The purpose of this post is to familiarize online merchants and other merchant services industry players with 3D Secure program.
In e-commerce transactions, where the card is not physically involved, card fraud is more likely than in retail transactions. Therefore, special fraud protection measures are required, and 3D Secure is one of such.
In essence, 3D Secure is a special XML-based protocol, intended to provide additional security level for online credit and debit card transactions. 3D Secure program is implemented by Visa (as Verified by Visa), MasterCard (as Secure Code) and Amex (as Secure Key) for additional protection of cardholder data. In order to use 3D Secure service for a given card, the card-issuing bank must be enrolled in 3D Secure program.
If the card issuing bank participates (is enrolled in) the 3D Secure program, the cardholder can enroll the card and associate a special password with it. When an online purchase is made with the card, and the web-site supports 3D Secure, then additional authentication process happens, involving additional authentication factor.
The process is as follows. A customer makes an online purchase. When the time comes to pay for the purchase, the customer is redirected to the additional authentication page, where he or she enters his or her password associated with the card. As a result of the authentication a special value is generated, which is then passed to the gateway for the processing of the transaction. This value serves as the additional authentication factor (similarly to two-factor authentication described in our article on google authenticator).
If the password is invalid, the payment is not processed.
The unique value generated for 3D Secure-based authentication, associated with the card, is called Universal Cardholder Authentication Field. Visa and MasterCard implementations of the 3D Secure protocol use different methods to generate it: Visa uses Cardholder Authentication Verification Value, while MasterCard uses Accountholder Authentication Value.
A merchant who wants to enroll in 3D Secure program has to integrate with the MPI-provider and be able to transfer respective values to the payment gateway. When a merchant receives a payment request, a special Merchant Plug In (MPI) component checks if the card is enrolled in 3D Secure program. If the card is enrolled in 3D Secure, the component executes the redirect and the value is sent to the payment gateway for authentication.
The advantage of 3D Secure program for a cardholder is that if a card is stolen it is more difficult to use it for unauthorized online purchases. The advantage of the program for a merchant is that rejection of transactions which did not get through 3D Secure authentication process, potentially, reduces the number of chargebacks issued after unauthorized transactions.
Merchants, handling mostly online transactions and operating with international cards, are advised to enroll in 3D Secure program in order to protect themselves from potential online credit and debit card fraud.