{{ searchResult.published_at | date:'d MMMM yyyy' }}

Loading ...
Loading ...

Enter a search term such as “mobile analytics” or browse our content using the filters above.

No_results

That’s not only a poor Scrabble score but we also couldn’t find any results matching “”.
Check your spelling or try broadening your search.

Logo_distressed

Sorry about this, there is a problem with our search at the moment.
Please try again later.

Verified by Visa, and other online verification schemes like MasterCard SecureCode, have been adopted by many online retailers in the UK, but do they cause customers to abandon sales?

Concern about the levels of online fraud has led to the introduction of these security measures, but have they seem to have been introduced without considering the effect on e-tailers, and some have found that conversion rates have been affected.

This subject came up when I talked to Andy Redfern of EthicalSuperstore.com last week. After introducing the Verified by Visa scheme to the site, he experienced an immediate 6% drop in conversion rates. There's also this example of a retailer that suffered a 60% drop in sales after introducing 3D Secure.

We asked the question about effects on conversion rates via Twitter last week, and had a similar response:

VbV and Securecode decimated our card sales. Banks just hadn't explained the process to customers.

At the beginning it was terrible, caused a lot of abandoned carts, now its more mainstream merchants see less chargebacks

A quick search on Twitter for terms like 'Verifed by Visa' and '3D Secure' shows how unpopular these schemes with web users:

Just tried to make a purchase online and hit the usual barrier of having to try and negotiate 3D secure. Why oh why do they make it so hard.

3D Secure is about as helpful as a cat flap in an elephant house

Ok, this is a F*****G JOKE! Verified by Visa won't accept my password... Clicking the submit button doesn't do anything!!! WTF!? #FAIL

Has anyone ever made a successful transaction with the Verified By Visa system? It makes my blood boil every time...

The problems with the scheme are related to poor customer education and bad usability. When e-tailers are looking to make the purchase process as smooth as possible for customers, verification schemes essentially add another step to the whole checkout and, worse still, one that many customers are simply not expecting.

The first many customers will know about such security schemes are when they think they have already completed a purchase, but instead they see a screen that looks something like this:

Verified by Visa

Customers may be reassured by the Visa logo, but this is still a page that is asking for secure information only a step or two after they have already given these details. If you don't know what this step is about, then alarm bells may start ringing.

Also, the Verified by Visa screens I have come across seem to be generic in design, and seems bear no relation (no links, logos etc), have  to the site you have just made a purchase on, another thing which may have customers worried.

The password process for Verified by Visa carries with it all of the problems associates with registration processes on e-commerce sites. I have never yet remembered my VBV password, so every single time I have to reset it. As resetting requires entering your date of birth, card security code etc, it can be a frustrating experience. 

So what can retailers do about it?

Now that more and more big name retailers are using these schemes, then customer awareness should improve and the effect on conversion rates will be less severe, but, since banks haven't done a great job of educating customers about verification schemes, then retailers offering Verified by Visa should at least make sure that customers are aware of what to expect after the checkout process.

The worst thing you can do is just let customers discover VBV, 3D Secure etc after they have made a purchase. This makes it more likely that they will abandon the purchase in frustration.

TheTrainline is one site that asks for Verified by Visa, but though you can search for information in the help section, you will be given no clue by the retailer until you see the screen.

Instead, retailers could advise customers that they will be asked to verify their card after purchase and provide further information for those customers that are unaware of VBV.

Even better, as in this example from eBuyer, the card verification has been integrated into the checkout process, so instead of seeing a screen with just the Verified by Visa form, customers can see the connection with the website and the purchase they have just made:

eBuyer - Verified by Visa

The text on the left also explains VBV for those customers who might be unaware of it, and offers customers the option of contacting the retailer if they have any questions:

Though Amazon still refuses to add Verified by Visa, plenty of other well known retailers now use the scheme, and it seems inevitable that others will follow.

Banks and card providers haven't really done enough to educate customers about the system, or to make the forms more usable, but retailers can at least minimise some of the damage to conversion rates by doing as much as they can to advise customers about what to expect during the checkout process.

