All you need to know about the 3D Secure protocol

3D Secure is an XML-based protocol designed to add an extra layer of security to internet payments made with cards. It is mainly intended to reassure the cardholder by providing a sense of security, and to reduce fraudulent transactions made with stolen card details. 3D Secure is operated under the brands Verified by Visa (VBV) and MasterCard SecureCode (MSC).

We need to understand how 3D Secure plays an important role in the payment gateway, because with the growth of online transactions every cardholder expects to initiate a transaction online to pay for their purchase.

Internet Payment

Nowadays the internet plays a vital role in business-to-business and business-to-customer trade, and that trade has grown tremendously over the World Wide Web. Because of this increase in online trade, the majority of customers now intend to purchase online. At the same time, since the products are listed virtually and the customer cannot be sure of their quality, some customers worry about their payment and about getting a refund if they are not satisfied with the product or want to cancel for some other reason. Credit and debit cards help to overcome this concern in the payment industry, and for the merchant they help in another way: the instant authorization mechanism confirms that the card is valid.

Normal workflow of a card payment

In every e-commerce transaction, the payment process follows the steps listed below. Before going through them step by step, we need to know the major parties involved in an e-commerce transaction:

  • Card Holder – The person who holds a credit card and makes the online transaction (the customer of the online Merchant)
  • Issuing Bank – The bank that issued the credit card to the cardholder
  • Merchant – The online trader from whom the cardholder is purchasing
  • Acquiring bank – The merchant's bank, through which the cardholder's card payment is processed

Step 1: The cardholder enters their 16-digit card number along with additional information into the Merchant site's payment gateway
Step 2: The Merchant site submits the data to the Acquiring bank
Step 3: The Acquiring bank verifies the credit card details and authorizes the transaction by communicating with the card's issuing bank
Step 4: The success or failure response is sent back to the cardholder
Step 5: On a periodic basis, all transaction details are balanced by running batches and tallied in case of any mismatch (backend process)

Assume that in this process the cardholder does not use 3DS. He or she can then claim that the transaction was not made by them, because the card was lost or a fraudulent transaction was made, and the bank will most likely believe the cardholder and charge back the money. The amount spent on the online purchase is then taken into consideration under the Merchant fees.

On the other hand, if the Merchant does not use 3DS, the cardholder can claim that the purchase was not actually made by him or her; the bank believes the claim and takes the money directly from the Merchant, and the Merchant is responsible for proving that the transaction is not fraudulent.

3D Secure card payment workflow

To avoid the confusing and problem-ridden situation described above, 3DS was introduced in the early 2000s. For the 3DS implementation, banks are free to choose the cardholder's authentication method in different ways, such as an OTP, a digitally generated token, a device that automatically generates a code, or a message that the cardholder entered when registering their card for 3D Secure. 3DS stands for 3 Domain Server, namely the Issuer Domain, the Interoperability Domain and the Acquirer Domain, and there are 3 parties involved in the 3D Secure process:

  • Merchant – The online trader from whom the cardholder is purchasing
  • Acquiring bank – The merchant's bank, through which the cardholder's card payment is processed
  • Issuing Bank/Card Issuers – VISA and MasterCard

Step 1: The cardholder enters their 16-digit card number along with additional information into the Merchant site's payment gateway
Step 2: The Merchant site checks with the Directory Server (DS) whether the card is registered for 3D Secure; the DS forwards the request to the Access Control Server (ACS), which verifies whether the customer's card details are registered (success or failure) and sends the response back to the DS.
Step 3: The DS returns the success or failure response to the Merchant; if the card is registered for 3D Secure, the Merchant includes the ACS URL and redirects the cardholder to it along with their payment information.
Step 4: The cardholder authenticates at the ACS URL using the authentication method they chose at the time of 3DS registration; if they registered with OTP, the OTP is sent to the cardholder's registered phone number.
Step 5: The cardholder enters the OTP on the issuer bank's authentication page; after authentication, the issuer bank redirects the cardholder back to the Merchant site
Step 6: The Merchant submits the card information and the result of the 3D Secure authentication to its Acquiring bank
Step 7: The Acquiring bank verifies the credit card details and authorizes the transaction by communicating with the card's issuing bank
Step 8: The success or failure response is sent back to the cardholder, and the history of the transaction is captured in the Authentication History Server.
In this process, the cardholder receives an OTP to authenticate the secure payment, which also makes sure that the online payment is made with their consent. On the other hand, the Merchant can confirm that the transaction was made only by a verified customer who has given their consent. In this case, both the cardholder and the Merchant are protected from fraudulent transactions, and the issuing bank takes on some of the responsibility by confirming the cardholder.
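The two workflows above (the normal card payment and the 3D Secure payment) can be modelled end to end. The following simulation is an added example written for this article; it is not code from the article or from any card scheme, and the card numbers, phone number, ACS URL, signing key and message field names are constructed placeholders. It plays the three domains as separate classes: the Directory Server answers the enrollment check (Steps 2 and 3), the Access Control Server challenges the cardholder with a single-use OTP and signs the result (Steps 4 and 5), and the Acquiring bank verifies that signature before authorizing and then decides who carries chargeback liability (Steps 6 to 8). An HMAC stands in for the ACS's real signature; the point it demonstrates is that the authentication result passes back through the cardholder's browser, so the acquirer must verify it rather than trust it.

```python
"""Added simulation of the non-3DS and the 3DS card-payment flows (not the article's code)."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Optional

# Constructed sample data (not real accounts): both cards are valid; only the first is 3DS-enrolled.
VALID_CARDS = {"4111111111111111", "5555555555554444"}
ENROLLED_CARDS = {"4111111111111111": "+00-000-0000"}   # card -> registered phone (placeholder)
ACS_URL = "https://acs.issuer.example/auth"              # hypothetical ACS endpoint
ACS_SIGNING_KEY = b"constructed-key-shared-by-acs-and-acquirer"  # stand-in for the ACS signing key


def _sign(pan: str, txn_id: str, status: str) -> str:
    """HMAC over the authentication result; stands in for the real ACS signature."""
    msg = f"{pan}|{txn_id}|{status}".encode()
    return hmac.new(ACS_SIGNING_KEY, msg, hashlib.sha256).hexdigest()


class DirectoryServer:
    """Interoperability domain: answers the merchant's enrollment check (Steps 2-3)."""

    def verify_enrollment(self, pan: str) -> Dict:
        if pan in ENROLLED_CARDS:
            return {"enrolled": True, "acs_url": ACS_URL}
        return {"enrolled": False, "acs_url": None}


class AccessControlServer:
    """Issuer domain: challenges the cardholder with an OTP and signs the result (Steps 4-5)."""
    MAX_ATTEMPTS = 3

    def __init__(self) -> None:
        self._pending: Dict[str, list] = {}   # txn_id -> [pan, otp, attempts left]

    def start_challenge(self, pan: str, txn_id: str) -> str:
        otp = f"{secrets.randbelow(10**6):06d}"   # six-digit, single-use OTP
        self._pending[txn_id] = [pan, otp, self.MAX_ATTEMPTS]
        # A real ACS sends this to ENROLLED_CARDS[pan] by SMS; returned here only to drive the simulation.
        return otp

    def verify_otp(self, txn_id: str, submitted: str) -> Dict:
        entry = self._pending.get(txn_id)
        if entry is None:                        # unknown, locked or already-used challenge
            return {"pan": "", "txn_id": txn_id, "status": "N", "signature": ""}
        pan, otp, _ = entry
        if hmac.compare_digest(otp, submitted):
            del self._pending[txn_id]            # an OTP cannot be replayed
            return {"pan": pan, "txn_id": txn_id, "status": "Y", "signature": _sign(pan, txn_id, "Y")}
        entry[2] -= 1
        if entry[2] == 0:
            del self._pending[txn_id]            # lock the challenge after repeated wrong guesses
        return {"pan": pan, "txn_id": txn_id, "status": "N", "signature": _sign(pan, txn_id, "N")}


class AcquiringBank:
    """Acquirer domain: authorizes the payment and decides who carries chargeback liability (Steps 6-8)."""

    def authorize(self, pan: str, amount: int, auth_result: Optional[Dict]) -> Dict:
        if pan not in VALID_CARDS or amount <= 0:
            return {"approved": False, "liability": None}
        if auth_result is None:
            # Non-3DS flow: authorized, but a fraud chargeback lands on the merchant.
            return {"approved": True, "liability": "merchant"}
        # The result came back through the cardholder's browser: verify it before trusting it.
        expected = _sign(auth_result["pan"], auth_result["txn_id"], auth_result["status"])
        if auth_result["pan"] != pan or not hmac.compare_digest(expected, auth_result["signature"]):
            return {"approved": False, "liability": None}   # tampered or mismatched result
        if auth_result["status"] != "Y":
            return {"approved": False, "liability": None}   # cardholder failed authentication
        return {"approved": True, "liability": "issuer"}    # authenticated: liability shifts to the issuer


def merchant_checkout(pan: str, amount: int, cardholder: Callable[[str], str], use_3ds: bool = True) -> Dict:
    """Merchant-side orchestration of one payment. `cardholder` plays the customer: it
    receives the OTP the ACS 'sent' and returns whatever the customer types in."""
    ds, acs, acquirer = DirectoryServer(), AccessControlServer(), AcquiringBank()
    if not use_3ds:                                   # Steps 1-4 of the normal workflow
        return acquirer.authorize(pan, amount, None)
    enrollment = ds.verify_enrollment(pan)            # Steps 2-3
    if not enrollment["enrolled"]:
        return acquirer.authorize(pan, amount, None)  # fall back to the normal workflow
    txn_id = secrets.token_hex(8)
    sent_otp = acs.start_challenge(pan, txn_id)       # Step 4: ACS challenges the cardholder
    result = acs.verify_otp(txn_id, cardholder(sent_otp))   # Step 5: cardholder answers
    return acquirer.authorize(pan, amount, result)    # Steps 6-8


if __name__ == "__main__":
    print(merchant_checkout("4111111111111111", 100, lambda otp: otp))                 # approved, issuer liable
    print(merchant_checkout("4111111111111111", 100, lambda otp: "xxxxxx"))            # declined
    print(merchant_checkout("4111111111111111", 100, lambda otp: otp, use_3ds=False))  # approved, merchant liable
```

Running the three calls at the bottom shows the liability outcome the article describes: an authenticated 3DS payment is approved with the issuer liable, a wrong OTP is declined, and the same card paid without 3DS is approved with the merchant liable. The OTP is single-use and locked after three wrong guesses, and a result whose status has been altered in transit fails the acquirer's signature check.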

The advantages of 3D Secure

1. The consumer can feel comfortable spending money on online purchases in a secure way
2. The Merchant does not need to handle chargebacks, as the transaction has already been verified by the bank and the cardholder
3. Responsibility for a fraudulent transaction can be taken on by the bank, as it has already been verified by both the cardholder and the Merchant before the payment is processed

The disadvantages of 3D Secure

1. Sometimes the Merchant needs to pay an additional cost to access the 3D Secure directory
2. The additional verification step (in some cases, if the cardholder chose a method other than OTP for 3D Secure)
3. Loss of the phone or a change of number, which delays the transaction further, as the cardholder is not allowed to update their new contact number online and must follow a lot of manual processes to get it updated
4. The limited ability to perform frictionless authorization based on dynamic risk scoring
To overcome these disadvantages of 3DS and allow the issuer to approve a transaction without cardholder interaction (the frictionless flow), 3DS 2.0 was published in January 2015; it will be discussed in the next article.

Authored By - Ranjani Jeyapal
TCS Cyber Security Practice

