Changes to Verified by Visa (VbV) liability shift

What is changing?

Visa have updated their transaction processing rules (effective April 14th 2018) for merchants based in the Asia, Canada, South America and United States Regions. From this date, the Cardholder Account Verification Value (CAVV) must be submitted in every 3D Secure transaction.

These changes mean you'll become liable for fraudulent transactions if you don’t supply the Cardholder Account Verification Value (CAVV) when sending Verified by Visa (3D Secure) transactions to Worldpay.

Does this change effect my business and what do I need to do?

If you use the Worldpay MPI, we automatically supply the CAVV when 3D Secure authentication is requested. No action is required.

If you're using a third party MPI (Merchant Plug In) provider, you'll need to check that they supply the CAVV and ECI response to you, and that you're passing this information to Worldpay as part of all 3D Secure transactions.

IMPORTANT: If you cannot provide a CAVV, you will no longer benefit from liability shift on these transactions.

What is CAVV?

The Cardholder Account Verification Value (CAVV) process helps to ensure that the cardholder is genuine. 3D Secure transactions with a CAVV value will have a fully authenticated ECI value of 05 or 06. For transactions subsequently found to be fraudulent, you will not be automatically liable. If the CAVV is not sent with an ECI value of 05 or 06, the transaction will be downgraded and you'll become liable for transactions charged back due to fraud.

What if my MPI provider cannot provide a CAVV code?

If your MPI provider cannot supply a CAVV code; in the authorisation request sent to Worldpay you must ensure your MPI provider sets the authorisation message correctly. For example, if the Verified by Visa process cannot complete correctly, the VER (Verify Enrolment Response) or PAR (Payer Authentication Request) must have a status of U, meaning authentication is unavailable.

Similarly, if the process ends abnormally but the customer decides to go ahead with the transaction, the MPI provider should provide an ECI value of 07 for Visa.

Note: In both the above cases, the transaction will have an ECI value of 07, which means they may be liable if the transaction is fraudulent.

For further information and assistance, please contact your Corporate Support Manager (CSM).