WorldPay are about to implement VbV and MCSC (30 Nov) where a pop-up prompts the card holder for a password (if they are enrolled). How does this work if the user has a pop-up blocker installed?
There are a lot of pop-up blockers out there - Google toolbar, Yahoo toolbar, Netscape/Opera/Firefox all have the option. Norton internet security packages. Independent programs...
If we are going to lose the payment and the order, it seems like a bad idea to me.
This would make sense to me, but would it for the everyday Joe Public?
This is one of the concerns I raised with Visa and MC in my previous life working for the "other" global scheme and is principally the reason why the "other" scheme sat tight before launching their own version.
IMHO Visa rushed to market with VbyV - I was at the Cybersource sponsored CNP workshop where their new boy announced the service and proclaimed "chargebacks are a thing of the past for CNP merchants". A slightly OTT claim given the subsequent backpedalling over CB codes that are in fact covered by VbyV and the easy way a V issuer can simply find another reason to CB.
In principle if the box is suppressed and the Cardholder doesn't see it the transaction should freeze. If it doesn't and is allowed to continue then guess what - you're liable.
Couple this to the service's exposure to phishing and the appalling take up rates and again, IMHO, the service will either wither on the vine or have to go through some radical changes before widespread issuer acceptance.
Also, be careful when assuming all V or MC transactions are covered. Read the small print and you'll realise only certain card markets are afforded even the limited CB protection by these services so you'll still need to parse country of origin to ensure you are covered.
When I left the "other" scheme back in June there was huge discussion in the "industry" about these two services - not least amongst UK issuers and acquirers who were stressing out about the cost of a) the fallback to the Issuer and b) the cost and complexity of implementation for merchants (a simple API these ain't) c) the perception of merchants as to its value.
Speaking as one who has lived a while on "the dark side" as merchants regard it, there is a genuine desire to find the "Holy Grail" in CNP payments that will perform the basic function of "accept payments this way and you are guaranteed payment". I myself got my scheme to the point of "almost" being able to offer that - a chance in a billion of getting it wrong meant we didn't go to market.
I'd ask some very probing questions of anyone offering you this or any similar service. Just exactly which liabilities am I being released from? What happens if the pop up is suppressed? What other reasons can be used to execute CB?
Bear in mind that UK Banks at least have publicly voiced the opinion that people who are phished should be liable for any and all losses (negligence in the banks' eyes); it may not be too long before VbyV and other similar schemes' usefulness in cardholders' eyes diminishes with successful phishing attacks.
Watch this space for EMV in a CNP environment. Shouldn't be too long before that's on offer - just got to get Cardholders in the right frame of mind and prove the technology :)
Same goes for Chip & PIN in the UK. The Card Issuers will be laughing - merchants won't. The France experiment seems to only be reported one way - resounding success! For the French issuers, undoubtedly. For foreign issuers and French merchants - not really. Inbound fraud shot up - so much so that the France infrastructure had to be upgraded in toto to perform 100% live auth on all inbound spend - a nightmare given the then weak state of the telecoms infrastructure.
Fraudsters aren't dumb. The majority of worldwide loss goes to highly intelligent and driven groups organised much on the same lines as corporations.
They have figured the Chip & PIN rollout as an "expense" and are already finding ways round it. The migration to CNP environments is one example - also watch for an initial sharp increase on fall back to magstripe as retailers try to get their heads round the new reality of acceptance - all it takes is some clear nail varnish to render a chip useless and the humble magstripe is in use again.
All the e-mails confirming the payment now have a message giving the "Authentication Results". Yesterday 2 people entered their password, about 15 didn't have one, and strangely 2 people chose not to, so it will still go through with the transaction if they don't enter the password and they have one.
Unless I'm reading it wrong of course.
The thought occurs to me that if the user is smart enough to install a pop-up blocker wouldn't they be smart enough to realize it might be the reason they can't complete the purchase? I know I'm giving the buyer a lot of credit here but surely some will realize it.
So the gist of WorldPay's gamble is that they feel the merits of the verified by visa system outweigh the risks of incomplete sales because of popup blockers?
Cardholder Did Not Complete Authentication
Yes, you'd think so but there's no accounting for consumer behaviour (just because you can use email doesn't mean you're not dumb enough to fall for an appallingly badly spelt phishing attempt or 419 scam ;) )
Also with SP2 from the gurus *sic* at Micro$oft your common or garden user will probably lamely go with the dire warning of hell being unleashed if you allow pop ups.
It's not a major problem but just makes the service stand out as a knee jerk rush to market.
Per the Sitepoint link elsewhere in this topic - nice bit of PR from a company with a vested interest in VbyV - totally misses the point on regional coverage, limited liability shift and the ability of issuers to find other ways to bang back merchants - whether or not VbyV was in place.
As I think I said before the hiatus in the UK market over VbyV is compounding a miserable take up and causing confusion in the consumer space. I for one shop till I drop online - not once have I been prompted for VbyV.....
IMHO - as stated before, I don't give any of these services a terribly long shelf life - they're too exposed, too complicated to adopt for anyone other than massive players, and the truth of their ability or otherwise to deflect losses from merchants will become painfully plain in the coming months and years.
Issuers are spitting at the imposition of this diktat on their bottom lines ...
The only problem is, obviously :D, that a lot of cards get declined. On Visa around 15% drop of sales, on MasterCard more.
It's quite easy to solve - just request a second merchant account with Your bank which is non secured and use it for declined transactions (that's possible).
Another good thing to do is - acquire Your own MPI module and certify it with the acquirer.
However naturally You won't be able to do any of this on third party billers. Get Your own merchant account.
My 2 cents.