Merchant Whitelisting (MWL) Best Practices pt.1: User Experience

SCA exemptions include a neat feature, merchant whitelisting. Enabling the cardholders to pick and choose merchants whom they trust provides them with control over their online payments user experience. To get more insight into cardholder UX along with best practices regarding managing the merchant whitelist, keep reading.

This article is part of our Merchant Whitelisting Best Practices series. To round out the story, take a look at our post on MWL industry best practices, Risk Considerations edition.

What is Merchant Whitelisting?

PSD2 & RTS enable cardholders to exempt certain merchants from SCA by adding them to their merchant whitelist. 3D Secure 2.2 brought us merchant whitelisting, also known as trusted beneficiaries, as part of the SCA exemptions. MWL allows cardholders to whitelist trusted beneficiaries in order to avoid an additional authentication step during online payment processing.

This approach leads to a truly frictionless user experience, regardless of the transaction amount or merchant fraud rate. MWL is applicable for one-click payments, including both card-on-file and recurring payments with variable amounts. It is important to mention that not all merchants are eligible for whitelisting. The selection of MWL eligible candidates is under the issuing bank's control. Depending on the merchant industry type, level of risk, and cardholder transaction history, the issuer compiles a list of merchants eligible for merchant whitelisting.

Merchant whitelisting is applicable only under the following conditions:

  • When a merchant is added to or modified on a cardholder's whitelist, SCA is mandatory.
  • Clear terms & conditions explain what the cardholder is agreeing to, which entity is on the whitelist, and in which countries and for which products the exemption is applicable.
  • Once a merchant is on the whitelist, each following transaction is under issuer monitoring.
  • Issuing bank is the one in control of MWL candidates, i.e. merchants can't whitelist themselves.
  • Cardholders are able to remove a merchant from the whitelist.

MWL User Experience: Best Practices

The following paragraphs bring a summary of best practices suggested by VISA and MasterCard regarding the UX when it comes to merchant whitelisting.

Adding a merchant to a whitelist

There are two flows for adding a merchant to a whitelist.

  • During/after payment authentication

This approach involves the issuing bank's ACS and has less impact on issuers. Merchants would be whitelisted one at a time.

Suggested best practices include the following:

  1. Upon deeming a merchant eligible for whitelisting, the payer is offered one of two options to add the merchant to the whitelist:
       • Checkbox visible on the payment authentication screen. The downside of this approach is the possibility that the cardholder will overlook the checkbox, while the benefit lies in fewer clicks and using a single page.
       • Using a separate page after the payment authentication process. This approach decreases abandonment but requires an additional click from the cardholder.
  2. Use user-friendly language and make sure that the cardholder understands what stands behind merchant whitelisting.
  3. Recommendations suggest that merchant whitelisting is available only in cases where SCA is necessary.
  4. Since both payment and whitelisting are happening simultaneously, a single SCA is sufficient according to PSD2 RTS.
  • Using the issuing bank's online banking service

This would require issuers to make changes within their online banking service; the cardholder would be able to whitelist merchants in bulk, making the user experience much more friendly.

Suggested best practices include the following:

  1. Recommendations suggest that issuing banks add an MWL management functionality to their online banking service.
  2. A good practice would include offering cardholders their most frequent merchants (e.g. top 10), under the assumption that the mentioned merchants are eligible candidates according to the issuer's risk assessment. Recognizing a cardholder's card-on-file and recurring payment agreements serves as a quality filter for determining their favorite merchants.
  3. Each individual addition of a merchant, or any change within the whitelist, requires SCA.

Editing and preview of a merchant whitelist

Cardholders need to be able to view, add and remove merchants from the whitelist using their online banking service. Each attempt to modify or view the MWL should require SCA, because it involves access to sensitive payment data.

Promoting merchant whitelisting

The relevant stakeholders, issuers and ACSs, are the primary promoters of the new functionality. They should therefore communicate the benefits of merchant whitelisting to cardholders.

Use the following "selling points" when educating cardholders:

  • Cardholders have full control over the merchants that are part of their whitelist. They are free to add or remove a merchant.
  • Recommended by the card payment industry and regulators.
  • MWL enables fast checkout for merchant-initiated transactions (e.g. recurring payments of variable amounts), eliminating SCA.
  • SCA is applied in certain scenarios (shipping address mismatch, unfamiliar device, etc.)

Multiple cards enrollment

It is recommended that whitelisting is applied for one card at a time: the card being used for processing the payment. If whitelisting is enabled for multiple cards, each card should require a separate SCA.
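The rules described in this article (SCA for every add, change or view of the whitelist, issuer-controlled eligibility, per-card enrollment, and SCA still applied on risk signals) can be enforced together in one issuer-side policy object. The following is an added example, not code from ASEE or the card schemes; the class, method names and merchant/card ids are hypothetical, `sca_ok` stands for the result of a completed SCA, and re-checking eligibility at payment time is an assumption.

```python
from dataclasses import dataclass, field

class ScaRequired(Exception):
    """Raised when a whitelist operation is attempted without a completed SCA."""

@dataclass
class IssuerWhitelist:
    eligible: set                                  # merchants the issuer deems eligible
    entries: dict = field(default_factory=dict)    # card id -> set of merchant ids

    def _require_sca(self, sca_ok):
        if not sca_ok:
            raise ScaRequired("SCA must succeed before the whitelist is accessed")

    def add(self, card, merchant, sca_ok):
        """Add one merchant for one card; every add needs its own SCA."""
        self._require_sca(sca_ok)
        if merchant not in self.eligible:
            return False  # issuer controls candidates; merchants cannot self-enroll
        self.entries.setdefault(card, set()).add(merchant)
        return True

    def remove(self, card, merchant, sca_ok):
        """Cardholders can always remove a merchant, again behind SCA."""
        self._require_sca(sca_ok)
        self.entries.get(card, set()).discard(merchant)

    def view(self, card, sca_ok):
        """Viewing the list exposes payment data, so it is SCA-gated too."""
        self._require_sca(sca_ok)
        return sorted(self.entries.get(card, set()))

    def decide(self, card, merchant, address_mismatch=False, unfamiliar_device=False):
        """Return 'EXEMPT' or 'CHALLENGE' for a payment on this card."""
        if merchant not in self.entries.get(card, set()):
            return "CHALLENGE"      # whitelist is per card, not per cardholder
        if merchant not in self.eligible:
            return "CHALLENGE"      # assumption: issuer withdrew eligibility later
        if address_mismatch or unfamiliar_device:
            return "CHALLENGE"      # risk signals override the exemption
        return "EXEMPT"

if __name__ == "__main__":
    wl = IssuerWhitelist(eligible={"m-books"})     # constructed sample data
    wl.add("card-A", "m-books", sca_ok=True)
    print(wl.decide("card-A", "m-books"))                          # whitelisted card
    print(wl.decide("card-B", "m-books"))                          # other card
    print(wl.decide("card-A", "m-books", unfamiliar_device=True))  # risk signal
```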

If you want to find out more, contact our ASEE 3D Secure Team or download the datasheet.
