October 21, 2013
I feel like I must have missed a step because I've never encountered this before, although it appears it's been around a few years.
This evening, I went to make an online purchase from a merchant I've shopped with many times before, and I wanted to use my Rogers MC. I've used the Rogers card with this merchant several times before without incident.
Tonight, however, after I'd entered my CC info, a page came up that said that Rogers MC "wants" me to use "MasterCard SecureCode". Logos for MC SecureCode and Rogers both appeared on the page. It was a page from BorderFree, who provides cross-border brokerage services to this merchant and has done so for quite some time. The link to Terms & Conditions for MC SecureCode was dead. I did not proceed as I didn't know what this was or why I should want to do it or why Rogers wanted me to or if it did. Accordingly, my transaction was blocked. I had to call and place the order by phone, which meant I lost my ebates rebate and the transaction changed from CDN to USD.
After I hung up from the merchant's CSR, I found this:
I remain mystified by this document and this "service". The service seems vague to me and is not explained to my satisfaction. It appears to have been in place since 2013, so why has Rogers never told me about it? why are they suddenly insisting on it? do other MC providers insist on it also?
It's not entirely clear what this offers or how it does it. There is a suggestion that there might at some point be a fee. What is clear, more or less, is that if I use it, I am obligated, under threat of losing my card, to constantly update Rogers on any changes in answers to questions which have not yet been revealed to me. It also appears I am supposed to tell them about other CCs I may hold, and I must agree to share all of this with unspecified third parties, or so it seems. I presume the latter would be the credit agencies (which I assume they already use to check on me now and then, so what else are they looking for?), but there are no restrictions; could be located in another country, subject to other laws unknown to me, etc.
I am not inclined to sign up for this, but am wondering what others think and whether it is a sign of things to come. Have you had this experience? If so, what did you make of it and what did you do?
February 1, 2016
Loonie thanks for posting this information. We have not encountered SecureCode requirement for any of our Rogers MC transactions.
It is a bit tricky to find further information on SecureCode but I did find these:
It would appear that the SecureCode is a MasterCard requirement - not originated by Rogers Bank.
Could it be this came up only because it was an International transaction? [edit[ see below
We have not used the cards for any International purchases. We have U.S. accounts for purchases in USA. Have not completely gone through the information in the links but passing this on for your further enlightenment on the matter. I look forward to further discussion on this topic.
Edit: 10:15 AM
Further reading on the subject indicates that SecureCode is probably a good thing. It is akin to a PIN number and is controlled by your Financial Institution. It offers another level of security for the merchant and the customer. I must admit the legalize in the document Loonie linked to seemed to be one-sided pro-Rogers protection with very vague protection for the cardholder. Not unusual for a legal script.
In order for SecureCode to be invoked it appears to require two things:
1. The vendor must sign up to participate in the program;
2. The cardholder must have filled out the SecureCode application for a personal code.
Both parties receive an added level of protection with the program.
I don't know what happens when the vendor signs up and then encounters a customer who has not registered for SecureCode.
SecureCode is available for all Mastercards.
The important thing to note is that the SecureCode is between you and your Financial Institution. Similar to a PIN, the vendor never sees that number.
I don't recall signing anything related to a SecureCode when we applied for Rogers Bank MasterCard. I will look into it since I think it does add more security for online purchases.
Loonie, sorry it did not register with me the first time that this was not the first time you have used the card with this vendor. Could it be that they signed up for the service since the last time you used it? Do you recall filling out information for SecureCode when you applied for Rogers Bank MasterCard?
Hope this helps...
April 6, 2013
MasterCard SecureCode and Verified by Visa are an extra layer of security for card-not-present purchases done over the Internet. They have been around for a while. I've encountered the MasterCard SecureCode some years ago. Not recently, though.
They will kick in when both the card issuer and the merchant have implemented support for them. This is from Microsoft Skype: What are Verified By Visa and MasterCard SecureCode?:
What are Verified By Visa and MasterCard SecureCode?
Some financial institutions use an extra security step known as “Verified by Visa” or “MasterCard SecureCode” to authenticate internet purchases. If your financial institution uses these services, you will be redirected to their site in order to complete the purchase.
