Internet acquiring “for dummies”

Tomcat

Good day, carders!

With this article I want to shed light on Internet acquiring in general and tell you what it comes with.
Purpose of the article: general knowledge.

E-commerce is a sector of the economy that includes all financial and trade transactions carried out using computer networks, and the business processes associated with such transactions.

E-commerce includes:

• Electronic data interchange (EDI),
• Electronic funds transfer (EFT),
• Electronic commerce (e-trade),
• Electronic money (e-cash),
• Electronic marketing (e-marketing),
• Electronic banking (e-banking),
• Electronic insurance services (e-insurance).

Business schemes:

1) B2B or business-to-business
An enterprise trades with another enterprise. B2B is one of the most promising and actively developing areas of e-commerce today. An example of a B2B transaction is the sale of website templates to companies for subsequent use as the basis for the design of the company’s own web resource.

2) B2C or business-to-consumer
In this case the enterprise trades directly with the customer (an individual, not a legal entity). Examples of this type of trade are traditional online stores and social commerce, i.e. selling goods and services on social networks.

3) C2C or consumer-to-consumer
Transactions between two consumers, neither of whom is an entrepreneur in the legal sense of the word. As a rule, C2C commerce is carried out on Internet auction sites.

Internet acquiring is the general term for accepting payment-card payments over the Internet through a purpose-built web interface. As a component of e-commerce, Internet acquiring is the activity of a credit institution (the acquiring bank) that settles with e-commerce merchants for transactions made with bank cards on the Internet. The acquiring bank usually connects merchants with the technical support of service providers, who secure the payment with 3-D Secure cardholder authentication and SSL/TLS transport encryption and are responsible for fraud monitoring of the transactions made in the online store. To pay this way the buyer needs a bank card whose account is enabled for paying for goods and services on the Internet as well as in physical stores (some issuers disable card-not-present payments until the holder enables them).

Benefits of using:

For organizations:
• Global scale
• Reducing costs
• Improving supply chains
• Business is always open (24/7/365)
• Personalization
• Fast time to market
• Low cost of distribution of digital products

For consumers:
• Ubiquity
• Anonymity
• Large selection of goods and services
• Personalization
• Cheaper products and services
• Prompt delivery
• Electronic socialization

For society:
• A wide range of services provided (for example, education, healthcare, public services)
• Increasing the standard of living
• Increasing national security
• Reducing the “digital” gap
• Online sale/ordering of goods and services reduces car traffic and environmental pollution

Disadvantages:

For organizations:
• Possible doubts of the parties about whether a particular project belongs to the company (negative anonymity)
• Some difficulty in conducting and legitimizing the activities of an enterprise on the Internet

For consumers:
• Consumer distrust of services sold via the Internet
• Inability to “touch” goods by hand
• Waiting for delivery of purchased products

For society:
• An attractive platform for fraud (reduced level of network security)
• Displacement of offline commercial enterprises from the market

For the state:
• Shortfall in tax payments to the state budget when “gray” accounting schemes are maintained

Market participants:
1. Buyer. A client who has a computer with a web browser and Internet access.
2. Issuing bank. The bank that holds the buyer's card account. The issuing bank issues cards and is the guarantor of the client's financial obligations.
3. Sellers. E-commerce servers on which catalogs of goods and services are maintained and customer purchase orders are accepted.
4. Acquiring banks. Each seller has a single bank in which it holds its current account (Alfa Bank, Rosbank, VTB 24, Raiffeisenbank, TransCreditBank). The acquiring bank must have its own processing center.
5. Internet payment system. Electronic components that act as intermediaries between the other participants.
6. Traditional payment system. A set of financial and technological means for servicing cards of a given type: ensuring that cards can be used as a means of payment for goods and services, providing banking services, carrying out mutual settlements, etc. (Visa Int., MasterCard Worldwide, Diners Club, Amex, JCB and China UnionPay).
7. Payment system processing center. An organization that provides the information and technological interaction between participants in the traditional payment system.
8. Settlement bank of the payment system. A credit institution that carries out mutual settlements between payment system participants on behalf of the processing center.

Acquiring scheme:
1. The client makes a purchase in the online store.
2. When choosing to pay for the order with a bank card, the client is redirected to the provider's payment page and enters the card details.
3. The provider generates an authentication request and directs the client to the issuing bank's authentication system (the ACS).
4. After authentication, the provider sends the data for the authorization request to the processor.
5. The processor sends the authorization request to the international payment system.
6. Depending on the result of authorization, the processor returns an approval or a refusal to the provider.
7. The provider informs the online store and the client of the result.
8. Depending on the result, the online store completes the sale or cancels the order.
9. The processor sends the clearing file to the settlement bank for settlement.
10. The settlement bank transfers the settlement funds for completed transactions to the online store's account.
11. A final settlement statement (act) is issued at the end of the reporting period.

As part of Internet acquiring, service providers offer a wide range of services for e-commerce enterprises:

— Personal account;
— Virtual terminal: a program for authorizing payments via the Internet in real time, installed on a computer at the online or offline store;
— A full set of fraud prevention methods;
— Generating the authorization request, or transferring a file of financial transactions to the acquirer for further mutual settlements;
— Handling of chargebacks;
— Internal fraud detection and protection tools;
— Multi-currency payments;
— Customer and technical support 24/7;
— Competitive cost-reduction policy;
— Security standards;
— High level of service;
— Development of relationships with companies providing additional services to increase customer loyalty.

Fraud

Fraud (the English word is used as a loanword in Russian) is a type of deception in the field of information technology, in particular unauthorized actions and unauthorized use of resources and services in communication networks.

Fraud and credit cards

Carding (from the English carding) is a type of fraud in which a transaction is carried out using a payment card, or its details, that was not initiated or confirmed by the cardholder. Card details are usually taken from hacked servers of online stores, payment and settlement systems, or from personal computers (either directly or through Trojans and worms). Liability for such fraud (the chargeback) falls on the seller if he does not use 3-D Secure.

Phishing (English phishing, a distortion of “fishing”) is the creation by scammers of a site that the user will trust, for example one resembling the user's bank site, through which card details are stolen.

Skimming (from the English skim, “skim off the cream”) uses a skimmer, an attacker's tool for reading, for example, the magnetic stripe of a payment card. A skimming attack uses a set of devices:

Skimmer. A tool for reading the magnetic stripe of a payment card, fitted over or inside the card slot of an ATM, or over the card reader that opens the door to a bank's self-service area. It consists of a magnetic read head, an amplifier/converter, memory and an adapter for connecting to a computer. Skimmers may be portable or miniature. The whole idea of skimming is to read the necessary data (the contents of the magnetic stripe tracks) so that it can be written onto a counterfeit card. When a transaction is processed with the counterfeit, the authorization request and the debit for the fraudulent transaction are made against the account of the original, “skimmed” card. Skimmers can store the stolen card data or transmit it by radio to attackers nearby. After copying the card, the scammers make a duplicate and, knowing the PIN, withdraw all the money up to the issuance limit, both in Russia and abroad.

A video camera installed on the ATM and aimed at the PIN pad, hidden in a false visor or in extraneous overlays such as advertising holders, is used together with the skimmer to capture the holder's PIN, which allows cash to be withdrawn at ATMs with the counterfeit card (track data plus the original PIN).

These devices are powered by autonomous sources, miniature batteries, and to make detection difficult they are usually made and disguised to match the color and shape of the ATM.

Fraud and GSM

Varieties of GSM fraud:

1) When subscribing to some content, the client is signed up for a nominal fee under a contract with a very high unsubscribe charge, and then everything is done to make the client decide to unsubscribe.
2) Non-payment of balances run up on SIM cards with credit (post-paid) tariff plans.
3) Registration of SIM cards against lost documents so that the SIM cards, with roaming enabled, can be used abroad. The local operator sends the bills for the calls to the operator that issued the SIM card with some delay, and meanwhile pays for the calls itself.
4) Outright deception, when the caller claims that by transferring a small amount to his phone you are helping a relative who has been in an accident or some other difficult situation.
5) A paid service can be opened with payment by SMS. In this case it is technically possible to drive a SIM card on a debit (pre-paid) tariff plan into a negative balance.
6) Exceeding the limit on the number of SMS requests sent, owing to the technical limits of the OSS platform, so that the subscriber receives the ordered services without actually paying for them.

The GSM Association (the international association of GSM network operators) has its own classification of fraud:

Access Fraud: unauthorized use of cellular services through deliberate or unintentional interference with, manipulation or reprogramming of the phone's identifiers, the ESN (Electronic Serial Number) and/or MIN (Mobile Identification Number). The method only works on networks without subscriber authentication.

Stolen Phone Fraud: unauthorized use of a stolen or lost phone. The method works until the owner notifies the operator and it blocks the stolen phone.

Subscription Fraud: providing false information when concluding a contract and using services on credit with no intention of paying for them.

Contractual legal aspect

An acquiring agreement is the legal document under which a merchant (trade and service enterprise) undertakes to operate both in accordance with current legislation and according to the rules established by the payment systems and the acquiring bank. The basic requirements for this agreement are defined in the payment system rules (for example, a dedicated section of the Visa International Operating Regulations); acquirers may, however, change both the form and the content of such agreements.

Connecting online acquiring:

— The online store contacts a service provider (electronic payment system): Assist, MoneyOnline, etc.
— Having chosen a provider, the online store registers on its website, i.e. fills out the registration form, states that it intends to accept bank cards for payment and selects the bank it will be serviced by from the list of banks that offer this service.
— The service provider sends the connection application to the bank.
— The bank processes the application and contacts the online store using the contact details given in it.
— The online store goes through all the stages preceding the signing of the contract.
— As a result, the online store signs an online acquiring agreement and begins accepting bank cards for payment over the Internet.

Security technologies for electronic Internet payments using bank cards.


SSL (Secure Sockets Layer) + 3-D Secure

3-D Secure is an XML-based protocol used as an additional security layer for online credit and debit card payments: a second authentication step for the cardholder. It was developed by Visa to improve the security of online payments and offered to customers as the Verified by Visa (VbV) service. Services based on the protocol have also been adopted by MasterCard, as MasterCard SecureCode (MCC), and by JCB International, as J/Secure. 3-D Secure adds a further authentication step to online payments.

3-D Secure should not be confused with the CVV2 code, which is printed on the back of the card.

3-D Secure is a trademark of VISA Corporation.

System of three domains:

The 3-D Secure model is implemented on the basis of three domains in which transactions are generated and verified:

• Issuer domain: the cardholder and the bank that issued the card.
• Acquirer domain: the acquiring bank and its customers (online merchants).
• Interoperability domain: the elements that make transactions between the other two domains possible, primarily the card association networks and their services.

The domains are independent, and each is an essential part of the information flow in the overall 3-D Secure infrastructure. Each domain has its own responsibilities in conducting transactions:
• In the Issuer domain, the issuing bank is responsible for authenticating the buyer and providing the correct information to complete the transaction.
• In the Acquirer domain, the online merchant is responsible for the commercial relationship with the buyer and for referring the buyer to the correct issuing bank for verification. In the same domain, the acquirer is responsible for routing the transaction through the traditional Visa or MasterCard networks.
• In the Interoperability domain, the Visa or MasterCard payment system is responsible for keeping the information about each issuer (the cardholder's bank and the Internet address of its authentication server) and for providing that information when a dispute has to be decided.
The 3-D Secure model provides a standard communication protocol between the domains for exchanging and verifying transactions. It does not require changes in the relationships between participants within the same domain:
• The merchant and the acquirer are free to choose any method of conducting their transactions and to manage the relationships in their domain.
• Issuers are free to choose any mechanism they prefer for cardholder authentication.

The 3-D Secure architecture implements a set of special servers that serve the transaction throughout its life cycle:

[Figure: 3-D Secure server architecture]

• In the Issuer domain, the Access Control Server (ACS) manages the authentication exchange between the buyer and the issuer and returns the authentication result on which the merchant relies.
• In the Acquirer domain, the Merchant Plug-In (MPI) server manages the flow of transactions between the Visa/MasterCard infrastructure, the cardholder's browser and the payment infrastructure set up by the acquirer.
• In the Interoperability domain, the Directory Server maintained by Visa/MasterCard holds information about the participants (which card ranges are enrolled and where each issuer's ACS is). In the same domain, the Visa/MasterCard Authentication History Server (AHS) securely stores a record of every authentication and guarantees its availability in the event of a dispute.
• In the Issuer and Acquirer domains, host systems take part in transaction reconciliation in the banks' back offices to ensure clearing between the participants and the subsequent transfer of funds.
• Under the 3-D Secure protocol, issuers are now responsible for authenticating cardholders!

— The buyer, having selected a product in the online store, presses the “Pay” button.
— The buyer's browser is redirected to the payment system's page, where the buyer enters the card details.
— The payment system server checks whether this card is enrolled in 3-D Secure; if it is, the buyer's browser is redirected to the issuing bank's site. If it is not enrolled, the payment can be processed using MIA SET (see below).
— Suppose the card is enrolled in 3-D Secure. The buyer, arriving at the issuing bank's site, is authenticated; the authentication method is chosen by the issuing bank.
— On successful authentication, the issuing bank returns to the payment system a signed message stating that it trusts this buyer and does not object to the transaction with this card.
— The payment then proceeds as under MIA SET.
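The exchange just described, together with steps 2 through 10 of the acquiring scheme earlier on this page, modelled end to end as an added example (this is not code from the page, from RBS or from any payment system). It assumes a 3-D Secure 1.0-style message set (VEReq/VERes for the enrollment check, PAReq/PARes for authentication), stands in for the issuer's XML signature on the PARes with an HMAC key shared between the ACS and the MPI, and uses constructed card numbers, a one-time password, spending limits and a 2% merchant discount rate. The MPI checks that the PARes is genuine and answers the PAReq it actually sent before it sets the ECI and passes the CAVV into authorization; a card that is not enrolled goes straight to authorization with ECI 07, which is the case where liability stays with the merchant.

```python
"""Model of one Internet-acquiring payment: 3-D Secure enrollment check (VEReq/VERes),
cardholder authentication (PAReq/PARes), authorization through the issuer, and
clearing/settlement. Added example, not code from the page or from any payment
system. Assumptions: the ACS "signs" the PARes with an HMAC key shared with the MPI
(a stand-in for the XML signature over the issuer's certificate); the directory,
cardholders, limits and the 2% merchant discount rate are all constructed."""
import hashlib
import hmac
import json
import secrets

# ---- Interoperability domain: Directory Server (constructed sample data) ----
DIRECTORY = {"411111": "https://acs.issuer.example/pareq"}   # enrolled BIN -> ACS URL

def directory_lookup(pan):
    """VEReq/VERes: the MPI asks whether the card range is enrolled in 3-D Secure."""
    acs = DIRECTORY.get(pan[:6])
    return {"enrolled": "Y" if acs else "N", "acs_url": acs}

# ---- Issuer domain: Access Control Server and issuer host (constructed data) ----
ISSUER_KEY = secrets.token_bytes(32)                 # assumption: shared HMAC key
CARDHOLDER_OTP = {"4111111111111111": "482913"}      # one-time password per cardholder
ISSUER_ACCOUNTS = {"4111111111111111": 500.00,       # open-to-buy per card
                   "5555555555554444": 200.00}

def acs_authenticate(pareq, otp_entered):
    """PAReq -> signed PARes. The issuer, not the merchant, decides who the buyer is."""
    expected_otp = CARDHOLDER_OTP.get(pareq["pan"])
    status = "Y" if otp_entered is not None and otp_entered == expected_otp else "N"
    pares = {"xid": pareq["xid"], "amount": pareq["amount"], "status": status}
    if status == "Y":
        # CAVV: issuer-generated proof of authentication, carried into the authorization
        pares["cavv"] = hashlib.sha256(pareq["xid"].encode() + ISSUER_KEY).hexdigest()[:28]
    body = json.dumps(pares, sort_keys=True).encode()
    return {"pares": pares, "sig": hmac.new(ISSUER_KEY, body, "sha256").hexdigest()}

def issuer_authorize(auth_req):
    """Issuer host: the payment network forwards the authorization request here."""
    limit = ISSUER_ACCOUNTS.get(auth_req["pan"])
    if limit is None or limit < auth_req["amount"]:
        return {"approved": False, "reason": "unknown card or insufficient funds"}
    if auth_req["eci"] == "05" and not auth_req.get("cavv"):
        return {"approved": False, "reason": "ECI 05 claimed without a CAVV"}
    ISSUER_ACCOUNTS[auth_req["pan"]] = limit - auth_req["amount"]
    return {"approved": True, "auth_code": secrets.token_hex(3).upper()}

# ---- Acquirer domain: Merchant Plug-In, processor and settlement ----
ECI_FOR_STATUS = {"Y": "05", "A": "06", "U": "07"}   # Visa ECI values; "N" means stop

def mpi_verify_pares(signed, pareq):
    """Check that the PARes really comes from the issuer and answers this PAReq."""
    body = json.dumps(signed["pares"], sort_keys=True).encode()
    expected = hmac.new(ISSUER_KEY, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, signed["sig"]):
        raise ValueError("PARes signature invalid")
    pares = signed["pares"]
    if pares["xid"] != pareq["xid"] or pares["amount"] != pareq["amount"]:
        raise ValueError("PARes does not match the PAReq")
    return pares

def pay(pan, amount, otp_entered, ledger):
    """Steps 2 to 8 of the acquiring scheme. Approved transactions are appended to
    `ledger`, the processor's clearing queue."""
    pareq = {"pan": pan, "amount": amount, "xid": secrets.token_hex(10)}
    if directory_lookup(pan)["enrolled"] == "Y":
        pares = mpi_verify_pares(acs_authenticate(pareq, otp_entered), pareq)
        if pares["status"] == "N":
            return {"result": "declined", "stage": "authentication"}
        eci, cavv = ECI_FOR_STATUS[pares["status"]], pares.get("cavv")
    else:
        eci, cavv = "07", None          # not enrolled: plain (MIA SET style) authorization
    auth = issuer_authorize({"pan": pan, "amount": amount, "eci": eci, "cavv": cavv})
    if not auth["approved"]:
        return {"result": "declined", "stage": "authorization", "reason": auth["reason"]}
    ledger.append({"xid": pareq["xid"], "amount": amount, "eci": eci,
                   "auth_code": auth["auth_code"]})
    liability = "issuer" if eci in ("05", "06") else "merchant"
    return {"result": "approved", "eci": eci, "liability": liability}

def settle(ledger, discount_rate=0.02):
    """Steps 9 and 10: clearing file -> settlement bank -> merchant payout."""
    gross = round(sum(t["amount"] for t in ledger), 2)
    return {"transactions": len(ledger), "gross": gross,
            "net_to_merchant": round(gross * (1 - discount_rate), 2)}

if __name__ == "__main__":
    ledger = []
    print(pay("4111111111111111", 120.00, "482913", ledger))   # enrolled, correct OTP: ECI 05
    print(pay("4111111111111111", 50.00, "000000", ledger))    # wrong OTP: declined by the ACS
    print(pay("5555555555554444", 30.00, None, ledger))        # not enrolled: ECI 07, merchant liable
    print(settle(ledger))
```

Run as written, the first payment is approved with the liability on the issuer, the second is refused by the ACS before any authorization is attempted, and the third is approved but with the liability on the merchant. Alter the amount inside a PARes after the ACS has produced it and `mpi_verify_pares` raises: that check is what makes the issuer's signed message worth anything to the merchant.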

SET
The SET (Secure Electronic Transaction) standard is a technology developed by the Visa and MasterCard payment systems to provide secure card payments over an open network.

The parties to an online payment identify each other by exchanging digital certificates that attest to their right to accept or use payment cards. The store's SET certificate contains the identifying parameters of the outlet. The cardholder's SET certificate carries the main card parameters in encrypted form. A payment made with a SET certificate does not require the client to enter the card details and does not require the online store to receive that confidential information.

SET, Secure Electronic Transaction: conducting an operation over a network in which the buyer and seller identify each other unambiguously by exchanging digital certificates, so that each party can verify the other's right to take part in the transaction.

SET online store certificate: a set of data in electronic form containing the enterprise's parameters (name, etc.) and a copy of its public key, certified by the bank's certification center in accordance with the standard procedure (the SET standard). The enterprise's private key is stored on the payment server. The certificate identifies the enterprise in the payment system and, depending on its type, allows card payments in the full or truncated SET standard.

SET cardholder certificate: a set of data in electronic form containing the card parameters (card number, holder's full name, etc.) and a copy of the holder's public key, certified by an authorized certification center in accordance with SET technology.

MIA SET

The system also allows card payments without SET client certificates, for clients who do not have them. In this case MIA SET (Merchant Initiated Authorization) technology is used. To secure payments made with MIA SET, the RBS payment system provides extensive facilities for cutting off fraudulent transactions. Merchants (trade and service enterprises) can configure the anti-fraud subsystem to their own needs by choosing the appropriate anti-fraud criteria.

Thus, in the case of a payment made with 3-D Secure, the online store is not liable for fraudulent use of the card: the decision whether a given card transaction is legitimate or not is made by the issuing bank. Because of these far-reaching changes in online payment security and in the card-fraud situation in general, the leading payment systems are finding it hard to reach agreement with issuers, acquirers, online merchants and transaction processors when trying to make them install expensive systems for verifying cardholders.
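The merchant-chosen anti-fraud criteria mentioned above, as an added example that is not code from the page, from RBS or from any provider. The four rules (amount limit, BIN country against IP geolocation, per-card velocity, many different cards from one IP in a short window), their weights, the accept/review/reject thresholds, the BIN table and the sample traffic are all constructed for the demonstration; a real subsystem would also feed in the 3-D Secure result and device data. Transactions are scored in arrival order, so every verdict depends only on what the filter has already seen, which is how the card-testing burst in the sample is caught on its third card rather than in hindsight.

```python
"""Added example: a merchant-configurable anti-fraud rule set of the kind a
provider's fraud subsystem lets a merchant tune. Not code from the page or from
any provider. The rule weights, thresholds, the BIN-to-country table and the
sample transactions are constructed for the demonstration."""
from collections import defaultdict
from datetime import datetime, timedelta

BIN_COUNTRY = {"411111": "RU", "555555": "DE", "400000": "US"}   # constructed BIN table

# Merchant-chosen criteria (assumed values); each hit adds its weight to the score.
RULES = {
    "amount_over_limit":       {"weight": 40, "limit": 1000.00},
    "bin_ip_country_mismatch": {"weight": 30},
    "card_velocity":           {"weight": 25, "window": timedelta(minutes=10), "max_tx": 2},
    "ip_card_spray":           {"weight": 50, "window": timedelta(minutes=5), "max_cards": 2},
}
THRESHOLDS = {"reject": 60, "review": 30}


class FraudFilter:
    """Scores transactions one at a time, so each decision depends only on history."""

    def __init__(self, rules=RULES, thresholds=THRESHOLDS):
        self.rules, self.thresholds = rules, thresholds
        self.by_pan = defaultdict(list)    # pan -> [timestamps]
        self.by_ip = defaultdict(list)     # ip  -> [(timestamp, pan)]

    def score(self, ts, pan, amount, ip, ip_country):
        hits = []
        r = self.rules["amount_over_limit"]
        if amount > r["limit"]:
            hits.append(("amount_over_limit", r["weight"]))
        r = self.rules["bin_ip_country_mismatch"]
        bin_country = BIN_COUNTRY.get(pan[:6])
        if bin_country is not None and bin_country != ip_country:
            hits.append(("bin_ip_country_mismatch", r["weight"]))
        r = self.rules["card_velocity"]        # same card hammered in a short window
        recent = [t for t in self.by_pan[pan] if ts - t <= r["window"]]
        if len(recent) + 1 > r["max_tx"]:
            hits.append(("card_velocity", r["weight"]))
        r = self.rules["ip_card_spray"]        # many cards from one IP: card testing
        cards = {p for t, p in self.by_ip[ip] if ts - t <= r["window"]} | {pan}
        if len(cards) > r["max_cards"]:
            hits.append(("ip_card_spray", r["weight"]))
        self.by_pan[pan].append(ts)
        self.by_ip[ip].append((ts, pan))
        total = sum(w for _, w in hits)
        if total >= self.thresholds["reject"]:
            decision = "reject"
        elif total >= self.thresholds["review"]:
            decision = "review"
        else:
            decision = "accept"
        return {"score": total, "decision": decision, "hits": [name for name, _ in hits]}


# Constructed sample traffic: (timestamp, PAN, amount, client IP, IP geolocation).
# Entries 2 to 5 are a card-testing burst: four different cards, 1.00 each, one IP, 8 seconds.
SAMPLE = [
    ("2024-05-01 10:00:00", "4111111111111111",   45.00, "203.0.113.5",  "RU"),
    ("2024-05-01 10:00:07", "4000001234567890",    1.00, "198.51.100.7", "NG"),
    ("2024-05-01 10:00:09", "4000009876543210",    1.00, "198.51.100.7", "NG"),
    ("2024-05-01 10:00:12", "4000005555666677",    1.00, "198.51.100.7", "NG"),
    ("2024-05-01 10:00:15", "4000001111222233",    1.00, "198.51.100.7", "NG"),
    ("2024-05-01 10:05:00", "5555555555554444", 2400.00, "192.0.2.9",    "BR"),
    ("2024-05-01 10:40:00", "4111111111111111",   60.00, "203.0.113.5",  "RU"),
]


def screen(transactions, rules=RULES, thresholds=THRESHOLDS):
    """Run the filter over a batch in arrival order and return one verdict per transaction."""
    f = FraudFilter(rules, thresholds)
    return [f.score(datetime.fromisoformat(ts), pan, amount, ip, cc)
            for ts, pan, amount, ip, cc in transactions]


if __name__ == "__main__":
    for tx, verdict in zip(SAMPLE, screen(SAMPLE)):
        print(tx[1][:6] + "...", tx[2], verdict)
```

On the sample, the two legitimate Russian-card purchases are accepted, the first two cards of the burst only reach "review" on the country mismatch, the third and fourth are rejected once the spray rule fires, and the large Brazilian-IP purchase on a German card is rejected on amount plus mismatch. The velocity rule on its own (weight 25) never rejects; it is meant to add to other signals, which is the usual design choice for rules that also fire on honest retries.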

In this article, I do not consider it necessary to describe PCI DSS certification and standards.
 