21-09-2013, 04:46 PM
3-D Secure
INTRODUCTION
3-D Secure is an XML-based protocol designed to be an additional security layer for online credit and debit card transactions. It was developed by Visa with the intention of improving the security of Internet payments and offered to customers as the Verified by Visa service. Services based on the protocol have also been adopted by MasterCard, under the name MasterCard SecureCode, and by JCB International as J/Secure. American Express added SafeKey to the UK and Singapore on 8 November 2010.[1] Academic analysis of the protocol has shown it to have many security issues that affect the consumer, including a larger attack surface for phishing and a shift of liability to the cardholder in the case of fraudulent payments.[2]
ACS providers
In the 3-D Secure protocol, the ACS (Access Control Server) sits on the issuer (bank) side. Currently, most banks outsource the ACS to a third party. Commonly, the buyer's web browser shows the domain name of the ACS provider rather than the bank's domain name; however, this is not required by the protocol. Depending on the ACS provider, it is possible to specify a bank-owned domain name for use by the ACS.
MPI providers
Each 3-D Secure transaction involves two Internet request/response pairs: VEReq/VERes and PAReq/PARes. Visa and MasterCard do not license merchants to send requests to their servers directly; they isolate their servers by licensing software providers, which are called MPI (merchant plug-in) providers.
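The two request/response pairs above, simulated end to end as an added example (not code from the original post or from any card scheme): the merchant's MPI asks the card scheme's server (the Directory Server in 3-D Secure 1.x) whether the card is enrolled (VEReq/VERes), then sends the authentication request to the issuer's ACS (PAReq/PARes) and checks the PARes before trusting it. The XML field names, the enrolment rule and the HMAC standing in for the real XML signature are all constructed simplifications.

```python
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

# Constructed key shared between the simulated ACS and MPI; the real protocol
# uses XML signatures and scheme-issued certificates instead.
ISSUER_KEY = b"constructed-issuer-signing-key"

def directory_server(vereq: str) -> str:
    """Card scheme server: answers a VEReq with a VERes saying whether the card is enrolled."""
    pan = ET.fromstring(vereq).findtext("pan") or ""
    enrolled = "Y" if pan.startswith("4") else "N"  # constructed enrolment rule
    acs_url = "https://acs.issuer.example/pa" if enrolled == "Y" else ""
    return f"<VERes><enrolled>{enrolled}</enrolled><acsURL>{acs_url}</acsURL></VERes>"

def _sign(xid: str, status: str) -> str:
    """Signature over the fields the MPI relies on (HMAC stands in for an XML signature)."""
    body = f"<xid>{xid}</xid><status>{status}</status>"
    return hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()

def access_control_server(pareq: str, password_ok: bool) -> str:
    """Issuer ACS: authenticates the cardholder and returns a signed PARes."""
    xid = ET.fromstring(pareq).findtext("xid") or ""
    status = "Y" if password_ok else "N"
    return (f"<PARes><xid>{xid}</xid><status>{status}</status>"
            f"<sig>{_sign(xid, status)}</sig></PARes>")

def verify_pares(pares: str, expected_xid: str) -> tuple[bool, str]:
    """MPI-side check: PARes must carry a valid signature, echo our xid and report status Y."""
    doc = ET.fromstring(pares)
    xid, status, sig = (doc.findtext(t) or "" for t in ("xid", "status", "sig"))
    if not hmac.compare_digest(_sign(xid, status), sig):
        return False, "bad signature"   # tampered or forged PARes
    if xid != expected_xid:
        return False, "xid mismatch"    # PARes replayed from another transaction
    return status == "Y", f"status {status}"

def merchant_plug_in(pan: str, password_ok: bool) -> dict:
    """Merchant MPI: runs the VEReq/VERes and PAReq/PARes pairs for one purchase."""
    veres = ET.fromstring(directory_server(f"<VEReq><pan>{pan}</pan></VEReq>"))
    if veres.findtext("enrolled") != "Y":
        return {"authenticated": False, "reason": "not enrolled"}
    xid = secrets.token_hex(8)  # fresh id binds the PARes to this PAReq
    # In the real flow the PAReq travels via the cardholder's browser to the ACS URL.
    pares = access_control_server(f"<PAReq><xid>{xid}</xid></PAReq>", password_ok)
    ok, reason = verify_pares(pares, xid)
    return {"authenticated": ok, "reason": reason}
```

The point for an MPI implementer is the last function: the PARes is only evidence of authentication once its signature verifies and it echoes the transaction id the merchant generated.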
Verifiability of site identity
The system involves a pop-up window or inline frame appearing during the online transaction process, requiring the cardholder to enter a password which, if the transaction is legitimate, their card-issuing bank will be able to authenticate. The problem for the cardholder is determining whether the pop-up window or frame really comes from their card issuer, when it could come from a fraudulent website attempting to harvest the cardholder's details. Such pop-up windows or script-based frames have no access to a security certificate, leaving the cardholder no way to confirm the credentials of the 3-DS implementation.
The "Verified by Visa" system has drawn some criticism,[3][4][5][6] since it is hard for users to differentiate between the legitimate Verified by Visa pop-up window or inline frame and a fraudulent phishing site.
Geographic discrimination
Banks and merchants may use 3-D Secure systems unevenly with regard to banks that issue cards in several geographic locations, creating differences between, for instance, domestic US-issued and non-US-issued cards. For example, since Visa and MasterCard treat the United States territory of Puerto Rico as a non-US international location rather than a domestic US one, cardholders there may face a greater incidence of 3-D Secure queries than cardholders in the 50 states. Complaints to that effect have been received by Puerto Rico's Department of Consumer Affairs "equal treatment" economic discrimination site, http://daco.pr.gov.