How do security protocols like 3D-Secure work?

[Mutt]

The 3D-Secure protocol is an additional layer of security for online transactions using payment cards, designed to prevent fraud. It adds a cardholder authentication step to ensure that the transaction is being made by the rightful user. Major payment systems such as Visa (Verified by Visa), Mastercard (SecureCode) and others use their own versions of 3D-Secure. Here's how it works:

1. General structure of 3D-Secure operation​

3D-Secure stands for "Three Domain Secure", where the three "domains" are:

• Issuer domain: the bank that issued the card (verifies the authenticity of the cardholder).
• Acquirer domain: the bank or payment system of the store (processes the transaction).
• Interoperability domain: the infrastructure of a payment system (e.g. Visa or Mastercard) that provides communication between the issuer and the acquirer.

The protocol adds an authentication step before completing a transaction to minimize the risk of unauthorized payments.

2. How 3D-Secure works (using versions 1.0 and 2.0 as an example)​

3D-Secure 1.0 (legacy version):​

• Step 1: Entering card details. The buyer enters the card details (number, expiration date, CVV) on the store's website.
• Step 2: Redirect to the bank page. If the store supports 3D-Secure, the buyer is redirected to the page of the card issuing bank.
• Step 3: Authentication. The buyer confirms their identity by entering a password, a one-time code (OTP) sent via SMS, or by answering a secret question.
• Step 4: Transaction Confirmation. Once authentication is successful, the bank confirms to the merchant that the transaction has been approved and the payment is completed.
• Limitations: This version often required remembering a password, which was inconvenient, and redirecting to another page reduced conversion in stores.

3D-Secure 2.0 (modern version, implemented since 2019):​

• Step 1: Data collection . When entering card data, the store transmits additional information to the issuing bank: IP address of the device, device type, purchase history, geolocation, etc. (up to 100 parameters).
• Step 2: Risk-Based Authentication. The bank analyzes the data using machine learning algorithms to assess the risk of fraud:
  • If a transaction is considered low risk (for example, a purchase from a familiar store on a familiar device), it is approved without additional verification ("frictionless flow").
  • If the risk is high, an additional authentication ("challenge flow") is launched.
• Step 3: Authentication (if required). The buyer is asked to confirm their identity via biometrics (fingerprint, face recognition), OTP via SMS, push notification in the banking app or other methods that comply with SCA (Strong Customer Authentication) standards.
• Step 4: Complete the transaction. Once verified successfully, the bank confirms the transaction and the store completes the payment.

3. Key Features of 3D-Secure 2.0​

• Improved user experience: Fewer redirects to separate pages, authentication often happens in the background or through a mobile app.
• Biometrics and SCA: Compliance with PSD2 (European Payment Services Directive), which requires two-factor authentication (e.g. knowledge + possession, possession + biometrics).
• Risk Analysis: Using big data and machine learning to minimize unnecessary checks, increasing conversion.
• Mobile payment support: Integration with Apple Pay, Google Pay and other systems where authentication often occurs through device biometrics.

4. Advantages of 3D-Secure​

• For buyers: Protection from unauthorized transactions, reduced risk of data theft.
• For stores: Reduces the number of fraudulent chargebacks, as the responsibility for verification falls on the issuing bank.
• For banks: Reduce fraud losses and increase customer confidence.

5. Disadvantages​

• Possible reduction in conversion due to additional authentication steps (especially in version 1.0).
• Dependence on the technical implementation of the store and bank (not all sites support 3D-Secure).
• Risk of OTP compromise (e.g. via phishing), although biometrics in 2.0 reduces this risk.

6. Example of a script​

You buy a product for $10 on a website. When you pay, the store sends the transaction data to your bank. The bank sees that you have already purchased from this store using the same device and approves the transaction without additional checks. If you use a new device in another country, the bank will request confirmation via a push notification in the app or a fingerprint.

7. Technical details (for those interested)​

• Communication protocols: 3D-Secure uses XML messages to exchange data between the store, bank and payment system via secure channels (SSL/TLS).
• Tokenization: In some cases, card data is replaced with a token to minimize the risk of leakage.
• SCA Standards: In the EU, 3D-Secure 2.0 complies with PSD2 requirements requiring two of the three authentication factors (knowledge, possession, biometrics).

If you want to dive deeper into a specific aspect (for example, how banks analyze risks or how to protect against OTP interception), let me know!