Verified by Visa — which typically functioned as a way to improve security by adding a password to the online payment process — is phasing out the use of static passwords.
The move won't affect the more widely used online banking passwords required by Visa issuers or the account passwords that protect the e-commerce sites that accept Visa payments. But Visa's plan is nevertheless a chance to improve the standard for authenticating online commerce.
Starting in April 2018, Visa says it will begin phasing out Verified by Visa-specific static passwords in its enrollment processes for the 3D Secure e-commerce fraud prevention platform. 3D Secure has been the e-commerce authorization platform for major card brands since Visa developed it in 2001. It is offered to e-commerce merchants and their consumers through issuers with Verified by Visa, Mastercard SecureCode, Amex SafeKey and ProtectBuy (Discover).
Though it would seem to put another barrier between fraudsters and consumers, in practice the 3D Secure system may have impaired commerce. The prompt to enter a Verified by Visa password — which the consumer may not have memorized — had the potential to derail the purchasing process.
And if a fraudster registered with 3D Secure before the consumer had the chance, it would effectively give the fraudster a more trusted identity than the legitimate account holder had.
The fact is, while Visa is making a definitive move to rid static passwords from its network, it isn't risking much by making this change, said Julie Conroy, research director and fraud expert with Boston-based Aite Group.
A Verified by Visa password "is not something that is used very much right now," Conroy said. "Most of the authentication is forced by the issuer."
Verified by Visa passwords appear only on occasion, depending on the type of transaction, plus merchants are reluctant to require an extra password every time for fear of losing the sale, Conroy added.
Some Visa issuers have already embraced a risk-based approach for authorization by seeking a one-time password through Verified by Visa, but it was a small percentage, said Mark Nelsen, Visa's vice president of risk products and business.
"There are requests for passwords for every transaction in some markets, but not as much in the U.S., where merchants want to avoid password prompting," Nelsen said.
Visa's plan to end the use of static passwords on a specific date gets everyone thinking on the same level, Nelsen added. "Sometimes that is needed in the marketplace to get the long tail of issuers to move ahead, and that's really what we are trying to do here."
Because so many organizations are seeking an end to static passwords, biometrics are an obvious alternative to implement, Nelsen said. "If a merchant requests a verification from Visa, we can prompt them to use a fingerprint on their cellphone or whatever authorization they are using in their mobile banking app, and use that for a payment transaction," he said.
It is important for Visa to emphasize its desire that 3D Secure become more consumer-friendly, Conroy said. If the April 2018 directive serves as a mandate for issuers, it allows those banks more time to adopt new technology, she added. "One of the big challenges was always if the consumer would use a strong password that was different from other passwords they were using — and that's a big if — that authorization would be more secure," Conroy said.
The continuing rise of data breaches makes it even more vital that consumer authentication methods be changed, said Aaron Kline, vice president of innovation and new ventures at ID Analytics.
"Our major banking and telco customers regularly share stories about compromised credentials being used by fraudsters to take over accounts," Kline said. "These account takeovers result in major losses due to unauthorized money movement, new credit cards illicitly opened, and new wireless service established by fraudsters."
Static passwords to authorize e-commerce transactions or protect consumer accounts have been under fire in the payments security industry for the past few years, as more secure methods such as tokenization, dynamic data and biometrics enter the mainstream.
Mastercard is also pushing ahead with a plan to improve its implementation of 3D Secure. The Mastercard Identity Check system — commonly known as "Selfie Pay" — allows issuers to replace the SecureCode password prompt with an option to use fingerprint or facial recognition to verify an e-commerce purchase.
"Any merchant that's SecureCode enabled today … they don't have to do anything different," nor do they need to know that the change is coming, said Catherine Murchie, senior vice president for processing and enterprise security and network solutions at MasterCard Inc., in an interview at SourceMedia's Card Forum and Expo in April. "Essentially what we're doing is replacing the password with a biometric."
And starting Oct. 14, Discover will implement a liability shift for disputed card-not-present transactions for merchants participating in the card brand's ProtectBuy program.
After that date, issuers will be responsible for fraudulent card-not-present transactions in cases where the merchant is a certified ProtectBuy user and has submitted or obtained an authenticated or attempted ProtectBuy response from the issuer.
“In the past, 3D Secure got a bad rap,” Corey Iacono, a Discover account executive for global operations, said at last week's Western States Acquirers Association’s annual meeting in Scottsdale, Ariz. “Previously consumers had to enroll themselves in the service and 100% of transactions were challenged.”
Discover now enrolls all of its cardholders in ProtectBuy, giving issuers the ability to challenge cardholders on suspicious transactions by sending a one-time password to confirm the transaction, Iacono said.
In addition to what the card brands are doing individually, a new 3D Secure 2.0 standard will take hold later this year. That specification, being shared with EMVCo, the EMV standards body, provides issuers with more consumer data to help make authorization decisions while also providing guidance for issuers to eliminate static passwords. The update also eliminates the need for a consumer to even enroll card credentials.
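The risk-based pattern described above, in which an issuer approves low-risk purchases without a prompt and challenges suspicious ones with a one-time code rather than a static password, can be sketched in code. The following is an added illustration, not code from Visa, Discover, EMVCo or the 3D Secure specification: the transaction fields, the scoring weights and the 50-point cut-off are constructed assumptions, and the one-time code handling shows the properties that distinguish a dynamic credential from a static password (bound to one transaction, time-limited, single-use, attempt-limited, stored only as a keyed hash).

```python
"""Risk-based step-up for a card-not-present purchase (added illustration).

Low-risk purchases pass without a prompt; suspicious ones get a
time-limited one-time code instead of a static password.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    # Constructed fields for illustration; these are not 3D Secure 2.0 message elements.
    card_id: str
    amount: float
    merchant_country: str
    cardholder_country: str
    device_known: bool        # device seen before for this cardholder
    prior_purchases: int      # earlier purchases at this merchant


CHALLENGE_THRESHOLD = 50  # assumed cut-off; a real issuer tunes this from loss data


def risk_score(tx: Transaction) -> int:
    """Additive toy score: higher means more suspicious (weights are assumptions)."""
    score = 0
    if tx.amount > 500:
        score += 40
    elif tx.amount > 100:
        score += 15
    if tx.merchant_country != tx.cardholder_country:
        score += 30
    if not tx.device_known:
        score += 30
    if tx.prior_purchases == 0:
        score += 10
    return score


def decide(tx: Transaction) -> str:
    """'frictionless' approves on risk data alone; 'challenge' demands a one-time code."""
    return "challenge" if risk_score(tx) >= CHALLENGE_THRESHOLD else "frictionless"


class OtpChallenge:
    """A one-time code bound to one transaction: expiring, single-use, attempt-limited."""

    TTL_SECONDS = 300
    MAX_ATTEMPTS = 3

    def __init__(self, server_key: bytes, tx: Transaction, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self.issued_at = now()
        self.attempts = 0
        self.used = False
        # Six decimal digits from a CSPRNG; this is what the issuer sends to the cardholder.
        self.code = f"{secrets.randbelow(10**6):06d}"
        # Store only a keyed hash bound to card and amount, never the code itself.
        self._digest = self._mac(server_key, self.code, tx)

    @staticmethod
    def _mac(key: bytes, code: str, tx: Transaction) -> bytes:
        msg = f"{code}|{tx.card_id}|{tx.amount:.2f}".encode()
        return hmac.new(key, msg, hashlib.sha256).digest()

    def verify(self, server_key: bytes, submitted: str, tx: Transaction) -> bool:
        """True exactly once, for the right code on the right transaction, inside the window."""
        if self.used or self.attempts >= self.MAX_ATTEMPTS:
            return False
        if self._now() - self.issued_at > self.TTL_SECONDS:
            return False
        self.attempts += 1
        ok = hmac.compare_digest(self._digest, self._mac(server_key, submitted, tx))
        if ok:
            self.used = True
        return ok


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    # Constructed sample: large cross-border purchase from an unknown device at a new merchant.
    tx = Transaction("card-1234", 899.00, "GB", "US", device_known=False, prior_purchases=0)
    print(decide(tx))                   # challenge
    ch = OtpChallenge(key, tx)
    print(ch.verify(key, ch.code, tx))  # True
    print(ch.verify(key, ch.code, tx))  # False: code already consumed
```

Binding the keyed hash to the card and amount means a code issued for one purchase cannot be replayed to approve a different one, and keeping only the hash server-side means a leaked challenge table exposes no usable codes; both are properties a static password can never have.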
While not directly related to the 3D Secure changes, the Fast Identity Online Alliance, or FIDO, has a similar goal in mind in eliminating static passwords. Members of FIDO have been developing and certifying new authentication technology, much of it in biometrics, to protect consumer accounts and devices.
Earlier this year, FIDO moved its technology concepts more clearly into the payments realm through an agreement with EMVCo, concentrating on mobile payment security through device authentication.
FIDO now has 250 certified products available for banks and technology organizations to deploy in their transaction or account authorization schemes, Adam Powers, technical director of FIDO Alliance, said in a Sept. 21 blog post.
"All FIDO certified products and solutions have one very important thing in common," Powers wrote. "They can eliminate an organization's risky and inefficient reliance on single-factor username and password authentication. This is a well-known necessity."
Kate Fitzgerald contributed reporting to this story.
Corrected September 23, 2016 at 3:46PM: This story has been updated with comment from Visa, which was unable to provide comment by the article's original deadline.