Guaranteed Payments for E-Commerce Transactions
A New, Universal Solution from MasterCard
MasterCard Proprietary
Mark Patrick, Vice President - Interactive Services, MasterCard International

Guaranteed Payments
• Increased Consumer Confidence and Spending
• Security in Cross-Border Transactions

E-Commerce Market Challenges
Consumers
• Fear of fraud remains barrier to converting online browsers to online shoppers
• Consumer Internet purchases generally restricted to domestic marketplaces

E-Commerce Market Challenges
Issuers
• Mounting costs from processing online chargeback disputes
• Higher decline rates for online transactions
  – Lessened revenue
• Consumer confidence in online channel affected by stream of fraud reports in media

E-Commerce Market Challenges
Merchants and Acquirers
• No guarantee of payment for merchant
  – Online chargebacks growing
  – Bears all risk for non-signature based transactions
  – Online fraud losses mounting
• Lack of consistent mechanism to authenticate the buyer to the seller
  – Privacy laws restrict use of authentication tools
  – High accountholder decline rate – limits activity, especially for cross-border transactions

Findings
• As a result, merchant chargeback expenses for online transactions are increasing
• “Reason code 37” chargebacks now represent as much as 84%* of all e-commerce chargebacks
*Source: INET Reports, 4th Quarter 2000
[Chart labels: Chargeback, Purchase]

Introducing...
UCAF, SPA

Consumer Rationale
• “Secure” is reassuring and strong.
• “Code” is secret, private and stronger than “password”

SecureCode Objective
Fully Guaranteed Transactions
• Proposal is to eliminate RC 37 “Fraudulent Transaction - No Cardholder Authorization” chargebacks for any electronic/mobile commerce transaction that is processed and authorized in accordance with all of the elements of the guaranteed transaction model by both the issuer and the merchant/acquirer

Why Fully Guaranteed Transactions
• Extend the MasterCard guarantee of payment from the physical POS to new points of interaction
• Increase consumer confidence in new channels
• Improve acceptance and preference for MasterCard at remote points of interaction
• Reduce chargebacks and fraud
• Increase overall electronic/mobile commerce transactions, approval rates, and GDV

MasterCard SecureCode Components

Universal Cardholder Authentication Field (UCAF™)
Objective:
• Collect and transport an indisputable electronic receipt that binds the accountholder to a unique transaction and provides the basis for a guaranteed transaction

UCAF Solution Overview
• Establishes one interoperable and standardized data transport infrastructure for all secure online and wireless payments, including both credit and debit
• Offers a universal method of collecting accountholder authentication data at the merchant virtual point-of-sale
• Provides the infrastructure for transporting accountholder authentication data from merchants, acquirers, networks to an issuer

UCAF Solution Overview
• UCAF consists of two components, a series of discreet, hidden fields:
  – UCAF Data Infrastructure
  – UCAF Authentication Data Field
• Interacts with a wide variety of issuer security schemes, including MasterCard’s Secure Payment Application (SPA)

UCAF Data Infrastructure
• Merchant Name
• Card Acceptor City
• Card Acceptor State / Country Code
• Currency Code
• Sale Amount
• Merchant Transaction Stamp
• UCAF Authentication Data Field (carries security token)
• UCAF Enabled
• UCAF Brand
The UCAF Authentication Data Field is first among equals in the UCAF data infrastructure

Acquirer UCAF Components
[Diagram: Merchant, Acquirer, Issuer; UCAF data (unaltered) on each hop]
• Merchant point of sale (POS) interface passes the UCAF authentication data
• Acquirer systems collect and pass UCAF data
• Acquirer systems must support DE48, the expanded sub-element 42 and the new sub-element 43

The UCAF Environment
[Diagram: Accountholder, Merchant, Acquirer and Issuer within the UCAF Environment]
• Accountholder shops with an Issuer defined security solution that uses the UCAF structure
• Present, Collect, Pass: Merchant Name, Card Acceptor City, Card Acceptor State/Country Code, Currency Code, Sale Amount, MTS (optional), UCAF Authentication Data Field, Account Number, Expiration Date, CVC2, UCAF Enabled, UCAF Brand
• Issuer-Defined Security Token carried via UCAF Authentication Data Field
• Issuer validates and authorizes defined security token

Merchant Responsibilities
• Update website to include UCAF hidden data fields
• Evaluate server capabilities
• Contact your transaction processor to arrange UCAF support

MasterCard SPA
Using the UCAF Infrastructure

What is SPA?
• Secure Payment Application
• MasterCard’s preferred issuer-based security scheme for remote transactions
• Utilizes the UCAF data transport infrastructure to provide an effective online consumer authentication tool

What is SPA?
• SPA defines the protocols, messages, message formats, and data requirements for an overall issuer-centric remote security solution
• Based on MasterCard IPR, SPA is licensed separately to vendors as well as end users (members) to work in conjunction with existing infrastructures, like wallets or pseudo account schemes
• Vendor solutions will go through a SPA and UCAF certification process

How Does SPA Work?
• An issuer’s SPA enabled server generates a unique security token—similar to a signed electronic receipt—called an Accountholder Authentication Value or AAV
• It populates the UCAF infrastructure at the merchant pay page and is transported back to the issuer for verification during authorization
• SPA enabled transactions can be recognized through the use of unique control bytes assigned and managed by MasterCard

SPA Environment
1) Accountholder fills out Merchant Pay Page
2) SPA solution detects hidden fields on merchant payment page
3) SPA solution launches
4) Accountholder is verified by Issuer SPA server
5) SPA solution populates hidden UCAF data field with AAV
6) AAV passed unaltered via UCAF data field to Acquirer
7) Acquirer passes AAV via UCAF data field unaltered to payment network
8) AAV validated by SPA server
SPA Server:
- Generate and store AAV data
- Validate AAV during authorization
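
The SPA flow above, as an added illustration that is not MasterCard's code or the SPA specification: the slides do not give the AAV format, so this sketch assumes an HMAC-SHA256 tag with a random nonce, bound to the account number, merchant name, currency code and sale amount. `SpaServer` and its methods are hypothetical names, and the sample transaction is constructed.

```python
import hashlib
import hmac
import secrets

# Assumption: the AAV format is not on the page; HMAC-SHA256 plus a random
# nonce stands in for the issuer-defined security token.
BOUND_FIELDS = ("account_number", "merchant_name", "currency_code", "sale_amount")

class SpaServer:
    """Hypothetical issuer-side server: generates, stores and validates AAVs."""

    def __init__(self, key: bytes):
        self._key = key
        self._issued = {}  # aav -> already used? ("generate and store AAV data")

    def _tag(self, txn: dict, nonce: str) -> str:
        # Length-prefix every value so field boundaries are part of the MAC input.
        parts = [nonce] + [str(txn[f]) for f in BOUND_FIELDS]
        msg = b"".join(len(p.encode()).to_bytes(2, "big") + p.encode() for p in parts)
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def generate_aav(self, txn: dict) -> str:
        nonce = secrets.token_hex(8)  # makes the token unique per transaction
        aav = f"{nonce}.{self._tag(txn, nonce)}"
        self._issued[aav] = False
        return aav

    def validate_aav(self, txn: dict, aav: str) -> str:
        """Return 'approved', 'unknown', 'mismatch' or 'replayed'."""
        if aav not in self._issued:
            return "unknown"
        nonce, _, tag = aav.partition(".")
        if not hmac.compare_digest(tag, self._tag(txn, nonce)):
            return "mismatch"  # a bound field changed between pay page and issuer
        if self._issued[aav]:
            return "replayed"  # token was already used for an authorization
        self._issued[aav] = True
        return "approved"

def demo() -> list:
    issuer = SpaServer(key=secrets.token_bytes(32))
    # Constructed sample transaction (test card number, made-up merchant).
    txn = {"account_number": "5555555555554444", "merchant_name": "Example Books",
           "currency_code": "840", "sale_amount": "49.95"}
    aav = issuer.generate_aav(txn)       # steps 4-5: verify holder, fill UCAF field
    auth_request = dict(txn, ucaf=aav)   # steps 6-7: relayed unaltered
    altered = dict(auth_request, sale_amount="499.50")
    return [
        issuer.validate_aav(altered, altered["ucaf"]),            # amount changed
        issuer.validate_aav(auth_request, auth_request["ucaf"]),  # step 8
        issuer.validate_aav(auth_request, auth_request["ucaf"]),  # same AAV again
        issuer.validate_aav(auth_request, "0" * 16 + "." + "0" * 64),
    ]
```

The altered request fails before the token is marked used, so the genuine authorization that follows still succeeds once and only once.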

The SecureCode Environment
[Diagram: Accountholder with SPA solution, Merchant, Acquirer and Issuer with SPA server within the UCAF Environment]

MasterCard Solutions for Issuers and Acquirers

Solutions For Issuers - Options
• Build an in-house solution for SPA and 3D Secure
• Outsource to a third party
  – “Verified by Visa”
  – MasterCard’s Managed Service for SPA & 3D
  – Others: e.g. Cyota

Solutions For Issuers - Options (cont.)
Build an in-house solution for SPA and 3D Secure
• Difficult to build the business case
• Uncertain environment
• Expensive to maintain
• More control

Solutions For Issuers - Options (cont.)
Outsource to a third party
  – “Verified by Visa”
  – MasterCard’s Managed Service for SPA & 3D
  – Others: e.g. Cyota
• MasterCard’s Managed Service provides a local solution for all your cardholders
• Very cost effective

Objectives of Managed Service
• Remove financial barriers to implementing SPA
  - improved business case
  - significantly reduces chargeback costs
• Provide flexible platform for bank branded services
• Support multiple authentication methods as required
  - SPA
  - 3D-Secure
• Complementary to MIGS service

Multiple Standards - One Issuer Solution
[Diagram: Active Access Authentication Engine with Maestro Module, 3-D Secure Module, SPA Module and Future Protocols. Cardholder Access Method: Cardholder Applet, Cardholder Browser, Cardholder Mobile Device, Cardholder Plug-in (Chip)]

[Diagram: Active Access Server in the Issuer’s Datacenter. Labels: SPA Module (AAV generation), 3D Secure Module (ACS), AAV Verification Module, HSM, Data Upload Module (Batch), Cardholder Enrollment, Cardholder Authentication Data, Issuer Administration and Registration, SPA Applet Download Server, Issuer Authorization Host, Issuer’s Existing Card Management System, Cardholder Data, MIP/VAP, BankNet/VisaNet, MasterCard APC, Acquirer Host/Switch/Gateway, Internet Payment Gateway, Merchant Web Storefront, MPI, UCAF, Browser, SPA Applet, Visa Directory Server. Phases: Enrollment/Download, Shopping]

Solutions for Acquirers
MIGS
• MIGS is a turnkey payment gateway that significantly reduces the complexity and costs of acquiring, enabling, supporting and processing for Card Not Present merchants.
• MIGS leverages the Bank’s existing transaction processing connectivity to MasterCard’s Banknet® Global Network.

Why MIGS for the Member Bank?
• Banks lack business case yet face losing Merchants
• MIGS takes investment risk away from Member Bank
• Outsourcing with benefits of in-house and more
• MIGS is quicker to market (2 months instead of 12)
• Much lower cost and off balance sheet!
MIGS is a high value added service… from MasterCard to its Member Banks

MIGS Architecture
[Diagram: Integrated MIGS Payment Solution. Labels: Merchant/Enterprise/Portal Server(s); Online Store (E-commerce, M-commerce, T-commerce); Call Center (Telesales, IVR); Electronic Bill Presentment; Business Systems (ERP, CRM); E-Procurement Portal; Internet & Private; Authenticated with Digital Certificate; Digital Order (DO); Digital Receipt (DR); Merchant Administration and Reporting; Subsequent Transactions (Capture / Refund, Reconciliation, Enquiries & Reports); BANKNET; Banks and Card Schemes]

MIGS - Switch to Issuer
[Diagram: numbered steps 1 to 5 between Cardholder, Merchant Web Site, RSC, MIGS Payment Server, Acquirer and Issuer]

MasterCard Guaranteed Payment Milestones
Implementation Timeline
1 April 2002
• Issuers and Acquirers Support System Requirements
1 November 2002
• Liability shift for full UCAF authorizations
  – Rules changes for Chargeback Reason Code 37 become effective for electronic and mobile commerce fully guaranteed transactions
  – No liability shift for issuers that do not populate the UCAF field
1 April 2003
• Proposed Asia Pacific liability shift
1 April 2003
• Determine position on global liability shift