Practical Ecommerce

Are Verified by Visa and MasterCard SecureCode Conversion Killers?

No merchant wants to add steps in the checkout process that reduce conversion. However, merchants often don’t have a choice about 3D Secure, the payment industry program behind “Verified by Visa,” “MasterCard SecureCode,” and “Amex SafeKey.”

These programs attempt to reduce card-not-present fraud by introducing an identity check after a “confirm purchase” button and before the confirmation page. When a merchant accepts a payment where the cardholder is not present at the merchant’s physical location — i.e., by phone or over the Internet — then traditionally the merchant accepts liability for any disputed charges due to fraud or cardholders denying that they made the purchase.

The introduction of the 3D Secure — here’s the Wikipedia definition — shifted the liability for chargebacks to the credit card company, which is a significant benefit for the merchant. Merchants therefore often include these additional security steps to avoid being charged higher rates for processing credit cards and to reduce chargebacks.

Verified by Visa pop-up on

Verified by Visa pop-up on

When these programs were first introduced, many merchants saw significant negative impact on conversion rates in the payment process. Shoppers were spooked by an extra step, where a pop-up required they set up an additional password, and then remember it. This caused shoppers to abandon at the last step in the checkout process, and encouraged some merchants to offer PayPal as an alternative.

However, as consumers have become more accustomed to these pop-up boxes asking them for additional passwords, abandonment rates have declined to under 10 percent for most merchants.

Using Logos as Security Seals

But I’ve recently noticed a new trend: merchants are starting to use the Verified by Visa and MasterCard SecureCode logos as “security seals.” You can see an example of this on the cart summary page below.

Zoom Enlarge This Image cart summary page, with Verified by Visa and MasterCard SecureCode logos in lower left. cart summary page, with Verified by Visa and MasterCard SecureCode logos in lower left.

I’ve long believed that this is a bad thing for conversion rates — whether it helps prevent fraud is another matter — but until now it was just a intuitive feeling based on anecdotal evidence and a personal dislike of the 3D Secure program. I’ve frequently abandoned when I’ve encountered one of these pop ups.

My company, SeeWhy, set out to learn if this logo use was a deterrent to others as well. In a survey of 502 U.S. online shoppers to determine consumer attitudes to these programs, SeeWhy asked them whether they would consider abandoning when presented with one of these logos.

The findings revealed that 12 percent consider abandoning when they see either the Verified by Visa or the American Express SafeKey logos, while 10 percent will consider abandoning when the see the MasterCard Secure card logo.

It may not sound like much if 10-to-12 percent abandon upon seeing one of these logos. But remember that these logos are being shown on the cart summary page or at the start of the checkout. Therefore, the potential impact is much greater because there is significantly more traffic at this stage compared with the end of the checkout process, when the pop-up is presented. If PayPal is being offered as an alternative this may cause more customers to use PayPal, incurring potentially higher levels of fees for the merchant.

This study only looked at whether these logos would cause shoppers to consider abandoning. It is not definite evidence that customers will actually abandon. Moreover, the study doesn’t attempt to review the overall financial impact of an increased abandon rate versus a lowered fraud cost. Presumably Visa, MasterCard, and American Express have similar interests as merchants, in that they receive processing revenue only when a transaction is complete.

But, nonetheless, the study could be sufficient to give pause to using these logos as security seals.

3 Strategies to Minimize Abandonment

So what is the key takeaway for retailers from this study? If you are selling products that are unique to your site, then this abandonment may be less important to you since it is hard for your customer to buy elsewhere. However, the impact is notable for sites selling products that can easily be purchased from competing ecommerce sites

Here are three strategies you can take to minimize abandonment.

  • Don’t use 3D Secure logos. These logos point out that there is an additional security step in the shopping process. If visitors are concerned that they may not be able to remember their password, or (like me) just don’t like the annoying pop up program, then they will abandon. Today 10-to-12 percent will abandon, but as more visitors become familiar with these logos and the programs they represent, we can expect abandonment rates to increase. Use the credit card logos instead to indicate the payment choices available.

