ROMSO Cyprus Knowledge Base
3D Secure
--- CONTENT ---
3-D Secure is an XML-based protocol designed to be an additional security layer for online credit and debit card transactions. It was originally developed by Arcot Systems (now CA Technologies) and first deployed by Visa with the intention of improving the security of Internet payments, and is offered to customers under the Verified by Visa / Visa Secure brands. Protocol-based services have also been adopted by Mastercard as SecureCode, Discover as ProtectBuy and JCB International as J / Secure. American Express added 3-D Secure in selected markets on November 8, 2010 as American Express SafeKey, and continues to launch additional markets.
EMV 3-D Secure Three-Domain Secure (3DS) is a messaging protocol developed by EMVCo to allow consumers to authenticate with their card issuer when making transactions with non-present card (CNP). The additional safety layer helps to avoid unauthorized CNP transactions and protects the trader from exposure to fraud. The three Secure domains consist of the trader / acquirer domain, the issuer domain and the interoperability domain (e.g. payment systems).
The analysis of the first version of the protocol by the academy has shown that it has many security problems affecting the consumer, including a greater phishing area and a change in liability for fraudulent payments.
Description and basic aspects
The basic concept of the protocol is to link the financial authorization process to online authentication. This additional security authentication is based on a three-domain model (hence the 3-D in the name itself). The three domains are:
Domain of the acquirer (the bank and the trader to whom the money is paid).
The issuer's domain (the bank that issued the card being used).
Interoperability domain (the infrastructure provided by the card, credit, debit, prepayment or other payment card scheme, to support the 3-D Secure protocol). It includes the Internet, the commercial complement, the access control server and other software providers.
The protocol uses XML messages sent through SSL connections with customer authentication (this guarantees the authenticity of both pairs, the server and the client, using digital certificates).
A transaction using Verifed-by-Visa or SecureCode will start a readdress to the website of the card issuing bank to authorize the transaction. Each issuer could use any type of authentication method (the protocol does not cover this) but a password linked to the card is usually entered when making online purchases. The Verifed-by-Visa protocol recommends that the bank's verification page be loaded in an online framework session. In this way, the systems of the bank can