Improving the customer authentication experience and delivering PSD2 solutions with the next generation of Verified by Visa

28th June 2017

Not for further distribution

Notice of confidentiality

This presentation is furnished to you solely in your capacity as a customer of Visa Inc. and/or a participant in the Visa payments system. By accepting this presentation, you acknowledge that the information contained herein (the “Information”) is confidential and subject to the confidentiality restrictions contained in Visa’s operating regulations and/or other confidentiality agreements, which limit your use of the Information. You agree to keep the Information confidential and not to use the Information for any purpose other than in your capacity as a customer of Visa Inc. or as a participant in the Visa payments system. The Information may only be disseminated within your organization on a need-to-know basis to enable your participation in the Visa payments system. Please be advised that the Information may constitute material non-public information under U.S. federal securities laws and that purchasing or selling securities of Visa Inc. while being aware of material non-public information would constitute a violation of applicable U.S. federal securities laws.

Disclaimer: Case studies, research and recommended practice recommendations are intended for informational purposes only and should not be relied upon for marketing, legal, technical, tax, financial or other advice. When implementing any new strategy or practice, you should consult with your legal counsel to determine what laws and regulations may apply to your specific circumstances. The actual costs, savings and benefits of a card program may vary based upon your specific business needs and program requirements. Visa makes no representations and warranties as to the information contained herein and member is solely responsible for any use of the information in this presentation in connection with its card programs.

©Visa 2016. All rights reserved.

Agenda

- Welcome and introduction

- Update on PSD2 requirements for Strong Customer Authentication

- The new generation of Verified by Visa: VbV 2.0

- VCAS

- Question and answer session


Update on PSD2 requirements for Strong Customer Authentication


PSD2 - Commercial and business impacts

1. Open Competition
• Open API
• New players - e.g. PISPs, AISPs

2. Payment security
• Strong authentication mandatory
• Exemptions
• EBA to provide RTS

3. Consumer protection
• 50 euro liability
• Refund next business day
• Limits to surcharging

PSD2 will drive changes for payment service providers

Ecommerce

• Issuers will have to support an SCA solution
• Acquirers will have to support payment systems that allow SCA

What is SCA? (strong customer authentication)

The use of two or more of the following elements:
• something a customer knows – e.g. password / PIN
• something a customer has – e.g. key material
• something a customer is – e.g. fingerprint / voice recognition

PSD2 will drive changes for payment service providers

Ecommerce

TRA is recognised as a valid form of exemption to the SCA mandate

TRA will be allowed for Issuers and Acquirers (merchants) within certain limits and subject to strict monitoring requirements.

Reference Fraud Rate (%) for:

EUR        Remote card-based payments    Credit transfers
250-500    0.01                          0.005
100-250    0.06                          0.01
0-100      0.13                          0.015

• Transaction Liability
– Sits with the entity that triggers the SCA exemption
– Regulations to confirm if the Issuer has the final decision

Final Draft – Other new exemptions

• Exemption for remote low value payments – EUR 30 (instead of EUR 10) – Cumulative amount of EUR 100 or 5 transactions

• “White lists” of trusted beneficiaries – applicable to all payments*

• MOTO, recurring (apart from first transaction) and “one leg out” transactions are out of scope

NB: Commission can still make changes to the draft RTS before they are finalised.

*There is still some uncertainty about whether this covers cards
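The exemption rules on the two slides above (the TRA reference fraud rate table, the EUR 30 low-value rule, white lists and the out-of-scope transaction types) can be read as one decision procedure. The following is an added example, not part of the original presentation and not Visa's or the EBA's logic; the names `Payment` and `sca_decision` are hypothetical. It assumes that a PSP qualifies for TRA in a band when its own fraud rate is at or below that band's reference rate, that bands are upper-inclusive, and that the low-value exemption ends once either EUR 100 cumulative or 5 transactions since the last SCA is exceeded.

```python
from dataclasses import dataclass

# Reference fraud rates (%) from the slide, keyed by the upper bound of each EUR band.
# Assumption: bands are upper-inclusive (EUR 100.00 falls in 0-100).
REFERENCE_FRAUD_RATE = {
    "card": [(100, 0.13), (250, 0.06), (500, 0.01)],
    "credit_transfer": [(100, 0.015), (250, 0.01), (500, 0.005)],
}
# MOTO, recurring (after the first) and "one leg out" are out of scope per the slide.
OUT_OF_SCOPE = {"moto", "recurring_subsequent", "one_leg_out"}


@dataclass
class Payment:  # hypothetical record; field names are not taken from any specification
    amount_eur: float
    instrument: str = "card"          # "card" or "credit_transfer"
    kind: str = "ecommerce"           # or one of OUT_OF_SCOPE
    eur_since_last_sca: float = 0.0   # exempted total before this payment
    count_since_last_sca: int = 0     # exempted payments before this one
    beneficiary_whitelisted: bool = False


def sca_decision(p: Payment, psp_fraud_rate_pct: float) -> str:
    """Return the first rule that removes the SCA requirement, else 'sca_required'."""
    if p.kind in OUT_OF_SCOPE:
        return "out_of_scope"
    # The slide notes uncertainty over whether white lists cover cards.
    if p.beneficiary_whitelisted:
        return "exempt_trusted_beneficiary"
    # Low value: EUR 30 per payment, until EUR 100 cumulative or 5 transactions.
    if (p.amount_eur <= 30
            and p.eur_since_last_sca + p.amount_eur <= 100
            and p.count_since_last_sca + 1 <= 5):
        return "exempt_low_value"
    # TRA: find the band for this amount, then compare the PSP's own fraud rate.
    for upper, reference in REFERENCE_FRAUD_RATE[p.instrument]:
        if p.amount_eur <= upper:
            if psp_fraud_rate_pct <= reference:
                return "exempt_tra"
            break
    return "sca_required"
```

Because the TRA reference rate tightens as the amount rises, the same PSP fraud rate can exempt a EUR 180 payment and still require SCA at EUR 400.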


Next steps (provisional timeline*)

February 23 - RTS submitted by the EBA to the Commission

By end of May - Commission either adopts RTS or proposes amendments

By end of October 2017 - RTS scrutinised by Council and Parliament

By December 2017 - Publication into official journal of the EU

Mid 2019? - Entry into force

EBA considers proposed amendments and issues formal opinion within 6 weeks

*Timeline presented assumes that the RTS are not sent back to the EBA. If this occurs, the timeline is extended.

| Visa 3-D Secure | 201710

The new generation of Verified by Visa: VbV 2.0

The Authentication Challenge: High abandonment rates

[Figure: VbV abandonment rates by country. Seven bars, values in the order given: 6.1%, 8.6%, 5.1%, 4.7%, 13.8%, 6.4%, 2.7%. Challenge method by market* labels on the chart: SMS OTP, mTAN, BankID, BankID, Various, RBA, SMS OTP.]

Cardinal Commerce estimation is based on large merchants implementation (mainly USA and UK).

* Predominant challenge method in the market

Source: Cardinal Commerce and Acquirer interviews

VbV 2.0 will deliver key improvements

• Enhances issuer risk-based authentication capabilities and improves the user experience across multiple form factors and use cases

Flexible Device and Channel Support VbV 1.0 VbV 2.0

▪ Browser-based authentication support ✓ ✓

▪ Mobile/application-based authentication support ✓

▪ Digital Wallet, Non-payment-based authentication ✓

▪ Support for future channels and form factors (i.e. MOTO) ✓

More Data for Authentication and Security VbV 1.0 VbV 2.0

▪ Payment-related data ✓ ✓

▪ Non-payment related data ✓

▪ Support for new and future authentication methods ✓

Improved User Experience VbV 1.0 VbV 2.0

▪ Capable of integration with the merchant experience ✓ ✓

▪ Removal of Activation During Shopping ✓

▪ Reduce the number of messages required ✓

limited expanded

limited expanded

expanded

VbV 2.0 In-app purchases | November 2016 | ChilliMint (Europe) Limited Confidential.

Visa VbV2 Demo – available to download

https://invis.io/986QRLDPU


The benefits VbV 2.0 brings

PSD2 Compliant solution

Improves Consumer Experience

Fraud reduction with RBA

Greater merchant control and visibility of cardholder authentication experience

Expand authentication capability to mobile channel

Reduce friction and cart abandonment

Enhanced data for TRA (risk-based authentication)

Support new and future dynamic authentication methods (i.e. OTP, biometrics)

Step-up cardholder challenge for higher risk transactions

Greater exchange of data enhances approvals


VCAS


CardinalCommerce Overview

Payments ecosystem is becoming more complex

Improved interoperability for global stakeholders

Cloud-based technology platform is differentiated with powerful attributes

Cardinal’s IP and technology positions it to be the global platform for CNP authentication

• Cardinal provides a centralized platform that increases authorizations, eliminates fraud and reduces friction

• Seamlessly share more information from merchant/consumer to issuer

• Proactively manages fraud

• Increases authorizations/sales

• Enables regulatory compliance

• Omni channel, new solutions

• Centralized monitoring & control

• Big data analytics

• Flexible and extendable system

• Common customer interfaces


CardinalCommerce Solutions
Enhanced Data Transfer

[Diagram labels: Merchant; Payment Gateways; Merchant Acquirer Processor; Card Networks; Issuer; Payment Authorization Flow; Authentication Infrastructure; What merchant knows; What bank knows]

Combining Visa and Cardinal Provides a New Perspective

More data means better decisions

• We use this information to help both issuers and acquirers formulate better strategies to authenticate cards and reduce checkout friction

• You control the decision process with a “white box” approach

[Diagram labels: Merchant Shopping Cart; Payment Gateway; Cardinal Centinel Merchant MPI; Card Network’s Directory Servers; Engage customer when required]

Where Are We Today?
Improve authorizations with enhanced data

1. Risk Based Authentication (RBA)
• Balancing security and convenience through robust risk-based authentication
• Enabling the foundation for data driven decisions is key

2. Data Exchange
• Tighter integration between merchants and issuers provides more insight into good and bad transactions
• Stronger authorization performance and fraud detection

3. 3-D Secure 2.0
• EMV 3-D Secure 2.0 specification released in late 2016
• 3-D Secure 2.0 transactions expected in late 2017

4. What’s Next?
• Visa and Cardinal are well positioned to support issuer needs for risk-based and strong consumer authentication capabilities today and in the future

Current Authentication Data

• Acquirer BIN
• Acquirer Merchant ID
• Cardholder Account Number
• DS URL
• Message, Extension, Version
• Browser User-Agent

Enhanced Authentication Data (More than 10X Data)

• Acquirer BIN
• Acquirer Merchant ID
• Card Expiry Date
• Cardholder Account Number
• DS URL
• Merchant Country Code
• Message Category, Extension, Type, Version
• Purchase Amount, Currency, Date & Time
• Recurring Expiry, Frequency
• Browser User-Agent
• IP address
• Browser Time Zone
• Cardholder Email Address, Home Phone Number, Mobile Phone Number, Work Phone Number
• Cardholder Name
• SDK App ID, SDK Encrypted Data, Ephemeral Public Key
• SDK Reference Number, SDK Transaction ID
• 3DS Requestor URL
• Browser Accept Headers
• Cardholder Account Information (Account Age, Change, Password Change, Number of Transactions per Day / Year, Shipping Name Indicator, Suspicious Activity, Payment Account Age etc.)
• Cardholder Account Identifier, Billing Address
• Cardholder Shipping Address
• Transaction Type
• Account Type
• Browser Time Zone
• DS Reference Number, Transaction ID
• EMV Payment Token Indicator
• Purchase Date & Time
• Recurring Expiry, Frequency
• Directory Server Reference Number, Operator ID, Transaction ID, URL
• Address Match Indicator
• Device Channel, Device Information, Rendering Options Supported
• Message Category, Type
• Merchant Name
• Merchant Country Code
• Merchant Category Code
• Merchant Risk Indicator (Delivery Timeframe, Re-order, Pre-order, Gift Card)
• 3DS Requestor Authentication Information (Method), Challenge Indicator, ID, Initiated Indicator
• 3DS Requestor Name, Non-payment Indicator, Prior Transaction Authentication information
• Installment Payment Data
• Browser Java Enabled, Language, Screen Color Depth, Height, Width

Risk-based Authentication

• Transaction is initiated by a participating merchant while the authentication method and decision is made by the participating issuer

Cardholder enters account details

Merchant sends authentication request to issuer

Issuer authenticates cardholder using preferred authentication method

Issuer replies to merchant with authentication outcome

Merchant submits transaction for authorization with flag indicating authentication result

Only the riskiest transactions (typically <5%) are stepped up for cardholder verification. Visa’s ACS solution (VCAS) offers robust RBA capability

VCAS Product Features
Enabling intelligent authentication decisioning and management

Risk-based Authentication

– Visa Authentication Risk Scoring Model

• Applicable for all payment brands

– Authentication Risk Rules Engine

• Configurable rule parameters

Multiple dynamic authentication methods

– Biometrics

– Token

– OTP (SMS, email, concurrent)

– Others

Flexible, easy-to-use, Portal for authentication management

– Query and access transaction details in real-time

– Create, test and publish authentication strategies (rules)

– Manage cardholder information in inquiries


VCAS User Portal
Easy-to-use applications

Dashboard

– Analytic dashboard available upon login to quantify high-level business metrics, i.e., transaction volume by authentication type, challenge rates (successful, failure), and more

CSR Manager

– Designed for Customer Service Representatives (CSR) to manage individual cardholder accounts (PAN)

– Block accts, mark transactions as good, fraud or undetermined, apply temporary authentication “pass”, access details, etc.

Rules Manager

– Created for fraud and cardholder management, allowing users to write, edit, test, and manage the rules based on a variety of situations. The rules can vary in terms of complexity and can be implemented in almost real-time environment

Reporting Manager

– Allows users to view, query and access transaction details in near real-time

– Reports available for download

Administration and Configuration Manager

– Primary interface for users to configure, run and access various tools and features available within the portal

– The admin tool will allow the Portal Administrator to create new and manage existing users, look at activity and audit logs


Online Portal: Rule Application

• Provides a managed service for rule setting and manipulation

• Online Rules Portal available

– Includes 15+ rule parameters for configuration

– Issuer self-managed

• Option to manage on issuer’s behalf

– Near real-time rule deployment

• Roll-back capabilities

• Supports Account and Values lists

• Test rules prior to publishing


Online Portal: CSR Application

• Multi-leveled approach (Hierarchy)

• Permission Based

• Supports multiple user levels

• Look up full PAN

• Access to PAN history

• Block all activity on PAN

• Temporary Bypass


Online Portal: Reporting

• Provides a standard set of reports through the portal including, but not limited to:

– ACS Transaction report

– Date filters

– Card number (PAN) files

– Time stamp details

– Order details

– Merchant Name

• Available in portal or via SFTP

• Monthly is standard


Summary

- Customer Experience is EVERYTHING. VbV 2.0 is designed to create secure frictionless authentication for remote payments and is optimised for mobile devices

- The additional data in VbV 2.0 supports RBA/TRA, helping reduce fraud and comply with PSD2

- Make sure VbV 2.0 is in your technology roadmap and start your implementation planning now

- VCAS is designed to support Issuers in delivering a fully PSD2 compliant and optimised authentication solution


Questions

Meet the panel:

• Mark Austin, Director of Digital Product Solutions, Europe

• Bruce Poore, Senior Vice President, Global Financial Institution Services, CardinalCommerce Corporation

• Guido Mangiagalli, Head of Authentication, Europe

• Caroline Birchinall, Head of Verified by Visa, Europe