Graham Charlton

Published 27 May, 2009 by Graham Charlton

Graham Charlton is the former Editor-in-Chief at Econsultancy. Follow him on Twitter or connect via Linkedin or Google+

2565 more posts from this author

Comments (49)

Comment
No-profile-pic
Save or Cancel
Tom Stuart

Tom Stuart, Chief Architect at Econsultancy Enterprise Guest Access

Very true. The fraud protection on my credit card is already exactly what I want (the issuer removes fraudulent transactions when I report them) so the "protecting the customer" spiel is pretty unconvincing: the only people being protected here are the retailer and the card issuer. It seems win-win until consumers start giving up on online transactions because the "protection" is more hassle than it's worth.

over 7 years ago

David Williams

David Williams, Director of Online EMEA at Deckers LtdEnterprise

An excellent review of Verified by Visa. Interesting that a year ago at an IMRG event I attended, when the audience was asked, around 10% had implemented, at least 60% were wary of implementing, and even more interestingly around 30% had not really considered it. It shows that if the retailers dont know much about it, how can you expect the consumer to?

Obviously it was being pushed as a retailer 'must have' but the concerns about the effect on conversion rates concerned all that day even then.

The conversion rate issue and telling the customer what to expect is a must, as is continuing your usability experience for the consumer. I had an experience yesterday on a site I shall not name where after completing VBV the button to complete the order was totally obscured by the VBV box. If I had not noticed that Click to Confirm order button, I would have left the site, expecting the order completed, and would have then wondered why I had not received a confirmation email.

If you do implement VBV, it must not be considered a necessary evil, it needs to be considered an essential part of the shopping basket experience. Even if the banks and card providers have not done their usability home work, there is no excuse for experienced retailers not to.

over 7 years ago

Tom Stuart

Tom Stuart, Chief Architect at Econsultancy Enterprise Guest Access

@Miri: Yes, this is the main reason why Econsultancy no longer accept Maestro payments online -- to us it's just not worth putting our customers through the pain of 3D Secure. It's probably not a win for MasterCard if too many merchants make the same decision!

over 7 years ago

Chris Rourke

Chris Rourke, Managing Director at User VisionSmall Business Multi-user

Definitely  conversion rate killer not just for me personally but also what we get to see when running usabiliy tests.  When people hit any barrier in purchase they immediately recall their nightmare transaction experience and think this one could be the same.

Obviously retailers need to balance the tradeoff of conversion drop (the 6% quoted is lower than I expected) vs fraud protection for their business. If working with it on your site,best ideas are early warning in the process (pre purchase if possible) that VBV is being used, and I think the idea of integrating it into the main site rather than pop up will help, as shown in Ebuyer- havent seen that type implemented before, but it will make it seem a bit less distruptive.  Once the user is in the VBV system the retailer's hands are tied so need to do all you can on your own site.

Chris

over 7 years ago

Avatar-blank-50x50

Tim Leighton-Boyce, Analyst at CxFocus

I'm very glad to see this subject out in the open here and on Catalogue & e-business. I've seen the abandon rates on the relevant stages of some checkout funnels go from single to double digits.

There's also plenty of comment in customer satisfaction surveys about the subject. At first most customers just complained about the issue in general terms about extra passwords, but now more are starting to refer to the system by name. Some blame the merchant, some blame their card company, some blame the merchant for implementing the card company's system -- so two out of three times the merchant gets a beating.

The lack of publicity from the card companies is shameful when you compare it to the lengths they went to when launching chip and pin.

Embedding the form might help with the explaining and warning. But it doesn't do anything about the problems users experience with the system itself. I continue to see a steady flow of adverse comment from users of a site which uses an embedded form.

The frustrating thing is that merchants who have resisted and delayed will possibly have prospered at the expense of those who complied.

More publicity would help, of course. Some serious work on the usability of the system would help too.

over 7 years ago

Ian Tester

Ian Tester, Senior Product Manager at brightsolid online publishing

As a merchant, it has been misery with a few rays of sunshine - basically no consumer education by banks, and big sticks waved agressively by our CC processor and bank to implement it.

Our first implementation smacked our conversion rates (but did massively reduce fraud). We very quickly redesigned the payment process to provide a. a branded experience (so it didn't look like you'd fallen out the payment process) b. a plain englush explanation (as VBV and processors seem incapable of doing this) on the page you enter the details on c. plenty more hand holding / info on the site. Conversion rates recovered.

It's not rocket science - if you are going to implement this (and plenty of merchants have a gun against their heads, realistically) do what you'd do to the rest of your payment process - make it as simple as possible, with no suprises, and brief your customer support team in case of questions. Monitor conversion rates and your funnel like a hawk.

There is of course a huge elephant in the room security-wise: if your card is stolen and you have not enabled VBV, it is incredibly easy for the thief to do so online, as there are basically no security checks beyond having the card in your hand...

