RSS
Логотип
Баннер в шапке 1
Баннер в шапке 2

3-D Secure

Product
Developers: Visa International
Branches: Financial Services, Investments and Auditing
Technology: Information Security - Authentication,  Information Security - Fraud Detection System (Fraud)

Content

3-D Secure - Internet transaction processing protocol, company development. Visa The 3D Secure system, when purchased via the Internet, verifies the client using dynamic code that is sent through. SMS He also has a license to use this technology, MasterCard which has its own SecureCode protection service.

The purpose of the protocol is to ensure the security of online payments made using credit or debit cards. Its other name Verified by Visa is in Visa terminology, or SecureCode in MasterCard terminology.

3-D Secure is a trademark of VISA Corporation.

The 3D Secure protocol is used by payment systems under the Verified by Visa and MasterCard SecureCode logos and provides cardholders with the ability to authenticate through their issuing bank when making online purchases through web browsers on personal computers.

Tasks

The purpose of using 3-D Secure is to simplify the maintenance of card transactions via the Internet while increasing the security of their implementation.

Three Domains System

The 3-D Secure model is implemented on the basis of three domains in which the generation and verification of transactions occurs:

  • the domain of the Issuer comprising the Cardholder and the Cardholder.
  • Acquier domain, which includes Bank Acquier and its clients (online merchants).
  • interaction domain contains elements that make it possible to conduct transactions between two other domains. He manages the networks and services of card associations.


Domains are independent in their rights and are an important part of the information transfer process in a common 3-D Secure infrastructure. Each domain has its own area of ​ ​ responsibility in conducting transactions:

  • In the issuer's domain, the issuing bank is responsible for authenticating the buyer and providing the correct information for the transaction.
  • In the acquiring domain, the online merchant is responsible for the commercial relationship with the buyer, as well as ensuring that the buyer has been sent to the correct issuing bank for verification. In the same domain, the acquirer is responsible for coordinating the transaction through traditional Visa or MasterCard networks.
  • In the interaction domain, the Visa or MasterCard payment system is responsible for the safety of information for each issuer (cardholder's bank, the issuer's Internet address) and providing this information for making a decision in case of conflict.

The 3-D Secure model provides a standard cross-domain communication protocol for transaction exchange and validation. It does not cause changes in relationships between members of the same domain:

  • Merchant and Acquier are free to choose any way to conduct their transactions and to manage relationships in their domains.
  • Issuers are free to choose any of their preferred mechanisms for authenticating the cardholder.

3-D Secure Architecture Components

The 3-D Secure architecture implements a set of special servers to service the transaction flow during its life cycle:

  • In the Issuer's domain, the Access Control Server (ACS) is responsible for managing the authentication processes between the Buyer and the Issuer and guarantees payment transactions for the Merchant.
  • In the Acquier domain, the Merchant Plug-In (or MPI) server manages the flow of transactions between Visa/MasterCard infrastructures, cardholder infrastructure, and payment infrastructure created by Acquier.
  • In the interaction domain, Visa/MasterCard Server-Directories (Directory) maintains information about the participants in the process. In the same domain, the Visa/MasterCard Authentication History Server (Authentication History Server or AHS) securely stores information on all transactions and guarantees its availability in case of conflict.
  • In the domains of the Issuer and the Acquirer, host systems are involved in the process of reconciling transactions in the bank's back office to ensure clearing offsets between participants for the purpose of further transfer of funds.

2021: Visa and Mastercard to introduce fees for using 3D Secure technology

International payment systems Visa MasterCard and will make the 3D Secure transaction confirmation service paid for. banks More. here

2020: Transition of Russian banks to 3D Secure 2.0

At the end of July 2020, it became known that banks in Russia had introduced a new 3D Secure 2.0 security standard, in connection with which they began to allow shopping on the Internet without an SMS code.

As told Izvestia in, 140 National Payment Card System (NSPK) "Mir" banks were connected to 3D Secure 2.0 technology for cards, and the rest of the credit organizations are certified. The new system is also introduced for and. Visa MasterCard

Mir cardholders were allowed to make purchases on the Internet without SMS

3D Secure 2.0 defines some of the operations as low-risk and does not require verification. It is designed to improve and speed up the shopping process - the client will not have to wait for confirmation with a message. At the same time, it is promised to maintain the proper level of cybersecurity

The technology is focused on the convenience and security of making payments not only through a web browser, but also directly in applications of various services in a mobile device. The new version also implements convenient support for user authentication when making regular payments, subscriptions to various services, a representative of Mir explained to the publication[1]

The new level security protocol is an attempt to find a reasonable compromise between security and convenience, says Dmitry Kuznetsov, director of methodology and standardization at Positive Technologies. On the one hand, the standard supports several mechanisms for verifying payers: along with passwords at the discretion of the issuing bank, biometrics and cryptography can be used. But on the other hand, in some regions of the world, even the first version of the standard - with confirmation only using a code from SMS - led to a noticeable decrease in the number of purchases.

President of the National Financial Association Vasily Zablotsky says that the transition to 3D Secure 2.0 will help banks save up to 30-80% of SMS costs and direct the saved funds to business development or profit.

2019: Online bank card payment vulnerability

On September 20, 2019, ChronoPay warned about the possibility of spoofing the recipient's data for some transactions during the online payment process with a bank card due to the peculiarities of the 3D Secure (3DS) protocol. Due to a vulnerability in the payer authentication request (PAReq), attackers can mislead the consumer by changing the payee's data on the transaction confirmation page.

