In an offline environment, credit cards can be authenticated at the point of sale. The merchant verifies that the individual making the purchase is the person to whom the card belongs by comparing the signature the cardholder provides with the one on the reverse of the card. If the signatures match and the card is verified, the sale is agreed. In an online environment, and via other channels such as mail order and telephone orders, authentication is more difficult: the merchant is unable to see the card or to verify a signature. This weakness gives rise to card-not-present (CNP) fraud, since ultimately anybody can provide anybody else's credit card details and, assuming the card has not been reported lost or stolen and the funds are available, the sale will be agreed.
The history of card scheme security initiatives has been a chequered one
A number of card scheme security initiatives have been launched over the last decade in order to tackle the problem of online card fraud. Secure Electronic Transaction (SET) was launched in 1996 following co-operation between Visa, MasterCard and American Express. SET built upon the security provided by Secure Sockets Layer (SSL) by not only encrypting information transferred between customer and merchant but also authenticating both parties using digital certificates issued by a trusted issuing authority. However, SET never really caught on, achieving only limited roll-out in Scandinavia and continental Europe and, critically, not in the US, so often the global leader in this field. It was ultimately too complicated and demanding for cardholders and merchants, especially since it required both parties to download additional software.
SET evolved into 3D-SET, which sought to improve on SET by being server-based rather than customer-based. However, it too failed to garner the interest of consumers, merchants and card issuers.
Initiatives have now been launched by Visa, MasterCard and Maestro
The most recent card scheme security initiatives have been launched within the last few years. Visa's Verified by Visa is based on the 3D-Secure protocol and requires that cardholders enrol at their card issuer's website. Once enrolled, they are able to use the service to purchase goods and services from any participating online merchant. At the payment page they are asked to pass through an authentication procedure; once their input is verified by the merchant and card issuer, the sale can be completed.
MasterCard's SecureCode functions in a similar way to Verified by Visa, although in this case it is based on the Secure Payment Application (SPA) protocol and the cardholder is required to download a digital wallet from their card issuer. Maestro's eCommerce program is based on the Online Debit Solution and functions by replacing the 19-digit debit card number with a 12-19 digit 'credit card like' Internet-only number. This pseudo card number (PCN) is entered in the same way as a credit card number and is stored by a wallet downloaded by the cardholder.
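An added example, not code from this article or from any card scheme: a Python model of the Verified by Visa style flow described above. The card number, password and signing key are constructed demo values, and an HMAC key shared with the merchant stands in for the issuer's real signature (an assumption made for a self-contained example); it contrasts the plain CNP check, where card details alone suffice, with a merchant that accepts only an issuer-signed result bound to the exact sale.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed demo data (not real keys or cards). In real 3-D Secure the
# issuer signs its result with a certificate; an HMAC key distributed via
# the card scheme stands in for that signature here (assumption).
ISSUER_KEY = b"demo-issuer-signing-key"
ENROLLED = {"4111111111111111": "cardholder-secret"}  # card -> enrolment password

@dataclass(frozen=True)
class AuthResult:
    card: str
    amount: int
    merchant: str
    status: str   # "Y" authenticated, "N" failed, "U" cardholder not enrolled
    sig: str

def _sign(card: str, amount: int, merchant: str, status: str) -> str:
    # The signature covers the sale details, so a result cannot be reused elsewhere.
    msg = f"{card}|{amount}|{merchant}|{status}".encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()

def issuer_authenticate(card: str, amount: int, merchant: str, password: str) -> AuthResult:
    """Issuer side: the authentication step the cardholder reaches at the payment page."""
    if card not in ENROLLED:
        status = "U"
    elif hmac.compare_digest(ENROLLED[card], password):
        status = "Y"
    else:
        status = "N"
    return AuthResult(card, amount, merchant, status, _sign(card, amount, merchant, status))

def legacy_cnp_checkout(card: str) -> bool:
    """Pre-3-D Secure CNP flow: anyone holding plausible card details gets the sale agreed."""
    return card.isdigit() and 13 <= len(card) <= 19

def verified_checkout(card: str, amount: int, merchant: str, result: AuthResult) -> bool:
    """Merchant side: accept only an issuer-signed 'Y' that matches this exact sale.
    Unenrolled cards ('U') are treated as not verified in this demo."""
    expected = _sign(card, amount, merchant, result.status)
    if not hmac.compare_digest(expected, result.sig):
        return False                      # forged or tampered result
    if (result.card, result.amount, result.merchant) != (card, amount, merchant):
        return False                      # result replayed from a different sale
    return result.status == "Y"
```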