Understanding Chase’s awful terrible no good Verified by Visa integration.

This is a long and somewhat technical rant.

tl;dr: If you are planning to spend lengthy periods outside the United States, or are someone who frequently buys things on overseas websites, using the Chase Sapphire as your primary card is a major challenge due to the way Chase chooses to manage Verified by Visa authentication for Chase cards. The card also has a few other flaws (no embossed numbers, all family cards with the same number and CVV code), which further weaken the card’s reliability. You cannot count on it to always work abroad or to work when you need it most (e.g. time-sensitive situations where something is about to sell out). By using the Chase Sapphire as a primary card, you are also increasing the failure rate of your back-up credit cards cards as a result of underutilization (which increases precautionary card suspensions). This could leave you totally screwed when you need to pay for something urgently. I would cry too if it happened to you.

The details:

3-D Secure technologies, which add an additional layer of verification security to online credit card transactions, have been around for more than a decade. Verified by Visa, MasterCard SecureCode, and American Express Safe Key are the most popular examples of 3-D Secure deployments. If you use your credit card to buy online outside the United States, you’ve almost certainly come across these technologies.

The customer experience of this technology has largely remained unchanged since when it were first launched in the late 2000s: enter your card details – if they’re right, you’ll get some additional verification questions or be asked to enter a One Time Password from your mobile device, and if that’s authenticated, the transaction is then processed.

Two decisions are needed to make this system work. First, the easy one: merchants have to opt-in to use the technology. Adoption brings with it the benefits of lower risks from fraudulent transactions, but a higher risk of something going wrong with the transaction since it involves an extra processing step that requires a number of systems to talk to each other. It looks like this isn’t a big issue: adoption seems to be fairly wide spread in non-US markets (e.g. 82 percent in Netherlands). In the US, fears of addition additional friction to online transactions has led to very low adoption rates – around 5 percent.

Second, credit card issuing banks (e.g. Chase) need to make an investment decision. They need to decide what type of fence they will put in place for the additional authentication. This could be asking for your mother’s maiden name, a random sub-set of challenge questions, or a one-time password sent to your mobile device. So this decision involves adoption costs. The card company’s 3-D Secure system needs to be able to talk to the Bank’s customer information database to authenticate the extra security questions.

With merchant adoption rates high outside the US, Banks have long invested in running technologically costly – but easy to use – verification systems (e.g. challenge questions). Because the net benefits probably add up. So 3-D Secure transactions when you have both a non-US credit card – and a non-US based merchant – move like a breeze.

American Banks, which for the longest time have largely underinvested in these systems, have slowly begun to catch up. Slowly.

Enter Chase. A bank that prides itself on offering the very best of financial services for travelers, epitomized by its near-magnificent Chase Sapphire Card. The Sapphire is heralded by popular card review websites as the best thing since sliced bread for international travelers. And mostly, it is exactly that. No fees, travel credits, good earning rates, cash back, premium lounge services, etc. It’s marketed almost entirely as a card dedicated to the American on the go. Recently, I was at a restaurant with my manager and lead economist, and when it was time to pay our split bill, we all whipped out our Chase Sapphires at the same time to pay. Sad but true.

But while the bells and whistles are really cool (especially when you use points to buy tickets) the Chase Sapphire is highly unreliable as it relies on Chase’s terrible awful no-good junk approach to 3-D Secure (Verified by Visa) verification. For some reason – whether a genuine corporate cost-benefit decision, or a petty spat between Chase and Visa (as suggested to me by one of Chase’s fraud team managers) – Chase uses an extremely tedious and completely anachronistic method. To understand how VbV works for Chase cards, here is an example:

  1. Click to buy the last remaining seat on the aircraft.

  2. Review itinerary, and proceed to check out and pay for the ticket.

  3. Enter payment details: card number and details, address, etc.

  4. Press “Confirm” and wait.

  5. Merchant has opted to use Verified by Visa, so before the transaction is approved, it activates the VbV system.

  6. VbV talks to Chase and sends the customer Chase’s authentication approach.

  7. The customer sees a screen that says something to the effect of, “This transaction cannot be completed online. Please call Chase on xxx xxx xxx to complete it.”

