3DS Explained, Continued
Below is my edited explanation of the steps above; I've attempted to keep the discussion at a level simple enough for all to understand. If you require precise technical information regarding 3DS, both Visa and MasterCard have very detailed downloadable documentation.
|Step-1||The Shopper browses the merchant's site, adds items to the shopping cart, then finalizes the purchase.|
|Step-2||The Merchant Server sends information to the Directory Server; this acts as a traffic director that examines the initial number sequence of the credit card, and figures out which issuing bank is responsible for it.|
|Step-3||The Directory Server identifies the payer's issuing bank and queries that bank's Access Control Server (ACS) to determine if 3DS authentication is available, that is, whether the payer has enrolled in 3DS and been issued with a PIN or other passphrase.|
|Step-4||The Banking ACS responds to the Directory Server.|
|Step-5||The Directory Server forwards the ACS response to the MPI (a plug-in piece of code on the merchant's site) to verify that the card holder is enrolled in 3DS. If not, then a traditional payment is processed.|
|Step-6||If the payer is enrolled in 3DS, then a Payer Authentication Request is made to the Issuing Bank's ACS via the shopper's browser.|
|Step-7||The ACS receives the Payer Authentication Request.|
|Step-8||The ACS authenticates the Shopper.|
|Step-9||The ACS returns the Payer Authentication Response to the MPI via the Shopper's browser device. The ACS sends the selected data to the Authentication History Server.|
|Step-10||The MPI receives the Payer Authentication Response.|
|Step-11||The MPI validates the Payer Authentication Response signature.|
|Step-12||The Merchant proceeds with authorization exchange with its acquirer.|
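The merchant plug-in's decisions in steps 5 and 10 through 12, as an added Python example that is not part of the original article or of any MPI product. Assumptions: the message fields (`txn_id`, `amount`, `status`), the function names and the demo key are constructed, the request-matching check is not stated on this page, and a standard-library HMAC stands in for the ACS's signature, whose format this page does not specify.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key: stands in for the issuing bank's ACS signing credential.
ACS_DEMO_KEY = b"constructed-demo-key"


def sign(body: dict) -> str:
    """Signature over a canonical encoding of the message body (HMAC stand-in)."""
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(ACS_DEMO_KEY, canon, hashlib.sha256).hexdigest()


def acs_authenticate(pareq: dict, code_ok: bool) -> dict:
    """Steps 7-9: the ACS checks the shopper's ID code and returns a signed PARes."""
    body = {"txn_id": pareq["txn_id"], "amount": pareq["amount"],
            "status": "Y" if code_ok else "N"}
    return {"body": body, "sig": sign(body)}


def mpi_decide(enrolled: bool, pareq: dict, pares: Optional[dict]) -> str:
    """Steps 5 and 10-12, seen from the merchant plug-in (MPI)."""
    if not enrolled:
        return "traditional-payment"  # step 5: card holder not enrolled in 3DS
    if pares is None:
        return "reject: no PARes"
    # Step 11: the PARes travelled through the shopper's browser, so nothing in
    # it is trusted until the signature verifies (constant-time comparison).
    expected = sign(pares["body"]).encode()
    if not hmac.compare_digest(expected, str(pares.get("sig", "")).encode()):
        return "reject: bad signature"
    # Assumption (not stated on the page): the response must answer this request.
    if any(pares["body"].get(k) != pareq[k] for k in ("txn_id", "amount")):
        return "reject: PARes does not match request"
    if pares["body"].get("status") != "Y":
        return "reject: not authenticated"
    return "authorize"  # step 12: proceed to the acquirer


if __name__ == "__main__":
    pareq = {"txn_id": "T-1001", "amount": "49.99"}  # constructed sample
    pares = acs_authenticate(pareq, code_ok=False)
    print(mpi_decide(True, pareq, pares))            # failed authentication
    pares["body"]["status"] = "Y"                    # altered in transit
    print(mpi_decide(True, pareq, pares))            # signature check rejects it
```

The order of checks matters: the status field is read only after the signature has verified, so a response altered on its way through the browser never reaches the authorization step.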
Okay, so what does this all really mean?
In a nutshell, the card holder will be issued with a personal ID Code that is either a PIN or a passphrase. Having submitted the credit card information for validation, a screen will appear that requires the card holder to enter that ID Code. Their card's issuing bank will verify that the entered code is correct, and the payment process will continue.
For the card holder, 3DS will not mean a complete usability upheaval. For everyone else who is engaged in managing that process, however, the headaches are considerably bigger. Software design and implementation are costly, and when you require that many organizations to intercommunicate, the process gets really difficult. There are Internet technologies that allow different systems to communicate and exchange data in real time. The number of possible technical glitches is huge, however, and the potential for such systems to go out of sync during transaction processing is considerable.
If you are a credit card holder who shops on the Internet, you should be feeling a bit nervous right now. All is not lost, however. 3D Secure is a merchant-oriented protocol, and it will certainly prompt merchants to put much more merchandise onto the Internet, but there is a price to pay. The fact is that two-factor authentication must become the normal standard for card holder security. 3D Secure still does not eliminate fraud that may occur as a result of session hijacking and other techniques described in previous articles in this series.