With the growth in e-commerce transaction volumes and the increased adoption of mobile phones, the way consumers shop has changed. With this in mind, Visa recently released an overview of best practices for mobile issuers.
Compared to traditional e-commerce from a laptop or PC, browser-based mobile commerce (m-commerce) is still in its infancy, but it is positioned for significant growth.
According to Visa, some of the factors that are influencing m-commerce are:
- The increased number of mobile optimised websites
- The proliferation of smart phones and other mobile devices
- The convenient/always-on nature of smart phones
As these factors cause m-commerce transactions to grow, they will increasingly become a target for fraud, and authentication processes therefore need to adapt to the new market.
To this end, Visa have published some guidelines for Issuers and Access Control Server (ACS) service providers which highlight the need to differentiate the processing of browser-based mobile transactions which are verified by Visa.
They feel it is essential to distinguish m-commerce from e-commerce to reduce fraud while still minimizing consumer friction and shopping cart abandonment. Balancing security and consumer convenience is even more challenging within the m-commerce environment, as consumers expect security without interruption of online purchases.
An overview of the general guidelines that Visa has set out for browser-based mobile commerce is as follows:
- Activation during shopping (ADS) is not recommended on mobile devices
- ACS service providers should, at a minimum, provide templates for generic PC, generic mobile and reject, and support configurable templates
- The generic mobile template is limited to W3C XHTML Basic 1.1 or later
- The generic mobile template is limited to a maximum width of 200 pixels and maximum height of 250 pixels
- ACS service providers must support the capability of interrogating the HTTP user agent to determine device type
- ACS service providers must use an SSL server certificate that does not cause warnings or rejections on mobile devices
- The redirection mechanism remains unchanged from the core protocol
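
One way an ACS could apply the user-agent and template guidelines above, as an added example that is not Visa's or any ACS vendor's code. The template identifiers, the mobile token list, and the use of the reject template for a malformed header are assumptions; only the 200 x 250 pixel limits come from the list.

```python
import re

# Hypothetical identifiers; the guidelines name only the template kinds.
GENERIC_PC, GENERIC_MOBILE, REJECT = "generic_pc", "generic_mobile", "reject"

# Pixel limits stated for the generic mobile template.
MOBILE_MAX_W, MOBILE_MAX_H = 200, 250

# Assumed, non-exhaustive tokens that indicate a handheld browser.
MOBILE_RE = re.compile(
    r"iphone|ipod|windows phone|blackberry|opera mini|android.+mobile", re.I
)
# Printable ASCII, 1 to 512 characters; anything else counts as malformed
# (assumed policy, the guidelines do not define one).
PRINTABLE_RE = re.compile(r"[\x20-\x7e]{1,512}")


def select_template(headers):
    """Pick the authentication page template from the request headers.

    User-Agent is client-supplied, so the result chooses presentation only
    and must not feed the authentication decision itself.
    """
    ua = next((v for k, v in headers.items() if k.lower() == "user-agent"), None)
    if ua is None:
        return GENERIC_PC  # no header: fall back to the PC page
    if not PRINTABLE_RE.fullmatch(ua):
        return REJECT  # assumed use of the reject template
    return GENERIC_MOBILE if MOBILE_RE.search(ua) else GENERIC_PC


def mobile_template_fits(width_px, height_px):
    """True when a rendered mobile template stays within the stated limits."""
    return 0 < width_px <= MOBILE_MAX_W and 0 < height_px <= MOBILE_MAX_H


if __name__ == "__main__":
    # Constructed sample header, not captured traffic.
    sample = {"User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X)"}
    print(select_template(sample), mobile_template_fits(200, 250))
```

Header names are matched case-insensitively, and a header containing CR/LF or other control bytes is never passed on to template rendering or logging.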