The messaging from Chase at this stage is confusing. Often, the transaction is still on hold pending VbV verification – but the wording is so confusing that I’d bet my savings that most customers usually give up and redo the transaction to try another credit card.

In fact, the transaction is still active and pending VbV verification, but I needed to call Chase to complete the transaction. Without closing my browser window, I need to call Chase, answer some security questions that the VbV team will ask, and if they are correct, the VbV team will manually approve the VbV authentication.

Oh wait – there’s a catch: you will need to dial this number even if you are overseas and need to pay out of your nose for the phone call. The number you dial leads you to an automated operator, and then places you into a queue where you need to wait to speak to a VbV team member.  And while for general customer service Chase Sapphire members get premium phone lines, this one is a generic number that places you into a queue with all chase credit card customers waiting to deal with a fraud or VbV issue. 9 times out of 10 when I have had to do this, my transaction times out while I’m still waiting on the phone because the queues can be enormous. And when you’re abroad, the costs of that phone call can be exorbitant.

This entire circus is especially unsuitable for time-sensitive transactions. If you end up needing to VbV your Chase transaction, you are virtually guaranteed that you lost that last seat on the plane, and those tickets to the Taylor Swift concert in Amsterdam (that you set an alarm to wake up at 2 AM for so you could snatch a ticket in the first 30 seconds before the concert sold out). 👋🏽 Tay-Tay! Maybe next time.

I have lost plane seats, event tickets, low prices on things like cars, etc. It has been a nightmare. And more frequently these days, I’m noticing that whenever there’s a 3-D Secure (VbV) transaction involved, I am just getting outright rejections when I use my Chase card. Merchant processing banks may be blacklisting Chase’s VbV approach because of the huge delays it entails before a transaction can be finalized. I recently tried to buy some ferry tickets for a forthcoming trip to Cabo Verde and ran into this problem. Thankfully, my Capital One Card (which uses OTP based authentication to my mobile) worked and I managed to snap up the last few seats on the ferry.

Having a back-up card with you for VbV transactions certainly can help. But even then, there’s a catch for time-sensitive transactions. Because you probably don’t use your back-up card that often, in a time-sensitive overseas online transaction, there’s a high chance your back-up card may shut down the transaction for fraud. This happened to me with the ferry tickets – it got rejected the first time I tried, and I needed to call Capital One to lift the fraud hold, after which `the transaction (and the VbV) worked.

So if you are an American abroad or a frequent overseas traveller, and especially if you buy things online abroad where 3-D secure adoption is extremely high, think eighty times before deciding on a Chase credit card (like the Chase Sapphire) as your main card. I first noticed some basic coverage of this issue on this website, but thought I’d use this post to fill in the details of how and why it happens in case others are trying to understand what’s going on when they have a failed transaction and google “Chase verified by visa”. That article from 2015 also points out that not having a number embossed on your card can also cause issues overseas in case electronic payment terminals fail to work. The Chase Sapphire cannot be used when manual card processing is required (those old clunky machines that physically swipe over your card with high pressure to imprint the card number on an inked credit card charge slip). I would also add a third negative to the Sapphire (and possibly all Chase cards): all additional cards have the same number and CVV code as the main cardholder. So when one card gets stolen all cards have to be locked and replaced with a new card. And as you may have experienced first hand: credit cards tend to get stolen or lost a bit more often when you’re traveling overseas.

For an international traveler – it’s critical that your card works well with the systems it is interacting with overseas. The Chase Sapphire might have nice bells and whistles, but is an immensely flawed tool for a global traveler – one that is almost certain to bring you lots of frustration, and potentially some awkward and embarrassing moments. You’ve been warned.

Disclaimer: While I’m a payments systems aficionado, I’m not an expert, so I may have some of the more technical process details wrong or partially depicted in this post. But hopefully I have the right broad intuition of what goes on with 3-D S transactions more generally, and with Chase’s VbV implementation more specifically.

End of rant.