However, although the use of SSL can keep credit card numbers secret as they cross the Internet, this does not provide proof that the person typing in the card number is actually the card holder. With Visa 3D Secure and MasterCard’s implementation called SecureCode, cryptography is used to validate legitimate card users by asking them to prove their identity. Assuming this process is completed successfully the merchant in question is given approval to complete the transaction through the use of a secure message sent from the cardholder’s bank. This message becomes the merchant’s primary piece of evidence if at some later stage the transaction is disputed.

For consumers, the process is very simple. In the case of the Verified by Visa initiative, existing cardholders can visit their bank’s Web site and enrol in the system, by providing some basic personal information and a password which is stored by the bank. To make a purchase from an online merchant that supports the Verified by Visa system they will be presented with an extra screen in their browser to enter this information. Hidden from the merchant, this is provided directly to the issuing bank that authenticates the cardholder and authorises the transaction with the merchant.

Simple in practice, but the secure generation, storage and management of the cryptographic keys that underpin the core encryption, digital signature and cardholder validation processes, relies on sophisticated technology. Because of the severe security and branding implications of a successful attack, stringent measures have been defined by the card associations. To meet these challenges, software companies developing cardholder authentication solutions for the online payments market such as Arcot Systems and Cyota, are turning to specialists like nCipher to provide this additional level of security and functionality.


For example, Arcot's TransFort system uses cryptography in a variety of ways to protect sensitive information and to create digital signatures to provide a record of authenticity for transactions and payment authorisation. The integration of nCipher's new payShield hardware security module (HSM) establishes a safe, tamper-resistant hardware environment that overcomes the inherent security and performance problems associated with handling sensitive information or performing complex secure processes on unprotected server platforms.

Ensuring that the processing of encrypted customer data is performed within the boundaries of the payShield (HSM) helps to ensure that sensitive data is never exposed to potential attackers where it could be stolen or manipulated to create fraudulent authorisation of illegitimate transactions.