The 3-D Secure Protocol


                                         Vlad Petre
                         Bucharest Academy of Economic Studies
                Faculty of Cybernetics, Statistics and Economic Informatics
          Master of Science in Information Technology & Communications Security
                                 Email: vlad@vladpetre.com
                                     Date: 20.05.2012



                                           Abstract
    In 2001, VISA created a new security protocol called 3-D Secure. Its main purpose
    was to accelerate the growth of electronic commerce through increased consumer
    confidence. In a nutshell, 3-D Secure stands for "Three Domain Secure". Today, VISA
    3-D Secure is the payment industry’s Internet authentication standard.

    Keywords: 3-D Secure, VISA, secure, payment, standard.



1. An introduction to the Internet payment systems
Electronic commerce, commonly known as e-commerce or e-business, defines the act of
buying and selling of products or services over electronic systems like the Internet or any
other computer network. With the widespread use of the Internet, the amount of trade conducted
electronically has grown exponentially. The majority of the electronic commerce platforms
typically rely on the World Wide Web. Although a large percentage of the electronic
commerce transactions involve only virtual goods such as access to premium content on a
website, the vast majority of the electronic commerce transactions involve the transportation
of physical items in some way.

There are two major forms of electronic commerce: B2B and B2C. The B2B term stands for
business-to-business and it describes the electronic commerce transactions that are
conducted between businesses. The B2C term stands for business-to-consumer and it
describes the electronic commerce transactions that are conducted between business and
consumers.

In B2C, the majority of the online purchases are made with a credit card. Merchants like credit
card payments because an instant authorization mechanism guarantees that the credit card is
valid. On the other hand, consumers too like paying by credit cards because they can easily
cancel a transaction in case they change their minds or they are not satisfied with the
products or services bought.

While some of the credit card payments for online acquisitions are performed by phone, most
of the time, the payments are quickly made by filling in an electronic form. Credit card
information filled in the electronic form and submitted by the user is sent to the bank which
issued the card, in order to verify it. If the transaction is successfully approved by the bank,
the merchant notifies the customer about this and continues with the placing of the order.
Meanwhile, the bank reserves the funds and initiates the transfer of the money to the
merchant within a couple of hours or even days.

The two leading credit card companies in the world today are the competitors VISA and
MasterCard. They both operate over similar lines. In fact, as far as most consumers are
concerned, there is no real difference between the two. They are both very widely accepted in
over one hundred and fifty countries, and it is very rare to find a location that will accept one
but not the other. However, in reality neither MasterCard nor Visa actually issue any credit
cards themselves. They both represent methods of payments and they rely on banks to do
the actual issuing of the credit or debit cards that utilize their payment methods. The business
model of Visa and MasterCard relies on charging the retailer for using their payment methods.

In terms of electronic payment systems, we can define them as being non-credit-card online
payment systems. Their goal is to create analogs of checks and cash for the Internet. In order
to achieve this, they usually have to implement features like protecting the customers from
merchant’s fraud by keeping the numbers of the cards unknown to merchants or protecting
the confidentiality of the customers.

Several online payment systems emerged in the last 20 years, like Virtual PIN, DigiCash (or
E-Cash), CyberCash/CyberCoin, SET (Secure Electronic Transactions), PayPal, Smart
Cards, etc. Although most of these products are no longer in use, the ideas behind them can
be found implemented in other products.

Virtual PIN was launched in 1994 by a company called First Virtual Holding. It was a system
for making credit card payments over the Internet without exposing the credit card number to
the merchant. It relied on the difficulty of intercepting email and it required no special software
for a consumer to make a purchase. Even though no encryption was involved, an
eavesdropper could not use a virtual PIN without being able to intercept and answer the e-
mail message to confirm the purchase.

DigiCash (also known as E-Cash), was an electronic payment system, developed by Dr.
David Chaum. Dr. David Chaum is recognized as the inventor of the digital money. The
system was based on digital coins (digital tokens). Although the company declared itself
bankrupt, the algorithms used in DigiCash are considered fundamental in the development of
the digital cash.

SET (Secure Electronic Transactions) is an electronic payment protocol for sending money
over the Internet. MasterCard, Visa and several other companies developed it as a joint
venture. Because it is a standard protocol, it has the advantage of being built into a wide
variety of commercial products. However, it never became popular because of the trouble of
getting a digital wallet software and setting it up for each credit card.

3-D Secure is a payment protocol designed to add an extra layer of security to online credit
card and debit card transactions. 3-D Secure takes e-commerce security to a new level. It is a
security standard developed by Visa in 2001. Its main purpose is to safeguard online
payment transactions and to mitigate the risk of fraud. Because of its simplicity and success,
it was later adopted by MasterCard and JCB International. The standard is marketed as
MasterCard SecureCode, J/Secure and Verified by Visa.

The principle of 3-D Secure is fairly simple. It allows cardholders to authenticate themselves
against their card-issuing bank during an online transaction. Basically, it adds an
authentication step for online payments. Under certain conditions, the merchants have the
possibility to shift the responsibility of fraudulent transactions to the bank that issued the card.

For 3-D Secure to work, customers first have to sign up with their bank and activate the
service. After this, whenever a cardholder visits an online shop that has adopted the 3-D
Secure protocol and initiates a payment for a product or a service, 3-D Secure sends the
purchase request to the merchant's system, so that the whole payment process is carried out
under this secured protocol.




2. Technical description of the protocol
The most recent version of the protocol is 1.0.2 (version 1.0.1 is discontinued and it is no
longer supported). MasterCard and JCB International have adopted only the 1.0.2 version of
the protocol.

The protocol exchanges XML-formatted messages over SSL (Secure Sockets Layer). This
ensures the authenticity of the server, as well as the client, by using digital certificates.

The concept of the protocol is to link the authorization process with a form of online
authentication. This authentication mechanism is based on a three-domain model (hence the
3-D in the name). These three domains are:
    • Issuer Domain – it represents the bank that issued the card
    • Acquirer Domain – it is the bank of the merchant to which the money is being
         transferred
    • Interoperability Domain – it is the infrastructure provided by the credit card scheme
         that supports the 3-D Secure protocol. This Domain includes the Internet, ACS
         (Access Control Server), MPI (Merchant Plug In), or any other software provider.

The Issuer Domain can be decomposed into several smaller components: Cardholder,
Cardholder's Browser, and Issuer. The Cardholder is the customer who wants to buy a product
or a service online, and who provides an account name, a card number, and an expiration
date. In response to the Purchase Authentication Page, the cardholder provides a password
so that the authentication process can be completed successfully.

The Cardholder Browser acts as a way to transport messages between the Merchant Plug
In (found in the Acquirer Domain) and the Access Control Server (in the Issuer Domain). The
Issuer is usually the bank that issues the credit card. It can determine the cardholder’s
eligibility to participate in the 3-D Secure payment process, it defines the card number ranges
eligible to participate in the 3-D Secure payment process, it provides data about the cards to
the Visa Directory Server, and it performs enrollment of the cardholder for each payment card
account via an ACS.

The Acquirer Domain can also be decomposed in several other small components:
Merchant, Merchant Server Plug In, and Acquirer. The Merchant usually has a website that
handles the user’s payment request by obtaining the card number and by invoking the
Merchant Plug In in order to conduct the payment authentication. If appropriate, after the
payment is successfully authenticated, the merchant’s software platform may submit an
authorization request to the Acquirer.

The Merchant Plug In (MPI) is a software module that provides a communication interface
between the Visa/MasterCard servers and the merchant’s servers. It is a flexible component
that can be integrated either directly in the merchant’s website or it can be hosted by an
external service provider / acquirer. The main purpose of the MPI is to verify the card issuer’s
(bank’s) digital certificate used in the authentication process, to validate the enrollment and
the authentication response messages, to encrypt and store certificates and passwords, and
to fetch payment records as well as associated card details in order to resolve transaction
conflicts.

The Acquirer is usually a bank too. Only this time, it is the bank of the merchant, and it
accepts payment requests with Visa cards. The Acquirer determines the merchant’s eligibility
to use the 3-D Secure payment protocol. After the payment is successfully authenticated, the
Acquirer performs its usual role like receiving the authorization requests from the merchant
and forwarding them to an authorization system (e.g. VisaNet), providing authorization
responses back to the merchant, and submitting the completed transaction to the settlement
platform (e.g. VisaNet).

The Access Control Server is a component on card issuer’s side. It serves two basic
functions. One is to verify whether a 3-D Secure authentication is available for a particular
card number. The second is to authenticate the cardholder for a specific transaction or to
provide a proof for an attempted authentication, when authentication is not available.

The Visa Directory Server is operated by Visa. It receives messages from merchants querying
about a specific card number, determines whether the card number is eligible for use with the
3-D Secure protocol, directs the cardholder authentication request to the appropriate ACS or
responds directly to the merchant, receives the response from the ACS indicating whether
payment authentication is available for the cardholder account, and forwards that response to
the merchant. The Visa Directory Server is a server in the Interoperability Domain; it enables
the communication between the merchant's software and the issuer of the card.

In order to protect the communications between the various entities participating in a 3-D
Secure transaction, the protocol requires that the following links be secured using SSL:
cardholder-merchant, cardholder-ACS, merchant-Visa Directory, and Visa Directory-ACS.

enrollment_status | enrollment_message       | 3-D Secure Available? | Payment Processed?
------------------+--------------------------+-----------------------+-------------------
Y                 | Authentication Available | Yes                   | No
N                 | Cardholder Not Enrolled  | No                    | Yes
U                 | Unable to Authenticate   | No                    | Yes
E                 | any error message here   | No                    | Yes

                          Figure 1: Enrollment Message and Status

VISA ECI | MC ECI | Authentication status | Authentication message                | Description
---------+--------+-----------------------+---------------------------------------+----------------------------------------------
05       | 02     | Y                     | Authentication Successful             | Cardholder was successfully authenticated.
06       | 01     | A                     | Attempts Processing Performed         | Authentication could not be performed but a proof of authentication attempt was provided.
-        | -      | N                     | Authentication Failed                 | Cardholder authentication failed. Authorization request shouldn't be submitted.
07       | 01     | U                     | Authentication Could Not Be Performed | Authentication could not be performed due to a technical error or other problem.
-        | -      | E                     | any error message here                | An error occurred during the authentication process. Authorization request shouldn't be submitted.

                       Figure 2: Electronic Commerce Indicator values
3. The network architecture




                    Figure 3: The architecture of the 3-D Secure protocol

The data flow is as follows:
   1. The cardholder browses the merchant’s online website. When he decides to buy a
       product or a service, he initiates the purchase and he fills in an online form with the
       appropriate payment details, including the account number.
   2. After the cardholder submits the payment purchase form, the merchant's system
       creates an XML payment request and sends it to the payment gateway.
   3. The payment gateway verifies if the merchant has previously adhered to the 3-D
       Secure protocol, as well as the credit card. If the credit card is not 3-D Secure
       compatible, the merchant’s system will initiate the standard authorization process.
       Otherwise, if the credit card is 3-D Secure enabled, then the payment gateway
       responds with an XML Payment Authentication Request which contains two fields
       specific for the 3-D Secure protocol: PAReq and AcsUrl.
   4. Then, the merchant’s platform initiates an HTTP POST Payment Authentication
       Request back to the cardholder. The cardholder will now see a new inline window in
       his browser.
   5. At step 5, the cardholder’s browser redirects a PAReq message to the issuer’s
       Access Control Server which authenticates the cardholder. This step is completed in
       two sub-steps. In the first sub-step, the cardholder’s browser initiates an HTTPS
       request to the ACS. In the second sub-step, the server parses the data and invokes a
       login page in the cardholder’s browser. The cardholder now fills in his password in the
       browser and returns the data back to the ACS.
   6. With the received data, the Access Control Server can now authenticate the
       cardholder’s password. Then, it can construct the Issuer Authentication Value, and
       finally it can create an SSL-encrypted and digitally signed Payer Authentication
       Response. The encryption and the signature processes ensure that the cardholder
       cannot modify the content of the message on its way to the merchant’s software
       platform.
   7. In step seven, the Payer Authentication Response is posted by the Access Control
       Server to the merchant's software platform URL via the cardholder's web browser.
   8. The merchant will continue the payment process with an additional request. This
       additional request is XML-based and it can be either authorization, preauthorization
       or a transaction request. This request must contain the PARes obtained in the
       previous step.
   9. The payment gateway then submits an authorization request to the Acquirer and
       responds to the merchant with a successful authorization message.
   10. Finally, the merchant's software platform parses the XML response received from the
       payment gateway and shows the cardholder a payment confirmation message.
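The following is an added illustration, not part of the original paper and not code from Visa or any MPI vendor. It reduces the data flow above (steps 3, 6, 7 and 8) and the two tables of section 2 (Figures 1 and 2) to the decisions a merchant-side MPI has to make: whether 3-D Secure authentication is available for the card, and whether the PARes that came back through the cardholder's browser is authentic, bound to the merchant's own PAReq, and good enough to submit an authorization on. The XML layout is a constructed simplification, not the official 3-D Secure schema, and the issuer's XML digital signature is stood in for by an HMAC over the PARes fields with a key the merchant is assumed to share with the ACS; a real MPI verifies an XML signature against the issuer's certificate instead. All field values (xid, amounts, key) are constructed for the example.

```python
"""Constructed model of merchant-side (MPI) 3-D Secure 1.0.2 decisions.

Not the official schema or an MPI product: the XML is simplified and the
issuer's XML-DSig is replaced by an HMAC with an assumed shared key.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Figure 1: VERes enrolled status -> (message, is 3-D Secure authentication available?)
ENROLLMENT = {
    "Y": ("Authentication Available", True),
    "N": ("Cardholder Not Enrolled", False),
    "U": ("Unable to Authenticate", False),
    "E": ("Error", False),
}

# Figure 2: PARes status -> (Visa ECI, MasterCard ECI, may submit authorization?)
AUTH_RESULT = {
    "Y": ("05", "02", True),
    "A": ("06", "01", True),
    "N": (None, None, False),
    "U": ("07", "01", True),
    "E": (None, None, False),
}

# Constructed stand-in for the issuer certificate used to sign the real PARes.
ACS_SHARED_KEY = b"constructed-demo-key"


def three_ds_available(enrolled: str) -> bool:
    """Step 3: run PAReq/PARes, or fall back to the standard authorization process."""
    return ENROLLMENT.get(enrolled, ("Error", False))[1]


def _canonical(fields: dict) -> bytes:
    # Deterministic serialization so signer and verifier hash the same bytes.
    return "|".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()


def sign_pares(fields: dict) -> str:
    """ACS side (step 6): sign the PARes so the relaying browser cannot alter it."""
    return hmac.new(ACS_SHARED_KEY, _canonical(fields), hashlib.sha256).hexdigest()


def build_pares(xid: str, amount: int, currency: str, status: str) -> str:
    """ACS side: produce the (simplified) signed PARes XML for one transaction."""
    fields = {"xid": xid, "purchaseAmount": amount, "currency": currency, "status": status}
    sig = sign_pares(fields)
    return (f"<PARes><Purchase><xid>{xid}</xid><purchaseAmount>{amount}</purchaseAmount>"
            f"<currency>{currency}</currency></Purchase><TX><status>{status}</status></TX>"
            f"<Signature>{sig}</Signature></PARes>")


def validate_pares(pares_xml: str, pareq: dict, scheme: str) -> dict:
    """Steps 7-8: checks the MPI must pass before an authorization is submitted.

    pareq holds the xid / purchaseAmount / currency the merchant put in its own PAReq.
    """
    root = ET.fromstring(pares_xml)
    fields = {
        "xid": root.findtext("Purchase/xid"),
        "purchaseAmount": root.findtext("Purchase/purchaseAmount"),
        "currency": root.findtext("Purchase/currency"),
        "status": root.findtext("TX/status"),
    }
    sig = root.findtext("Signature") or ""
    # 1. Signature: the message travelled through the cardholder's browser, so any
    #    change made in transit must be detected here.
    if not hmac.compare_digest(sig, sign_pares(fields)):
        return {"authorize": False, "reason": "bad signature"}
    # 2. Binding: the response must answer this merchant's PAReq, not a different
    #    (or earlier) transaction's.
    for key in ("xid", "purchaseAmount", "currency"):
        if fields[key] != str(pareq[key]):
            return {"authorize": False, "reason": f"{key} mismatch"}
    # 3. Status -> ECI value and authorize decision (Figure 2).
    if fields["status"] not in AUTH_RESULT:
        return {"authorize": False, "reason": "unknown status"}
    visa_eci, mc_eci, ok = AUTH_RESULT[fields["status"]]
    return {"authorize": ok, "status": fields["status"],
            "eci": visa_eci if scheme == "visa" else mc_eci}


if __name__ == "__main__":
    pareq = {"xid": "TX-0001", "purchaseAmount": 1999, "currency": "978"}
    if three_ds_available("Y"):
        good = build_pares("TX-0001", 1999, "978", "Y")
        print(validate_pares(good, pareq, "visa"))
        failed = build_pares("TX-0001", 1999, "978", "N")
        altered = failed.replace("<status>N</status>", "<status>Y</status>")
        print(validate_pares(altered, pareq, "visa"))   # rejected: signature no longer matches
        print(validate_pares(build_pares("TX-0000", 1999, "978", "Y"), pareq, "visa"))  # xid mismatch
```

The three checks are ordered deliberately: the signature is verified before any field is interpreted, the binding to the original PAReq is checked before the status is trusted, and only then is the status mapped to an ECI value. A status of N or E never results in an authorization, matching the "shouldn't be submitted" rows of Figure 2.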



4. Advantages and disadvantages
The 3-D Secure protocol has many advantages, like:
   • Safety against fraud loss: it provides security for merchants against fraud loss.
   • Reduced fraud risk: with this new technology, loss of payments is drastically reduced.
   • Greater customer contentment: 3-D Secure has been shown to provide greater customer
       satisfaction. Clients are now more comfortable with online payments.
   • More protection: 3-D Secure offers more protection as the authorization process
       requires confirmation of the identity and code from the card issuer.
   • Easy to install: by the merchant.
   • Easy to use: by the customer.

Although it has many advantages, the 3-D Secure protocol is not perfect. Some of its
disadvantages include:
    • Fraudulent phishing: it is very hard for users to differentiate a legitimate "Verified
       by Visa" inline window from a fraudulent one.
    • Mobile browser incompatibility: currently, mobile browsers present particular
       problems for 3-D Secure, due to the common lack of certain features such as frames
       and pop-ups.
    • Little security: in some cases, 3-D Secure ends up providing little security to the
       cardholder, and can act as a device to pass liability for fraudulent transactions from the
       bank or retailer to the cardholder.
    • Privacy: 3-D Secure provides less privacy than SET.



5. Conclusions
Although the 3-D Secure protocol is not 100% secure, it is by far one of the best electronic
payment protocols in terms of reliability and security. By adhering to the 3-D Secure standard,
a merchant will be able to provide a generally safe method for its customers in order to
purchase products or services from its online shop.

After analyzing the implementation, as well as its pros and cons, it is no wonder the 3-D
Secure protocol has become the industry standard for online credit card payments.





 
Critica asupra lucrarii Proactive Computing
Critica asupra lucrarii Proactive ComputingCritica asupra lucrarii Proactive Computing
Critica asupra lucrarii Proactive ComputingVlad Petre
 
Critica asupra Singularitatii lui Vernor Vinge
Critica asupra Singularitatii lui Vernor VingeCritica asupra Singularitatii lui Vernor Vinge
Critica asupra Singularitatii lui Vernor VingeVlad Petre
 
Aplicare Filtre pe Imagini
Aplicare Filtre pe ImaginiAplicare Filtre pe Imagini
Aplicare Filtre pe ImaginiVlad Petre
 
Voicenger - Software Architecture Document
Voicenger - Software Architecture DocumentVoicenger - Software Architecture Document
Voicenger - Software Architecture DocumentVlad Petre
 

Mais de Vlad Petre (20)

SSD pe intelesul tuturor!
SSD pe intelesul tuturor!SSD pe intelesul tuturor!
SSD pe intelesul tuturor!
 
Founding a startup. DOs and DON'Ts.
Founding a startup. DOs and DON'Ts.Founding a startup. DOs and DON'Ts.
Founding a startup. DOs and DON'Ts.
 
[Curs Android] C10 - Threaduri & Servicii (IPW 2011)
[Curs Android] C10 - Threaduri & Servicii (IPW 2011)[Curs Android] C10 - Threaduri & Servicii (IPW 2011)
[Curs Android] C10 - Threaduri & Servicii (IPW 2011)
 
[Curs Android] C09 - Stocarea Datelor (IPW 2011)
[Curs Android] C09 - Stocarea Datelor (IPW 2011)[Curs Android] C09 - Stocarea Datelor (IPW 2011)
[Curs Android] C09 - Stocarea Datelor (IPW 2011)
 
[Curs Android] C08 - Intents & Broadcast Receivers (IPW 2011)
[Curs Android] C08 - Intents & Broadcast Receivers (IPW 2011)[Curs Android] C08 - Intents & Broadcast Receivers (IPW 2011)
[Curs Android] C08 - Intents & Broadcast Receivers (IPW 2011)
 
[Curs Android] C07 - Liste (IPW 2011)
[Curs Android] C07 - Liste (IPW 2011)[Curs Android] C07 - Liste (IPW 2011)
[Curs Android] C07 - Liste (IPW 2011)
 
[Curs Android] C06 - DDMS & LogCat (IPW 2011)
[Curs Android] C06 - DDMS & LogCat (IPW 2011)[Curs Android] C06 - DDMS & LogCat (IPW 2011)
[Curs Android] C06 - DDMS & LogCat (IPW 2011)
 
[Curs Android] C05 - Emulator (IPW 2011)
[Curs Android] C05 - Emulator (IPW 2011)[Curs Android] C05 - Emulator (IPW 2011)
[Curs Android] C05 - Emulator (IPW 2011)
 
[Curs Android] C04 - User Interface (IPW 2011)
[Curs Android] C04 - User Interface (IPW 2011)[Curs Android] C04 - User Interface (IPW 2011)
[Curs Android] C04 - User Interface (IPW 2011)
 
[Curs Android] C02 - Aplicatii (IPW 2011)
[Curs Android] C02 - Aplicatii (IPW 2011)[Curs Android] C02 - Aplicatii (IPW 2011)
[Curs Android] C02 - Aplicatii (IPW 2011)
 
[Curs Android] C01 - Introducere (IPW 2011)
[Curs Android] C01 - Introducere (IPW 2011)[Curs Android] C01 - Introducere (IPW 2011)
[Curs Android] C01 - Introducere (IPW 2011)
 
Diploma Project: Friloc - Retea de socializare bazata pe geolocalizare
Diploma Project: Friloc - Retea de socializare bazata pe geolocalizareDiploma Project: Friloc - Retea de socializare bazata pe geolocalizare
Diploma Project: Friloc - Retea de socializare bazata pe geolocalizare
 
Diploma Presentation: Friloc - Retea de socializare bazata pe geolocalizare
Diploma Presentation: Friloc - Retea de socializare bazata pe geolocalizareDiploma Presentation: Friloc - Retea de socializare bazata pe geolocalizare
Diploma Presentation: Friloc - Retea de socializare bazata pe geolocalizare
 
Eneco: Energy Economy
Eneco: Energy EconomyEneco: Energy Economy
Eneco: Energy Economy
 
Kickstart Project: Android+Restlet+Hibernate+PostgreSQL
Kickstart Project: Android+Restlet+Hibernate+PostgreSQLKickstart Project: Android+Restlet+Hibernate+PostgreSQL
Kickstart Project: Android+Restlet+Hibernate+PostgreSQL
 
[SCS]Friloc - Scientific Paper
[SCS]Friloc - Scientific Paper[SCS]Friloc - Scientific Paper
[SCS]Friloc - Scientific Paper
 
Critica asupra lucrarii Proactive Computing
Critica asupra lucrarii Proactive ComputingCritica asupra lucrarii Proactive Computing
Critica asupra lucrarii Proactive Computing
 
Critica asupra Singularitatii lui Vernor Vinge
Critica asupra Singularitatii lui Vernor VingeCritica asupra Singularitatii lui Vernor Vinge
Critica asupra Singularitatii lui Vernor Vinge
 
Aplicare Filtre pe Imagini
Aplicare Filtre pe ImaginiAplicare Filtre pe Imagini
Aplicare Filtre pe Imagini
 
Voicenger - Software Architecture Document
Voicenger - Software Architecture DocumentVoicenger - Software Architecture Document
Voicenger - Software Architecture Document
 

Último

Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 

Último (20)

Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
