Online payments: 3-D Secure

Brother

Professional
When you pay via the Internet, you do not insert the card anywhere, yet the payment goes through. And to confirm the payment, we habitually enter the code from an SMS. All of this is thanks to the 3-D Secure technology, which we will talk about today.

3-D here does not mean mind-blowing simulated visual effects, but a kind of "three domains" concept. All of this was invented in order to radically improve security when making payments over the network. Generally speaking, we are talking about CNP transactions, Card-Not-Present, cardless transactions. Why is it a cardless transaction, when we enter all of the card's details while paying?

The fact is that in reality no card reading occurs, because we do not insert it into either a POS terminal or a card reader. All we can do is enter the card details into a form on the website. And the card itself may not be at hand at all. Therefore, such transactions are called cardless. And that is why the question of security arises. Let's assume you have a chip card, not a magnetic stripe card, because for a card with a magnetic stripe there is no point in talking about security even when the card is present. Although in any case, 3-D Secure support seriously increases the security of CNP transactions.

What three domains are meant by the symbols "3-D"? These are the acquirer's domain, the issuer's domain, and the interoperability (payment system) domain. So, I sense that this has become incomprehensible. Never mind, now we'll figure it out without the bureaucratic language.

In general, in information technology there are a great many different concepts, and separate terms for them have long since run out. You have to use all sorts of abstract names for this. The word "domain" gets pressed into service very often in this situation. It means "data area, structural element". That is, it is the blurriest word of all and can mean anything. But you can't confuse us with domains. I myself only mentioned them here because they are included in the name of the technology.

In fact, the meaning of the technology is as follows

Before the advent of 3-D Secure, payment looked like this. The buyer entered his card details into a form on the website, and the website passed the data to the acquiring bank, which provides Internet acquiring services to this store.

If you are suddenly confused about what kind of fauna acquirers and issuers are, then look at the series of articles about this: part 1, part 2 and part 3.
The acquiring bank conducts a card transaction through the payment system using the card data. In this scheme, the seller is liable for transactions on stolen cards. And the 3-D Secure technology, firstly, adds an additional check of the buyer, and secondly, shifts liability from the seller (instead of "seller", the calque of the English "merchant" is often used) to the issuing bank. Which, generally speaking, looks more logical. The problem of payment security, in theory, lies with the one who provides the "working with money" service, in this case the issuing bank. And the seller (merchant) runs his own business related to the sale of goods and services, and it is not right to impose on him responsibility for a technology he has nothing to do with.

Payment procedure

When you click on the "Pay by credit card" link, the seller (LLC "Alpy", which sells Alpine air at retail) begins to interact with a certain virtual (e-commerce) terminal. By analogy with a POS terminal, this electronic terminal is usually not the property of the trader (merchant). At the very least, the software on this terminal is not developed by the merchant, but by a bank (or by a third-party vendor that certifies its software). So, the merchant turns to an external system to form a request for payment. With this external system he has a contract, access rights for generating payment requests, etc. Most often, this external system is a bank (let it be ZhadiBank) that provides Internet acquiring services. Occasionally there are other financial institutions, not banks. In general, within the framework of the technology, the program with which the merchant interacts is called neither a terminal nor even a payment gateway, but an MPI, Merchant Plug-In, the merchant's connection point. This is for the curious.

So, "pay" is clicked, the request for payment is generated, and you are transferred to a special page of ZhadiBank. The address in the browser has changed, the site is different, and the letter "s" has appeared in the protocol, if it was not there before, so it became "https". Although modern browsers often hide the protocol so as not to intimidate the user. But the fact of connection via an encrypted channel (SSL) is necessarily shown in some way: with a green padlock, the name on the certificate, etc. And on this page there are fields for entering card data. Generally speaking, this looks more trustworthy. There was a website of some LLC "Alpy", and when paying you find yourself on the payment gateway of ZhadiBank, which you may even have dealt with before and trust. You enter the details of your SaveBank card not on the seller's website, but on ZhadiBank's gateway.

Then a little magic happens. ZhadiBank turns to the second security domain, called Interoperability (which is the payment system). The payment system Zhiza finds your issuer (let it be SaveBank), which in this technology is the third security domain, the issuer, and asks whether this card is enrolled in the 3-D Secure service. If not, payment may be refused, or it may be accepted according to the "old technology".

Now we know that the card is enrolled in 3-D Secure. And now ZhadiBank's MPI generates a payment request and sends it to SaveBank. SaveBank returns an acknowledgment of the request and says where to redirect the user (you).

At this step, you are transferred to the page of your own SaveBank, whose site and logo you regard with love and trust. This page asks you to enter something extra. Most often this is a code from an SMS to your phone, but options with a code-generating token (crypto-calculator) and other devices are possible. It was for the sake of this step that all of this was started.

In the old days you were face to face with an unfamiliar LLC "Alpy" and a strange, cold ZhadiBank. And here, in the process of buying, you find yourself on the warm site of your own SaveBank, which, among other things, also knows your phone number, and therefore can use this channel to make sure that it is really you. Without this step, no one will take money from your card. And on this page you will be addressed by name and patronymic, the amount will be shown, the store will be named, and they can also show you a picture that you yourself uploaded in your Internet bank (the so-called security avatar). And for you it is easy, reliable and comfortable: you are in the loving hands of a bank dear to you. Well, not you, but your money, and in this case it is not yet clear which is more pleasant.

If you entered the correct code, then SaveBank, or rather the program on its website, which within this technology is called the ACS, Access Control Server, generates a positive response and transfers you to one of three addresses supplied by the acquirer's MPI (ZhadiBank's payment gateway). One address is for a successful response, one for an unsuccessful one, and one for the case when you cancelled the payment. All these addresses simply lead to different pages of the ZhadiBank website, which show you the relevant information.

And here you are again at ZhadiBank's payment gateway, which serves you in the interests of Alpy LLC (and in your own interests too, of course). At this moment, in fact, an ordinary transaction takes place, as if from a POS terminal, but with a special flag that it occurs within a 3-D Secure transaction. And the payment result is shown to you on the page.

That's it, the opera is over, all the participants strain to sing the final tonic chord, the curtain closes. Oh yes, you will also be shown a "return to the seller's site" link, or you will be redirected there automatically.
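As an added illustration (not code from the original post), here is a toy model of the flow just described: the three domains as three classes, the enrollment check, the code entered on the issuer's page, the three return addresses of the acquirer's MPI, and the liability shift. The shared HMAC key, bank names, card number and page addresses are constructed; the real scheme signs the ACS result with certificates rather than a shared secret.

```python
import hmac, hashlib, secrets

ACS_KEY = b"constructed-demo-key"  # stands in for the ACS signing key; real 3-DS uses certificates

class ACS:
    """Issuer domain (SaveBank): knows the cardholder and runs the SMS-code challenge."""
    def __init__(self, enrolled):
        self.enrolled, self.pending = set(enrolled), {}
    def start_challenge(self, pan, amount, merchant):
        otp = f"{secrets.randbelow(10**6):06d}"       # the code "sent by SMS"
        self.pending[pan] = (otp, amount, merchant)
        return otp
    def verify(self, pan, entered):
        otp, amount, merchant = self.pending.pop(pan)
        status = "Y" if hmac.compare_digest(otp, entered) else "N"
        msg = f"{pan}|{amount}|{merchant}|{status}".encode()  # bind the verdict to this payment
        return status, hmac.new(ACS_KEY, msg, hashlib.sha256).hexdigest()

class Interoperability:
    """Payment-system domain (Zhiza): locates the issuer's ACS and vouches for its verdict."""
    def __init__(self):
        self.acs_by_bin = {}
    def find_acs(self, pan):
        acs = self.acs_by_bin.get(pan[:6])
        return acs if acs and pan in acs.enrolled else None
    def verdict_is_genuine(self, pan, amount, merchant, status, sig):
        msg = f"{pan}|{amount}|{merchant}|{status}".encode()
        return hmac.compare_digest(sig, hmac.new(ACS_KEY, msg, hashlib.sha256).hexdigest())

class MPI:
    """Acquirer domain (ZhadiBank gateway): drives the flow and picks the return page."""
    def __init__(self, interop, pages):
        self.interop, self.pages = interop, pages     # pages: ok / fail / cancel addresses
    def pay(self, pan, amount, merchant, cardholder):
        acs = self.interop.find_acs(pan)
        if acs is None:                               # not enrolled: old scheme, merchant liable
            return {"authenticated": False, "liable": "merchant", "page": self.pages["fail"]}
        entered = cardholder(acs.start_challenge(pan, amount, merchant))
        if entered is None:                           # cardholder cancelled on the issuer's page
            return {"authenticated": False, "liable": "merchant", "page": self.pages["cancel"]}
        status, sig = acs.verify(pan, entered)
        ok = status == "Y" and self.interop.verdict_is_genuine(pan, amount, merchant, status, sig)
        return {"authenticated": ok, "liable": "issuer" if ok else "merchant",
                "page": self.pages["ok" if ok else "fail"]}

def demo(cardholder, pan="411111******1111"):
    """Constructed run: one enrolled card, one merchant; cardholder(otp) plays the buyer."""
    interop = Interoperability()
    interop.acs_by_bin["411111"] = ACS(enrolled=[pan])
    pages = {"ok": "/paid", "fail": "/declined", "cancel": "/cancelled"}
    return MPI(interop, pages).pay(pan, "1500.00", "LLC Alpy", cardholder)
```

Passing `lambda otp: otp` to `demo` plays a cardholder who types the right code; returning a wrong string or `None` exercises the other two return addresses, and a card whose BIN is unknown to the payment system falls back to the old scheme with the merchant liable.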

The main thing in this technology is the step in which you find yourself on the site of your own SaveBank, where a second authentication factor (most often an SMS code) is politely accepted from you. In general, SMS is far from the most reliable thing, but it will do for everyday use.

And yet another of 3-D Secure's advances is the "liability shift" from the merchant to the issuing bank, which is now responsible for ensuring that the transaction is secure. Which, in general, is quite logical.

This technology is not the most reliable, of course, but with its appearance the number of fraudulent cardless transactions has decreased by orders of magnitude. So: we love it, we love it, and we activate 3-D Secure on our cards. Be rich and safe!