It's badly-implemented bum-covering by the banks at the end of the day, but including it on your site can have some upside for merchants (fewer chargebacks, less fraud, better rates).

over 7 years ago

Avatar-blank-50x50

Matt Wilkinson, Senior Ecommerce Manager at Gatwick AirportEnterprise

Had a very interesting call with HSBC the other day.. VbV is american and according to the guy i was speaking too, its been a nightmare for the bank, as most people (inc me) dont put the right data in as its misleading.

eg. it asks for a FORNAME but what it actually wants is the exact name on the card, not great usabilty then!! no wonder we all hate it!!

over 7 years ago

Avatar-blank-50x50

Deri Jones, CEO at SciVisum.co.uk

ebuyer.com is one of my regular shopping sites - and I quite like it - despite VBV.  I guess they must have a flexible tech platform too, as they did VBV quite early, and GoogleCheckout too.

But VBV can also be a nuisance also in the web testing space, if you've a user journey that makes up credit card numbers at random each run.

As the VBV will sometimes pop up and sometimes not - and so your CheckOut journey has one step in that comes and goes - or to stop the extra step, then we have to wrap the time for the VBV page into the previous page in the journey, which then has a 'quick, quick, slow, quick ' curve - (slow when the extra VBV is present).

Humm, a bit like the pain of how monitoring journeys should handle the 'out of stock' situation for a randomly selected product:  is that worthy of a 'warning' or a full blown 'error' - as sites vary on how they wish to hide or show their out of stock products.

Or should the journey loop again, and try to buy a different random product.... but if that too is out of stock.... is that finally worthy of being an Error...or does the client call '3 in a row' as the strict definition.  And should we plot the page timings for the extra looping pages, or bin them...

over 7 years ago

Avatar-blank-50x50

Andrew Main

This is a service built by someone who has never had to use it!!!  - It is absolutley appauling and when you look at the alternatives that abound that are easier for the customer to use and expose less data to a third party site; like Google checkout and Paypal payments.. Banks have a lot to learn.  I as an online shopper, also endorse the comment from earlier, that I deliberatley choose not to use it and will seek an easier alternative - almost at any cost.

over 7 years ago

Avatar-blank-50x50

Chris Lund

I've wondered how long it would take for VbV to receive some incoming flak. I hate it.  Everytime it pops up unannounced it confuses and frustrates me,  so imagine the effect it has on the less internet savvy. 

That said, I agree with Daniel's and Chris's points.  Retailers can moan about VbV and the banks' lack of customer education, but this is surely a shared responsibility. 

I've seen some truly horrific integrations of VbV, with no on-site explnation of what it's for, what I'm supposed to do, etc.  If customers are pre-warned about VbV and its purpose, they are surely at least less likely to close their browser (or slam shut their laptop in frustration?) at the final hurdle.  oh and if it at least looks like the VbV page has a passing resemblance to the rest of the site - unlike some I've seen - it might help

about 7 years ago

Avatar-blank-50x50

John Hyde Christchurch NZ

I hate VbV. My wife hates VbV. My friends hate VbV.

We never remember any of our user details - the questions, the prompts, the other tosh.

These Visa people just don't get it. We want to buy stuff for our lives and our hobbies - we don't want online shopping to become a hobby.

We're simply not interested in the banks' problems and their crummy websites. We just want the process to work - like switching on a light or turning on a tap - we don't have time to poner it.

about 7 years ago

Avatar-blank-50x50

Chocolate Now! - Nigel Croft

We enabled 3D secure when we started trading 4 years ago. It has always been a concern that it was lowering conversion rates, but we decided to stick with it in the belief that it would become common practice "real soon now".

This still hasn't happened!

However, we don't have a huge abandonment rate. This may be because we have quite a long ordering process (we let customers create their own custom box of chocolates) so by the time they reach that screen they have invested a lot of time and aren't about to give up.

We also use the Protx (now Sage Pay) system which lets us create custom templates for all the payment screens including an embedded VBV screen. This screen has our logo, an explanation of what is going on AND A SKIP VERIFICATION BUTTON at the bottom. Of course, this doesn't work for Maestro cards which require 3D, but it gives frustrated customers a way round if they are having problems.

We are finding the vast majority of customers do complete verification, and those who use the skip button, we just take a closer look to see if the order appears fraudulent.

