necessary.
For higher-risk transactions – typically around 5% of transactions – the issuer can invoke a step-up or active authentication method.
For highest-risk transactions – typically around 0.2% of transactions – the issuer can deduce that the transaction is very likely to be fraudulent and decline it accordingly.
5%
0.2%
With such a small proportion of transactions deemed to be higher risk, the issuer can invoke a strong and appropriate authentication method.
Depending on their own capabilities and the vendors they work with, this could include dynamic passwords, the type of challenge questions used in their existing online banking solutions, or one-time-passwords delivered via SMS text messages or push messages.
So how does it work?Risk-based authentication solutions are available from a number of vendors. As hosted solutions, they can typically be integrated with an issuer’s own IT architecture, and/or they can work in parallel with the services provided by a third party processor.
85% Reduction in checkout time when compared to previous 3DS solution
70% Reduction in abandonment when compared to previous 3DS solution
5%of customers challenged with risk-based approach
0% increase in fraud when compared to previous 3DS solution
85% Fewer inbound calls relating to password resets
What are the benefits of risk-based authentication?Risk-based authentication offers tangible benefits to all parties:
Issuers benefit
• The drop-out or abandonment rate of Verified by Visa transactions is significantly reduced – which translates to higher transaction volumes, higher e-commerce revenues and more satisfied cardholders
• The volume of cardholder calls to issuer call centres for Verified by Visa password re-sets sees an even more significant reduction – which translates to reduced costs
• The underlying fraud rate remains consistent for both active and risk-based authentication – which means that fraud costs remain low
• Depending on the way the solution is implemented, there may be no need to enrol individual cardholders into Verified by Visa – which, again, brings reduced costs
1
2 Cardholders benefit
• The speed, simplicity and convenience of the checkout process is improved – which translates to a better customer experience
• For higher risk transactions, step-up authentication is invoked – which can bring a sense of reassurance to more cautious online shoppers
Merchants and acquirers benefit
• The drop-out or abandonment rate of Verified by Visa transactions is significantly reduced – which translates to more transactions, higher conversion rates, increased sales and more satisfied customers
• The volume of customer support calls and enquiries is reduced – which translates to reduced costs
3
The UK experience – significant, tangible, quantifiable benefits
In the UK, several issuers have been using risk-based authentication for a number of years, and the benefits they have experienced are detailed over the next two pages.
eCommerceTransaction
Real-time RiskAssessment
Decline Transaction
MandatoryAuthentication
Low Risk(majority)
95%
High Risk(minority)
5%
Highest Risk(rare)
<0.2%
Continue Purchase
eCommerceTransaction
Decline Transaction
MandatoryAuthentication
Real-time RiskAssessment
Low Risk(majority)
95%
High Risk(minority)
5%
Continue Purchase
'"!!#$
("!!#$
)"!!#$
*"!!#$
'+$,-./0-$102.345$678-$940$:-04;84/.<$=/8<-53.7345$
>?5$@4A/B-$ =C75"$678-$ 172A/0-$678-$$
4000
5000
6000
Ca
ll V
olu
me
Reduced customer calls for password resets
7
Before risk-basedVbV implemented
After risk-based VbV implemented
Fraud Rate
1
2
3
4
5
6
70
10
20
30
40
50
60
1000
2000
3000
4000
5000
Aban. Rate
Frau
d ra
te (b
asis
poi
nts)
Aba
ndon
rate
(%)
Call
volu
me
5 10 15 20 25
Call Volume
Highest Risk(rare)
0.2%
Before risk-basedVbV implemented
After risk-based VbV implemented
eCommerceTransaction
Real-time RiskAssessment
Decline Transaction
MandatoryAuthentication
Low Risk(majority)
95%
High Risk(minority)
5%
Highest Risk(rare)
<0.2%
Continue Purchase
eCommerceTransaction
Decline Transaction
MandatoryAuthentication
Real-time RiskAssessment
Low Risk(majority)
95%
High Risk(minority)
5%
Continue Purchase
'"!!#$
("!!#$
)"!!#$
*"!!#$
'+$,-./0-$102.345$678-$940$:-04;84/.<$=/8<-53.7345$
>?5$@4A/B-$ =C75"$678-$ 172A/0-$678-$$
4000
5000
6000
Ca
ll V
olu
me
Reduced customer calls for password resets
7
Before risk-basedVbV implemented
After risk-based VbV implemented
Fraud Rate
1
2
3
4
5
6
70
10
20
30
40
50
60
1000
2000
3000
4000
5000
Aban. Rate
Frau
d ra
te (b
asis
poi
nts)
Aba
ndon
rate
(%)
Call
volu
me
5 10 15 20 25
Call Volume
Highest Risk(rare)
0.2%
Before risk-basedVbV implemented
After risk-based VbV implemented
Abandonment and Fraud Rates
Reduced customer calls for password resets
Data supplied by CA Technologies and RSA
Cost savings
Fewer customer calls – following the implementation, customer requests for password re-sets tumbled by 85%
Stable fraud levels
Low losses – despite the elimination of active authentication on 95% of transactions, e-commerce fraud levels remained reassuringly low
A better user experience
Less friction – with only 5% of transactions deemed to be higher risk, 95% of transactions now require no cardholder authentication
Faster transactions
Increased speed – following the implementation, average transaction times reduced from 50 seconds to ten seconds
Increased transaction volumes and e-commerce revenues
Higher conversion rates – following the implementation, abandonment dropped from over 4% to under 1%
At Visa Europe, we can provide additional advice on how you could implement and benefit from risk – based authentication.