Today, more than ever, people around the world are turning to credit, debit and pre-paid cards for their online shopping needs. As ecommerce picks up pace in the developing markets, so does the thirst for means to pay. With every benefit there generally comes a risk, and ecommerce and the payment means it uses are no different. There are thousands upon thousands of people who make a full-time living out of exploiting the risks of such payment systems. Over the years, the techniques used have become ever more sophisticated, from very detailed phishing websites and card skimmers on ATM and POS machines to full-on attacks on banks and processors that compromise your card's security.
A customer-created solution that seems to be gathering pace of late is the adoption of lower-value “online-only” prepaid cards. Customers reload their prepaid cards with just enough funds to use online, without exposing much of their wealth to unscrupulous people who are ready to exploit it. While this movement is gaining momentum, it does not fully address the risks that a normal signature-based or PIN-based card presents.
The challenge has always been this: how do you authenticate a cardholder's online ecommerce transaction? The traditional PIN that cardholders are used to entering at the ATM unfortunately cannot be used online. The traditional PIN relies on closed-loop cryptography that requires a set of secure keys to be installed at both the sending and the receiving end, a challenge when you consider that every internet-enabled device in the world can become an ecommerce terminal for a transaction. Apart from this, the Expiry Date and CVV2/CVC2 controls really do not provide much of a challenge for the experienced fraudster, who could so easily have taken a picture of your card or memorized the digits at a glance.
Fortunately, and surprisingly, the solution to protecting your transaction online in a globally acceptable and secure way has been around since 2001. It is called 3-D Secure. 3-D Secure is an additional layer of authentication for all ecommerce transactions. At the heart of it, 3-D Secure is an XML-based protocol developed by Visa Inc that brings together 3 transactional domains for the purpose of authenticating a transaction: the Issuer (your bank, where you got your card), the Acquirer (the bank that has issued the terminal where you are transacting) and the Interoperability domain (your interchanges and brands such as Visa Inc, MasterCard Worldwide etc.). Visa Inc was the first organization to go live with the 3-D Secure model with their Verified by Visa service, often abbreviated as VbV. MasterCard soon followed with their own implementation of it, tagged SecureCode.
So how does it all work? To have a transaction occur in a 3-D Secure environment you need all 3 domains to be participating in the programme. You must have a brand that supports 3-D Secure based services (such as Visa or MasterCard), you need an ecommerce merchant (a website) that participates in the programme and can accept 3-D Secure transactions, and you need a cardholder whose bank supports the programme and who has also enrolled in it. Should the merchant, or the cardholder, not be a participant, then the transaction would go the route of a normal “any other” transaction.
How does the experience change for the cardholder? For a cardholder, the first part of 3-D Secure involves an “Enrolment” process. Once your bank starts providing these services, there might be a mandatory or optional enrolment that is processed online. Generally this involves a secure page that the customer must visit, enter a few essential details together with the card details, and enrol themselves. It is at this point that the cardholder creates a secret token, in most cases a password, to use online on 3-D Secure enabled ecommerce websites. Some banks prefer the Activation During Shopping (ADS) option. When the customer visits a 3-D Secure enabled website and wants to make a payment there, he or she is redirected to the bank's website to enrol, create the secure token and continue shopping once done. Token management is left to the banks, who decide how long a token is valid for. For example, some banks have a token that is created once and doesn’t change unless the cardholder requests it, others enforce a token change every set number of days or months (added security), while others create a one-time token that only lasts a couple of minutes and is sent securely to the cardholder for use during that short transaction period (maximum security, albeit a little cumbersome).
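The three token lifetimes described above, together with the participation check from the previous paragraph, sketched as an added example that is not part of the original article or of any bank's or card brand's code. The record layout, the function names, and the 90-day and 3-minute lifetimes used when calling it are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

DAY = 86400  # seconds

@dataclass
class Token:
    """Issuer-side record of a cardholder's secret (hypothetical schema)."""
    salt: bytes
    digest: bytes
    issued_at: float
    max_age: Optional[float]  # None = static, valid until the cardholder changes it
    single_use: bool = False
    used: bool = False

def _hash(secret: str, salt: bytes) -> bytes:
    # Keep only a salted, slow hash of the secret, never the secret itself.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def issue(secret, now, max_age=None, single_use=False):
    salt = os.urandom(16)
    return Token(salt, _hash(secret, salt), now, max_age, single_use)

def verify(tok, presented, now):
    """Return (ok, reason). Expiry and reuse are checked before the secret."""
    if tok.max_age is not None and now - tok.issued_at > tok.max_age:
        return False, "expired"
    if tok.single_use and tok.used:
        return False, "already used"
    # Constant-time comparison avoids leaking how much of the digest matched.
    if not hmac.compare_digest(tok.digest, _hash(presented, tok.salt)):
        return False, "mismatch"
    if tok.single_use:
        tok.used = True  # burn the one-time token on first success
    return True, "ok"

def route(brand_supports, merchant_participates, cardholder_enrolled):
    """All three domains must participate, otherwise it is a normal transaction."""
    if brand_supports and merchant_participates and cardholder_enrolled:
        return "3ds-authenticate"
    return "normal"
```

A static token is `issue(pw, now)`, a rotating one is `issue(pw, now, max_age=90 * DAY)`, and a short-lived one-time token is `issue(code, now, max_age=180, single_use=True)`.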
So what does this all mean? The bottom line is: if you want your card transaction to be secured and protected against fraud, and want to drastically decrease your risk and liability, then 3-D Secure is for you. When shopping around for cards out there in the market from all the banks that are so eager to sell to you – be mindful. Evaluate the product well and ensure the bank is providing you the 3-D Secure difference. If your existing bank does not offer 3-D Secure yet, you’d better start knocking on their doors and waking them up. Do not wait for the liability and fraud to come to you – prepare yourself, secure yourself.