The 3-D Secure Protocol



This is a paper I wrote in May 2012 for a course assignment in my Master's Program.


Vlad Petre
Bucharest Academy of Economic Studies, Faculty of Cybernetics, Statistics and Economic Informatics
Master of Science in Information Technology & Communications Security
Date: 20.05.2012

Abstract

In 2001, VISA created a new security protocol called 3-D Secure. Its main purpose was to accelerate the growth of electronic commerce through increased consumer confidence. In a nutshell, 3-D Secure stands for "Three Domain Secure". Today, VISA 3-D Secure is the payment industry's Internet authentication standard.

Keywords: 3-D Secure, VISA, secure, payment, standard.

1. An introduction to the Internet payment systems

Electronic commerce, commonly known as e-commerce or e-business, defines the act of buying and selling products or services over electronic systems like the Internet or any other computer network. With the widespread use of the Internet, the amount of trade conducted electronically has grown exponentially. The majority of electronic commerce platforms typically rely on the World Wide Web. Although a large percentage of electronic commerce transactions involve only virtual goods, such as access to premium content on a website, the vast majority of electronic commerce transactions involve the transportation of physical items in some way.

There are two major forms of electronic commerce: B2B and B2C. The B2B term stands for business-to-business and it describes the electronic commerce transactions that are conducted between businesses. The B2C term stands for business-to-consumer and it describes the electronic commerce transactions that are conducted between businesses and consumers.

In B2C, the majority of online purchases are made with a credit card. Merchants like credit card payments because an instant authorization mechanism guarantees that the credit card is valid. On the other hand, consumers too like paying by credit card because they can easily cancel a transaction in case they change their minds or are not satisfied with the products or services bought.

While some of the credit card payments for online acquisitions are performed by phone, most of the time the payments are quickly made by filling in an electronic form. The credit card information filled in the electronic form and submitted by the user is sent to the bank which issued the card, in order to verify it. If the transaction is successfully approved by the bank, the merchant notifies the customer and continues with the placing of the order. In all this time, the bank will reserve the funds and will initiate the transfer of the money to the merchant within a couple of hours or even days.

The two leading credit card companies in the world today are the competitors VISA and MasterCard. They both operate along similar lines. In fact, as far as most consumers are concerned, there is no real difference between the two. They are both very widely accepted in over one hundred and fifty countries, and it is very rare to find a location that will accept one but not the other. However, in reality neither MasterCard nor Visa actually issues any credit cards themselves. They both represent methods of payment and they rely on banks to do the actual issuing of the credit or debit cards that utilize their payment methods. The business model of Visa and MasterCard relies on charging the retailer for using their payment methods.

Electronic payment systems, in contrast, can be defined as non-credit-card online payment systems. Their goal is to create analogs of checks and cash for the Internet. In order to achieve this, they usually have to implement features like protecting customers from merchant fraud by keeping card numbers unknown to merchants, or protecting the confidentiality of the customers.

Several online payment systems emerged in the last 20 years, like Virtual PIN, DigiCash (or E-Cash), CyberCash/CyberCoin, SET (Secure Electronic Transactions), PayPal, smart cards, etc. Although most of these products are no longer in use, the ideas behind them can be found implemented in other products.

Virtual PIN was launched in 1994 by a company called First Virtual Holding. It was a system for making credit card payments over the Internet without exposing the credit card number to the merchant. It relied on the difficulty of intercepting email and it required no special software for a consumer to make a purchase. Even though no encryption was involved, an eavesdropper could not use a Virtual PIN without being able to intercept and answer the e-mail message confirming the purchase.

DigiCash (also known as E-Cash) was an electronic payment system developed by Dr. David Chaum, who is recognized as the inventor of digital money. The system was based on digital coins (digital tokens). Although the company declared itself bankrupt, the algorithms used in DigiCash are considered fundamental in the development of digital cash.

SET (Secure Electronic Transactions) is an electronic payment protocol for sending money over the Internet. MasterCard, Visa and several other companies developed it as a joint venture. Because it is a standard protocol, it has the advantage of being built into a wide variety of commercial products. However, it never became popular because of the trouble of getting digital wallet software and setting it up for each credit card.

3-D Secure is a payment protocol designed to add an extra layer of security to online credit card and debit card transactions. 3-D Secure takes e-commerce security to a new level. It is a new security standard developed by Visa in 2001. Its main purpose is to safeguard online payment transactions and to mitigate the risk of fraud. Because of its simplicity and success, it was later adopted by MasterCard and JCB International. This new standard is marketed as MasterCard SecureCode, J/Secure and Verified by Visa.

The principle of 3-D Secure is fairly simple. It allows cardholders to authenticate themselves to their card-issuing bank during an online transaction. Basically, it adds an authentication step to online payments. Under certain conditions, merchants have the possibility to shift the responsibility for fraudulent transactions to the bank that issued the card. For 3-D Secure to work, customers first have to sign up with their bank and activate the service. After this, whenever a cardholder visits an online shop that has previously adhered to the 3-D Secure protocol and initiates a payment for a product or a service, 3-D Secure sends the purchase request to the merchant system, thus making sure that the whole payment process is done through this secured protocol.

2. Technical description of the protocol

The most recent version of the protocol is 1.0.2 (version 1.0.1 is discontinued and no longer supported). MasterCard and JCB International have adopted only version 1.0.2 of the protocol.

The protocol exchanges XML-formatted messages over SSL (Secure Sockets Layer). This ensures the authenticity of the server, as well as of the client, by using digital certificates.

The concept of the protocol is to link the authorization process with a form of online authentication. This authentication mechanism is based on a three-domain model (hence the 3-D in the name). These three domains are:
 • Issuer Domain: it represents the bank that issued the card.
 • Acquirer Domain: it is the bank of the merchant to which the money is being transferred.
 • Interoperability Domain: it is the infrastructure provided by the credit card scheme that supports the 3-D Secure protocol. This domain includes the Internet, the ACS (Access Control Server), the MPI (Merchant Plug In), or any other software provider.

The Issuer Domain can be decomposed into several smaller components: Cardholder, Cardholder's Browser, and Issuer. The Cardholder is the customer who wants to shop for an online product or service, and who provides an account name, a card number, and an expiration date. In response to the Purchase Authentication Page, the cardholder provides a password for the authentication process to successfully finalize.

The Cardholder's Browser acts as a way to transport messages between the Merchant Plug In (found in the Acquirer Domain) and the Access Control Server (in the Issuer Domain). The Issuer is usually the bank that issues the credit card. It can determine the cardholder's eligibility to participate in the 3-D Secure payment process, it defines the card number ranges eligible to participate in the 3-D Secure payment process, it provides data about the cards to the Visa Directory Server, and it performs enrollment of the cardholder for each payment card account via an ACS.

The Acquirer Domain can also be decomposed into several smaller components: Merchant, Merchant Server Plug In, and Acquirer. The Merchant usually has a website that handles the user's payment request by obtaining the card number and by invoking the Merchant Plug In in order to conduct the payment authentication. If appropriate, after the payment is successfully authenticated, the merchant's software platform may submit an authorization request to the Acquirer.

The Merchant Plug In (MPI) is a software module that provides a communication interface between the Visa/MasterCard servers and the merchant's servers. It is a flexible component that can be integrated either directly into the merchant's website or hosted by an external service provider / acquirer. The main purpose of the MPI is to verify the card issuer's (bank's) digital certificate used in the authentication process, to validate the enrollment and authentication response messages, to encrypt and store certificates and passwords, and to fetch payment records as well as associated card details in order to resolve transaction conflicts.

The Acquirer is usually a bank too. Only this time, it is the bank of the merchant, and it accepts payment requests with Visa cards. The Acquirer determines the merchant's eligibility to use the 3-D Secure payment protocol. After the payment is successfully authenticated, the Acquirer performs its usual role, like receiving the authorization requests from the merchant and forwarding them to an authorization system (e.g. VisaNet), providing authorization responses back to the merchant, and submitting the completed transaction to the settlement platform (e.g. VisaNet).

The Access Control Server is a component on the card issuer's side. It serves two basic functions. One is to verify whether 3-D Secure authentication is available for a particular card number. The second is to authenticate the cardholder for a specific transaction or to provide proof of an attempted authentication, when authentication is not available.

The Visa Directory Server is operated by Visa. It receives messages from merchants querying for a specific card number, it determines whether a card number is eligible to be used in the 3-D Secure protocol, it directs the request that authenticates the cardholder to the appropriate ACS or responds directly to the merchant, it receives the response from the ACS indicating whether payment authentication is available for the cardholder account, and it forwards the response to the merchant. The Visa Directory Server is a server in the Interoperability Domain. It enables the communications between the software of the merchant and the issuer of the card.

In order to protect the security of the communications between the various entities participating in a 3-D Secure transaction, the protocol requires the following links to be secured using SSL: cardholder-merchant, cardholder-ACS, merchant-Visa Directory, and Visa Directory-ACS.

  enrollment_status  enrollment_message        3-D Secure Payment Available?  Processed?
  Y                  Authentication Available  Yes                            No
  N                  Cardholder Not Enrolled   No                             Yes
  U                  Unable to Authenticate    No                             Yes
  E                  (any error message here)  No                             Yes

Figure 1: Enrollment Message and Status

  VISA ECI  MC ECI  Authentication status  Authentication message                 Description
  05        02      Y                      Authentication Successful              Cardholder was successfully authenticated.
  06        01      A                      Attempts Processing Performed          Authentication could not be performed but a proof of authentication attempt was provided.
  -         -       N                      Authentication Failed                  Cardholder authentication failed. Authorization request shouldn't be submitted.
  07        01      U                      Authentication Could Not Be Performed  Authentication could not be performed due to a technical error or other problem.
  -         -       E                      (any error message here)               An error occurred during the authentication process. Authorization request shouldn't be submitted.

Figure 2: Electronic Commerce Indicator values
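As an added example (not code from the paper or from any 3-D Secure implementation), the routine below shows how an MPI-side decision would apply the two tables above: the enrollment status decides whether 3-D Secure authentication is attempted at all, and the status carried in the signed PARes decides whether the merchant may submit an authorization and which ECI value it carries. The PARes XML and its element names are constructed for illustration, the result of validating the ACS signature is passed in by the caller, and the treatment of status U (authorize with ECI 07 but without 3-D Secure protection) is an assumption the table does not state.

```python
# Added example, not code from the paper: an MPI-side decision routine built on the
# enrollment statuses of Figure 1 and the authentication statuses / ECI values of Figure 2.
from dataclasses import dataclass
from typing import Optional
import xml.etree.ElementTree as ET

# Figure 1: enrollment status -> is 3-D Secure authentication available for this card?
ENROLLMENT_AVAILABLE = {"Y": True, "N": False, "U": False, "E": False}

# Figure 2: authentication status -> (Visa ECI, MasterCard ECI, submit authorization?)
AUTH_OUTCOME = {
    "Y": ("05", "02", True),   # cardholder successfully authenticated
    "A": ("06", "01", True),   # attempt processed, proof of attempt provided
    "N": (None, None, False),  # authentication failed: do not submit authorization
    "U": ("07", "01", True),   # could not be performed; assumption: authorize without 3-D Secure
    "E": (None, None, False),  # error during authentication: do not submit authorization
}

@dataclass
class Decision:
    submit_authorization: bool
    eci: Optional[str]
    reason: str

def pares_status(pares_xml: str) -> str:
    """Read the TX/status field of a PARes (element names assumed for this example)."""
    node = ET.fromstring(pares_xml).find(".//TX/status")
    if node is None or not node.text:
        return "E"  # malformed or missing status: treat as an error, as in Figure 2
    return node.text.strip()

def decide(scheme: str, enrollment_status: str,
           pares_xml: Optional[str] = None, signature_valid: bool = False) -> Decision:
    """Decide whether the merchant may submit an authorization and with which ECI."""
    if not ENROLLMENT_AVAILABLE.get(enrollment_status, False):
        # Figure 1: card not enrolled, processed through the standard authorization path
        return Decision(True, None, "not enrolled: standard authorization")
    if pares_xml is None:
        return Decision(False, None, "enrolled: PARes required before authorization")
    if not signature_valid:
        # the ACS signs the PARes so the cardholder cannot alter it on the way back
        return Decision(False, None, "PARes signature invalid: do not authorize")
    status = pares_status(pares_xml)
    visa_eci, mc_eci, submit = AUTH_OUTCOME.get(status, (None, None, False))
    eci = visa_eci if scheme == "visa" else mc_eci
    return Decision(submit, eci, f"authentication status {status}")

# Constructed sample PARes carrying a successful (Y) authentication
SAMPLE_PARES = ("<ThreeDSecure><Message><PARes><TX><status>Y</status></TX>"
                "</PARes></Message></ThreeDSecure>")
```

Calling `decide("visa", "Y", SAMPLE_PARES, signature_valid=True)` yields an authorization with ECI 05; the same PARes with an invalid signature, or a status of N or E, never reaches authorization.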
3. The network architecture

Figure 3: The architecture of the 3-D Secure protocol

The data flow is as follows:
1. The cardholder browses the merchant's online website. When he decides to buy a product or a service, he initiates the purchase and fills in an online form with the appropriate payment details, including the account number.
2. After the cardholder submits the payment purchase form, the merchant's system creates an XML payment request and sends it to the payment gateway.
3. The payment gateway verifies whether the merchant has previously adhered to the 3-D Secure protocol, as well as the credit card. If the credit card is not 3-D Secure compatible, the merchant's system will initiate the standard authorization process. Otherwise, if the credit card is 3-D Secure enabled, the payment gateway responds with an XML Payment Authentication Request which contains two fields specific to the 3-D Secure protocol: PAReq and AcsUrl.
4. Then, the merchant's platform initiates an HTTP POST Payment Authentication Request back to the cardholder. The cardholder will now see a new inline window in his browser.
5. The cardholder's browser redirects the PAReq message to the issuer's Access Control Server, which authenticates the cardholder. This step is completed in two sub-steps. In the first sub-step, the cardholder's browser initiates an HTTPS request to the ACS. In the second sub-step, the server parses the data and invokes a login page in the cardholder's browser. The cardholder now fills in his password in the browser and returns the data to the ACS.
6. With the received data, the Access Control Server can now authenticate the cardholder's password. Then it can construct the Issuer Authentication Value, and finally it can create an SSL-encrypted and digitally signed Payer Authentication Response. The encryption and the signature ensure that the cardholder cannot modify the content of the message on its way to the merchant's software platform.
7. The Payer Authentication Response is posted by the Access Control Server to the merchant's software platform's URL via the cardholder's web browser.
8. The merchant continues the payment process with an additional request. This additional request is XML-based and it can be either an authorization, a preauthorization or a transaction request. This request must contain the PARes obtained in the previous step.
9. The payment gateway then submits an authorization request to the Acquirer and responds to the merchant with a successful authorization message.
10. Finally, the merchant's software platform parses the XML response received from the payment gateway and shows the cardholder a payment confirmation message.

4. Advantages and disadvantages

The 3-D Secure protocol has many advantages, like:
 • Safety against fraud loss: it provides security for merchants against fraud loss.
 • Reduced fraud risk: with this new technology, loss of payments is drastically reduced.
 • Greater customer contentment: 3-D Secure is proven to provide greater customer satisfaction. Clients are now more comfortable with online payments.
 • More protection: 3-D Secure offers more protection, as the authorization process requires confirmation of the identity and a code from the card issuer.
 • Easy to install by the merchant.
 • Easy to use by the customer.

Although it has many advantages, the 3-D Secure protocol is not perfect. Some of its disadvantages include:
 • Fraudulent phishing: it is very hard for users to differentiate a legitimate "Verified by Visa" inline window from a fraudulent one.
 • Mobile browser incompatibility: currently, mobile browsers present particular problems for 3-D Secure, due to the common lack of certain features such as frames and pop-ups.
 • Little security: in some cases, 3-D Secure ends up providing little security to the cardholder, and can act as a device to pass liability for fraudulent transactions from the bank or retailer to the cardholder.
 • Privacy: 3-D Secure provides less privacy than SET.

5. Conclusions

Although the 3-D Secure protocol is not 100% secure, it is by far one of the best electronic payment protocols in terms of reliability and security. By adhering to the 3-D Secure standard, a merchant will be able to provide a generally safe method for its customers to purchase products or services from its online shop. After analyzing the implementation, as well as its pros and cons, it is no wonder the 3-D Secure protocol has become the industry standard for online credit card payments.