3D secure is an ok system, but as others have noted, nobody bothered to tell the customers about it! If the banks would just advertise it, we would have much fewer problems.

But it doesn't stop here........ Have you got one of those fancy keypad units for your online banking yet? (You put your card in, type your pin, and it generates a security code for logging in - a different one each time) Well, the banks are already trialling a system for online payments where you will need to use one of these every time you make an online purchase.

This may be easier in the long run (you will just have to remember your pin) but will undoubtedly confuse the heck out of customers, they won't be able to find their keypad when they need it etc etc. So, it ain't over yet - it isn't even started! Now would be a great time for the banks to get their act together and start educating their (and our) customers.

about 7 years ago

Ashley Friedlein

Ashley Friedlein, Founder, Econsultancy & President, Centaur Marketing at Econsultancy, Centaur MarketingStaff

Doesn't help when you get this sort of message (which I've just received from Datacash our payment provider):

Please note that there was a technical problem with Visa 3Dsecure transactions. We have escalated this to Visa for further investigation.


We have switched to the Visa secondary site and processing of Visa 3DSecure transactions has resumed as per normal.

Due to this problem one of the errors you might have received is a 159 error for 3DSecure Visa transactions.

If I was a retailer, and it was the first week of December, and I got this, I'd be hopping mad at Visa 3Dsecure to say the least...

about 7 years ago

Avatar-blank-50x50

Tim Leighton-Boyce, Analyst at CxFocus

Meanwhile I've just this minute sighted my first ever bona fide customer survey comment from someone who was surprised NOT to be prompted for their password on a card which they know to be registered.

That's my first bit of anecdotal evidence that customers are beginning to become familiar with the system despite the lack of publicity.

about 7 years ago

Ashley Friedlein

Ashley Friedlein, Founder, Econsultancy & President, Centaur Marketing at Econsultancy, Centaur MarketingStaff

@Tim - that customer, a Mr V. Visa? ;)

about 7 years ago

Avatar-blank-50x50

Tim Leighton-Boyce, Analyst at CxFocus

Well, I've certainly heard of people posting dummy reviews on merchant's sites in order to create a positive or negative buzz. So why not fake comments?

But in this case they would have had to place an order to do it -- this survey was one embedded in the thank you page.

I wonder when we will see a comment here from Mr V's representatives to explain how well the system is being received by our mutual customers?

about 7 years ago

Avatar-blank-50x50

lu

if you are a merchant using verified by visa then check your orders!! today, we have had customers struggling to make payments. the payment gateway page begins loading vbv then hangs. luckily, 2 customers called within 1 hour so we were made aware of the problem. we would have been none the wiser if it were not for this. it may just be an issue between hsbc payment gateway and vbv. we are yet to get any answers from anyone. one thing is for sure.. we have lost orders. please check that you have not been affected. 

i HATE vbv!

about 7 years ago

Avatar-blank-50x50

Deri Jones, CEO at SciVisum.co.uk

<sales mode on> - our 24/7 web monitoring can do complex CheckOut journeys, so would alert straight away for these kind of problems VBV or etc.

Nice to know before your customers start to suffer....:<)

Can we help you out Lu, with something quick this week?

about 7 years ago

Avatar-blank-50x50

Robert Tyler, Project Manager at BlackRock

This is the most frustrating part of a payment process I have ever come across. I've just aborted yet another transaction after being faced with Barclays VBV. Apparently my password is wrong. OK, thats fine, I'll hit forgotten password. Enter my details as they appear on card (which is in front of me). No such card registered. Nice. Ok, I'll hit "Im not enrolled, new registration". Enter my card details. Card already registered. Call the help line. On hold for 25 minutes. Off down pub to spend the £28 I've just saved.

about 7 years ago

Ian Tester

Ian Tester, Senior Product Manager at brightsolid online publishing

More to the point, with the SEO gurus on this site, should we not be gunning for #1 ranking, and for Visa rather than VbV?

Blog it, tweet it. Shake that tree. You know it makes sense. ;-)

about 7 years ago

Avatar-blank-50x50

David Hatchard

I think someone else mentioned this earlier on but has anyone received a letter from their bank passing on a message from MasterCard that from June 30th, 2009, they require MasterCard SecureCode to be used for all Maestro e-commerce transactions? It goes on to say that any non-compliant merchant may be subjected to fines of up to $25,000 per month!

I have held off implementing 3D Secure on our site for all of the reasons highlighted by everyone above. And even though MasterCard have issued this warning, I am STILL relunctant to implement.

