How 3-D Secure System Works

May 2, 2012, 07:10

David Frankk


Nowadays, most of the activities in our day-to-day lives are online. Socializing, entertainment, education and purchasing of various products and services have gone on the wire.


Instead of going for the conventional methods, people choose more relaxed and easy ways to carry out actions, from exchanging text to exchanging money.

As network technology advanced in earlier years, users built up trust in the stability of websites and adopted wire transfer of money, since it is a more comfortable method of transaction. But like all good things, the comfort comes with a cost. The darker side of online transactions is that, if they are not done securely, the financial information can be misused, leaving a person bankrupt. To cope with these advanced hacks of network data, the 3-D Secure system for passwords was introduced.

3-D Secure is an e-commerce application for payment systems, like the one used in airline reservation systems, and an XML-based protocol for implementing better security on transactions made using credit and debit cards. 3-D stands for three domains, which together form the 3-D Secure password and authorization process:

  • Acquirer Domain: the merchant and the bank to which the money is paid.
  • Issuer Domain: the bank that issues the card used for the transaction.
  • Interoperability Domain: the infrastructure provided by the credit card scheme to support the 3-D Secure protocol.

When the user starts a purchase on an e-commerce website and reaches the checkout for final payment, a series of steps is executed between the three domains in order to authenticate both the merchant and the user. When the user hits the “pay” button in the browser, the following events are executed in sequence, assuming the user is already enrolled for a 3-D Secure password:

  1. The cardholder (the user), sitting in the Issuer Domain, enters the information that triggers the transaction process, such as the account number or card number. All the information is transferred using the secure protocol to the merchant’s server, which is in the Acquirer Domain.
  2. In the Acquirer Domain, the merchant checks the validity of the user against the payment request made by the user. On successful authentication, the merchant’s server directs the customer to the payment gateway.
  3. The payment gateway checks for the customer’s enrollment in the 3-D Secure system and responds with an XML-based Payment Authentication Request (PAReq) to the merchant’s server. Up to this point, all events take place in the Acquirer Domain.
  4. The merchant’s server sends this PAReq to the browser of the cardholder, who is sitting in the Issuer Domain. The merchant’s server punches a parameter onto this PAReq message. This punched parameter routes the Payment Authentication Response (PARes) message, which contains the authentication results of the cardholder, to the merchant’s website. The PARes also contains the Accountholder Authentication Value (AAV), which further helps the merchant to cross-check the customer’s identity.
  5. Inside the Issuer Domain, the PAReq message received at the cardholder’s end is transferred to the cardholder’s bank server to authenticate the cardholder. To do so, the server presents a login page in the cardholder’s browser for entering the secret password known only to the cardholder and the bank that issued the card.
  6. On successful validation of the password, the server issues a Payment Authentication Response (PARes) message, which is encrypted and digitally signed. The customer’s browser simply forwards this message to the merchant’s site, which is in the Acquirer Domain.
  7. The merchant’s website continues with the payment process, using its own authorization messages to compare the information provided by the cardholder’s server, or may simply proceed to the transaction.
  8. Here in the Acquirer Domain, the payment gateway sends an authorization request to the merchant’s web server and a response is sent to the merchant’s server.
  9. All of this information sharing between the cardholder and the merchant’s website uses the Interoperability Domain, with the Internet as the medium for machine-to-machine communication. But to transfer the digital cash between the cardholder’s bank and the acquirer’s bank, a separate medium of the same Interoperability Domain, called VisaNet, is used.
  10. Finally, when the transaction is complete and all monetary funds are transferred, the merchant sends a confirmation message to the cardholder.
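The merchant-side checks implied by steps 4 to 7, as an added example that is not part of the original article: because the cardholder's browser relays the PARes, the merchant verifies the signature and matches the response to the PAReq it sent before moving to authorization. The field names, the `Merchant` class, the demo key and the HMAC standing in for the issuer's digital signature are assumptions made for illustration; the real messages are XML.

```python
import hashlib, hmac, json, secrets

# Constructed demo key. HMAC stands in for the issuer's digital signature so
# the example runs on the standard library; the real PARes is signed XML.
ISSUER_KEY = b"constructed-demo-key"

def _sign(body: dict) -> str:
    raw = json.dumps(body, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, raw, hashlib.sha256).hexdigest()

def issuer_authenticate(pareq: dict, password_ok: bool) -> dict:
    """Steps 5-6: the issuer checks the password and signs the result."""
    body = dict(pareq, status="Y" if password_ok else "N")
    return {"body": body, "sig": _sign(body)}

class Merchant:
    def __init__(self):
        self.pending = {}  # txid -> what this merchant asked the issuer to confirm

    def start(self, card: str, amount: int) -> dict:
        """Step 4: build the PAReq and remember it under a fresh txid."""
        txid = secrets.token_hex(8)  # hypothetical field tying PARes to this checkout
        self.pending[txid] = {"card": card, "amount": amount}
        return {"txid": txid, "card": card, "amount": amount}

    def finish(self, pares: dict) -> str:
        """Step 7: validate the PARes relayed by the cardholder's browser."""
        body, sig = pares.get("body", {}), str(pares.get("sig", ""))
        if not hmac.compare_digest(_sign(body).encode(), sig.encode()):
            return "reject: bad signature"
        expected = self.pending.pop(body.get("txid"), None)  # single use
        if expected is None:
            return "reject: unknown or replayed transaction"
        if any(body.get(k) != expected[k] for k in ("card", "amount")):
            return "reject: details do not match PAReq"
        if body.get("status") != "Y":
            return "reject: cardholder not authenticated"
        return "proceed to authorization"
```

A PARes that fails any of these checks is treated as unauthenticated, and each pending transaction is consumed on first use so a relayed response cannot be accepted twice.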

The most interesting part of all these steps is the magic of technology: they execute in a span of a few minutes. Imagine all the communication, encryption, validation and transaction happening in a span of 2-3 minutes. This shows how technology is working to improve the comfort level of individuals transacting over the wire while maintaining security at the highest possible level.