

31 August 2022 | December 15th, 2023

How can credit and debit card issuers know that the person entering the details is actually the person who has the card? This has been one of the most difficult areas of card security, and ever since the early days of credit cards the copying of details has caused significant security issues.

Step forward 3-D secure, a part of the response to the ever-increasing threat of card fraud.

In this article, we cover:

  • The history of 3-D secure

  • How it works

  • Benefits of 3-D secure

  • Problems with 3-D secure

  • Alternatives to 3-D secure

  • Making online transactions safer


The history of 3-D secure

3-D secure isn’t a new concept. In fact, it has been around since the turn of the century.

Originally, the system was developed by Celo Communications AB (later Thales) on behalf of Visa, and the authentication method went through a number of different iterations (and names) until it finally entered the market as Verified by Visa.

The protocol has been widely adopted over the years by some of the best-known names in card issuing, including Mastercard as SecureCode, JCB International as J/Secure, and American Express as American Express SafeKey.

Development over the years has continued with version 2 of the protocol being published in 2016 with the aim of complying with new EU authentication requirements.


How 3-D secure works

The aim of the protocol is to combine physical card features with online information to provide a more secure transaction processing arrangement.

This additional security authentication is designed to operate across three domains, which gives rise to the “3-D” in the name.

The system links three domains: the merchant acquirer domain (the bank and the merchant to which the money is being paid), the card issuer domain and the interoperability domain.

When the merchant initiates a transaction, the protocol typically redirects the web page to a service page like Verified by Visa. The customer then completes the transaction by entering into the form information (a password or PIN) that is only known to the card issuer. Information is passed securely through the protocol between the card issuer and ultimately the customer using XML.

To most customers, the protocol section simply shows as a separate page (like Verified by Visa or SecureCode) but is still branded by the merchant. To all intents and purposes, they never leave the web page.
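
The three-domain exchange described above, sketched as an added example (not code from the original article or from any card scheme). The element names `authRequest` and `authResult`, the class names and the prefix-based routing table are hypothetical simplifications, and the real protocol's message formats and message signing are not modelled. It shows the property the section relies on: the password goes only from the cardholder to the issuer, while the merchant handles just the request and the XML result.

```python
import hashlib, hmac, os
import xml.etree.ElementTree as ET

def kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Issuer:
    """Issuer domain: the only party able to check the cardholder's password."""
    def __init__(self):
        self._enrolled = {}  # card number -> (salt, password hash)
    def enrol(self, pan, password):
        salt = os.urandom(16)
        self._enrolled[pan] = (salt, kdf(password, salt))
    def authenticate(self, request_xml, entered):
        req = ET.fromstring(request_xml)
        res = ET.Element("authResult", txn=req.get("txn"), status="failed")
        record = self._enrolled.get(req.findtext("pan"))
        if record and hmac.compare_digest(record[1], kdf(entered, record[0])):
            res.set("status", "authenticated")
        return ET.tostring(res, encoding="unicode")

class Merchant:
    """Merchant/acquirer domain: sends the request, only ever sees the result."""
    def __init__(self):
        self.seen = []  # every message this domain handled
    def build_request(self, txn, pan):
        req = ET.Element("authRequest", txn=txn)
        ET.SubElement(req, "pan").text = pan
        self.seen.append(ET.tostring(req, encoding="unicode"))
        return self.seen[-1]
    def accept(self, txn, result_xml):
        self.seen.append(result_xml)
        res = ET.fromstring(result_xml)
        # Only trust a result issued for this exact transaction.
        return res.get("txn") == txn and res.get("status") == "authenticated"

def checkout(merchant, directory, txn, pan, typed_password):
    """Plays the cardholder's browser, carrying messages between the domains."""
    request_xml = merchant.build_request(txn, pan)
    issuer = directory.get(pan[:6])  # interoperability domain: route by prefix
    if issuer is None:
        return False  # no issuer can vouch for this card
    result_xml = issuer.authenticate(request_xml, typed_password)
    return merchant.accept(txn, result_xml)

def demo():
    issuer, merchant = Issuer(), Merchant()
    issuer.enrol("4000000000000002", "correct horse")  # constructed card and password
    ok = checkout(merchant, {"400000": issuer}, "t1", "4000000000000002", "correct horse")
    return ok, any("correct horse" in m for m in merchant.seen)
```

`demo()` returns whether the checkout was authenticated and whether the password appears in any message the merchant handled.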


Benefits of 3-D secure

The first benefit is that it stops people from conducting transactions by copying card details, whether that is by hand or using an electronic device.

The cardholder has a password that is only known to them and the merchant, so even if the user enters all of the card details they will still need to know this password.

3-D secure also reduces security incidents at online merchants as the merchant isn’t responsible for collecting or passing on the password. That way, staff at the merchant can’t intercept the card details and carry out fraudulent transactions or pass them on to someone who will.


Problems with 3-D secure

The first issue that merchants report regarding 3-D secure is that it adds another step into the checkout process. It’s well known that any form of friction in the buying process leads to abandoned carts, a complete no-no in the world of online sales.

Unfortunately, the great work done on consumer education with regard to security has proved to be a double-edged sword. Consumers have always been told to be wary when a website redirects them to an unfamiliar payment page, which of course is exactly the point of 3-D secure!

It’s also important to remember that it is only usable on online payment sites, so payments in the field with a card machine can’t use the protocol.

There is also an added compliance and technical burden on the merchant as they have to ensure that their website and sales practices accord with the rules of the protocol and work with the enabling systems.


Alternatives to 3-D secure

3-D secure has worked well in terms of reducing fraudulent transactions, but it isn’t the complete answer.

As mentioned previously, consumer education plays a big part here, and if cardholders can be helped to make the right choices with regard to security, this will go a long way towards improving the environment.

As we noted above, 3-D secure doesn’t work with card machines, so consumers should look for businesses like tapeeno that are fully compliant with the PCI certification scheme.

The highly secure software used in the tapeeno service is PCI certified to the latest CPoC standards (Contactless Payments on COTS (Commercial off-the-shelf)). Using the right tool for the right occasion is the way forward.


Making online transactions safer

Without a doubt, 3-D secure has made online payments a safer space.

The secure checking of information at arm’s length means that acquirers are able to ensure that the card user is in fact the cardholder and is entitled to make the payment.

It also helps to reduce the number of chargebacks that merchants experience, meaning that they can send out high-value orders with confidence.

But it is by no means a perfect solution, and the higher level of cart abandonment seen by merchants means that there is always a trade-off between security and sales.

And of course, it is not a protocol that can be used if the merchant is out in the field taking orders using a SoftPOS app like tapeeno.

So in summary, 3-D secure is a useful tool (but by no means the only one) in the box of online security.