The Green Sheet Online Edition
October 22, 2012 • Issue 12:10:02
Implementing 3-D Secure
To address the growing security concerns associated with online transactions, Visa Inc. introduced 3-D Secure, which allows issuers to validate cardholders during purchase transactions on e-commerce sites. Today, 3-D Secure is available for Visa, MasterCard Worldwide, American Express Co. and JCB International Co. Ltd. transactions. Each card brand has given it a different name; hence, you see names like Verified by Visa, MasterCard SecureCode, J/Secure or SafeKey.
3-D Secure basics
The basic concept of 3-D Secure is to authenticate a cardholder performing a transaction at an e-commerce site before an authorization transaction is sent. An authentication process is different than an authorization process. Authentication focuses on establishing the identity of the cardholder doing the transaction. This step precedes the authorization process that validates the payment transaction.
The authentication is driven by the activities done in tandem by the acquirer, issuer and interoperability domains.
The issuer domain consists of the card issuers, cardholders and the access control server (ACS) providers. ACS providers can be issuers, too. An issuer must establish an ACS that will respond to any 3-D Secure authentication request. This server must allow for validation of the bank identification number ranges that are eligible for 3-D Secure authentication.
Furthermore, cardholders must be enrolled in the 3-D Secure program and establish a secret code or password with the issuer to ensure proper authentication. This password will be required to authenticate the cardholder during purchase transactions. A cardholder need enroll only once. A cardholder may enroll at the issuer's website or during the initial checkout process.
The acquirer domain consists of merchants, gateways and acquiring processors. In this domain, merchants, gateways and acquirers all have to participate in the 3-D Secure program to allow for added cardholder authentication.
The merchant is responsible for the e-commerce website and its checkout flow. The merchant also operates the merchant-side software component that will allow for control of the 3-D Secure transaction flow. This software is generally called a merchant plug-in (MPI).
If a gateway is in the transaction flow or hosting the shopping cart functionality for a merchant's website, the gateway must establish the MPI for the merchant.
Acquirers are responsible for signing up merchants for the 3-D Secure program and for allowing transactions to pass through. Generally, card networks require the authorization transaction to carry the response code returned by the 3-D Secure authentication message exchange.
The interoperability domain is responsible for connecting the acquiring domain to the issuer domain. Typically, this is provided by the card company networks, which also publish the specifications for connectivity and message exchange between the acquirer and the issuer domain.
A basic message exchange consists of the following:
- Card range request (to verify whether the card number is within the merchant's valid range) and response
- Verify enrollment request and response
- Payer authentication request and response
- Payer authentication transaction request and response
- Error message
Basic flow for authentication under 3-D Secure
Following is a description of the 3-D Secure authentication process, which is also illustrated in a chart accompanying this article. First, the MPI is required to obtain card ranges from the interoperability domain's directory and must be able to cache this information. The cache is generally refreshed at least once every day, more often if needed. This allows for checking that the card range is a 3-D Secure service participant without having to call the interoperability domain every time.
The merchant provides the website for e-commerce transactions, accepts the card number information from the customer and initiates the 3-D Secure process. If a gateway is providing the MPI, the gateway obtains the card number and other customer details.
At this time, the MPI initiates a verify enrollment process with the interoperability domain to verify whether the cardholder is enrolled in the 3-D Secure service. The interoperability domain initiates a request with the appropriate issuer ACS for validation of the cardholder information.
If the cardholder is indeed enrolled at the issuer ACS, the ACS returns a positive response to the interoperability domain, and the same is then returned to the MPI, including the ACS URL for the MPI to continue transacting. Then the MPI initiates a payer authentication request to the issuer ACS using the URL obtained in the previous step.
The ACS now responds with an HTML page for the gateway or merchant to display that will accept the password from the cardholder. If the cardholder password is accepted, control of the website is returned to the MPI. Furthermore, the ACS now sends a payer authentication transaction message to record in the transaction history for the cardholder. The MPI notifies the merchant's or gateway's payment subsystems of the results. If the authentication has been confirmed, the payment subsystems proceed with the authorization request.
If the card range is not enrolled in 3-D Secure or if the cardholder is not enrolled in the 3-D Secure program, the payment subsystem may still proceed with the regular authorization request outside the 3-D Secure authentication process. But if the authentication fails for a cardholder who is enrolled in 3-D Secure, the payment authorization request must not be sent.
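The MPI-side decision flow just described, as an added illustration that is not part of this article and not PayCube's or any card network's code: the card range cache, the verify-enrollment and payer-authentication exchanges, and the three outcomes (authorize outside 3-D Secure, authorize carrying the authentication result, or do not authorize). The directory ranges, the issuer ACS, the PANs and the passwords are constructed stand-ins; a real MPI never holds cardholder passwords and only sees the ACS's result.

```python
from typing import Optional

# Constructed directory cache of card ranges participating in 3-D Secure.
# A real MPI refreshes this from the interoperability domain at least daily.
PARTICIPATING_RANGES = [(4000000000000000, 4000009999999999)]

# Constructed issuer ACS state. Only the ACS ever sees these passwords.
ENROLLED = {"4000001234567890": "hunter2"}

def in_participating_range(pan: str) -> bool:
    """Card range check against the local cache, no network call needed."""
    n = int(pan)
    return any(lo <= n <= hi for lo, hi in PARTICIPATING_RANGES)

def verify_enrollment(pan: str) -> dict:
    """Verify enrollment request/response stand-in via the directory to the ACS."""
    if pan in ENROLLED:
        return {"enrolled": "Y", "acs_url": "https://acs.issuer.example/pa"}  # constructed URL
    return {"enrolled": "N"}

def payer_authentication(pan: str, password_entered: str) -> dict:
    """Payer authentication request/response stand-in: ACS checks the password."""
    return {"status": "Y" if ENROLLED.get(pan) == password_entered else "N"}

def mpi_decide(pan: str, password_entered: Optional[str]) -> dict:
    """Tell the payment subsystem what to do next, and which result to carry."""
    if not in_participating_range(pan):
        # Range not in 3-D Secure: regular authorization, no authentication result.
        return {"action": "AUTHORIZE_WITHOUT_3DS", "auth_status": None}
    veres = verify_enrollment(pan)
    if veres["enrolled"] != "Y":
        # Cardholder not enrolled: regular authorization is still permitted.
        return {"action": "AUTHORIZE_WITHOUT_3DS", "auth_status": None}
    pares = payer_authentication(pan, password_entered or "")
    if pares["status"] == "Y":
        # Authenticated: authorization proceeds and carries the response code.
        return {"action": "AUTHORIZE_WITH_3DS", "auth_status": "Y"}
    # Enrolled but authentication failed: the authorization must not be sent.
    return {"action": "DO_NOT_AUTHORIZE", "auth_status": "N"}
```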
The case for 3-D Secure
Implementing 3-D Secure reduces the scope of fraud drastically. And the networks provide incentives for implementing such technologies, including favorable interchange rates and liability protection.
The technology has existed for a long time and has stabilized in the marketplace. Cardholders are also quite aware of the risks of using credit cards online. Since most of the gateways cater to e-commerce clients, they should strongly consider implementing 3-D Secure technology as part of their offering.
Chandan Mukherjee is the co-founder of PayCube Inc., a San Francisco Bay Area-based payment consulting and IT services company providing custom software solutions and custom gateways for acquirers, ISOs, retailers and varied organizations in the world of payments and consumer transactions, including prepaid and gift card programs, loyalty and promotion, payment start-ups, POS solutions, mobile payment and e-commerce players. PayCube uses a blend of on-site and offshore delivery capabilities, with a staff of retail and payments-focused software engineers, systems architects, project managers, tech leads and systems analysts. For more information, email firstname.lastname@example.org, call 510-545-6854 or visit www.paycubeinc.com.