Guaranteed Payments

for E-Commerce Transactions

A New, Universal Solution from MasterCard

Mark Patrick
Vice President - Interactive Services
MasterCard International MasterCard Proprietary

Guaranteed Payments
Increased Consumer
Confidence and Spending
Security in
Cross-Border Transactions
MasterCard Proprietary

E-Commerce Market Challenges

Consumers
Fear of fraud remains barrier to

converting online browsers to

online shoppers
Consumer Internet purchases
generally restricted to domestic
marketplaces

E-Commerce Market Challenges

Issuers
Mounting costs from processing online

chargeback disputes
Higher decline rates for online
transactions
Lessened revenue

Consumer confidence in online channel

affected by stream of fraud reports in

media

E-Commerce Market Challenges

Merchants and Acquirers
No guarantee of payment for merchant
Online chargebacks growing
Bears all risk for non-signature based transactions
Online fraud losses mounting
Lack of consistent mechanism to

authenticate the buyer to the seller

Privacy laws restrict use of authentication tools
High accountholder decline rate limits activity,
especially for cross-border transactions

Findings
As a result, merchant chargeback expenses for online

transactions are increasing

Reason code 37 chargebacks now represent as much as
84%* of all e-commerce chargebacks
Chargeback

Purchase
*Source: INET Reports, 4th Quarter 2000

Introducing...

UCAF

SPA

Consumer Rationale
Secure is reassuring and strong.
Code is secret, private and stronger than password
8

Fully
Guaranteed Transactions
SecureCode
Objective
Proposal is to eliminate RC 37 Fraudulent Transaction -

No Cardholder Authorization chargebacks for any

electronic/mobile commerce transaction that is processed
and authorized in accordance with all of the elements of
the guaranteed transaction model by both the issuer and
the merchant/acquirer

Why Fully Guaranteed Transactions

Extend the MasterCard guarantee of payment from the
physical POS to new points of interaction
Increase consumer confidence in new channels
Improve acceptance and preference for MasterCard at remote
points of interaction
Reduce chargebacks and fraud
Increase overall electronic/mobile commerce transactions,
approval rates, and GDV

10

MasterCard
SecureCode Components

Universal Cardholder
TM
Authentication Field (UCAF )
Objective:

Collect and transport an indisputable electronic receipt

that binds the accountholder to a unique transaction and

provides the basis for a guaranteed transaction

12

UCAF Solution Overview

Establishes one interoperable and standardized data transport

infrastructure for all secure online and wireless payments,

including both credit and debit
Offers a universal method of collecting accountholder
authentication data at the merchant virtual point-of-sale
Provides the infrastructure for transporting accountholder
authentication data from merchants, acquirers, networks to an
issuer

13

UCAF Solution Overview

UCAF consists of two components, a series of discreet,

hidden fields:

UCAF Data Infrastructure

UCAF Authentication Data Field

Interacts with a wide variety of issuer security schemes

including, MasterCards Secure Payment Application

(SPA)

14

UCAF Data Infrastructure

Merchant Name
Card Acceptor City
Card Acceptor State / Country Code
Currency Code
Sale Amount
Merchant Transaction Stamp

UCAF Authentication Data Field

Carries security token

UCAF Enabled
UCAF Brand

The UCAF Authentication Data Field is first among equals

in the UCAF data infrastructure

15

Acquirer UCAF Components

Merchant point of sale (POS) interface passes the UCAF

authentication data
Acquirer systems collect and pass UCAF data

Acquirer systems must support DE48, the expanded sub-

element 42 and the new sub-element 43

Acquirer

Issuer
UCAF data
(unaltered)

Merchant
UCAF data
(unaltered)

16

The UCAF Environment

UCAF Environment
Accountholder

Merchant
Present,
Collect,
Pass

Accountholder shops with an

Issuer defined security solution
that uses the UCAF structure

Issuer

Issuer validates and authorizes

defined security token

Acquirer

Merchant Name
Card Acceptor City
Card Acceptor State/Country Code
Currency Code
Sale Amount
MTS (optional)
UCAF Authentication Data Field
Account Number
Expiration Date
CVC2
UCAF Enabled
UCAF Brand

Issuer-Defined
Security Token carried via
UCAF Authentication Data Field

Merchant Responsibilities
Update website to include UCAF hidden data fields
Evaluate server capabilities
Contact your transaction processor

to arrange UCAF support

18

19

MasterCard SPA
Using the UCAF Infrastructure

What is SPA?
Secure Payment Application
MasterCards preferred issuer-based security scheme for

remote transactions
Utilizes the UCAF data transport infrastructure to

provide an effective online consumer authentication tool

21

What is SPA?
SPA defines the protocols, messages, message formats, and data

requirements for an overall issuer-centric remote security solution

Based on MasterCard IPR, SPA is licensed separately to vendors
as well as end users (members) to work in conjunction with
existing infrastructures, like wallets or pseudo account schemes
Vendor solutions will go through a SPA and UCAF certification
process

22

How Does SPA Work?

