Visa estimates that the shift in liability away from the online retailers in the UK alone could save them up to £55 million a year. Overall Visa expects that the arrival of authentication initiatives like 3D Secure will reduce the level of Internet fraud by as much as 80%.
The importance of cryptography
To meet the new levels of security that customers, credit card associations and financial institutions require, the new generation of online payment services need to meet best-practice security standards and address a wide range of threat scenarios. One of the key tools for this is cryptography, a discipline that dates back to Egyptian hieroglyphics circa 1900 BC.
Today, cryptography is widely used in a variety of applications such as securing electronic documents and discouraging the copying of valuable material such as digital movies. But increasingly, cryptography is used to verify the identity of someone or something and to prove that an event actually happened.
The de facto security standard for Internet-based transactions is SSL (Secure Sockets Layer). Originally developed in 1994 by the creators of the Netscape browser, SSL is commonly used to encrypt Internet communications and to prove that you’re connected to the right Web site and not a fake. Sites that support SSL are clearly identified, usually by a padlock icon in the bottom right-hand corner of the browser window.
However, although the use of SSL can keep credit card numbers secret as they cross the Internet, it provides no proof that the person typing in the card number is actually the cardholder. With Visa’s 3D Secure and MasterCard’s implementation, SecureCode, cryptography is used to validate legitimate card users by asking them to prove their identity. Assuming this process is completed successfully, the merchant in question is given approval to complete the transaction through a secure message sent from the cardholder’s bank. This message becomes the merchant’s primary piece of evidence if the transaction is disputed at some later stage.
For consumers, the process is very simple. In the case of the Verified by Visa initiative, existing cardholders visit their bank’s Web site and enrol in the system by providing some basic personal information and a password, which is stored by the bank. When they then make a purchase from an online merchant that supports Verified by Visa, they are presented with an extra screen in their browser in which to enter this information. Hidden from the merchant, it is passed directly to the issuing bank, which authenticates the cardholder and authorises the transaction with the merchant.
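The flow just described, reduced to its cryptographic core as an added example (not code from the original article or from any vendor it names): the bank keeps only a salted hash of the enrolment password, checks the password itself, and returns a signed approval bound to the merchant and the sale, which the merchant verifies before completing the transaction. The message fields, the names, the Ed25519 signature scheme and the out-of-band distribution of the bank's public key are all assumptions; the real 3D Secure message formats are not reproduced.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"fmt"
)
// Issuer models the cardholder's bank: it stores only a salted password hash plus its signing key.
type Issuer struct {
	salt, pwHash []byte
	priv         ed25519.PrivateKey
	Pub          ed25519.PublicKey // handed to merchants out of band (assumed)
}
// AuthResponse is a hypothetical stand-in for the issuer's message; TxID is the merchant's order id.
type AuthResponse struct {
	Merchant, TxID, Status string // Status "Y" = cardholder authenticated
	Amount                 int    // in pence
}
// NewIssuer enrols a cardholder; the password itself is never stored.
func NewIssuer(password string) *Issuer {
	salt := make([]byte, 16)
	rand.Read(salt)
	h := sha256.Sum256(append(append([]byte{}, salt...), password...))
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Issuer{salt, h[:], priv, pub}
}
// Authenticate is the bank side of the extra browser screen: only the bank ever sees the password.
func (i *Issuer) Authenticate(password, merchant, txID string, amount int) (msg, sig []byte, ok bool) {
	h := sha256.Sum256(append(append([]byte{}, i.salt...), password...))
	if subtle.ConstantTimeCompare(h[:], i.pwHash) != 1 {
		return nil, nil, false // wrong password: no approval is issued
	}
	msg, _ = json.Marshal(AuthResponse{merchant, txID, "Y", amount})
	return msg, ed25519.Sign(i.priv, msg), true // the signed verdict is what the merchant keeps
}
// MerchantAccepts checks the bank's signature and that the approval names this exact sale.
func MerchantAccepts(pub ed25519.PublicKey, merchant, txID string, amount int, msg, sig []byte) bool {
	var r AuthResponse
	if !ed25519.Verify(pub, msg, sig) || json.Unmarshal(msg, &r) != nil {
		return false // forged or altered message
	}
	return r.Status == "Y" && r.Merchant == merchant && r.TxID == txID && r.Amount == amount
}
func main() {
	iss := NewIssuer("correct horse") // constructed sample enrolment
	msg, sig, _ := iss.Authenticate("correct horse", "merchant-42", "order-7", 1999)
	fmt.Println(MerchantAccepts(iss.Pub, "merchant-42", "order-7", 1999, msg, sig)) // true
}
```

A genuine approval for a different merchant, order or amount is rejected just like a forged one, which is what makes the stored message usable as evidence in a later dispute.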
Simple in practice, but the secure generation, storage and management of the cryptographic keys that underpin the core encryption, digital signature and cardholder validation processes rely on sophisticated technology. Because of the severe security and branding implications of a successful attack, stringent measures have been defined by the card associations. To meet these challenges, software companies developing cardholder authentication solutions for the online payments market, such as Arcot Systems and Cyota, are turning to specialists like nCipher to provide this additional level of security and functionality.