  • Bypass 3D Secure for loyal and frequent customers. If your site can detect high-value or frequent customers when they log in, then use this rule to skip the additional security pop up. A few airlines have started doing this for their most frequent fliers. It makes no sense to make it harder for your most frequent customers to buy from you. These customers are very unlikely to try and chargeback transactions.

  • Offer payment choices, and the ability to switch. If you have an abandonment problem caused by 3D Secure programs, then you should consider offering alternatives, such as PayPal and Google Wallet. Both of these payment methods avoid the 3D Secure requirement and are particularly effective for mobile transactions where additional steps in the checkout process cause abandonment on a massive scale. By contrast, mobile wallets convert at significantly higher rates on mobile devices compared with credit cards.

An A/B test comparing payment card logos with 3D Secure logos would be the most scientific approach. If you have run this kind of test, please share the results here so that we can all learn.

Charles Nicholls

Charles Nicholls

Bio   •   RSS Feed


Sign up for our email newsletter

  1. darrylxxx June 14, 2013 Reply

    Good article Charles, something I have been wondering about. All said and done, the current payment systems are prehistoric in web terms.

    As a retailer I am encouraged by some of the new entrants that are trying to reinvent how this is done e.g., the proposed web standard for " the worlds [sic] first open, Universal Payment Standard".

    The standards body Web Payments Community Group say, "the goal is to create a safe, decentralized system and a set of open, patent and royalty-free specifications that allow people on the Web to send each other money as easily as they exchange instant messages and e-mail today."

    Cheaper, faster, secure and reliable payments processing is possible if we can just stop the big incumbent processors messing it up!

  2. Massimo Chieruzzi June 17, 2013 Reply

    Really nice article !

    Here In Italy the Verified by Visa 3D Secure code has been active for a long time and I can assure it’s a big conversion rate killer. Cartasi, our Visa/Mastercard issuer in Italy has terrible interface, getting the code is damn hard and we usually see a 5-10% drop in conversion rate when using this security system.

  3. Elizabeth Ball June 24, 2013 Reply

    After a two-year absence, I am re-introducing the ability to pay via Visa, Mastercard, Amex and was unhappy to hear about the 3D secure requirement by the bank, as I agree with Charles that it is an impediment to purchase. However, there is a 4th strategy: tell your customers upfront that you have 3D Secure and they will be asked for their password. Hopefully they can hunt for it before they shop.

  4. OppfinnarJocke July 21, 2013 Reply

    I am a customer that frequently make purchases with my CC on the web. The MasterCard SecureCode is a BIG nuisance… not only does it require me to remember a password that I maybe use once a month or even less, but when I forget the password I also have to remember an account number! What are they thinking…? I have tens of passwords to remember already, just to get out on the web and read email etc. Do I want more passwords? Of course not…

    And the result is that I use THE SAME password for MC SecureCode as for any other occasional web site (like this one). So how secure did that end up…?

    Security must not hamper usability! When it does, security is what gets side stepped, nothing else.

  5. Steve Wilson July 25, 2013 Reply

    3D Secure is really an over-engineered response to an essentially simple problem: computers have a hard time telling original data from copies, and stolen cardholder data from the real McCoy. But this problem has been solved using cryptography.

    Magnetic stripe card skimming and carding is essentially the same trick as CNP fraud. Regular POS terminals cannot tell copied stripe cards from the originals. Now, we solved the carding problem with Chip-and-PIN. A chip card digitally signs the PAN and the transaction before sending it to the terminal; master keys allow the terminal to check the signature and verify that the cardholder data must have actually come from an original card.

    CNP fraud — the illicit replay of stolen PANs — is simply the online equivalent of skimming and carding. We could use exactly the same technology in chip cards to digitally sign PANs and transactions before sending them from a browser or mobile device to an e-commerce server.

    Using chip technology and digital signing would dramatically streamline 3D Secure, and remove the need for the issuing bank redirection which disturbs so many shoppers.

