The 3-D Secure protocol was developed by Visa to improve the security of Internet payments. It is designed to allow authentication of cardholders by their issuers at participating merchants.
The objective is to benefit all participants by providing issuers the ability to fully authenticate cardholders during an online purchase, reducing the likelihood of fraudulent usage of Visa cards. It has since been licensed by other card schemes such as MasterCard, JCB and American Express. Each card scheme has its own brand name for 3-D Secure:
| Scheme | 3-D Secure brand name |
|---|---|
| Visa | Verified by Visa |
| MasterCard | SecureCode |
| JCB | J/Secure |
| American Express | SafeKey |
The card holder verification takes place on a server called an Access Control Server (ACS) which is operated by the card issuer. The merchant or payment gateway is not involved in capturing or processing any of the authentication details.
The advantage for merchants is the reduction of “unauthorised transaction” chargebacks. The main advantage for cardholders is that there is a decreased risk of other people being able to use their payment cards fraudulently on the Internet.
With 3-D Secure, the issuing bank prompts the buyer for a password that is known only to the bank and the buyer. Since the merchant does not know this password and is not responsible for capturing it, it can be used by the issuing bank as evidence that the purchaser is indeed their cardholder. This decreases risk in two ways:
- Copying card details, either by writing down the numbers on the card itself or by way of
modified terminals or ATMs, does not result in the ability to purchase over the Internet
because of the additional password, which is not stored on or written on the card. - Since the merchant does not capture the password, there is a reduced risk from security
incidents at online merchants – there is no way for anyone to get the associated password.