Is 3D Secure the solution for on-line card payments? Part II

22 10 2006


I have received some feedback about the post on card payment solutions and one of the things it is important to say is that CAM and CVM are just components of the solution that secures POS (Point of Sale) card payments.

If we look into card payment as a process, we can see its many sub-processes. For example:

– POS card payments, when the payer pays the merchant using a card in a POS as the payment instrument on the merchant premises;

– Online card payments, when the payer uses card information as the payment instrument and authenticates himself using remote solutions;

– ATM operations, where the conditions in which the card is checked and the identity of the holder is authenticated are different because the ATM is a trusted piece of hardware.

If we expand on those, assuming that what we discussed in the last post is just part of the process, we can then talk about the challenges of online card payments.

Since the days of CD Universe, when credit card numbers were stolen from a central database (one of the factors that led that pioneering online CD seller into bankruptcy), things have improved a bit.

It is very difficult to have precise fraud numbers. Credit card companies and banks are not very happy to talk about their losses, mainly because that is a threat to the confidence we put on the payment options they offer us. The fact is that we know the losses are huge, otherwise we would not see such a big investment on fraud identification and control as we see today.

One of the latest solutions to avoid fraud in the online world is 3D Secure, an “enhanced security scheme for online payments” currently being developed by MasterCard and VISA.

What is this all about? 3D Secure is basically a process that uses technology like SSL with client authentication and HTTP redirection as a basis to guarantee payee and payer authentication and to avoid eavesdropping on the payment communication. That way the system would be secure in the sense that a malicious third party could neither impersonate the payer nor capture the payment instrument for replay.

While walking through the message flow of a payment would be a good way of going through the process, it would be too detailed and would probably confuse most readers. It is a long 12-step process, and I can refer you to Professor Chris Mitchell’s MSc lecture notes for the inner workings. The most important and relevant things about 3D Secure are:

– Apart from the bank, the payer and the merchant, a trusted third party (ACS – Access Control Server) is introduced to authenticate the payer and vouch for the payee’s identity. The payer is referred to that ACS and back to the merchant through HTTP redirection (using methods like POST for data transfer).

– As the system uses SSL, it is dependent on an existing PKI. As security professionals we all know the complications that this implies… Also, users must know how to use digital certificates… I bet you all have been through the pain of user awareness before. Do you think it is easy to explain to a 60-year-old lady how to check whether a digital certificate presented to her is false or not?

– It needs a common infrastructure connecting the merchants, banks, brands and ACSs. While communication is not an issue these days, who will pay for it is, as is guaranteeing a minimum level of access to those resources so that fraud can be avoided.
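To make the three-party flow concrete, here is a small simulation I have added for this post; it is not code from the 3D Secure specification or from any card brand. The names of the parties, the message fields and the use of HMAC-SHA256 over a key shared between the ACS and the merchant are all simplifications assumed for the example (the real scheme relies on certificate-based signatures and SSL, and the redirects happen in the payer’s browser rather than as function calls). What it shows is the part that matters to the merchant: the authentication result arrives through the payer’s browser, so the merchant must verify the ACS signature, bind the result to a transaction it actually started, and refuse a second presentation of the same result before it trusts the verdict.

```python
"""Toy simulation of a 3D Secure style redirect-through-the-browser flow.

Added illustration only: parties, message fields and the HMAC "signature"
are simplifications assumed here, not the real 3D Secure message formats.
"""
import hashlib
import hmac
import json
import secrets


def _canonical(msg: dict) -> bytes:
    """Stable byte encoding of everything in a message except its signature."""
    return json.dumps({k: v for k, v in msg.items() if k != "sig"}, sort_keys=True).encode()


class AccessControlServer:
    """The trusted third party: authenticates the payer and vouches for the result."""

    def __init__(self, signing_key: bytes, cardholders: dict):
        self._key = signing_key              # assumption: key shared with the merchant
        self._cardholders = cardholders      # card number -> secret the payer must present

    def authenticate(self, auth_request: dict, credential: str) -> dict:
        """Handle the request the browser was redirected here with (an HTTP POST in practice)."""
        expected = self._cardholders.get(auth_request["pan"])
        ok = expected is not None and hmac.compare_digest(expected, credential)
        result = {
            "txn_id": auth_request["txn_id"],
            "merchant": auth_request["merchant"],
            "amount": auth_request["amount"],
            "status": "Y" if ok else "N",
        }
        # The signature covers every field, so a relayed result cannot be edited in transit.
        result["sig"] = hmac.new(self._key, _canonical(result), hashlib.sha256).hexdigest()
        return result


class Merchant:
    """The payee: starts the transaction and validates what comes back through the browser."""

    def __init__(self, name: str, acs_key: bytes):
        self.name = name
        self._acs_key = acs_key
        self._pending = {}        # txn_id -> amount awaiting an ACS verdict
        self._completed = set()   # txn_ids already settled, used to refuse replays

    def start_payment(self, pan: str, amount: int) -> dict:
        """Build the request the browser will carry to the ACS."""
        txn_id = secrets.token_hex(8)   # unpredictable id ties the result to this attempt
        self._pending[txn_id] = amount
        return {"txn_id": txn_id, "merchant": self.name, "pan": pan, "amount": amount}

    def complete_payment(self, result: dict) -> str:
        """Decide on the ACS result posted back by the browser.

        Nothing in the message is trusted until the signature, the binding to a
        pending transaction and the replay state have all been checked.
        """
        expected_sig = hmac.new(self._acs_key, _canonical(result), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_sig, result.get("sig", "")):
            return "bad-signature"
        txn_id = result["txn_id"]
        if txn_id in self._completed:
            return "replay"
        if txn_id not in self._pending:
            return "unknown-txn"
        if result["merchant"] != self.name or result["amount"] != self._pending[txn_id]:
            return "mismatch"
        self._completed.add(txn_id)
        del self._pending[txn_id]
        return "approved" if result["status"] == "Y" else "declined"


def run_payment(merchant: Merchant, acs: AccessControlServer,
                pan: str, amount: int, credential: str) -> tuple:
    """Play the browser's part: carry the request to the ACS and the result back."""
    request = merchant.start_payment(pan, amount)      # merchant -> browser (redirect to ACS)
    result = acs.authenticate(request, credential)      # browser -> ACS; payer authenticates
    return result, merchant.complete_payment(result)    # browser -> merchant (POST back)


# Constructed sample data for the demonstration (not real card or key material).
SHARED_KEY = b"toy-acs-signing-key"
ACS = AccessControlServer(SHARED_KEY, {"4111111111111111": "correct-horse"})

if __name__ == "__main__":
    shop = Merchant("example-shop", SHARED_KEY)
    signed_result, verdict = run_payment(shop, ACS, "4111111111111111", 4999, "correct-horse")
    print(verdict)                              # approved
    print(shop.complete_payment(signed_result)) # replay: same result presented twice
```

The order of the checks in `complete_payment` is deliberate: the signature is verified before anything else is read, so a result whose status or amount has been altered on its way through the browser is rejected as a bad signature rather than reaching the transaction lookup, and a genuine result is accepted exactly once.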

At the end of the day, online card payments are STILL a complicated thing to do. It is very difficult to put security into mechanisms that were not designed to be secure in the first place, and let’s be honest: the web was not designed to be secure! So what is the solution? E-commerce won’t stop…

It is all about common sense. None of the institutions with an interest in this want to take a step back and pay for the solution, but until they collaborate fraud will remain a major issue. A solution involves the use of mutual multi-factor authentication, simple procedures, training, constant monitoring for system abuse and heavy penalties for those who try to fool the system!

With mutual authentication all parties involved in the transaction know who is who, and that entity authentication is the base of everything else. The way to do it is multi-factor authentication, and the most secure forms of it involve digital certificates. Question mark here: who will develop a widely adopted PKI?

Training has to go hand in hand with simple procedures. Any wide-scale solution should be simple. Why do most people know how to turn on the TV but still don’t know how to program or set the clock on their VCR?

Constant monitoring and heavy penalties also come together. Monitoring is important for improving the system, by identifying errors through audit, but it also sends a message to whoever tries to defraud the system and gets caught. In any system there are usually a small number of people who are responsible for most of the damage. If we deal with them in an efficient fashion we send a message to all who want to “play” with the system. It is part of user education. It is important to say that this requires decent legislation. I wonder if our politicians are ready to build good laws to address this problem.

So, what is the solution to fraud? Common sense… if banks, brands and the financial sector stop creating short-sighted high-technology solutions and address the problem through a multidisciplinary approach (people, process and technology), things are going to start making sense.

God bless us all… 🙂


