The 3-D Secure Protocol


                                         Vlad Petre
                         Bucharest Academy of Economic Studies
                Faculty of Cybernetics, Statistics and Economic Informatics
          Master of Science in Information Technology & Communications Security
                                 Email: vlad@vladpetre.com
                                     Date: 20.05.2012



                                           Abstract
    In 2001, VISA created a new security protocol called 3-D Secure. Its main purpose
    was to accelerate the growth of electronic commerce through increased consumer
    confidence. In a nutshell, 3-D Secure stands for "Three Domain Secure". Today, VISA
    3-D Secure is the payment industry's Internet authentication standard.

    Keywords: 3-D Secure, VISA, secure, payment, standard.



1. An introduction to the Internet payment systems
Electronic commerce, commonly known as e-commerce or e-business, is the act of buying
and selling products or services over electronic systems such as the Internet or any other
computer network. With the widespread use of the Internet, the amount of trade conducted
electronically has grown exponentially. Most electronic commerce platforms rely on the
World Wide Web. Although a large share of electronic commerce transactions involve only
virtual goods, such as access to premium content on a website, the majority of them still
involve the transportation of physical items in some way.

There are two major forms of electronic commerce: B2B and B2C. The B2B term stands for
business-to-business and it describes the electronic commerce transactions that are
conducted between businesses. The B2C term stands for business-to-consumer and it
describes the electronic commerce transactions that are conducted between business and
consumers.

In B2C, the majority of online purchases are made with a credit card. Merchants like credit
card payments because an instant authorization mechanism guarantees that the credit card is
valid. Consumers also like paying by credit card because they can easily cancel a
transaction if they change their minds or are not satisfied with the products or services
bought.

While some credit card payments for online purchases are made by phone, most of the time
the payment is made by filling in an electronic form. The credit card information entered
in the form and submitted by the user is sent to the bank that issued the card, in order to
verify it. If the transaction is approved by the bank, the merchant notifies the customer
and continues with placing the order. Meanwhile, the bank reserves the funds and initiates
the transfer of the money to the merchant within hours or even days.

The two leading credit card companies in the world today are the competitors VISA and
MasterCard. They both operate over similar lines. In fact, as far as most consumers are
concerned, there is no real difference between the two. They are both very widely accepted in
over one hundred and fifty countries, and it is very rare to find a location that will accept one
but not the other. However, in reality neither MasterCard nor Visa actually issue any credit
cards themselves. They both represent methods of payments and they rely on banks to do
the actual issuing of the credit or debit cards that utilize their payment methods. The business
model of Visa and MasterCard relies on charging the retailer for using their payment methods.

Electronic payment systems, in the narrow sense, can be defined as non-credit-card online
payment systems. Their goal is to create analogs of checks and cash for the Internet. To
achieve this, they usually have to implement features such as protecting customers from
merchant fraud by keeping the card numbers unknown to merchants, or protecting the
confidentiality of the customers.

Several online payment systems emerged in the last 20 years, like Virtual PIN, DigiCash (or
E-Cash), CyberCash/CyberCoin, SET (Secure Electronic Transactions), PayPal, Smart
Cards, etc. Although most of these products are no longer in use, the ideas behind them can
be found implemented in other products.

Virtual PIN was launched in 1994 by a company called First Virtual Holding. It was a system
for making credit card payments over the Internet without exposing the credit card number to
the merchant. It relied on the difficulty of intercepting email and it required no special software
for a consumer to make a purchase. Even though no encryption was involved, an
eavesdropper could not use a virtual PIN without being able to intercept and answer the e-
mail message to confirm the purchase.

DigiCash (also known as E-Cash), was an electronic payment system, developed by Dr.
David Chaum. Dr. David Chaum is recognized as the inventor of the digital money. The
system was based on digital coins (digital tokens). Although the company declared itself
bankrupt, the algorithms used in DigiCash are considered fundamental in the development of
the digital cash.

SET (Secure Electronic Transactions) is an electronic payment protocol for sending money
over the Internet. MasterCard, Visa and several other companies developed it as a joint
venture. Because it is a standard protocol, it has the advantage of being built into a wide
variety of commercial products. However, it never became popular because of the trouble of
getting a digital wallet software and setting it up for each credit card.

3-D Secure is a payment protocol designed to add an extra layer of security to online credit
card and debit card transactions. It is a security standard developed by Visa in 2001. Its
main purpose is to safeguard online payment transactions and to mitigate the risk of fraud.
Because of its simplicity and success, it was later adopted by MasterCard and JCB
International. The standard is marketed as Verified by Visa, MasterCard SecureCode and
J/Secure.

The principle of 3-D Secure is fairly simple. It allows cardholders to authenticate themselves
against their card-issuing bank during an online transaction. Basically, it adds an
authentication step for online payments. Under certain conditions, the merchants have the
possibility to shift the responsibility of fraudulent transactions to the bank that issued the card.

For 3-D Secure to work, customers first have to sign up with their bank and activate the
service. After this, whenever a cardholder visits an online shop that has adhered to the
3-D Secure protocol and initiates a payment for a product or a service, the purchase request
is routed through the merchant system under 3-D Secure, so that the whole payment process
is carried out under this secured protocol.




2. Technical description of the protocol
The most recent version of the protocol is 1.0.2 (version 1.0.1 is discontinued and no
longer supported). MasterCard and JCB International have adopted only version 1.0.2 of
the protocol.

The protocol exchanges XML-formatted messages over SSL (Secure Sockets Layer). This
ensures the authenticity of the server, as well as the client, by using digital certificates.

The concept of the protocol is to link the authorization process with a form of online
authentication. This authentication mechanism is based on a three-domain model (hence the
3-D in the name). These three domains are:
    • Issuer Domain – it represents the bank that issued the card
    • Acquirer Domain – it is the bank of the merchant to which the money is being
         transferred
    • Interoperability Domain – it is the infrastructure provided by the credit card scheme
         that supports the 3-D Secure protocol. This Domain includes the Internet, ACS
         (Access Control Server), MPI (Merchant Plug In), or any other software provider.

The Issuer Domain can be decomposed into several smaller components: Cardholder,
Cardholder's Browser, and Issuer. The Cardholder is the customer who wants to buy a
product or a service online, and who provides an account name, a card number, and an
expiration date. In response to the Purchase Authentication Page, the cardholder provides a
password so that the authentication process can complete.

The Cardholder Browser acts as a way to transport messages between the Merchant Plug
In (found in the Acquirer Domain) and the Access Control Server (in the Issuer Domain). The
Issuer is usually the bank that issues the credit card. It can determine the cardholder’s
eligibility to participate in the 3-D Secure payment process, it defines the card number ranges
eligible to participate in the 3-D Secure payment process, it provides data about the cards to
the Visa Directory Server, and it performs enrollment of the cardholder for each payment card
account via an ACS.

The Acquirer Domain can likewise be decomposed into several smaller components:
Merchant, Merchant Server Plug In, and Acquirer. The Merchant usually has a website that
handles the user's payment request by obtaining the card number and by invoking the
Merchant Plug In in order to conduct the payment authentication. If appropriate, after the
payment is successfully authenticated, the merchant's software platform may submit an
authorization request to the Acquirer.

The Merchant Plug In (MPI) is a software module that provides a communication interface
between the Visa/MasterCard servers and the merchant’s servers. It is a flexible component
that can be integrated either directly in the merchant’s website or it can be hosted by an
external service provider / acquirer. The main purpose of the MPI is to verify the card issuer’s
(bank’s) digital certificate used in the authentication process, to validate the enrollment and
the authentication response messages, to encrypt and store certificates and passwords, and
to fetch payment records as well as associated card details in order to resolve transaction
conflicts.

The Acquirer is usually a bank too. Only this time, it is the bank of the merchant, and it
accepts payment requests with Visa cards. The Acquirer determines the merchant’s eligibility
to use the 3-D Secure payment protocol. After the payment is successfully authenticated, the
Acquirer performs its usual role like receiving the authorization requests from the merchant
and forwarding them to an authorization system (e.g. VisaNet), providing authorization
responses back to the merchant, and submitting the completed transaction to the settlement
platform (e.g. VisaNet).

The Access Control Server is a component on card issuer’s side. It serves two basic
functions. One is to verify whether a 3-D Secure authentication is available for a particular
card number. The second is to authenticate the cardholder for a specific transaction or to
provide a proof for an attempted authentication, when authentication is not available.

The Visa Directory Server is operated by Visa. It receives messages from merchants
querying about a specific card number, determines whether the card number is eligible to be
used in the 3-D Secure protocol, directs the request that authenticates the cardholder to the
appropriate ACS or responds directly to the merchant, receives the response from the ACS
indicating whether payment authentication is available for the cardholder account, and
forwards that response to the merchant. The Visa Directory Server is a server in the
Interoperability Domain. It enables the communication between the merchant's software
and the issuer of the card.

In order to protect the communications between the various entities participating in a 3-D
Secure transaction, the protocol requires the following links to be secured using SSL:
cardholder-merchant, cardholder-ACS, merchant-Visa Directory, and Visa Directory-ACS.

enrollment_status | enrollment_message       | 3-D Secure Available? | Payment Processed?
------------------+--------------------------+-----------------------+-------------------
Y                 | Authentication Available | Yes                   | No
N                 | Cardholder Not Enrolled  | No                    | Yes
U                 | Unable to Authenticate   | No                    | Yes
E                 | any error message here   | No                    | Yes
                          Figure 1: Enrollment Message and Status

VISA ECI | MC ECI | Authentication status | Authentication message                | Description
---------+--------+-----------------------+---------------------------------------+--------------------------------------------------
05       | 02     | Y                     | Authentication Successful             | Cardholder was successfully authenticated.
06       | 01     | A                     | Attempts Processing Performed         | Authentication could not be performed, but a proof of authentication attempt was provided.
-        | -      | N                     | Authentication Failed                 | Cardholder authentication failed. Authorization request shouldn't be submitted.
07       | 01     | U                     | Authentication Could Not Be Performed | Authentication could not be performed due to a technical error or other problem.
-        | -      | E                     | any error message here                | An error occurred during the authentication process. Authorization request shouldn't be submitted.
                        Figure 2: Electronic Commerce Indicator values
3. The network architecture




                    Figure 3: The architecture of the 3-D Secure protocol (diagram not reproduced in this text)

The data flow is as follows:
   1. The cardholder browses the merchant's online website. When he decides to buy a
      product or a service, he initiates the purchase and fills in an online form with the
      appropriate payment details, including the account number.
   2. After the cardholder submits the payment form, the merchant's system creates an
      XML payment request and sends it to the payment gateway.
   3. The payment gateway verifies whether the merchant has previously adhered to the
      3-D Secure protocol, and whether the credit card is enrolled. If the credit card is not
      3-D Secure enabled, the merchant's system initiates the standard authorization
      process. Otherwise, the payment gateway responds with an XML Payment
      Authentication Request which contains two fields specific to the 3-D Secure
      protocol: PAReq and AcsUrl.
   4. The merchant's platform then sends an HTTP POST Payment Authentication Request
      back to the cardholder. The cardholder now sees a new inline window in his browser.
   5. The cardholder's browser redirects the PAReq message to the issuer's Access Control
      Server, which authenticates the cardholder. This step has two sub-steps: first, the
      cardholder's browser initiates an HTTPS request to the ACS; second, the ACS parses
      the data and presents a login page in the cardholder's browser. The cardholder fills
      in his password and the browser returns it to the ACS.
   6. With the received data, the Access Control Server verifies the cardholder's password.
      It then constructs the Issuer Authentication Value and finally creates an
      SSL-encrypted and digitally signed Payer Authentication Response (PARes). The
      encryption and the signature ensure that the cardholder cannot modify the content of
      the message on its way to the merchant's software platform.
   7. The Payer Authentication Response is posted by the Access Control Server to the
      merchant's software platform's URL via the cardholder's web browser.
   8. The merchant continues the payment process with an additional XML-based request,
      which can be an authorization, a preauthorization or a transaction request. This
      request must contain the PARes obtained in the previous step.
   9. The payment gateway then submits an authorization request to the Acquirer and
      responds to the merchant with a successful authorization message.
   10. Finally, the merchant's software platform parses the XML response received from the
       payment gateway and shows the cardholder a payment confirmation message.



4. Advantages and disadvantages
The 3-D Secure protocol has many advantages, such as:
   • Safety against fraud loss: it protects merchants against fraud loss.
   • Reduced fraud risk: with this technology, loss of payments is drastically reduced.
   • Greater customer contentment: 3-D Secure has been shown to provide greater customer
     satisfaction. Clients are now more comfortable with online payments.
   • More protection: 3-D Secure offers more protection, as the authorization process
     requires confirmation of the identity and a code from the card issuer.
   • Easy to install: by the merchant.
   • Easy to use: by the customer.

Although it has many advantages, the 3-D Secure protocol is not perfect. Some of its
disadvantages include:
    • Fraudulent phishing: it is very hard for users to differentiate a legitimate "Verified
      by Visa" inline window from a fraudulent one.
    • Mobile browser incompatibility: currently, mobile browsers present particular
      problems for 3-D Secure, due to the common lack of certain features such as frames
      and pop-ups.
    • Little security: in some cases, 3-D Secure ends up providing little security to the
      cardholder, and can act as a device to pass liability for fraudulent transactions from
      the bank or retailer to the cardholder.
    • Privacy: 3-D Secure provides less privacy than SET.



5. Conclusions
Although the 3-D Secure protocol is not 100% secure, it is by far one of the best electronic
payment protocols in terms of reliability and security. By adhering to the 3-D Secure standard,
a merchant will be able to provide a generally safe method for its customers in order to
purchase products or services from its online shop.

After analyzing the implementation, as well as its pros and cons, it is no wonder the 3-D
Secure protocol has become the industry standard for online credit card payments.





panagenda
 

Último (20)

AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 

The 3-D Secure Protocol

Vlad Petre
Bucharest Academy of Economic Studies
Faculty of Cybernetics, Statistics and Economic Informatics
Master of Science in Information Technology & Communications Security
Email: vlad@vladpetre.com
Date: 20.05.2012

Abstract

In 2001, VISA created a new security protocol called 3-D Secure. Its main purpose was to accelerate the growth of electronic commerce through increased consumer confidence. In a nutshell, 3-D Secure stands for „Three Domain Secure”. Today, VISA 3-D Secure is the payment industry’s Internet authentication standard.

Keywords: 3-D Secure, VISA, secure, payment, standard.

1. An introduction to the Internet payment systems

Electronic commerce, commonly known as e-commerce or e-business, is the act of buying and selling products or services over electronic systems such as the Internet or any other computer network. With the widespread use of the Internet, the amount of trade conducted electronically has grown exponentially. Most electronic commerce platforms rely on the World Wide Web. Although a large percentage of electronic commerce transactions involve only virtual goods, such as access to premium content on a website, the vast majority of them involve the transportation of physical items in some way.

There are two major forms of electronic commerce: B2B and B2C. B2B stands for business-to-business and describes electronic commerce transactions conducted between businesses. B2C stands for business-to-consumer and describes electronic commerce transactions conducted between businesses and consumers.

In B2C, the majority of online purchases are made with a credit card. Merchants like credit card payments because an instant authorization mechanism guarantees that the credit card is valid.
On the other hand, consumers also like paying by credit card because they can easily cancel a transaction if they change their minds or are not satisfied with the products or services bought. While some credit card payments for online purchases are made by phone, most of the time the payment is made quickly by filling in an electronic form. The credit card information entered in the form and submitted by the user is sent to the bank that issued the card in order to verify it. If the transaction is approved by the bank, the merchant notifies the customer and proceeds with placing the order. Meanwhile, the bank reserves the funds and initiates the transfer of the money to the merchant within a couple of hours or even days.

The two leading credit card companies in the world today are the competitors VISA and MasterCard. They both operate along similar lines. In fact, as far as most consumers are concerned, there is no real difference between the two. They are both very widely accepted, in over one hundred and fifty countries, and it is very rare to find a location that will accept one but not the other. However, in reality neither MasterCard nor Visa actually issues any credit cards itself. They both represent payment methods, and they rely on banks to do the actual issuing of the credit or debit cards that use their payment methods. The business model of Visa and MasterCard relies on charging the retailer for using their payment methods.

Electronic payment systems, in this context, can be defined as non-credit-card online payment systems. Their goal is to create analogs of checks and cash for the Internet. To achieve this, they usually have to implement features such as protecting customers from merchant fraud by keeping card numbers unknown to merchants, or protecting the confidentiality of the customers. Several online payment systems emerged in the last 20 years, such as Virtual PIN, DigiCash (or E-Cash), CyberCash/CyberCoin, SET (Secure Electronic Transactions), PayPal, Smart Cards, etc. Although most of these products are no longer in use, the ideas behind them can be found implemented in other products.

Virtual PIN was launched in 1994 by a company called First Virtual Holding. It was a system for making credit card payments over the Internet without exposing the credit card number to the merchant. It relied on the difficulty of intercepting e-mail and required no special software for a consumer to make a purchase. Even though no encryption was involved, an eavesdropper could not use a Virtual PIN without being able to intercept and answer the e-mail message confirming the purchase.

DigiCash (also known as E-Cash) was an electronic payment system developed by Dr. David Chaum, who is recognized as the inventor of digital money. The system was based on digital coins (digital tokens).
Although the company declared itself bankrupt, the algorithms used in DigiCash are considered fundamental to the development of digital cash.

SET (Secure Electronic Transactions) is an electronic payment protocol for sending money over the Internet. MasterCard, Visa and several other companies developed it as a joint venture. Because it is a standard protocol, it has the advantage of being built into a wide variety of commercial products. However, it never became popular because of the trouble of obtaining digital wallet software and setting it up for each credit card.

3-D Secure is a payment protocol designed to add an extra layer of security to online credit card and debit card transactions. 3-D Secure takes e-commerce security to a new level. It is a security standard developed by Visa in 2001. Its main purpose is to safeguard online payment transactions and to mitigate the risk of fraud. Because of its simplicity and success, it was later adopted by MasterCard and JCB International. The standard is marketed as MasterCard SecureCode, J/Secure and Verified by Visa.

The principle of 3-D Secure is fairly simple. It allows cardholders to authenticate themselves to their card-issuing bank during an online transaction. Basically, it adds an authentication step to online payments. Under certain conditions, merchants can shift the liability for fraudulent transactions to the bank that issued the card. For 3-D Secure to work, customers first have to sign up with their bank and activate the service. After this, whenever a cardholder visits an online shop that has adopted the 3-D Secure protocol and initiates a payment for a product or a service, 3-D Secure routes the purchase request through the merchant’s system, making sure that the whole payment process is carried out under this secured protocol.
2. Technical description of the protocol

The most recent version of the protocol is 1.0.2 (version 1.0.1 is discontinued and no longer supported). MasterCard and JCB International have adopted only version 1.0.2 of the protocol. The protocol exchanges XML-formatted messages over SSL (Secure Sockets Layer). This ensures the authenticity of the server, as well as of the client, by using digital certificates.

The concept of the protocol is to link the authorization process with a form of online authentication. This authentication mechanism is based on a three-domain model (hence the 3-D in the name). These three domains are:
• Issuer Domain – represents the bank that issued the card.
• Acquirer Domain – the bank of the merchant to which the money is being transferred.
• Interoperability Domain – the infrastructure provided by the credit card scheme that supports the 3-D Secure protocol. This domain includes the Internet, the ACS (Access Control Server), the MPI (Merchant Plug In), or any other software provider.

The Issuer Domain can be decomposed into several smaller components: Cardholder, Cardholder’s Browser, and Issuer. The Cardholder is the customer who wants to buy a product or a service online, and who provides an account name, a card number, and an expiration date. In response to the Purchase Authentication Page, the cardholder provides a password so that the authentication process can be completed. The Cardholder’s Browser acts as a transport for messages between the Merchant Plug In (in the Acquirer Domain) and the Access Control Server (in the Issuer Domain). The Issuer is usually the bank that issues the credit card. It determines the cardholder’s eligibility to participate in the 3-D Secure payment process, defines the card number ranges eligible to participate in it, provides data about the cards to the Visa Directory Server, and performs enrollment of the cardholder for each payment card account via an ACS.

The Acquirer Domain can also be decomposed into several smaller components: Merchant, Merchant Server Plug In, and Acquirer. The Merchant usually has a website that handles the user’s payment request by obtaining the card number and by invoking the Merchant Plug In in order to conduct the payment authentication. If appropriate, after the payment is successfully authenticated, the merchant’s software platform may submit an authorization request to the Acquirer. The Merchant Plug In (MPI) is a software module that provides a communication interface between the Visa/MasterCard servers and the merchant’s servers. It is a flexible component that can be integrated directly into the merchant’s website or hosted by an external service provider / acquirer. The main purpose of the MPI is to verify the card issuer’s (bank’s) digital certificate used in the authentication process, to validate the enrollment and authentication response messages, to encrypt and store certificates and passwords, and to fetch payment records as well as associated card details in order to resolve transaction disputes. The Acquirer is usually a bank too, only this time it is the bank of the merchant, and it accepts payment requests with Visa cards. The Acquirer determines the merchant’s eligibility to use the 3-D Secure payment protocol. After the payment is successfully authenticated, the Acquirer performs its usual role: receiving authorization requests from the merchant and forwarding them to an authorization system (e.g. VisaNet), providing authorization responses back to the merchant, and submitting the completed transaction to the settlement platform (e.g. VisaNet).

The Access Control Server is a component on the card issuer’s side. It serves two basic functions. One is to verify whether 3-D Secure authentication is available for a particular card number. The second is to authenticate the cardholder for a specific transaction, or to provide proof of an attempted authentication when authentication is not available.

The Visa Directory Server is operated by Visa. It receives messages from merchants querying for a specific card number, determines whether the card number is eligible to be used with the 3-D Secure protocol, directs the request that authenticates the cardholder to the appropriate ACS or responds directly to the merchant, receives the response from the ACS indicating whether payment authentication is available for the cardholder account, and forwards the response to the merchant. The Visa Directory Server is a server in the Interoperability Domain. It enables communication between the merchant’s software and the issuer of the card.

In order to protect the security of the communications between the various entities participating in a 3-D Secure transaction, the protocol requires that the following links be secured using SSL: cardholder-merchant, cardholder-ACS, merchant-Visa Directory, and Visa Directory-ACS.

Figure 1: Enrollment Message and Status

enrollment_status | enrollment_message       | 3-D Secure Available? | Payment Processed?
Y                 | Authentication Available | Yes                   | No
N                 | Cardholder Not Enrolled  | No                    | Yes
U                 | Unable to Authenticate   | No                    | Yes
E                 | any error message here   | No                    | Yes

Figure 2: Electronic Commerce Indicator values

VISA ECI | MC ECI | Authentication status | Authentication message                | Description
05       | 02     | Y                     | Authentication Successful             | Cardholder was successfully authenticated.
06       | 01     | A                     | Attempts Processing Performed         | Authentication could not be performed but a proof of authentication attempt was provided.
-        | -      | N                     | Authentication Failed                 | Cardholder authentication failed. Authorization request shouldn't be submitted.
07       | 01     | U                     | Authentication Could Not Be Performed | Authentication could not be performed due to a technical error or other problem.
-        | -      | E                     | any error message here                | An error occurred during the authentication process. Authorization request shouldn't be submitted.
  • 5. 3. The network architecture Figure 3: The architecture of the 3-D Secure protocol The data flow is as follows: 1. The cardholder browses the merchant’s online website. When he decides to buy a product or a service, he initiates the purchase and he fills in an online form with the appropriate payment details, including the account number. 2. After the cardholder submits the payment purchase from, the merchant’s system creates an XML payment request and sends it to the payment gateway. 3. The payment gateway verifies if the merchant has previously adhered to the 3-D Secure protocol, as well as the credit card. If the credit card is not 3-D Secure compatible, the merchant’s system will initiate the standard authorization process. Otherwise, if the credit card is 3-D Secure enabled, then the payment gateway responds with an XML Payment Authentication Request which contains two fields specific for the 3-D Secure protocol: PAReq and AcsUrl. 4. Then, the merchant’s platform initiates an HTTP POST Payment Authentication Request back to the cardholder. The cardholder will now see a new inline window in his browser. 5. At step 5, the cardholder’s browser redirects a PAReq message to the issuer’s Access Control Server which authenticates the cardholder. This step is completed in two sub-steps. In the first sub-step, the cardholder’s browser initiates an HTTPS request to the ACS. In the second sub-step, the server parses the data and invokes a login page in the cardholder’s browser. The cardholder now fills in his password in the browser and returns the data back to the ACS. 6. With the received data, the Access Control Server can now authenticate the cardholder’s password. Then, it can construct the Issuer Authentication Value, and finally it can create an SSL-encrypted and digitally signed Payer Authentication Response. 
The encryption and the signature processes ensure that the cardholder cannot modify the content of the message on its way to the merchant’s software platform. 7. In step seven, the payment Authentication Response is posted by the Access Control Server into the merchant’s software platform’s URL via the cardholder’s web browser. 8. The merchant will continue the payment process with an additional request. This additional request is XML-based and it can be either authorization, preauthorization or a transaction request. This request must contain the PARes obtained in the previous step. 5
9. The payment gateway then submits an authorization request to the Acquirer and responds to the merchant with a successful authorization message.
10. Finally, the merchant’s software platform parses the XML response received from the payment gateway and shows the cardholder a payment confirmation message.

4. Advantages and disadvantages

The 3-D Secure protocol has many advantages, such as:
• Safety against fraud loss: it provides security for merchants against fraud loss.
• Reduced fraud risk: with this technology, loss of payments is drastically reduced.
• Greater customer contentment: 3-D Secure has proved to provide greater customer satisfaction. Clients are now more comfortable with online payments.
• More protection: 3-D Secure offers more protection, as the authorization process requires confirmation of the identity and code from the card issuer.
• Easy to install by the merchant.
• Easy to use by the customer.

Although it has many advantages, the 3-D Secure protocol is not perfect. Some of its disadvantages include:
• Fraudulent phishing: it is very hard for users to differentiate a legitimate “Verified by Visa” inline window from a fraudulent one.
• Mobile browser incompatibility: currently, mobile browsers present particular problems for 3-D Secure, due to the common lack of certain features such as frames and pop-ups.
• Little security: in some cases, 3-D Secure ends up providing little security to the cardholder, and can act as a device to pass liability for fraudulent transactions from the bank or retailer to the cardholder.
• Privacy: 3-D Secure provides less privacy than SET.

5. Conclusions

Although the 3-D Secure protocol is not 100% secure, it is by far one of the best electronic payment protocols in terms of reliability and security. By adhering to the 3-D Secure standard, a merchant will be able to provide its customers with a generally safe method for purchasing products or services from its online shop. After analyzing the implementation, as well as its pros and cons, it is no wonder the 3-D Secure protocol has become the industry standard for online credit card payments.
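The merchant plug-in's side of the responses described in section 2 (Figures 1 and 2) and received in steps 7-8 of the data flow in section 3, as an added example that is not part of the paper or of any card scheme's software. The PARes element names, the deflate-plus-base64 transport encoding and every value in the sample message are assumptions or constructed placeholders.

```python
# Added example (not from the paper or any card scheme's code): the merchant
# plug-in's handling of 3-D Secure responses per Figure 1, Figure 2 and steps
# 7-8 of the data flow. PARes element names approximate the 1.0.2 layout and
# are assumptions; the sample message and all its values are constructed.
import base64
import zlib
import xml.etree.ElementTree as ET

# Figure 1: VERes enrollment status -> merchant's next step.
ENROLLMENT_ACTION = {"Y": "authenticate",  # redirect to the ACS (steps 4-7)
                     "N": "authorize",     # not enrolled: plain authorization
                     "U": "authorize",     # ACS unable: plain authorization
                     "E": "authorize"}     # error: plain authorization

# Figure 2: PARes status -> (Visa ECI, MasterCard ECI, submit authorization?)
ECI_TABLE = {"Y": ("05", "02", True),
             "A": ("06", "01", True),
             "N": (None, None, False),   # failed: must not authorize
             "U": ("07", "01", True),
             "E": (None, None, False)}   # error: must not authorize

def enrollment_action(veres_status):
    """Figure 1 decision; an unknown code is handled like an error."""
    return ENROLLMENT_ACTION.get(veres_status, "authorize")

def encode_pares(xml_text):
    """Deflate + base64: the browser-side transport encoding assumed here."""
    return base64.b64encode(zlib.compress(xml_text.encode())).decode()

def decode_pares(pares_field):
    """Recover the PARes XML from the field posted by the cardholder's browser."""
    return zlib.decompress(base64.b64decode(pares_field)).decode()

def validate_pares(xml_text, expected, scheme="visa"):
    """Bind the PARes to the MPI's own PAReq (`expected` holds the xid, amount and
    currency it sent) and derive the step-8 decision: status, ECI, authorize?"""
    root = ET.fromstring(xml_text)
    pares = root.find("./Message/PARes")
    if pares is None:
        raise ValueError("no PARes element")
    # The ACS signs the PARes. Verifying the signature against the issuer's
    # certificate chain is the MPI's job and is not shown here; an unsigned
    # response is rejected outright.
    if root.find("./{http://www.w3.org/2000/09/xmldsig#}Signature") is None:
        raise ValueError("PARes is not signed")
    if pares.findtext("version") != "1.0.2":
        raise ValueError("unsupported version")
    # A PARes for another transaction, amount or currency is never accepted.
    for tag, key in (("xid", "xid"), ("purchAmount", "amount"), ("currency", "currency")):
        if pares.findtext("Purchase/" + tag) != expected[key]:
            raise ValueError("PARes %s does not match the PAReq" % tag)
    status = pares.findtext("TX/status")
    if status not in ECI_TABLE:
        raise ValueError("unknown status %r" % (status,))
    visa_eci, mc_eci, submit = ECI_TABLE[status]
    return {"status": status,
            "eci": visa_eci if scheme == "visa" else mc_eci,
            "submit_authorization": submit,
            # the CAVV goes into the authorization only when one is submitted
            "cavv": pares.findtext("TX/cavv") if submit else None}

# Constructed sample PARes; every value is a placeholder.
SAMPLE_PARES = """<ThreeDSecure>
 <Message id="msg-constructed-1">
  <PARes id="pares-constructed-1">
   <version>1.0.2</version>
   <Purchase><xid>xid-constructed-0001</xid><purchAmount>12345</purchAmount>
    <currency>978</currency><exponent>2</exponent></Purchase>
   <TX><status>Y</status><cavv>cavv-constructed</cavv><eci>05</eci></TX>
  </PARes>
 </Message>
 <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignatureValue>signature-placeholder</SignatureValue>
 </Signature>
</ThreeDSecure>"""

# Values the MPI stored when it built the matching PAReq (constructed).
EXPECTED = {"xid": "xid-constructed-0001", "amount": "12345", "currency": "978"}
```

The xid/amount/currency comparison is what stops a response issued for a cheaper or different transaction from being replayed into this one; the N and E rows of Figure 2 yield no ECI and no authorization, matching the "shouldn't be submitted" notes in the table.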