The 3-D Secure Protocol
Vlad Petre
Bucharest Academy of Economic Studies
Faculty of Cybernetics, Statistics and Economic Informatics
Master of Science in Information Technology & Communications Security
Email: vlad@vladpetre.com
Date: 20.05.2012
Abstract
In 2001, VISA created a new security protocol called 3-D Secure. Its main purpose
was to accelerate the growth of electronic commerce through increased consumer
confidence. In a nutshell, 3-D Secure stands for "Three Domain Secure". Today, VISA
3-D Secure is the payment industry’s Internet authentication standard.
Keywords: 3-D Secure, VISA, secure, payment, standard.
1. An introduction to the Internet payment systems
Electronic commerce, commonly known as e-commerce or e-business, defines the act of
buying and selling of products or services over electronic systems like the Internet or any
other computer network. With the widespread use of the Internet, the amount of trade conducted
electronically has grown exponentially. The majority of the electronic commerce platforms
typically rely on the World Wide Web. Although a large percentage of the electronic
commerce transactions involve only virtual goods such as access to premium content on a
website, the vast majority of the electronic commerce transactions involve the transportation
of physical items in some way.
There are two major forms of electronic commerce: B2B and B2C. The B2B term stands for
business-to-business and it describes the electronic commerce transactions that are
conducted between businesses. The B2C term stands for business-to-consumer and it
describes the electronic commerce transactions that are conducted between business and
consumers.
In B2C, the majority of the online purchases are made with a credit card. Merchants like credit
card payments because an instant authorization mechanism guarantees that the credit card is
valid. On the other hand, consumers too like paying by credit card because they can easily
cancel a transaction in case they change their minds or they are not satisfied with the
products or services bought.
While some of the credit card payments for online acquisitions are performed by phone, most
of the time, the payments are quickly made by filling in an electronic form. Credit card
information filled in the electronic form and submitted by the user is sent to the bank which
issued the card, in order to verify it. If the transaction is successfully approved by the bank,
the merchant notifies the customer about this and continues with the placing of the order. In
all this time, the bank will reserve the funds and will initiate the transfer of the money to the
merchant in a couple of hours or even days.
The two leading credit card companies in the world today are the competitors VISA and
MasterCard. They both operate over similar lines. In fact, as far as most consumers are
concerned, there is no real difference between the two. They are both very widely accepted in
over one hundred and fifty countries, and it is very rare to find a location that will accept one
but not the other. However, in reality neither MasterCard nor Visa actually issue any credit
cards themselves. They both represent methods of payments and they rely on banks to do
the actual issuing of the credit or debit cards that utilize their payment methods. The business
model of Visa and MasterCard relies on charging the retailer for using their payment methods.
Electronic payment systems, in the narrower sense, are non-credit-card online
payment systems. Their goal is to create analogs of checks and cash for the Internet. In order
to achieve this, they usually have to implement features like protecting the customers from
merchant’s fraud by keeping the numbers of the cards unknown to merchants or protecting
the confidentiality of the customers.
Several online payment systems emerged in the last 20 years, like Virtual PIN, DigiCash (or
E-Cash), CyberCash/CyberCoin, SET (Secure Electronic Transactions), PayPal, Smart
Cards, etc. Although most of these products are no longer in use, the ideas behind them can
be found implemented in other products.
Virtual PIN was launched in 1994 by a company called First Virtual Holding. It was a system
for making credit card payments over the Internet without exposing the credit card number to
the merchant. It relied on the difficulty of intercepting email and it required no special software
for a consumer to make a purchase. Even though no encryption was involved, an
eavesdropper could not use a virtual PIN without being able to intercept and answer the
e-mail message to confirm the purchase.
DigiCash (also known as E-Cash) was an electronic payment system developed by Dr.
David Chaum, who is recognized as the inventor of digital money. The
system was based on digital coins (digital tokens). Although the company declared itself
bankrupt, the algorithms used in DigiCash are considered fundamental in the development of
digital cash.
SET (Secure Electronic Transactions) is an electronic payment protocol for sending money
over the Internet. MasterCard, Visa and several other companies developed it as a joint
venture. Because it is a standard protocol, it has the advantage of being built into a wide
variety of commercial products. However, it never became popular because of the trouble of
obtaining digital wallet software and setting it up for each credit card.
3-D Secure is a payment protocol designed to add an extra layer of security for online credit
card and debit card transactions. 3-D Secure takes e-commerce security to a new level. It is a
new security standard developed by Visa in 2001. Its main purpose is to safeguard online
payment transactions and to mitigate the risk of fraud. Because of its simplicity and success,
it was later adopted by MasterCard and JCB International. This new standard is
marketed as MasterCard Secure Code, J/Secure and Verified by Visa.
The principle of 3-D Secure is fairly simple. It allows cardholders to authenticate themselves
against their card-issuing bank during an online transaction. Basically, it adds an
authentication step for online payments. Under certain conditions, the merchants have the
possibility to shift the responsibility of fraudulent transactions to the bank that issued the card.
For 3-D Secure to work, customers first have to sign up with their bank and activate
the service. After this, whenever a cardholder visits an online shop that has previously
adopted the 3-D Secure protocol and initiates a payment for a product or a service, 3-D
Secure routes his purchase request through the merchant system, thus making sure that the
whole payment process is done under this secured protocol.
2. Technical description of the protocol
The most recent version of the protocol is 1.0.2 (version 1.0.1 is discontinued and it is no
longer supported). MasterCard and JCB International have adopted only the 1.0.2 version of
the protocol.
The protocol exchanges XML-formatted messages over SSL (Secure Sockets Layer). This
ensures the authenticity of the server, as well as the client, by using digital certificates.
The concept of the protocol is to link the authorization process with a form of online
authentication. This authentication mechanism is based on a three-domain model (hence the
3-D in the name). These three domains are:
• Issuer Domain – it represents the bank that issued the card
• Acquirer Domain – it is the bank of the merchant to which the money is being
transferred
• Interoperability Domain – it is the infrastructure provided by the credit card scheme
that supports the 3-D Secure protocol. This Domain includes the Internet, ACS
(Access Control Server), MPI (Merchant Plug In), or any other software provider.
The Issuer Domain can be decomposed into several smaller components: Cardholder,
Cardholder's Browser, and Issuer. The Cardholder is the customer who wants to buy an
online product or a service, and who provides an account name, a card number, and an
expiration date. In response to the Purchase Authentication Page, the cardholder provides a
password for the authentication process to successfully finalize.
The Cardholder Browser acts as a way to transport messages between the Merchant Plug
In (found in the Acquirer Domain) and the Access Control Server (in the Issuer Domain). The
Issuer is usually the bank that issues the credit card. It can determine the cardholder’s
eligibility to participate in the 3-D Secure payment process, it defines the card number ranges
eligible to participate in the 3-D Secure payment process, it provides data about the cards to
the Visa Directory Server, and it performs enrollment of the cardholder for each payment card
account via an ACS.
The Acquirer Domain can also be decomposed into several smaller components:
Merchant, Merchant Server Plug In, and Acquirer. The Merchant usually has a website that
handles the user’s payment request by obtaining the card number and by invoking the
Merchant Plug In in order to conduct the payment authentication. If appropriate, after the
payment is successfully authenticated, the merchant’s software platform may submit an
authorization request to the Acquirer.
The Merchant Plug In (MPI) is a software module that provides a communication interface
between the Visa/MasterCard servers and the merchant’s servers. It is a flexible component
that can be integrated either directly in the merchant’s website or it can be hosted by an
external service provider / acquirer. The main purpose of the MPI is to verify the card issuer’s
(bank’s) digital certificate used in the authentication process, to validate the enrollment and
the authentication response messages, to encrypt and store certificates and passwords, and
to fetch payment records as well as associated card details in order to resolve transaction
conflicts.
The Acquirer is usually a bank too. Only this time, it is the bank of the merchant, and it
accepts payment requests with Visa cards. The Acquirer determines the merchant’s eligibility
to use the 3-D Secure payment protocol. After the payment is successfully authenticated, the
Acquirer performs its usual role like receiving the authorization requests from the merchant
and forwarding them to an authorization system (e.g. VisaNet), providing authorization
responses back to the merchant, and submitting the completed transaction to the settlement
platform (e.g. VisaNet).
The Access Control Server is a component on the card issuer's side. It serves two basic
functions. One is to verify whether a 3-D Secure authentication is available for a particular
card number. The second is to authenticate the cardholder for a specific transaction or to
provide a proof for an attempted authentication, when authentication is not available.
The Visa Directory Server is operated by Visa. It receives messages from merchants
querying for a specific card number, it determines whether a card number is eligible to be
used in the 3-D Secure protocol, it directs the request that authenticates the cardholder to the
appropriate ACS or responds directly to the merchant, it receives the response from the ACS
indicating whether payment authentication is available for the cardholder account, and it
forwards the response to the merchant. The Visa Directory Server is a server in the
Interoperability Domain. It enables the communication between the software of the merchant
and the issuer of the card.
In order to protect the security of the communications between the various entities
participating in a 3-D Secure transaction, the protocol requires that the following links be
secured by using SSL: cardholder-merchant, cardholder-ACS, merchant-Visa Directory, and
Visa Directory-ACS.
| enrollment_status | enrollment_message       | 3-D Secure Available? | Payment Processed? |
|-------------------|--------------------------|-----------------------|--------------------|
| Y                 | Authentication Available | Yes                   | No                 |
| N                 | Cardholder Not Enrolled  | No                    | Yes                |
| U                 | Unable to Authenticate   | No                    | Yes                |
| E                 | any error message here   | No                    | Yes                |

Figure 1: Enrollment Message and Status
| VISA ECI | MC ECI | Authentication status | Authentication message               | Description                                                                                                    |
|----------|--------|-----------------------|--------------------------------------|----------------------------------------------------------------------------------------------------------------|
| 05       | 02     | Y                     | Authentication Successful            | Cardholder was successfully authenticated.                                                                     |
| 06       | 01     | A                     | Attempts Processing Performed        | Authentication could not be performed but a proof of authentication attempt was provided.                      |
| -        | -      | N                     | Authentication Failed                | Cardholder authentication failed. Authorization request shouldn't be submitted.                                |
| 07       | 01     | U                     | Authentication Could Not Be Performed | Authentication could not be performed due to a technical error or other problem.                              |
| -        | -      | E                     | any error message here               | An error occurred during the authentication process. Authorization request shouldn't be submitted.             |

Figure 2: Electronic Commerce Indicator values
3. The network architecture
Figure 3: The architecture of the 3-D Secure protocol
The data flow is as follows:
1. The cardholder browses the merchant’s online website. When he decides to buy a
product or a service, he initiates the purchase and he fills in an online form with the
appropriate payment details, including the account number.
2. After the cardholder submits the payment purchase form, the merchant's system
creates an XML payment request and sends it to the payment gateway.
3. The payment gateway verifies whether the merchant has previously adopted the 3-D
Secure protocol, and whether the credit card is enrolled in it. If the credit card is not 3-D Secure
compatible, the merchant's system will initiate the standard authorization process.
Otherwise, if the credit card is 3-D Secure enabled, then the payment gateway
responds with an XML Payment Authentication Request which contains two fields
specific for the 3-D Secure protocol: PAReq and AcsUrl.
4. Then, the merchant’s platform initiates an HTTP POST Payment Authentication
Request back to the cardholder. The cardholder will now see a new inline window in
his browser.
5. In step 5, the cardholder's browser forwards the PAReq message to the issuer's
Access Control Server, which authenticates the cardholder. This step is completed in
two sub-steps. In the first sub-step, the cardholder’s browser initiates an HTTPS
request to the ACS. In the second sub-step, the server parses the data and invokes a
login page in the cardholder’s browser. The cardholder now fills in his password in the
browser and returns the data back to the ACS.
6. With the received data, the Access Control Server can now authenticate the
cardholder’s password. Then, it can construct the Issuer Authentication Value, and
finally it can create an SSL-encrypted and digitally signed Payer Authentication
Response. The encryption and the signature processes ensure that the cardholder
cannot modify the content of the message on its way to the merchant’s software
platform.
7. In step seven, the Payer Authentication Response is posted by the Access Control
Server to the merchant's software platform's URL via the cardholder's web browser.
8. The merchant will continue the payment process with an additional request. This
additional request is XML-based and it can be either authorization, preauthorization
or a transaction request. This request must contain the PARes obtained in the
previous step.
9. The payment gateway then submits an authorization request to the Acquirer and
responds to the merchant with a successful authorization message.
10. Finally, the merchant’s software platform parses the XML response received from the
payment gateway and shows the cardholder a payment confirmation message.
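The merchant-side decision logic implied by Figure 1, Figure 2 and steps 3, 8 and 9 of the data flow, as an added example that is not part of the original paper or of any vendor's MPI. The XML is a constructed, simplified PARes modelled on the paper's terminology (PARes, status, xid); a real implementation must verify the ACS signature on the message before applying this logic.

```python
"""MPI-side decision logic for 3-D Secure 1.0.2 results (constructed example)."""
import xml.etree.ElementTree as ET

# Figure 1: VERes enrollment status -> (message, 3-D Secure available?, paid without authentication?)
ENROLLMENT = {
    "Y": ("Authentication Available", True, False),
    "N": ("Cardholder Not Enrolled", False, True),
    "U": ("Unable to Authenticate", False, True),
    "E": ("Error", False, True),
}

# Figure 2: PARes authentication status -> (Visa ECI, MasterCard ECI, submit authorization?)
ECI_TABLE = {
    "Y": ("05", "02", True),    # cardholder successfully authenticated
    "A": ("06", "01", True),    # attempts processing performed (proof of attempt only)
    "N": (None, None, False),   # authentication failed: never submit authorization
    "U": ("07", "01", True),    # could not be performed (technical error)
    "E": (None, None, False),   # error during authentication: never submit authorization
}


def next_step_after_enrollment(enrolled):
    """Step 3 of the data flow: 'send_pareq' if the card is 3-D Secure enabled, else 'standard_auth'."""
    _, available, _ = ENROLLMENT.get(enrolled, ENROLLMENT["E"])  # unknown codes treated as errors
    return "send_pareq" if available else "standard_auth"


def decide_authorization(pares_xml, expected_xid, scheme):
    """Steps 8-9: parse a PARes and return (submit_authorization, eci, status).

    scheme is 'visa' or 'mastercard'. The ECI is derived from Figure 2, not copied
    from the message, so a tampered or inconsistent ECI field cannot upgrade a result.
    """
    root = ET.fromstring(pares_xml)
    xid = root.findtext(".//TX/xid")
    status = root.findtext(".//TX/status")
    if xid != expected_xid or status not in ECI_TABLE:
        # PARes does not belong to the PAReq we sent, or carries an unknown status
        return (False, None, "E")
    visa_eci, mc_eci, submit = ECI_TABLE[status]
    return (submit, visa_eci if scheme == "visa" else mc_eci, status)


# Constructed sample PARes (not a real message): cardholder authenticated, status Y
SAMPLE_PARES = """<ThreeDSecure>
  <Message id="msg-1">
    <PARes id="pares-1">
      <version>1.0.2</version>
      <TX><xid>XID-CONSTRUCTED-0001</xid><status>Y</status></TX>
    </PARes>
  </Message>
</ThreeDSecure>"""

if __name__ == "__main__":
    print(next_step_after_enrollment("Y"))                                        # send_pareq
    print(decide_authorization(SAMPLE_PARES, "XID-CONSTRUCTED-0001", "visa"))     # (True, '05', 'Y')
```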
4. Advantages and disadvantages
The 3-D Secure protocol has many advantages, like:
• Safety against fraud loss: it provides security for merchants against fraud loss.
• Reduced fraud risk: with this new technology, loss of payments is drastically reduced.
• Greater customer satisfaction: 3-D Secure has proved to provide greater customer
satisfaction. Clients are now more comfortable with online payments.
• More protection: 3-D Secure offers more protection as the authorization process
requires confirmation of the identity and code from the card issuer.
• Easy to install: by the merchant.
• Easy to use: by the customer.
Although it has many advantages, the 3-D Secure protocol is not perfect. Some of its
disadvantages include:
• Fraudulent phishing: it is very hard for users to differentiate a legitimate "Verified
by Visa" inline window from a fraudulent one.
• Mobile browsers incompatibility: currently, the mobile browsers present particular
problems for 3-D Secure, due to the common lack of certain features such as frames
and pop-ups.
• Little security: in some cases, 3-D Secure ends up providing little security to the
cardholder, and can act as a device to pass liability for fraudulent transactions from the
bank or retailer to the cardholder.
• Privacy: 3-D Secure provides less privacy than SET.
5. Conclusions
Although the 3-D Secure protocol is not 100% secure, it is by far one of the best electronic
payment protocols in terms of reliability and security. By adhering to the 3-D Secure standard,
a merchant will be able to provide a generally safe method for its customers in order to
purchase products or services from its online shop.
After analyzing the implementation, as well as its pros and cons, it is no wonder the 3-D
Secure protocol has become the industry standard for online credit card payments.