Review of 3-D Secure Protocol
Shweta Rathour, Assistant Professor, Computer Science and Engineering Department, I.T.S Engineering Collages, Greater Noida, India.
Manuscript received on July 05, 2013. | Revised Manuscript received on July 11, 2013. | Manuscript published on July 15, 2013. | PP: 32-34 | Volume-1 Issue-8, July 2013. | Retrieval Number: H0390071813/2013©BEIESP
Open Access | Ethics and Policies | Cite | Mendeley
© The Authors. Published By: Blue Eyes Intelligence Engineering and Sciences Publication (BEIESP). This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/)
Abstract: Banks worldwide are starting to authenticate online card transactions using the `3-D Secure’ protocol, which is branded as Verified by Visa and MasterCard Secure Code. This has been partly driven by the sharp increase in online fraud that followed the deployment of EMV smart cards (EMV comes from the initial letters of Euro-pay, MasterCard, VISA) for cardholder-present payments. 3-D Secure has so far escaped academic scrutiny; yet it might be a textbook example of how not to design an authentication protocol. It ignores good design principles and has significant vulnerabilities, some of which are already being exploited. Also, it provides a fascinating lesson in security economics. While other single sign-on schemes such as OpenID, Info Card and Liberty came up with decent technology they got the economics wrong, and their schemes have not been adopted. 3-D Secure has lousy technology, but got the economics right (at least for banks and merchants); it now boasts hundreds of millions of accounts. The 3-Domain Secure protocol specification defines an architecture and protocol for verifying cardholder account ownership during a purchase transaction in the remote environment. After initiating the final purchase action, the cardholder is placed into a dialog with his issuing financial institution. The Issuer authenticates the cardholder and sends a confirmation of identity back to the merchant; the merchant completes the transaction.
Keywords: Access Control Server (ACS), Address Verification Service (AVS), Payment Cards Industry Data Security Standard (PCIDSS), SSL/TLS Secure Socket Layer/Transport Layer Security, Secure Electronic Transaction (SET).