If you haven't already got 3D running on your site, and have received a letter similar to the one we have, I would interested to hear what you're going to do. Adopt 3D, absorb the fines imposed, or cease accepting Maesro cards?

Is it a case of 'boy crying wolf'? Haven't MasterCard and Visa been setting these 'deadlines' for the past 2 years (at least)? 

about 7 years ago

Ashley Friedlein

Ashley Friedlein, Founder, Econsultancy & President, Centaur Marketing at Econsultancy, Centaur MarketingStaff

Hi David

Yes, I got that letter and threw it in the bin. We decided last year (when we knew this was coming) to drop support for Maestro cards *because* of the 3D Secure implications. 

But we could do this knowing that very few of our customers used Maestro anyway and, of the few that did, they almost always had an alternative card they could use.

Guess it depends on your customer base.

about 7 years ago

Avatar-blank-50x50

Lloyd

I've just been fuming again. Had a problem the other day, 3D secure would not recognise my password (which I keep at home written down). Made several attempts then gave up. Went to garage to fill up with petrol had to talk to card security  by then the queue behind me had built up.

Have been making several other purchases online using another debit card, this firm asked me to do 3D secure which I reluctantly set up and recorded the password. Try it again today for another item, guess what wrong password (the one I had written down the day before). Changed password and transaction not accepted by bank, used credit card no problem and not asked for 3D security.

about 7 years ago

Matt Isaacs

Matt Isaacs, Founding Partner & CEO at EssenceEnterprise

The comments here make me chuckle.  I used to be CMO of a credit card company and we had VBV and SecureCode in our pipeline to be implemented in 2004 - except neither Visa nor Mastercard were ready.  I left the wonderful world of Financial Services back in 2005 and hadn't heard a peep about VBV until earlier this year.

Strikes me that most folks would consider any project that got this amount of negative feedback a failure.  But if you also took > 5 years to implement it....now that is something.

@Ashley - keep throwing those letters in the bin!  Although you could mix it up with the odd paper plane...

about 7 years ago

Avatar-blank-50x50

Mahendra S Mehta

Whenever I try to book my Air Canada Ticket online I had waisted hours to get VV through. Firstly, I contact CIBC Visa for technical problem that my payment thro' has been suspended for no fault of mine. Moreover, AIr Canada online service terminates the purchase of Tickets if transactions take more than ten minutes.

Second Time while buying the ticket online same history. Finally, I made up my

mind not to do any purchase online. By the way I am 75 years Senior Citizen and I have not been communicated that your transactions will be over without any result for vverified procedure.

Better discontinue this complicated method replaced by USER FRIENLY Transaction.

Mahendra S. Mehta

Senior Citizen

306-586-5942

about 7 years ago

Avatar-blank-50x50

Dr. Dragomir D. Dimitrijevic

Hi All:

I immensely enjoyed the article and the comments. However, as someone with more than 20 years of experience with software development ranging from low level assembly language software to high level Internet and satellite
application, I believe that I am entitled to dissagree and say my humble
opinion. Although I am in no way associated with Visa, I must say that all
of the blame was unnecessarily placed on Visa's shoulders.

Complaints in the article and the comments may be divided in several
categories:

1. Lack of prior information/education so cardholder knows what is coming up
during checkout: May be Visa should have been more strict with defining
compulsory content of the merchant's site. May be it was duty of developers
to use common sense.

2. Erroneous implementation such as the case when someone got message that the card is not known, and after trying to register the card got the message that the card is already registered... don't tell me that Visa should be blamed for this mishap. This clearly goes to the vendor. BTW, why don't you publicly name and shame the vendor? Make your contribution to the free
market.

3. Someone complained that he had to type phone/email during registration,
something he already provided on the merchant's site. As an optional
extension, 3DS specification makes a provision to, in case of activation
during shopping,  transfer cardholder's data from merchant's site to Access
Control Server. So the blame is on the developer too. To compare it with the
cars, air conditioner is not compulsory part of the carr, but if you want a
more confortable car, do what it takes to have a more confortable car and
the market will judge your product.

On the high level, 3DS authentication is perfectly OK, simple, and logical:
provide the card info, based on the card number go to your issuer who knows
you, and provide some more info such as password. I developed similar system for a Serbian card way back in 1999 while Visa waisted time with now
abandoned SET protocol. So I believe that on the high level, user's
experience should be OK.

