Verified by Visa and Mastercard SecureCode are broken and need to be fixed

Update Thursday 17th May 2012.

It seems that Verified by Visa and 3D secure are not being enforced on every transaction. (see most recent comment at the bottom from Blufin). You are sent via the system but not asked for a password.

Verified by Visa and Mastercard SecureCode are broken. At cxpartners we've watched hundreds of users on e-commerce websites and seen some serious trust and usability issues that are hurting e-commerce. Our clients have seen conversion rates drop because of it. E-consultancy published an article over a year ago with specific examples of 3D secure harming sales.

In this article I will outline what the issues are and suggest some design changes to overcome them.

The history

Verified by Visa was introduced as 3D secure as a way of reducing fraudulent credit and debit card transactions online. The protocol was then adopted by Mastercard as SecureCode and by JCB as J/secure.

Merchants are encouraged to adopt the protocol as it reduces the number of fraudulent chargebacks, that is, money returned to the consumer from the merchant due to a fraudulent card transaction. The advantage to consumers is the reduced chance of a fraudulent transaction online and a warm feeling that internet shopping is safe.

So far so laudable.

Why Verified by Visa is broken

[Figure: Verified by Visa example]

Sadly, the implementation of 3D secure (that covers Verified, Secure Code and J/secure) introduced a number of serious usability and trust issues.

Let's look at the trust issues.

  1. The standard implementation of 3D secure is via a pop-up. As anybody will tell you, pop-ups are bad as they are the favoured trick of the fraudster and scammer.
  2. The URLs used to host 3D secure do not match the merchant, Visa or the card issuing bank (some implementations use the issuing bank's servers). The URLs chosen are so poor they actually look like phishing sites. Here are two examples: securesuite.net & securesuite.co.uk
  3. The design of the form does not match the design of either the merchant or the issuing bank. The design looks 'cheap'. It doesn't look trustworthy.
  4. No telephone number. When a user sees a telephone number it gives them a feeling of legitimacy. They may not phone; they just want to see the number in case they need it.
  5. The calls to action at the bottom of the page really don't work. 'Submit' is rather generic and does not give an indication of the next step. 'Cancel' gives no indication what will happen next and really should be removed.
  6. There is still very little recognition by users. Visa and Mastercard have done a poor job of marketing and raising awareness.

The sign-up process

[Figure: Verified by Visa sign-up form]

The sign-up process for 3D secure, done through the same pop-up/window from Securesuite.net, has a number of serious usability issues which further reduce the feeling of trust.

  1. When a field has been completed it automatically moves the cursor to the next field. This takes control away from the user and can cause confusion.
  2. The text is American: "Expiration date" should be "Expiry date".
  3. Personal information is asked for (social security number in the US; date of birth and sometimes mother's maiden name in the UK) but without any explanation as to why this is needed. We are constantly being told not to give this information out online, yet I'm being asked to by what could be a phishing attack.
  4. Activate now or Activate later? Which to choose. I don't know.
  5. When entering a password the requirements are crazy secure. 8 to 15 characters, 2 letters, 1 upper and 1 lower case and 2 numbers. Blimey! This leads to the major problem with 3D secure.

Once the customer has overcome all 11 of those issues they can purchase. 11 issues. 11 serious issues. That's why 3D secure is hurting e-commerce and why both Amazon and eBay haven't implemented it. It kills sales.

This brings us to serious issue number 11. Perhaps the most severe and problematic. Humans can't remember passwords that complex. We need clues to remember things. Tricks, methods. We are not robots.

The password requirements mean that most normal humans can't and don't remember their password the next time they come back, or, worse, write it on a post-it note and stick it to their screen.

Typically what happens is that the user is presented with the 3D secure screen the next time they are shopping. They try to remember their password and can't. They will try two options and most likely still won't remember.

They then have to go through the password retrieval process. They are then asked for date of birth, mother's maiden name or digits of the social security number.

That means that for many purchases users need to enter personal details they are told time and time again to be careful with online.

When they have entered these details they are then told to enter a new password. The new password cannot match the old password, which causes further problems as yet another password needs to be generated. So even if the user, having tried two options before retrieval, has by now figured out the old password, they can't reuse it.

The eleven reasons above show what serious trust and usability issues 3D secure has introduced. Below is some best practice advice to help mitigate these issues and hopefully rescue some sales.

How to fix 3D secure

I've included two wireframes to show how we go about fixing some of the issues 3D secure has introduced.

The solution starts on the page before the 3D secure window. We warn the user about what's going to happen next. We've seen in user testing that the user is rarely expecting this step. Most ecommerce sites just have a large buy button when actually the transaction is only complete after the 3D secure page.

[Figure: Example page before Verified by Visa]

Warn the user that 3D secure is the next step. Show the logos so that when they see the 3D secure page they are expecting it. Don't talk about 3D secure anywhere else, as this can be off-putting for users: like us professionals, they really don't like 3D secure either, and seeing it mentioned may cause them to drop out.

Next comes the 3D secure page.

Firstly, the URL. Well, that's an easy one: embed the page within an iframe. It does of course mean one can't check the security certificate, but hey, who ever does this?

Embedding within the iframe gives us the ability to add support content around the window.

The first thing is to match the logo within the 3D secure screen with one at the top of the surrounding box.

Next we need to add some support copy. Here we ask people to enter their details and explain where the form comes from. Neither Verified by Visa nor MasterCard SecureCode are known brands, so explain that the form is from the user's bank. Then we explain why the form does not quite match the rest of the website.

We also add, if possible, the basket contents to reassure the user they are buying what they want – it acts to keep the user on target and reminded of the goodies they are buying.

Finally, and most importantly, we add a telephone number. This is partly for reassurance and partly to rescue the sale if the user can't get through the 3D secure process. It's not ideal to switch the sale to the phone at this late stage, but it's better than losing the sale.

In conclusion

3D secure is a fact of life in ecommerce. Users, professionals and merchants all have their issues with it. If you follow the steps above you should help overcome some of these issues. Visa – if you are listening, get in touch and let's fix this for everybody.

I'm sure there are lots of e-commerce and product people reading this - leave your tips and experiences in the comments.

Update Wed 17th Nov 2010 11am.
Will Holley in the comments points to an article by Ross Anderson and Steven Murdoch at Cambridge University from earlier this year: How online card security fails.
There is a further discussion of this article over at Hacker News covering the technical and security issues.

Joe is an esteemed former member of the cxpartners team.