  6. pattyw August 7, 2013 Reply

    Food for thought… I just read the following article.

    Consumers are Ready to Use Advanced Authentication Solutions for Safer Online Retail Purchases

    According to the new "Online and Mobile Retail Authentication: Preventing Fraud in the Age of Data Breaches and Malware" report by Javelin Research & Strategy, most consumers are not familiar with authentication technologies for use during online retail payments, but that is about to change. While two-thirds of consumers have declared they are well acquainted with static security questions, many merchants are apprehensive about introducing additional steps into the checkout process that may introduce friction and contribute to cart abandonment. But, several emerging solutions offer less intrusive ways, such as advancements to the 3D Secure platform. According to Al Pascual, Senior Analyst Security, Risk and Fraud at Javelin Strategy & Research, improved authentication is critical as fraudsters currently have access to large amounts of compromised personal information and payment data. Merchants need to surmount unfounded fears of consumer backlash as consumer familiarity will breed comfort and confidence in using newer, more secure authentication measures.

  7. Sheila October 15, 2013 Reply

    The problem I have with Master Card Secure Code and Verified with Visa as a merchant is that both programs are not compatible with 90% of the e-commerce shopping carts in existence .

    It is not compatible with our current e-commerce web store shopping cart. We were told we would need a programmer to write special code approximately 35 hrs of work at
    a cost of $8000-10,000 by the reseller of these programs Cardinal Commerce

    On top of those fees is the $1000
    licensing fee and additional monthly fees depending on the amount of transactions

    Master Card and Visa do not require their merchants to provide this yet they require it to win a charge back
    where the customer claims they did not participate or authorize despite obtaining their signature from a verified AVS matching billing address

    How are we supposed to use these programs at such a high expense
    as a small business owner if the software is not compatible with
    our shopping cart and 90% of e-commerce shopping carts?

    Just another way for the large issuing banks and Master Card and Visa to stick it to the small business

  8. Alberto October 17, 2013 Reply

    The best I have seen is Maestro Secure. When I try to make a payment, they send me a text message to my mobile with a code. I don´t know why Visa and Mastercard don´t follow this process. You don´t have to remeber a password, and you don´t have to enroll in something most of customer don´t know. If I were Visa and Mastercard, I´d make this authentication process by default (nowadays all the banks have our mobile numbers, so the can activate to all their customers). But Visa and Mastercard don´t bother about the fraud. The don´t lose money, merchant do. They only don´t make money with those transaction. Merchants lose 100m$, they lose, what, 0.1m€? That´s ridicolous for them. It´s a pitty Visa and Mastercard have not real rivals

  9. jrodman February 23, 2015 Reply

    Speaking for myself, if I encounter Verified by Visa, I seek another vendor. If I can’t find another I might use it. The thing is buggy and often interferes with my ability to complete the transaction.

  10. syahairudin July 28, 2015 Reply

    How to get 3D secure application for payment gateway?
    Is it true to have 3D secure to be certified first? what kind certification to be need?

  11. Michelle March 13, 2016 Reply

    Merchants can submit their billing descriptors with This way if a customer is unable to recognise a transaction, they can easily google out the details.

  12. Dan Cohn March 16, 2016 Reply

    I read your article with great interest. This was written two years ago. Do you think anything has changed in this period? Would you still expect a 10-12% abandonment? Is it more acceptable now?

    Thanks for your reply.

  13. Reid December 17, 2016 Reply

    These things fail *constantly*. I just tried 3 times over the span of an hour to purchase airline tickets on United, and the frame simply wouldn’t load; it timed out. I had to try again 5 hours later, and it finally went through (after a 20 second wait). It doesn’t even require a code, it just does some transaction with the Verified by Visa backend. I’ve never setup a code on any card I had.

    Any sane merchant would avoid it like the plague. This is the first time I’ve seen it since NewEgg circa 2008 — where, again, every time I tried to make a purchase, the SecureCode thing crashed and made it impossible to ever buy anything.

    These schemes are a great way to lose money and drive your customers insane.