Visa pushes for two-factor authenticated transactions

Visa pushes for two-factor authenticated transactions

Summary: Australia is increasingly being targeted by online fraud rings, and online merchants need to shore up payment transactions with an added layer of security, according to Visa.


Payment technology company Visa is attempting to drive Australian uptake of its 3-D Secure offering, which adds more security to online payment transactions to reduce credit card fraud.

Last month, a joint strike force took down a counterfeit credit card manufacturing operation in Sydney, New South Wales, potentially stopping AU$5 million in fraudulent transactions. But what has Visa worried is the increase in online fraud, which is categorised as "card not present" frauds. This makes up 71 per cent of credit card fraud that is committed in Australia.

A recent report (PDF) by the Australian Payments Clearing Association showed that credit card fraud is up 50 per cent annually, with online shopping a big driver of the upward trend.

"[Online fraud] is growing at a really rapid rate, and Australia, uniquely in Asia-Pacific, did suffer over the last 12 to 18 months of being targeted by quite a number of international fraud rings," Visa Asia-Pacific director of e-commerce, Justin Roche, said at CA Technologies' CA Expo in Sydney today.

Curbing fraud relies on implementing prevention, protection and response measures, according to Visa, and adding layers of security into online credit card transactions is a good way to approach fraud management, Roche said.

Visa is heavily pushing its 3-D Secure technology, an XML-based protocol invented by the company for online credit card transactions. Online merchants can implement 3-D Secure, which is hosted by the bank of their choice, at their websites' backend for "high risk" transactions. Customers who are registered with the Verify By Visa or MasterCard SecureCode program will receive a one-time password that is sent to their mobile phones to punch in during the payment process.

Online ticket vendor Moshtix implemented 3-D Secure late last year and has seen instances of payment fraud decrease.

According to Roche, there is a AU$500 to AU$1000 initial set-up cost for the 3-D Secure merchant plug-in, and a small transactional fee charged at the payment gateway is managed by the banks for every authenticated transaction.

The cost to implement 3-D Secure is relatively low, but despite having existed for some time, less than 10 per cent of online merchants registered with Visa in Australia have adopted the technology, according to Visa. Adoption rate for 3-D secure in China and India is around 25 to 50 percent.

"What we need to recognise is Australia is becoming a target for a lot of those fraud rings, because we have high levels of online merchant capability, high credit levels on our cards, but at the moment, we still have low levels of penetration for merchants picking up 3-D Secure," Roche said. "It's really important for us that cardholders signing up to 3-D Secure, as well as merchant,s will enable the whole [payment] industry to be more protected as we move forward."

Visa is looking to make it mandatory for certain categories of online merchants to take up 3-D Secure to drive adoption rates. The company is also working with banks to have more customers on the Verify By Visa program.

"Some of the merchants were getting a little annoyed about Visa or the banks asking people to enrol to the program at the point of purchase ... [and] that shouldn't happen," Roche said. "We are now advocating all the banks to automatically enrol their customers and, in some circumstances, high-risk customers to be enrolling in 3-D Secure if they have opted out previously."

Topics: Banking, Security, Australia

Spandas Lui

About Spandas Lui

Spandas forayed into tech journalism in 2009 as a fresh university graduate spurring her passion for all things tech. Based in Australia, Spandas covers enterprise and business IT.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Annoyance

    I really fine the "Verify by Visa" interaction very cumbersome and annoying. I rarely get asked for my password, so when it does come up I can't remember it. There's no simple way to obtain your password again, you need to actually call your bank to get it reset.

    Regular old two-factor authentication would be much better. Give people a smartphone app, or send them an SMS. But for the love of god make it across the board, don't only force it on "right risk" sites or sites that opt in. Make sure very site requires it so people will actually get used to it.
  • Don't risk it

    I depend a lot on shopping online and have always been concerned about the risk of exposing my credit card information. A must have is asking users to telesign in to complete a transaction by using 2FA. I am not sure why not all companies use this, in fact I feel suspicious when an online store doesn't ask me to telesign in, now it just feels as if they are not offering enough protection.
  • Pin Based

    Why can't we just go to requiring a pin for EVERY credit card transaction, no matter if the card is present or not?

    Other countries already do this, so this should be a no brainer and should prevent a lot of fraud. Not all of it of course, but a lot of it.
  • Credit Card Security

    I wonder if credit card companies and mechants keep your credit card information on public cloud sites where the cloud provider's employees, worldwide, can view the data.
  • American Express

    A few years ago, American Express announced a new credit card called "Blue". I applied for and received one of these cards. One of the main features advertised, besides that you could pay off the bill over time, was single-use credit card numbers. The cards had a "smart chip" and you got a smart chip reader and, for online purchases, it would present you with a single use credit card number to use. I did see a few issues with it, such as linkages between the account number, name on the "card" and expiration date, but I thought the idea was great. I think it didn't work because many vendors wanted to keep the card data in case they needed to add a secondary charge, say for shipping extras and the second charge would not go through.

    One issue I have with this 3D idea is that I don't always take my cell phone with me. If I had the phone every time I went shopping, why would I need the card? In the U.S., you could go shopping for coffee just using the phone, or buy tickets and just present the phone. People are looking for something more convenient than waiting for a text message and then having to transcribe some number. A lot of credit cards are using RFID technology now to make transactions quicker at the brick-and-mortar shops. I prefer to just swipe my card. There are dangers in everything. What I'd like to see are fingerprint readers and the ability to add a pin. That is what I call 2FA!