According to the company, the 3DS protocol is used when accepting online bank card payments. In order to make sure that the payment is made by the account holder, in addition to the bank card data, you also need a confirmation code that comes to the mobile phone number tied to the card in SMS. The buyer enters a confirmation code on a separate page on which the fraudster can fake the recipient's information. The 3DS method was designed to protect against theft of plastic card data and does not provide for countering online fraud from the payment recipients themselves.

As ChronoPay specialists found out, the problem is the lack of protection for the PAReq payer authentication request. When placing an order in an online store, paying government duties or ordering services, such a request is sent to the bank in the form of a simple address bar in the browser. In the current version of 3DS, it is not encrypted cryptographically and is not checked by the payment system. It is not difficult for attackers to replace any data in the request line and mislead the buyer on the payment confirmation page.

File:Aquote1.png
There are more and more fraudulent sites online that pose as well-known service providers, government services or branded online stores. A vulnerability in 3DS PAReq requests can convince a consumer that they are making a payment to a particular organization. The data on the payment confirmation page can be overridden. Fraudsters are actively using social engineering methods, convincing the client to make a payment on their website as quickly as possible. We recommend that users be extremely careful when making online payments.

told Pavel Vrublevsky, CEO of the processing company ChronoPay
File:Aquote2.png

To protect yourself from fraud, consumers should be extra vigilant. ChronoPay security experts recommend:

  • Check the address of the online store in which you are going to make a purchase (scammers often choose similar addresses). Especially if the site is replete with sales that end in a few minutes.
  • Do not make purchases using links from email letters - instead, independently find a legitimate site in the search engine.

this Information vulnerability was reported to representatives. FinCERT Experts expect that the vulnerability will be fixed in version 3DS 2.0, the transition to which is expected in the near future. In the meantime, experts from ChronoPay recommend that payers be careful when making online payment transactions.

2016: 3D Secure version 2.0

3D-Secure from the international payment system Visa, which requires an additional password for an online card payment, has begun to outlast itself. The development of mobile devices and e-commerce requires increased speed, convenience and security of online payments. For this reason, as well as the desire to get rid of Visa, a number of the largest payment systems, banks and e-commerce companies, united in the international consortium EMVCo, last year announced plans to develop their own version of card payment protection technology - 3D-Secure 2.0.

The e-commerce environment has changed significantly over the years, and EMVco is preparing 3D Secure version 2.0, striving to contribute to the creation of a global operational-compatible and most convenient environment for users of such new means and methods of payment as mobile phones and purchases from applications.

The release of the documentation is scheduled for the first half of 2017, while Visa reports that, for its part, it is already taking the necessary steps to ensure that Verified by Visa and the cardholder authentication service are ready even before the start of industrial launch by the middle of next year.

However, the plastic card industry giant clarifies that in order to provide all interested organizations with sufficient time to implement new products and services, the company will refrain from applying certain rules - such as protection against fraudulent chargebacks for 3D Secure 2.0 transactions - until the date the program is activated.

Activation dates will vary by region. In Europe, where 3D Secure of the first version is already operating almost everywhere, the implementation of version 2.0 is likely to take place in April 2018, but the timing for other markets has not yet been determined.

"The main difference between 3D-Secure 2.0 and the first version is that the decision to confirm the payment transaction will be made on the basis of new parameters. In particular, the data of the device from which the payment is made, browser settings, IP address, e-mail and others will be taken into account. In addition, an intelligent decision mechanism based on the analysis of the user's behavioral activity will be used for authentication

See also: "Mir" has begun testing 3D-Secure 2.0

2014: Visa and MasterCard remove passwords for 3D Secure

Visa and MasterCard announced in November 2014 plans to eliminate the need for password authentication in Verified by Visa and SecureCode platforms, which are designed to add an additional layer of security[2] online transactions[3].

In a press release, MasterCard announced that a feature of the revamped 3D Secure system, which will replace the current system this year, will be to work with "more extensive cardholder data" to reduce password delays in the payment process. If an authentication request is required, MasterCard plans to replace the static password with one-time passwords and fingerprint biometrics. MasterCard is also conducting commercial trials of face and voice recognition applications for use as future authenticators and heart rate authentication bracelets.

Threspost sought clarification from MasterCard about what the company meant by "more extensive cardholder data," but had not received a response at the time of publication.

3D Secure is a card-free payment protocol developed by Visa and implemented by a number of other payment companies. It was designed to address the growing problem of fraudulent purchases made online. When a Verified by Visa and SecureCode user transfers card information to a merchant, the merchant forwards Visa or MasterCard payment information. The payment company sends an iframe, which presents the user with an additional form of password authentication. If the customer enters the correct password, the merchant receives an authorization code for the transaction.

At the same time, the 3D Secure protocol is criticized due to the fact that it requires users to remember the next complex password, as well as for their interface, which is often mistaken for a phishing scheme.

"We all want a payment process that is safe and simple at the same time, not one of the two," said Ajay Bhalla, MasterCard's security president. 'We're going to identify people by who they are, not what they remember. We have to remember too many passwords, it creates additional problems for customers and businesses. "

See also

  • Assist Antifraud is an intelligent fraud prevention system for use in an online store.