Arguably, specification on the low level (content and exchange of XML
messages) could have been done more simple and efficient. When you put in the same pot XML messages, XML signatures, zipping/unzipping and Base64 encoding/decoding of PAReq/PARes messages, you are creating a mine field for today's software developers who mostly lack basic education to tell the least. However, if you go carefully through the 3DS specification, line by line, implmentation is doable and that is what I am working on right now.

Now we come to my favorite topic - lack of basic education of today's
software developers. Throughout my career, I have seen laid off auto workers
who switched to web development and dentists who switched to IT. You can
find zillion online crash courses on software development. I have seen one
that issues software development certificates for $5 (yeah you read it
correctly - FIVE DOLLARS). Next time when you shop for a software product,
ask software developers if they read "The Art of Computer Programming" by
Donald Knuth - a very difficult book that was once considered a Bible for
software development. I doubt that you will find more than a handfull of
such software developers. Most of them start their software development
straight away with modifying "Hello World" sample program they get with
their development tool. The program starts shoing signs of life and that is
when programmers become armed and dangerous: they know nothing and think they can do everything. The issue may be further expanded to the demise of today's educations and European Bolognia Declaration that will destroy intelect of human race.

So the final question is, was it Visa's duti to mandate and foresee every
little detail of the entire VBV system (screen content, usability,...)? I
doubt. It is a free market. What do you think about let's say AAA
prescribing design of cars including glove compartment and seats. Folks,
shop around like you do with cars, kick the tires and take a test drive.

Cheers,

Dr. Dragomir D. Dimitrijevic'

about 7 years ago

Avatar-blank-50x50

Ben

So google checkout have stopped accepting maestro cards?

I wonder if this has anything to do with the mandatory 3D secure requirement?

about 7 years ago

Avatar-blank-50x50

Bill Goldie

After yet another failed VbV transaction...why the hell doesn't everybody accept OpenID? One username, one password, all authentication passed through one verifier.....or would that imply smaller genitalia? I often wonder whether male pride has a lot to do with the stupidities of society. By the way, I'm a man.

about 7 years ago

Pat Wood

Pat Wood, MD at TruffleShuffle.com

Very interesting article, and one that we've always pondered as a small independent etailer... so I decided to ask our facebook fans - a surprising and overwhelming thumbs up...

http://www.facebook.com/pages/TruffleShufflecom/6350029455?ref=ts

almost 7 years ago

No-profile-pic

Anonymous

I've just encountered another frustrating call to VbV in order to complete a transaction and was given some rather interesting information by the call centre guy who helped me out.

Today he has dealt with 20 complaints so far. This week his total is 95. This is an average week as far as complaints go. There are 120 call centre staff working at any one time who deal with an equal split of calls coming in. This is somewhere in the region of half a million complaints a year via the call centre, no wonder I can never get through!

This is a heck of lot of time, effort and money being spent dealing with problems generated by a system that, according to the friendly guy I spoke with at VbV: "might ask for the 8th character in a password even if the password only contains 7 characters". Hmmm.

almost 7 years ago

Ashley Friedlein

Ashley Friedlein, Founder, Econsultancy & President, Centaur Marketing at Econsultancy, Centaur MarketingStaff

@Anonymous

Interesting... 500,000 complaints. I wonder how many of those actually end up converting to a sale? And how many don't bother to complain in the first place and just shop elsewhere?

And what's the average lost order value...?

Seems pretty simple maths to come up with an eye-catching headline: "VbV losing retailers £300m a year" or similar. So how much is it *saving* retailers in reduced fraud etc? As much as that? Maybe. Maybe not.

almost 7 years ago

Avatar-blank-50x50

Stefan

VBV has major security flaws.

almost 7 years ago

Avatar-blank-50x50

Philip

We found a conversion reduction of between 7-11% following implementing VBV /SC.

What worries me is it seems too easy to get around VBV as we have had plenty of very obvious fraudulent transactions that have been fully authenticated. We worked out how they were doing it (they had the VBV password etc), all we did was copy and paste the card name into Google + 'Facebook' and Google returned the card holders 'Facebook' page. Since DOB is available on some peoples 'Facebook' account, the fraudsters just enroll the VBV using a free email account and hey presto they have all the required data to create a fully authenticated VBV transaction.

If all VBV manages to do is let business walk out the door then it’s been an expensive lesson. Our company was forced into it, since our bank wanted to charge another 1% processing for non- VBV transactions. They can’t even say if VBV transactions will protect 100% against chargeback – the only response we get is that ‘it should make your case stronger’…fantastic!

