Welcome to WebmasterWorld Guest from

Forum Moderators: buckworks

Message Too Old, No Replies

WorldPay to use VbV and MCSC

..but do pop-up blockers affect payments?



12:07 pm on Nov 25, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

I am concerned here - hopefully people have used VbV and MCSC before and can answer this question.

WorldPay are about to implement VbV and MCSC (30 Nov) where a pop-up prompts the card holder for a password (if they are enrolled). How do this work if the user has a pop-up blocker installed?

There are a lot of pop-up blockers out there - Google toolbar, Yahoo toolbar, Netscape/Opera/Firefox all have the option. Norton internet security packages. Independant programs...

If we are going to lose the payment and the order, it seems like a bad idea to me.


12:25 pm on Nov 25, 2004 (gmt 0)

10+ Year Member

This has already been activated on my account, there's the following message on the payment page:

If you are enrolled for Verified By Visa, please ensure that Javascript is enabled. Pop-up killers should also be disabled before you proceed.

This would make sense to me, but would it for the every day Joe Public?


12:44 pm on Nov 25, 2004 (gmt 0)

10+ Year Member

Hi PCInk

This is one of the concerns I raised with Visa and MC in my previous life working for the "other" global scheme and is principally the reason why the "other" scheme sat tight before launching their own version.

IMHO Visa rushed to market with VbyV - I was at the Cybersource sponsored CNP workshop where their new boy announced the service and proclaimed "chargebacks are a thing of the past for CNP merchants". A slightly OTT claim given the subsequent back peddling over CB codes that are infact covered by VbyV and the easy way a V issuer can simply find another reason to CB.

In principle if the box is suppressed and the Cardholder doesn't see it the transaction should freeze. If it doesn't and is allowed to continue then guess what - you're liable.

Couple this to the service's exposure to phishing and the appalling take up rates and again, IMHO, the service will either wither on the vine or have to go through some radical changes before widespread issuer acceptance.

Also, be careful when assuming all V or MC transactions are covered. Read the small print and you'll realise only certain card markets are afforded even the limited CB protection by these services so you'll still need to parse country of origin to ensure you are covered.

When I left the "other" scheme back in June there was huge discussion in the "industry" about these two services - not least amongst UK issuers and acquirers who were stressing out about the cost of a) the fallback to the Issuer and b) the cost and complexity of implementation for merchants (a simple API these ain't) c) the perception of merchants as to it's value.

Speaking as one who has lived a while on "the dark side" as merchants regard it, there is a genuine desire to find the "Holy Grail" in CNP payments that will perform the basic function of "accept payments this way and you are guaranteed payment". I myself got my scheme to the point of "almost" being able to offer that - a chance in a billion of getting it wrong meant we didn't go to market.

I'd ask some very probing questions of anyone offering you this or any similair service. Just exactly which liabilities am I being released from? What happens if the pop up is supressed? What other reasons can be used to execute CB?

Bear in mind that UK Banks at least have publicly voiced the opinion that people who are phished should be liable for any and all losses (negligence in the banks eyes) it may not be too long before VbyV and other similair schemes usefulness in cardholders eyes diminishes with successful phishing attacks.

Watch this space for EMV in a CNP environment. Shouldn't be too long before that's on offer - just got to get Cardholders in the right frame of mind and prove the technology :)

Same goes for Chip & PIN in the UK. The Card Issuers will be laughing - merchants won't. The France experiment seems to only be reported one way - resounding success! For the French issuers, undoubtedly. For foreign issuers and French merchants - not really. Inbound fraud shot up - so much so that the France infrastructure had to be upgraded intoto to perform 100% live auth on all inbound spend - a nightmare given the then weak state of the telecoms infrastructure.

Fraudsters aren't dumb. The majority of worldwide loss goes to highly intelligent and driven groups organised much on the same lines are corporations.

They have figured the Chip & PIN rollout as an "expense" and are already finding ways round it. The migration to CNP environments is one example - also watch for an initial sharp increase on fall back to magstripe as retailers try to get their heads round the new reality of acceptance - all it takes is some clear nail varnish to render a chip useless and the humble magstripe is in use again.


5:40 pm on Nov 25, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

Hi, is this going to be compulsory for all accounts? If so, where can I find the information on Worldpay's site?


