It's come to our attention recently that some operators may have had some of their customers calling up and advising that they get the following message appearing when trying to process a payment\make an online booking on WebRes:
Although extremely rare the cause of this message is totally normal, not just for WebRes but for all online retailers. We do see this from time to time which is to be expected with the very high volume of transactions we process through WebRes. There's a lot of important information on this page and so although a little detailed at times its very important that you try to understand this as it can have a direct influence on your business and payments taken.
Behinds the scenes there have been some major improvements to how card payments are taken online no matter how small or large. The change is to ask for an extra password to be setup against a card which accumulates into an online retailers website asking for extra details before processing a payment for example asking for the 3rd, 6th and 7th character from the password already setup against the card. There are various terms that people use to describe this new online security from 'Visa Verified', 'MasterCard Secure Card', '3d Secure' Payer authentication' and Card Enrolment'. All of these terms essentially refer to the same online card password system although in the case of the first two examples these are the names given to the system of that particular card type issuer.
You might ask how this affects you and why this causes an issue as shown in the screenshot? Well as this system has been established for a number of years (WebRes was one of the first systems to fully integrate with this more secure method), some coach operator banks \ acquirers will charge you less per card transaction if it's an online payment (customer present) as it is deemed more secure than an over the phone payment (customer not present). This is not always the case and in the event of an attempted card payment that processes without using the above secure system they may leave the 'Liability Shift' with the operator. Although we don't use WorldPay, they have an excellent page that describes 'Liability Shift' in more detail.
To summarise, traditionally, merchants have been liable for e-commerce chargebacks due to fraud. Payer authentication brings the benefits of liability shift.
Liability shift means that the liability for the chargeback loss shifts from the merchant to the issuing bank, for e-commerce transactions that are deemed fraudulent (those transactions where the cardholder has denied involvement in the transaction). The issuing bank, in most cases, is no longer allowed to pass such chargebacks back to the merchant. Below are 3 potential payment card scheme outcomes that happen when processing a card payment online for one of your trips, holidays, merchandise etc.
- Cardholder Authenticated - you may no longer be liable for chargebacks if a cardholder claims they did not make the purchase. The issuing bank becomes responsible for the chargeback for Visa, MasterCard and Maestro.
- Cardholder/Issuing Bank not Enrolled for Authentication (Authentication Offered but not Used) - because full enrolment is not yet universal, Visa and MasterCard offer you global protection for personal cards where authentication has been attempted even if the issuing bank is not participating or the cardholder is not enrolled.
- Cardholder Authentication not available (Authentication Unavailable) - Visa does not offer protection against fraud-related chargebacks; however, MasterCard and Maestro do on personal cards.
So how does all of this relate back to the scenario as first described in the above screenshot? Well essentially because we decided a long time ago when we first implemented the new Payment Authentication within WebRes that we'd only accept safe payments that allow liability shift; non-safe payments as described in point 3 above and partially point 2 would not be accepted. We did this to protect our operators as we fully understood that online card fraud could be a major issue and by only choosing to allow the safest of payments for our operators could we guarantee for the most part that firstly the risk of any fraudulent payments was massively decreased and that secondly the liability shift never became an issue.
We understand that for some operators this does mean that certain card schemes used by their customers may not be accepted online but may be accepted directly in our desktop products (ph28,t28,t3). We feel though that as this is such a small amount of card schemes it's a safety precaution well worth taking.
Hopefully this goes some way to describing the scenario that we have been asked about more frequently recently. If you do have any questions regarding this then please feel free to ask the WebRes team.