The question of authentication
3D Secure is a payment authentication mechanism defined by Visa for use on all non-traditional networks such as the Internet, mobile and Interactive TV. The system adds an extra step to the checkout process in which the bank that issued the card is asked to verify that the online user is the legitimate cardholder. Once this step is completed, the merchant can process the transaction as normal but is now guaranteed payment, even if the transaction is disputed. So in this case, liability shifts to the card issuer.
The consumer branding for this initiative is called Verified by Visa, and Visa has stated that by 2005, issuing banks must support 3D Secure for their cardholders in order to conduct authenticated online transactions. Verified by Visa is already up and running in the US and was recently launched in Europe, where Visa, in agreement with BT Ignite, now provides a hosted service for issuing banks. Barclaycard Merchant Services and The Royal Bank of Scotland - two of the largest issuing banks - have announced that they will support Verified by Visa, while leading merchants that already support it include Dell, Blockbuster Video, Petsmart.com and United Airlines.
Visa estimates that the shift in liability away from the online retailers in the UK alone could save them up to £55 million a year. Overall, Visa expects that the arrival of authentication initiatives like 3D Secure will reduce the level of Internet fraud by as much as 80%.
The importance of cryptography
To meet the new levels of security that customers, credit card associations and financial institutions require, the new generation of online payment services needs to meet best practice security standards and address a wide range of threat scenarios. One of the key tools for this is cryptography, which dates back to Egyptian hieroglyphics circa 1900 BC.
Today, cryptography is widely used in a variety of applications such as securing electronic documents and discouraging the copying of valuable material such as digital movies. But increasingly, cryptography is used to verify the identity of someone or something and to prove that an event actually happened.
The de facto security standard used for Internet-based transactions is SSL (Secure Sockets Layer). Originally developed in 1994 by the creators of the Netscape browser, SSL is commonly used to encrypt Internet communications and prove that you’re connected to the right Web site and not a fake. Sites that support SSL are clearly identified, usually by a padlock icon at the bottom right-hand corner of the browser screen.