7:49 pm on Nov 25, 2004 (gmt 0)

10+ Year Member

yeah, I think it is going to be compulsory. They sent me an e-mail notifying me that they were going to update my account. It was updated late on Tuesday I think.

All the e-mails confirming the payment now have a message giving the "Authentication Results". Yesterday 2 people entered there password, abotu 15 didnt have one, and strangely 2 People choose not to, so it will still go through with the transaction if thy dont enter the password and they have one.

Unless I'm reading it wrong of course.


2:30 pm on Nov 29, 2004 (gmt 0)

10+ Year Member

This is useful



10:39 pm on Nov 30, 2004 (gmt 0)

10+ Year Member

Worldpay is horrible
My experience with them is once they get your money, they are finished with you. Besides they are so expensive!


3:14 pm on Dec 1, 2004 (gmt 0)

WebmasterWorld Senior Member lorax is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

FraudAdvisor, I saw your posts earlier and neglected to give you a welcome so.. Welcome to WebmasterWorld!

The thought occurs to me that if the user is smart enough to install a pop-up blocker wouldn't they be smart enough to realize it might be the reason they can't complete the purchase? I know I'm giving the buyer alot of credit here but surely some will realize it.

So the gist of WorldPay's gamble is that they feel the merits of the verified by visa system outweight the risks of incomplete sales because of popup blockers?


3:25 pm on Dec 1, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

It looks like we have been enrolled too. As things go, it will turn out alright. It seems that Worldpay will still let the transaction go through if the enrolled cardholder chooses not to enter his PIN.

Authentication Results:
Cardholder Did Not Complete Authentication


4:24 pm on Dec 1, 2004 (gmt 0)

10+ Year Member

Hi Lorax

Yes, you'd think so but there's no accounting for consumer behaviour (just because you can use email doesn't mean you're not dumb enough to fall for an appallingly bad spelt phishing attempt or 419 scam ;) )

Also with SP2 from the gurus *sic* at Micro$oft your common or garden user will probably lamely go with the dire warning of hell be unleashed if you allow pop ups.

It's not a major problem but just makes the service stand out as a knee jerk rush to market.

Per the Sitepoint link elsewhere in this topic - nice bit of PR from a company with a vested interest in VbyV - totally misses the point on regional coverage, limited liability shift and the ability of issuers to find other ways to bang back merchants - whether or not VbyV was in place.

As I think I said before the hiatus in the UK market over VbyV is compounding a miserable take up and causing confusion in the consumer space. I for one shop till I drop online - not once have I been prompted for VbyV.....

IMHO - as stated before, I don't give any of these services a terribly long shelf life - they're too exposed, too complicated to adopt for anyone other than massive players, and the truth of their ability or otherwise to deflect losses from merchants will become painfully plain in the coming months and years.

Issuers are spitting at the imposition of this diktat on their bottom lines ...


7:25 pm on Dec 1, 2004 (gmt 0)

10+ Year Member

Fraud Advisor,

You are correct. That article only outlines the North American coverage for merchants.

I guess UK coverage is very different.


8:07 pm on Dec 1, 2004 (gmt 0)

10+ Year Member

We've tried out VbV/MCSC and it's actually quite good stuff.

The only problem is , obviously :D, that a lot of cards get declined. On Visa around 15% drop of sales, on MasterCard more.

Its quite easy to solve - just request a second merchant account with Your bank which is non secured and use it for declined transactions (that's possible).

Another good thing to do is - acquire Your own MPI module and certifiy it with the acquirer.

However naturally You wont be able to do any of this on third party billers. Get Your own merchant account.

My 2 cents.


9:03 pm on Dec 1, 2004 (gmt 0)

10+ Year Member

are you a US merchant


9:56 pm on Dec 1, 2004 (gmt 0)

WebmasterWorld Senior Member lorax is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

Welcome to the WebmasterWorld forums ChronoMan.


8:36 am on Dec 2, 2004 (gmt 0)

10+ Year Member

Thanks for welcoming.

We're a Payment Service Provider.
So for us it's a bit easier.

And no , we're not from USA. We operate in EU mainly.


Featured Threads

Hot Threads This Week

Hot Threads This Month