The basic concept of the 3-D Secure authentication protocol is to tie the financial authorization process to online authentication; it is also seen as a driver of self-sovereign identity (SSI). This additional layer of authentication is based on a three-domain model, hence the "3-D" in the name.
Academic analysis of the first version of the 3-D Secure authentication protocol has shown it to have many security issues that affect the consumer, including a larger attack surface for phishing and a shift of liability in the case of fraudulent payments.
3-D Secure is an XML-based protocol designed to be an additional security layer for online credit and debit card transactions. It was originally developed by Arcot Systems (now CA Technologies) and first deployed by Visa with the intention of improving the security of Internet payments, and is offered to customers under the Verified by Visa/Visa Secure brands. Services based on the protocol have also been adopted by Mastercard as SecureCode, Discover as ProtectBuy and by JCB International as J/Secure. American Express added 3-D Secure in selected markets on November 8, 2010 as American Express SafeKey, and continues to launch additional markets.
EMV 3-D Secure (Three-Domain Secure, 3DS) is a messaging protocol developed by EMVCo to enable consumers to authenticate themselves with their card issuer when making card-not-present (CNP) transactions. The additional security layer helps prevent unauthorized CNP transactions and protects the merchant from exposure to CNP fraud. The three domains are the merchant/acquirer domain, the issuer domain and the interoperability domain (e.g. payment systems).
Mercator Advisory Group has published a new research report titled "Distributed and Self-Sovereign Identity Solutions: Part 1, Technology Overview," which recommends taking distributed ID and self-sovereign identity into account when deploying the EMV 3-D Secure authentication protocol and its risk models.
Investment in the 3-D Secure authentication protocol is being driven by technological change, led by the requirements of distributed ID (DID).
The 20-page report discusses the impact of new technologies such as Secure DNS, distributed IDs and self-sovereign identity as used by IBM, Microsoft and Mastercard. Tim Sloane, the report's author and VP of Payments Innovation and Director, Emerging Technologies Advisory Service at Mercator Advisory Group, describes how distributed ID (DID) and self-sovereign identity (SSI) solutions will bring about a merger of the two main identity and authentication platforms currently used by financial organizations.
The three domains of 3-D Secure are:
- Acquirer domain (the bank and the merchant to which the money is being paid).
- Issuer domain (the bank which issued the card being used).
- Interoperability domain (the infrastructure provided by the card scheme, whether for credit, debit, prepaid or other types of payment card, to support the 3-D Secure protocol). It includes the Internet, the merchant plug-in, the access control server and other software providers.
The protocol uses XML messages sent over SSL connections with client authentication; that is, both peers, the server and the client, prove their identity to each other using digital certificates.
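As an added illustration of that transport model (not code from the page or from any 3-D Secure implementation), the Go program below runs a mutually authenticated TLS exchange of a small XML request and response on loopback, and shows the issuer side refusing a client that presents no certificate. Everything in it is constructed for the demo: the self-signed certificates stand in for scheme-issued ones, and the PAReq/PARes element layouts are not the real 3-D Secure schema.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/xml"
	"math/big"
	"time"
)

// Constructed message shapes (not the real 3-D Secure schema): merchant side sends PAReq, issuer answers PARes.
type PAReq struct{ XMLName xml.Name `xml:"PAReq"` }
type PARes struct { XMLName xml.Name `xml:"PARes"`; Status string `xml:"status"` } // "Y" = authenticated
// selfSigned builds a short-lived self-signed certificate and a pool trusting only it; the peer pins that pool.
func selfSigned(cn string) (tls.Certificate, *x509.CertPool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), DNSNames: []string{"localhost"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	pool := x509.NewCertPool(); leaf, _ := x509.ParseCertificate(der); pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, pool
}
// Exchange runs one mutually authenticated round trip; with presentCert=false the issuer side must refuse the client.
func Exchange(presentCert bool) (string, error) {
	issuerCert, issuerPool := selfSigned("issuer-acs")
	merchantCert, merchantPool := selfSigned("merchant-mpi")
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{issuerCert},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: merchantPool, MinVersion: tls.VersionTLS12})
	if err != nil { return "", err }
	defer ln.Close()
	go func() { // issuer side: the handshake, including the client-certificate check, runs on the first Read
		c, err := ln.Accept(); if err != nil { return }
		defer c.Close()
		if xml.NewDecoder(c).Decode(&PAReq{}) == nil { xml.NewEncoder(c).Encode(PARes{Status: "Y"}) }
	}()
	cfg := &tls.Config{RootCAs: issuerPool, ServerName: "localhost", MinVersion: tls.VersionTLS12}
	if presentCert { cfg.Certificates = []tls.Certificate{merchantCert} } // merchant proves its identity too
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil { return "", err }
	defer conn.Close()
	if err := xml.NewEncoder(conn).Encode(PAReq{}); err != nil { return "", err }
	var res PARes; if err := xml.NewDecoder(conn).Decode(&res); err != nil { return "", err } // rejection surfaces here
	return res.Status, nil
}
```

Exchange(true) returns "Y"; Exchange(false) returns an error because the issuer side aborts the handshake when no client certificate is offered.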
A transaction using Verified by Visa or SecureCode initiates a redirection to the website of the card-issuing bank to authorize the transaction. Each issuer can use any authentication method it chooses (the protocol does not specify this), but typically a password tied to the card is entered when making online purchases. The Verified by Visa protocol recommends that the bank's verification page be loaded in an inline frame (iframe). In this way, the bank's systems can be held responsible for most security breaches. Today it is easy to send a one-time password in an SMS text message to the user's mobile phone, or by email, for authentication, at least during enrollment and for forgotten passwords.
The main difference between the Visa and Mastercard implementations lies in the method used to generate the UCAF (Universal Cardholder Authentication Field): Mastercard uses the AAV (Accountholder Authentication Value) and Visa uses the CAVV (Cardholder Authentication Verification Value).