Having integrated VBV into a couple of ecom websites, it's also got to be said that the vbv Api set it the most god awful convoluted piece of coding I've seen, it's got the feel of a very badly thought through design, a real hack.

almost 7 years ago

Avatar-blank-50x50

aimee5

I have verified by visa!

over 6 years ago

Avatar-blank-50x50

aimee5

Oh great, how embarrassing, let me try that again.

I HATE VERIFIED BY VISA!!!

over 6 years ago

Avatar-blank-50x50

Boon

As a consumer I was one of the first to enrol in the Verified by Visa when it launched sometime ago. I remember the setup being quite simple, and simply put, I have not had any problems with VBV at all since then, and I am quite a frequent internet shopper, making 5+ purchases per month.

I can see the flaw though as the banks have basically not educated customers about VBV, and so customers might be confused when they first see it. I really do think that a simple mail-out to all visa customers with details about VBV would have been the bare minimum.

over 6 years ago

Avatar-blank-50x50

Trevor

On five occasions in the last 2 days I have attempted to make purchases online. On each occasion upon submitting my password, the screen has gone blank!!

Telephone calls to my bank and the companies concerned inform me that there is NO problem with Visa Secure or the company websites implying that the problems I am experiencing MUST be of my own making!

No more I say.....stuff them all!!

over 6 years ago

Avatar-blank-50x50

jamble

Interesting discussion article and discussion! I'm in a position where a client is being effectively forced by the bank to integrate VBV and they have done so a couple of times in the past finding that it causes pretty much 100% loss in sales! 

However, the time has come again to try and get this done under bank pressure and I was wondering if anyone might have any interesting resources/links on "best practice" for integrating VBV when you don't have much choice in the matter? 

Cheers!

over 6 years ago

Avatar-blank-50x50

Deri Jones, CEO at SciVisum.co.uk

We're just helping a client who is also being pushed the same way.

We're providing extended User Journey 24/7 monitoring  to include the extra VBV pages that the user is sent off too:  we use real cards+ authentication: and the client kills our order before any money changes hands.

(as we run the Journey every 5 minutes that would be about 10,000 orders/month if they didn;t kill them !!)

The client had concerns about user's reporting  speed variation /failures in the page provided by the CC company, so the new Journeys now measure and plot this, and they can see if it is corelated to CheckOut drop-out or not.

The client has also added a lot of AJAX javascript cleverness to their site over the last 3 months: and seen some conversion rate fluctuation too: so are a little nervous as to the root causes of that.

Their existing 24/7 monitoring of user journeys was just hitting fixed URLs: so after going AJAX was wrongly still showing 100% Green; despite their early AJAX bugs they knew about!

Reason being: because those fixed URls did indeed work, but no real clients were being directed there any more... as the functions were now being done in new AJAX calls, not the old page URls.

Anyway, we also provided a suite of new dyamic User Journeys, that handle the AJAX, and  the highly dynamic of the page content as it is generated - so they get 24 visibility and Alerting now, of any blips/  sporadic errors.

over 6 years ago

Avatar-blank-50x50

0100001101000011

Funny thing is, I've never had a problem with 3D Secure (using it) and I still despise it - I've had to implement it as I'm an in-house WebDev and it looks to me like it's not really a security solution any more than plastering over the cracks in the walls is a structural solution to subsidence. Yes, we had _that_ letter from Barclays Merchant Services and the company decided to implement the system. My job was to implement it whilst trying not to loose too many customers - lucky me. I've made information about what the process is and why it's implemented readily available on the website (even with a download/print friendly PDF format), embedded the actual 3DS Login form in an iframe with all the relevant fall-backs (iframe support disabled, JavaScript disabled) and wrapped just about everything I could think of in Exception handlers and reporting systems so I can keep track of what goes wrong and where. Considering our "typical" customer doesn't exactly match the standard tech-savvy profile (being female and in the 40-60 age range) you'd expect quite a high abandonment rate perhaps - but, from what I've read, ours isn't too bad weighing in at approximately 3.1%. Mind, maybe tech-savvy punters can see the system for the snake-oil it really is.

over 6 years ago

Avatar-blank-50x50

James Lin

Please take a look at this proposal: http://www.paymentseal.com It provides more protection for card holders without requiring registration and passwords. At the same time making the merchant PCI-Compliant.

over 6 years ago

Avatar-blank-50x50

Eve

EVery time I get the verify by visa page I am terrified. I enter the password. It fails. I try again, it fails. The third time it fails and i have to phone the bank.. AGAIN!     The Bank confirm my password is correct. They reset it, it works once, then next time, the whole rigmarole again!!!!

