Online acquiring "for dummies"

Father

Good day, carders!

With this article I want to shed some light on Internet acquiring in general: what it is and how it works.
Purpose of the article: general education.

E-commerce is an area of the economy that includes all financial and commercial transactions carried out using computer networks, and the business processes associated with conducting such transactions.
E-commerce includes:

• Electronic data interchange (EDI)
• Electronic funds transfer (EFT)
• Electronic trade (e-trade)
• Electronic money (e-cash)
• Electronic marketing (e-marketing)
• Electronic banking (e-banking)
• Electronic insurance services (e-insurance)

Business schemes:

1) B2B or business-to-business
One enterprise trades with another enterprise. B2B is one of the most promising and actively developing areas of e-commerce today. An example of a B2B transaction is the sale of site templates to companies for later use as the basis for the design of the company's own web resource.

2) B2C or business-to-consumer
Here the company trades directly with the client (an individual rather than a legal entity). Examples of this type of trade are traditional online stores and social commerce, i.e. sales of goods and services in social networks.

3) C2C or consumer-to-consumer
Transactions between two consumers, neither of whom is an entrepreneur in the legal sense of the word. As a rule, commerce under the C2C scheme takes place on online auction sites.

Internet acquiring is the general term for accepting payment card transactions over the Internet through a purpose-built web interface. As a component of e-commerce, it is the activity of a credit institution (the acquiring bank) that settles with e-commerce merchants for transactions made with bank cards on the Internet. Merchants are normally connected to the acquiring bank with the technical support of service providers, which secure payments using the 3-D Secure authentication protocol and SSL and are responsible for fraud monitoring of the transactions made in the online store. To pay through this system you need a bank card whose account can be used to pay for goods and services not only on the Internet but also in physical stores.

Advantages of using it:

For organizations:
• Global scale
• Cost reduction
• Improved supply chains
• Business is always open (24/7/365)
• Personalization
• Faster time to market for goods
• Low-cost distribution of digital products

For consumers:
• Ubiquity
• Anonymity
• Large selection of goods and services
• Personalization
• Cheaper products and services
• Fast delivery
• Electronic socialization

For society:
• A wide range of services provided (for example, education, healthcare, public utilities)
• Improved standard of living
• Improved national security
• Reduced digital divide
• Online sales/ordering of goods and services reduces car traffic and environmental pollution

Disadvantages:
For organizations:
• Possible doubts among the parties as to whether a given project really belongs to the company (the negative side of anonymity)
• Some difficulty in maintaining and legalizing the company's online activities

For consumers:
• Consumer distrust of services sold via the Internet
• Inability to "touch" the product with your hands
• Waiting for delivery of purchased products

For society:
• An attractive platform for fraud (lowering the level of network security)
• Displacement of offline commercial businesses from the market

For the state:
• Shortfall in tax payments to the state budget when "gray" accounting schemes are maintained

Market participants:
1. Buyer. A customer who has a computer with a web browser and Internet access.
2. Issuing bank. The buyer's current account is held here. The issuing bank issues the cards and guarantees the client's financial obligations.
3. Sellers. E-commerce servers that maintain product and service catalogs and accept customer purchase orders.
4. Acquiring banks. Each seller has a single bank where it keeps its current account (Alfa-Bank, Rosbank, VTB 24, Raiffeisenbank, TransCreditBank). The acquiring bank must have its own processing center.
5. Internet payment system. Electronic components that serve as intermediaries between the other participants.
6. Traditional payment system. A set of financial and technological tools for servicing a given type of card: it ensures that cards can be used to pay for goods and services, to use banking services, to make offsets, etc. (Visa Int., MasterCard Worldwide, Diners Club, Amex, JCB and China UnionPay).
7. Payment system processing center. An organization that provides information and technological interaction between participants of a traditional payment system.
8. Settlement bank of the payment system. A credit institution that performs mutual settlements between payment system participants on behalf of the processing center.

Acquiring scheme:
1. The customer makes a purchase in an online store.
2. When choosing to pay for an order with a plastic card, the client is redirected to the Provider's authorization page and enters payment details.
3. The provider forms an authentication request and sends the client to the issuing bank's authentication system (ACS).
4. After authentication, the Provider sends the information for the authorization request to the Processor.
5. The processor sends a request for authorization of the transaction to the international payment system.
6. Depending on the authorization result, the Processor generates a message to the Provider about the operation or refusal.
7. The Provider informs the Online Store and the client about the results of the operation.
8. Depending on the result of the operation, the online store makes a sale or cancels the order.
9. The processor sends the clearing file for settlement to the Settlement Bank.
10. The Settlement Bank transfers the reimbursement for completed transactions to the online store's account.
11. The final report for the reporting period is sent.
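As an added illustration (not code from the original post), a small Python model of steps 4 through 11 of the scheme above: it shows why only approved and captured authorizations reach the clearing file, how the settlement bank's period report is built, and how the back office reconciles the file against the store's own records. The fee rate, the response code "00" standing for "approved", and the order ids are assumptions.

```python
"""Added example (not from the original post): a simplified model of steps 4-11 of
the acquiring scheme above: authorization, sale/cancel by the store, the clearing
file sent to the settlement bank, and the period report. Names, response codes and
amounts are constructed for illustration."""
from dataclasses import dataclass, field
from decimal import Decimal

MERCHANT_FEE = Decimal("0.025")   # acquirer's fee; constructed, not a real tariff


@dataclass
class Authorization:
    auth_id: str
    order_id: str
    amount: Decimal
    approved: bool
    captured: bool = False        # set when the online store completes the sale


@dataclass
class Processor:
    """The processor's view of one reporting period."""
    authorizations: dict = field(default_factory=dict)

    def authorize(self, auth_id, order_id, amount, response_code):
        """Steps 5-6: the payment system answers with a response code; '00' stands in
        for 'approved', anything else is a refusal."""
        auth = Authorization(auth_id, order_id, Decimal(amount), response_code == "00")
        self.authorizations[auth_id] = auth
        return auth

    def store_decides(self, auth_id, ship):
        """Step 8: the store completes the sale (capture) or cancels the order.
        A refused authorization can never be captured."""
        auth = self.authorizations[auth_id]
        if not auth.approved:
            return "cancelled"
        auth.captured = ship
        return "sale" if ship else "cancelled"

    def clearing_file(self):
        """Step 9: only approved *and* captured transactions go to settlement."""
        return [(a.auth_id, a.order_id, a.amount)
                for a in self.authorizations.values() if a.approved and a.captured]


def settle(clearing):
    """Steps 10-11: the settlement bank pays the store gross minus fee, and the
    period report carries the totals."""
    gross = sum((amt for _, _, amt in clearing), Decimal("0"))
    fee = (gross * MERCHANT_FEE).quantize(Decimal("0.01"))
    return {"transactions": len(clearing), "gross": str(gross),
            "fee": str(fee), "net": str(gross - fee)}


def reconcile(processor, store_sales):
    """Back-office check: every cleared order must match an order the store
    recorded as sold, and vice versa. Returns the mismatches as (order, amount)."""
    cleared = {oid: str(amt) for _, oid, amt in processor.clearing_file()}
    return sorted(set(cleared.items()) ^ set(store_sales.items()))
```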

As part of Internet acquiring, service providers offer a wide range of services for e-commerce businesses:

— Personal account.
— Virtual terminal: a program for authorizing payments via the Internet in real time, installed on the computer of an online or offline store.
— A complete set of fraud prevention methods:
  - formation of an authorization request or transfer of a file of financial transactions to the acquirer for further settlement;
  - formation of chargebacks;
  - internal fraud detection and protection tools.
— Multi-currency payments.
— 24/7 customer and technical support.
— Competitive cost reduction policy.
— Security standards.
— High level of service.
— Development of relationships with companies providing additional services to increase customer loyalty.

Fraud

In information technology, fraud means unauthorized actions and the unauthorized use of resources and services in communication networks.

Fraud and credit cards

Carding is a type of fraud in which a transaction is made with a payment card or its details without being initiated or confirmed by the cardholder. Card details are usually obtained from hacked servers of online stores and payment and settlement systems, or from personal computers (directly or through Trojans and worms). Liability for such fraud lies with the seller if it does not use 3-D Secure.

Phishing (from the English "fishing") is the creation by fraudsters of a site the user will trust, for example one resembling the user's bank site, through which payment card details are stolen.

Skimming (from the English "skim", as in skimming off the cream) uses a skimmer, an attacker's tool for reading, for example, the magnetic track of a payment card. A set of skimming devices is used to carry out this fraud:

A skimmer, a tool for reading the magnetic track of a payment card, is a device installed in the card reader of an ATM or in the card reader at the entrance door to the customer service area of a bank branch. It consists of a magnetic read head, an amplifier-converter, memory and an adapter for connecting to a computer. Skimmers can be portable or miniature. The main idea and task of skimming is to read the necessary data (the track contents) from the card's magnetic stripe for subsequent reproduction on a counterfeit card. As a result, when a transaction is performed with the counterfeit card, the authorization request and the debit for the fraudulent transaction are made against the account of the original, "skimmed" card. Skimmers can store the stolen card data or transmit it by radio to intruders located nearby. After copying the data from the card, fraudsters make a duplicate of the card and, knowing the PIN, withdraw all the money within the issuer's limit, both in Russia and abroad.

A video camera installed on an ATM and pointed at the keypad, disguised as part of the ATM's visor or as an extraneous overlay such as advertising material, is used together with a skimmer to obtain the holder's PIN, which allows cash to be withdrawn at ATMs with a fake card (having the track data and PIN of the original).

These devices are powered by autonomous energy sources (miniature batteries) and, to make detection harder, are usually made and disguised to match the color and shape of the ATM.

Fraud and GSM

GSM Fraud options

1) When a client subscribes to some content, a very high cancellation fee is written into the contract for a nominal charge to the client, and then everything possible is done to make the client decide to cancel.
2) Non-repayment on SIM cards with credit tariff plans.
3) Issuing SIM cards against lost documents so that the SIM cards obtained can be used abroad in roaming. The local operator sends the invoices for calls to the operator that issued the SIM card with some delay, and in the meantime pays for the calls itself.
4) Outright deception, when the caller says that by transferring a small amount to his phone you are helping a relative who has been in an accident or is in some other difficult situation.
5) A paid service with an SMS payment method can be opened. At the same time, it is technically possible to obtain a negative balance on a SIM card with a debit tariff plan.
6) Exceeding the limit on the number of SMS requests sent, owing to the technical capabilities of the OSS platform, so that the subscriber receives the ordered services without actually paying for them.

The International Association of GSM Network Operators has developed its own classification for fraud crimes:

Access Fraud — unauthorized use of cellular communication services due to fictitious or unintentional interference, manipulation or reprogramming of cell phone numbers ESN (Electronic Serial Number) and/or MIN (Mobile Identification Number). This method is available on networks without authentication.

Stolen Phone Fraud — unauthorized use of a stolen or lost cell phone. This method works until the owner notifies the company and the company blocks access from the stolen phone.

Subscription Fraud — entering incorrect data when entering into a contract, using services on credit with the intention of not paying for them.

Contractual and legal aspect

An acquiring agreement is a legal document under which a trade and service company is required to operate both in accordance with the current legislation and according to the rules established by payment systems and the acquiring bank. The main requirements for this agreement are defined in the rules of the payment systems (for example, the specialized section of the Visa International Operating Regulations), but acquirers have the right to change both the form and the content of such agreements.

Connecting Internet acquiring services:

— The online store contacts a service provider (electronic payment system): Assist, Moneyonline, etc.
— Having selected one of these providers, the online store registers on its website: it fills out the registration form, indicates that it intends to accept plastic cards for payment, and chooses which bank it will be served by from the proposed list of banks offering this service.
— The service provider sends the connection request to the bank.
— The bank processes the request and contacts the online store using the contact information specified in it.
— The online store goes through all the stages leading up to signing the contract.
— As a result, the online store signs an agreement for Internet acquiring and starts accepting plastic cards for payment via the Internet.

Security technologies for electronic online payments using plastic cards

SSL protocol (Secure Socket Layer) + 3-D Secure protocol

3-D Secure is an XML protocol that is used as an additional layer of security for online credit and debit card payments, as well as for two-factor user authentication. It was developed by Visa to improve the security of online payments and offered to customers as the Verified by Visa (VbV) service. Services based on this protocol have also been adopted by MasterCard, under the name MasterCard SecureCode (MCC), and by JCB International, as J/Secure. 3-D Secure adds another authentication step for online payments.

3-D Secure should not be confused with the CVV2 code, which is printed on the back of the card.

3-D Secure is a trademark of VISA Corporation.

Three-domain system:

The 3-D Secure model is built on three domains in which transactions are generated and verified:

• The Issuer's domain, which includes the cardholder and the bank that issues the cards.
• The Acquirer's domain, which includes the acquiring bank and its clients (online merchants).
• The interaction domain, which contains the elements that make it possible to conduct transactions between the other two domains; it mainly consists of the card associations' networks and services.

Domains are independent in their rights and are an important part of the information transfer process in the common 3-D Secure infrastructure. Each domain has its own scope of responsibility for conducting transactions:
• In the Issuer's domain, the issuing bank is responsible for authenticating the buyer and providing correct information for conducting the transaction.
• In the Acquirer's domain, the online merchant is responsible for the commercial relationship with the buyer and for ensuring that the buyer has been referred to the correct issuing bank for verification. In the same domain, the acquirer is responsible for coordinating the transaction through the traditional Visa or MasterCard networks.
• In the interaction domain, the Visa or MasterCard payment system is responsible for keeping information about each issuer (the cardholder's bank, the issuer's Internet address) and providing this information for decision-making in case of disputes.
• The 3-D Secure model provides a standard inter-domain communication protocol for exchanging and verifying transactions. It does not change the relations between the participants within the same domain:
• The merchant and acquirer are free to choose any method of conducting their transactions and to manage relations in their domain.
• Issuers are free to choose any preferred mechanism for cardholder authentication.

The 3-D Secure architecture implements a set of dedicated servers to serve the transaction flow during its lifecycle:

• In the Issuer's domain, the Access Control Server (ACS) is responsible for managing the authentication process between the buyer and the issuer and guarantees payment transactions for the merchant.
• In the Acquirer's domain, the Merchant Plug-In (MPI) server manages the flow of transactions between the Visa/MasterCard infrastructure, the cardholder's infrastructure and the payment infrastructure created by the acquirer.
• In the interaction domain, the Visa/MasterCard Directory Server keeps information about the process participants. In the same domain, the Visa/MasterCard Authentication History Server (AHS) securely stores information on all transactions and guarantees its availability in case of disputes.
• In the Issuer's and Acquirer's domains, host systems take part in reconciling transactions in the bank's back office to ensure clearing offsets between participants for the subsequent transfer of funds.
• Under the 3-D Secure protocol, issuers are now responsible for authenticating cardholders!

— The buyer, having selected a product in the online store, clicks the "Pay" button.
— The buyer's browser is redirected to the payment system's page, where the buyer enters the card details.
— The payment system's server checks whether this card is enrolled in 3-D Secure. If it is, the buyer's browser is redirected to the website of the card's issuing bank. If it is not enrolled, the payment can be made using the MIA SET protocol.
— Let's assume that the card is enrolled in 3-D Secure. The buyer arrives at the issuing bank's website and is authenticated; the method of authentication is determined by the issuing bank.
— On successful authentication, the issuing bank returns to the payment system a signed message stating that it trusts this buyer and does not object to the operation on this card.
— Next, the payment is processed as MIA SET.
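As an added illustration, not code from the original post, here is a Python simulation of the flow above and of the liability shift the post discusses: the directory lookup, the issuer's signed answer, and the payment system's check of that signature before it treats the buyer as authenticated. Hostnames, card numbers, the message fields and the HMAC standing in for the issuer's signature are assumptions.

```python
"""Added example (not from the original post): a simulation of the 3-D Secure
flow described above, with the three domains as plain functions. Hostnames,
card numbers and the HMAC "signature" are constructed stand-ins."""
import hashlib
import hmac
import secrets

# Interaction domain: the directory server maps enrolled card ranges (first six
# digits) to the issuer's ACS. Constructed values.
DIRECTORY = {"411111": "acs.issuer-a.example", "555555": "acs.issuer-b.example"}

# Issuer domain: each ACS holds a signing key; the payment system holds the
# matching key to check the issuer's answer (HMAC stands in for a real signature).
ACS_KEYS = {host: secrets.token_bytes(32) for host in DIRECTORY.values()}


def _payload(last4, amount, status):
    return f"{last4}|{amount}|{status}".encode()


def lookup_enrolment(pan):
    """Directory server step: which ACS, if any, serves this card's range?"""
    return DIRECTORY.get(pan[:6])


def acs_authenticate(acs_host, pan, amount, holder_ok):
    """Issuer's ACS: authenticate the holder by whatever method the issuer chose
    (here a boolean) and sign the result for the payment system."""
    status = "Y" if holder_ok else "N"
    sig = hmac.new(ACS_KEYS[acs_host], _payload(pan[-4:], amount, status),
                   hashlib.sha256).hexdigest()
    return {"last4": pan[-4:], "amount": amount, "status": status, "sig": sig}


def verify_acs_message(acs_host, msg):
    """Payment system / MPI step: the issuer's answer counts only if its signature
    matches; otherwise a forged 'Y' could move liability onto the issuer."""
    expected = hmac.new(ACS_KEYS[acs_host],
                        _payload(msg["last4"], msg["amount"], msg["status"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["sig"])


def process_payment(pan, amount, holder_ok=True):
    """Run the whole flow and record who carries fraud liability at the end."""
    acs_host = lookup_enrolment(pan)
    if acs_host is None:
        # Not enrolled: fall back to merchant-initiated authorization (MIA SET);
        # the merchant keeps the fraud liability.
        return {"authorized": True, "authenticated": False, "liability": "merchant"}
    msg = acs_authenticate(acs_host, pan, amount, holder_ok)
    if not verify_acs_message(acs_host, msg) or msg["amount"] != amount:
        # Tampered or mismatched answer: stop, no authorization request is sent.
        return {"authorized": False, "authenticated": False, "liability": "none",
                "reason": "bad_signature"}
    if msg["status"] != "Y":
        # Issuer did not vouch for the holder: stop, no authorization request is sent.
        return {"authorized": False, "authenticated": False, "liability": "none",
                "reason": "not_authenticated"}
    # Authenticated: authorization proceeds as MIA SET, liability is the issuer's.
    return {"authorized": True, "authenticated": True, "liability": "issuer"}
```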

SET
The SET (Secure Electronic Transaction) standard is a technology developed by Visa and MasterCard payment systems to ensure secure payments using plastic cards over an open network.

Identification of the parties during online payments is done by exchanging digital certificates certifying the right of the transaction participants to accept or use plastic cards. The SET store certificate contains the identification parameters of the point of sale. The SET cardholder certificate contains encrypted information about the main parameters of the card. Making a payment using a SET certificate does not require the customer to enter card details and does not let the online store receive this confidential information.

SET (Secure Electronic Transaction) is the performance of an operation on the network in which the buyer and seller can uniquely identify each other when making a transaction by exchanging digital certificates. This allows both parties to verify the legitimacy of the operation performed by the other party.

SET store online certificate: a set of data in electronic format containing the company's parameters (name, etc.) and a copy of the company's public key, certified by the bank's Certification Center in accordance with the standard procedure (the SET standard). The company's private key is stored on the payment server. The certificate serves to identify the enterprise in the payment system and to enable card payments to be made in the full or truncated SET standard, depending on the type of certificate.

SET cardholder certificate: a set of data in electronic format containing card parameters (card number, holder's full name, etc.) and a copy of the holder's public key, certified by an authorized Certificate Authority in accordance with SET technology.

MIA SET

The system also allows payments with plastic cards without the client's SET certificates, if the clients do not have such certificates. In this case, the MIA SET (Merchant Initiated Authorization) technology is used. To secure payments made with MIA SET, the RBS payment system provides powerful features for cutting off fraudulent transactions. The anti-fraud subsystem lets customers (retail and service companies) configure it independently to meet their own needs by choosing the appropriate anti-fraud criteria.

Thus, when payment is made under the 3-D Secure protocol, the online store is not liable for fraudulent use of the card; it is up to the issuing bank to decide whether a given card transaction is legitimate. As a result of such major changes in the security of online payments and in the card fraud situation in general, the leading payment systems find it hard to reach agreement with issuers, acquirers, virtual acceptors and transaction processors when trying to make them install expensive systems and solutions for verifying the authenticity of holders.

In this article, I do not consider it necessary to describe the PCI DSS certification and standards.