If you have not previously set up your Verified By Visa or MasterCard SecureCode account, you'll need to provide information to your card issuer to confirm your identity and then create your password. When making future purchases, only your Verified by Visa or MasterCard SecureCode password will be required during checkout.
August 1, 2015
American Express also has a similar thing called SafeKey. I've had it come up during a Skip The Dishes order (they recently changed payment companies, now on Stripe which supports it). I believe in their case it sent me a one time use number to my email address on file with Amex that I then had to input in SafeKey.
May 27, 2016
Used to get blocked by the MasterCard SecureCode thing going back at least 10 years when trying to buy VIA train tickets online. IIRC the need to jump through the extra hoop seemed isolated to the VIA website. It was a pain in the butt for my wife to deal with so we just drove around it by using a VISA card instead.
My most recent experience was that I got temporarily blocked by Verified by VISA about a year ago trying to buy about $40 worth of auto parts (a replacement side mirror) from Rock Auto out of the USA using my HT Preferred VISA. In that case I just followed their second level of verification exercise and the purchase was eventually approved. Still a PITA though, especially for a $40 transaction
October 21, 2013
Made a phone call to Rogers. They agreed that it's a real "thing" but could not explain why it had kicked in at this time. They said they do not require it for this kind of transaction, even though that's what the screen alleged, i.e. "your card issuer wants you to...". They said it is normally used for what sounded like commercial purposes involving airlines and such, but not sure if the person we talked to knew what he was talking about. He said I did the right thing by not accepting it. ???
I am really uncomfortable being lied to, which I clearly was - either by the borderfree website which alleged that Rogers "wants" me to do this, or by the person at Rogers who said they don't.
I can't help wonder if this is being insisted upon somehow because it's a card that is often used for foreign transactions.
The merchant form whom I ordered is not an obscure one that nobody ever heard of.. And I've been doing business with them for a very long time. One doesn't encounter this hurdle when ordering by phone, which I finally did., using the same card.
I don't know the way forward, but I know I don't like the T&C.
I'm now waiting to see what will happen with the package as it no longer is coming through their broker, who manages Customs and also rreturns.
April 6, 2013
There's a good chance all this about MasterCard SecureCode will soon be moot.
The SecureCode signup pages I've found seem to be now non-functioning!
MasterCard may be in the process of replacing fixed-answer SecureCode verification with Mastercard Identity Check verification that uses dynamic one-time PIN's. Kind of like what EQ Bank uses when one calls in.
This is from ATB Financial: Mastercard® Identity Check™ :
Here’s how it works:
- When you shop with a participating online merchant, you’ll be prompted to enter a unique, one-time PIN code.
- You can then indicate whether [I think that should be "how"] you’d like to receive the PIN code
- Confirm your purchase and complete your checkout by entering the PIN code you received via email*, SMS text*, or an automated phone call.
- The purchase will be authorized with the merchant, and your purchase transaction will be approved.
Voila! No passwords to remember, and it’s still simple and secure.
October 21, 2013
April 6, 2013
MasterCard's transition from SecureCode to Identity Check is actually part of a credit card industry transition from 3D Secure 1.0 to 3D Secure 2.0.
The transition is described in Payments Journal: A Credit Union’s Guide to 3D Secure 2.0:
Verified by VISA (VBV), Mastercard SecureCode, American Express SafeKey, Discover ProtectBuy, Secure Online Transactions (SOT), EMV 3-D Secure, and Mastercard Identity Check are just a few of the monikers this security protocol has worn since its inception in 1999.
3D Secure 1.0 relied on features like static passwords, pop-up boxes, and user registration to verify and authenticate cardholders. However, this created barriers for legitimate customers, leading to frustration and cart abandonment. Credit unions and banks ramped up their fraud strategies, but this led to higher rates of false declines, which only added to customer frustration.
3D Secure 2.0 does away with these onerous user requirements. Say goodbye to pop-ups and hello to Risk Based Authentication. Static security keys are being swapped out for one-time passwords (OTPs). And no longer will legitimate customers bear the burden of registering their card with Visa or MasterCard to receive the benefits of the security protocol.
Another key difference with the new version is the amount of data behind each decision. 3D Secure 2.0 pulls information like IP address, shipping address, device information, and more info about customers themselves, allowing issuers to improve risk scores and make better authentication decisions.
October 21, 2013
January 3, 2013