 I never had the chance to opt in.What can i do?

about 6 years ago

Avatar-blank-50x50

a. raab

I wish they would conduct a sourvey regarding this.

I also, many times, abandoned a purchase because the clumsy, unreliable and confusing of SecureCode. 

And all the times it returned to the purchasing site saying "please try to enter your card again"...

about 6 years ago

Avatar-blank-50x50

R.Mz

VbV & 3D Secure are 2 things which our Merchant Services Provider are trying to force us into using at the moment. Our Platform Developers are really reluctant to intergrate it saying we 'will' loose 30-50% of our revenue becasue of it. Its so hard to gauge the effect thsi is going to have. I understand the issues with frightening consumers with over complicating the sales process but our MSP will half our payout time by 50% which will massively improve cashflow and the increased security will help us on the fraud risk too.

The Credit Card companies are in a win win situation as they dont have to absorb the financial responsibility for authorising a card which has been compromised and push that onto the e-retailer even though we have no way of verifying the information supplied. What frustrates the most is that they have all the information available to help out e-retailers but decide not to because they are not affected by the financial implications. Everyone thinks that a fraud chargeback is insured against and if credit card companies were forced to implement the basics of Public Liability Insurance claims their attitude would change overnight.

As a retailer I dont know where to start. I doubt the bounce rates will be as high as 50% as the awareness of the VbV & 3D Secure systems is higher than even a year ago. Without it our MSP has us by the short and curlys and have even threatened to pull our account de to non-compliance. Our Platform Developers dont want to get involved because of the implication of revenue loss to us their customer. I do want to get involved because the benefits from a security and business operations perspective have the potential to benefit us massively. Talk about a mine field!

about 6 years ago

Avatar-blank-50x50

Nathan

Verified by Visa is more frustrating than most people here realize. I just tried to make an online payment that was stopped by VbV, even though all the numbers were input correctly. The screen informed me that the payment was not processed and that my card is now locked. It tells me to call my bank. I do. It turns out a glitch has developed at VbV with accepting the security codes from all cards issued by my bank. They hope to fix it within a week. The bank tells me that they have not locked my card, and that I should call Visa. Visa tells me that I must call VbV, and they give me the number. VbV tells me, essentially, that they don't do customer service and are not in business to help me. They deal with my bank. Deeply unsatisfactory and angering. I will do everything I can to avoid ever having to use VbV again as long as there is an alternative. I can usually find one. For International payments for very specific things, it's hard to find an alternative though. And BTW, I am now down $75 for a late registration penalty for a conference. Think there's a chance VbV will help me with that?

over 5 years ago

Avatar-blank-50x50

Glendinning

Thank God I'm not alone!
My 'gripe'is that having entered the moronic input fields No 3 No5 No8 it gets rejected. Okay - I take the existing pattern and make 'subtle' changes ... and now get "You have used this one before - chose another different one"
Does anyone spot the absolute lunacy of this?
THEY (Vorlons?) KNOW I had this before - I changed it not because I was drunk but because 'they' didn't accept it!!! BUT they friggin well know it was a valid one!
Holy suffering hellfire ....

Task ahead ... use other 'non-SBV' options ... even a bloody 'phone call.
Note to Vendors ... Opt OUT of this crapshow! Or suffer falling sales!
(Time for my medication ... sorry everyone)

over 4 years ago

Avatar-blank-50x50

James Hodgskiss

3D Secure is a pain, but nothing compared to Captcha. Maybe that's the next step - combining the two!...

over 4 years ago

Avatar-blank-50x50

Majors

Stunning story there. What happened after? Thanks!

almost 4 years ago

Avatar-blank-50x50

Yu Mi

Hi,
It's now late 2012. Any more recent data about whether VBV still impacts conversion rates so severely and/or other data about customer usage?

Thanks!

almost 4 years ago

Comment
No-profile-pic
Save or Cancel
Daily_pulse_signup_wide

Enjoying this article?

Get more just like this, delivered to your inbox.

Keep up to date with the latest analysis, inspiration and learning from the Econsultancy blog with our free Daily Pulse newsletter. Each weekday, you ll receive a hand-picked digest of the latest and greatest articles, as well as snippets of new market data, best practice guides and trends research.