An issuers SPA enabled server generates a unique security

tokensimilar to a signed electronic receiptcalled an

Accountholder Authentication Value or AAV
It populates the UCAF infrastructure at the merchant pay page
and is transported back to the issuer for verification during
authorization
SPA enabled transactions can be recognized through the use of
unique control bytes assigned and managed by MasterCard

23

The SecureCode Environment

SPA Environment
Accountholder with SPA solution

UCAF Environment
Merchant

1) Accountholder fills out

Merchant Pay Page
2) SPA solution detects
hidden fields on merchant
payment page
3) SPA solution launches

4) Accountholder is verified by
Issuer SPA server

Issuer with SPA server

Acquirer
-Generate and store AAV data
-Validate AAV during
authorization

SPA Server

8) AAV validated by SPA server

5) SPA solution populates

hidden UCAF data field
with AAV
6) AAV passed unaltered via
UCAF data field to
Acquirer

7) Acquirer passes AAV via UCAF data field unaltered to payment

network

*********

MasterCard
Solutions for Issuer and Acquirers

Solutions For Issuers - Options

Build an in-house solution for SPA and 3D Secure

Outsource to a third party

Verified by Visa
MasterCards Managed Service for SPA & 3D
Others: e.g. Cyota

27

Solutions For Issuers - Options (cont.)

Build an in-house solution for SPA and 3D Secure
Difficult to build the business case
Uncertain environment
Expensive to maintain
More control
28

Solutions For Issuers - Options (cont.)

Outsource to a third party
Verified by Visa
MasterCards Managed Service for SPA & 3D
Others like: e.g. Cyota
MasterCards Managed Service provides a
local solution for all your cardholders
Very cost effective

29

Objectives of Managed Service

Remove financial barriers to implementing SPA
- improved business case
- significantly reduces chargeback costs
Provide flexible platform for bank branded services
Support multiple authentication methods as required
- SPA
- 3D-Secure
Complimentary to MIGS service

30

Multiple Standards - One Issuer

Solution
Authentication Engine

Cardholder Applet

3-D Secure Module

Future Protocols

ActiveAccess

SPA Module
Maestro Module

Cardholder Access Method

Cardholder Browser
Cardholder Mobile
Device
Cardholder Plug-in
(Chip)

31

AAV
Verification
Module

Issuers
Datacenter

HSM

Issuer
Authorization
Host
Issuers
Existing Card
Management
System

MIP/
VAP
MIP/
VAP

BankNet/VisaNet

Acquirer
Host/ Switch/
Gateway

Cardholder
Data
Internet Payment
Gateway

Batch

Data Upload
Module

MasterCard
APC

Cardholder
Authentication
Data

Issuer
Administration
and Registration
SPA Applet

Download

Download Server

Cardholder
Cardholder
Enrollment
Enrollment

Visa Directory
Server

ACTIVE ACCESS SERVER

3D Secure Module
(ACS)
SPA Module
(AAV generation)

HSM

Enrollment

Browser

Enrollment/ Download

Merchant Web
Storefront
UCAF
MPI

Browser
SPA Applet
Shopping

Solutions for Acquirers

MIGS
MIGS is a turn key payment gateway, that significantly

reduces the complexity and costs of acquiring, enabling,

supporting and processing for Card Not Present
merchants.
MIGS leverages the Banks existing transaction

processing connectivity to MasterCards Banknet Global

Network.
33

Why MIGS for the Member Bank ?

Banks lack business case yet face losing Merchants
MIGS takes investment risk away from Member Bank
Outsourcing with benefits of in-house and more
MIGS is quicker to market (2 months instead of 12)
Much lower cost and off balance sheet!

MIGS is a high value added service

from MasterCard to its Member Banks
34

MIGS Architecture
Merchant/Enterprise/
Portal Server(s)

- E-commerce
- M-commerce
- T-commerce

Call Center
- Telesales
- IVR

Electronic Bill
Presentment
Business Systems
- ERP
- CRM

E-Procurement
Portal

Integrated MIGS Payment Solution

Online Store

Digital Order (DO)

MIGS
Authenticated
with Digital
Certificate

Internet
&
Private
Digital Receipt (DR)

Subsequent Transactions
- Capture / Refund
- Reconciliation
- Enquiries & Reports

BANKNET

Merchant
Administration
and Reporting

Banks
and
Card
Schemes

MIGS - Switch to Issuer

MERCHANT
WEB Site

MIGS
Paymen
t Server

RSC

Acquirer

2
1

4
3

Issuer
Cardholder

36

MasterCard
Guaranteed Payment Milestones

Implementation Timeline
1 April 2002

Issuers and Acquirers Support System Requirements

1 November 2002

Liability shift for full UCAF authorizations

Rules changes for Chargeback Reason Code 37 become effective for electronic and mobile commerce
fully guaranteed transactions
No liability shift for issuers that do not populate the UCAF field

1 April 2003

Proposed Asia Pacific liability shift

1 April 2003

Determine position on global liability shift

MasterCard Proprietary