The 3D Secure Era

3-d secure forms one of the most innovative birth in the family of online payments. Ideation and development of the then Arcot Systems, it was deployed successfully first by Visa, with only one Motive: strengthening the security of online payments. Later, it took the name Verified by Visa.

The root of the protocol lies in the idea to link the financial authorization process to an online authentication. This overhead security authentication is based on a three-domain model (hence the name 3-D). The three domains are:

  • Acquirer Domain (the bank and the merchant to which the money is transferred).
  • Issuer Domain (the bank that issued the card in use).
  • Interoperability Domain (the infrastructure provided by the card scheme, credit, debit, prepaid or other type of finance card, to support the 3-D secure protocol). It includes the Internet, MPI, Access Control Server (ACS) and other service providers.

Each 3-D secure version 1 transaction involves two Internet request/response pairs:

VEReq/VERes Verifying Enrollment request/Response PAReq/PARes Payment Request/response

Visa and MasterCard do not license merchants for sending requests to their servers. They isolate their servers by licensing software providers, which go by the name MPI (Merchant Plug-In) providers.

Let us view the process in terms of MasterCard’s SecureCode. The registration for 3D secure includes the bank asking prospect a lot of information about his/her card details, Date of Birth, Aadhar No. or ID Card Number, Billing Address, ATM PIN, etc. The cherry on the cake lies with the next step, where prospect will be asked to create a password; that adds a completely new parity to security.

Let us assume the code is 799876.  Now this is the MasterCard SecureCode.

Now, let’s play out a scenario, a man goes to a petrol pump, fills petrol in car and hands over the card to the attendant to pay for it. Unbeknownst to him, they very quickly take a front/back picture of his card. Because it is night, they ask him for his ID, which he gladly presents, they look at it, and again, not knowing, they are recording every information shown on the ID, via a small camera in their breast pocket (of which he has no clue, or are oblivious).This is the point where his information is compromised.

However, the officials at pump do not have the key to enter: the SecureCode!

By this time, the Interpol is already on the way to catch the fraudster because he failed the 3 D Secure test.


Basic illustration of a 3 D secure transaction