3D Secure
Content
Introducing 3-D Secure ™
White Paper
Version 1.1.0
Introducing 3-D Secure
White Paper
This White Paper has been created by the Wirecard AG. Its content may be changed without prior notice. External web links are provided for information only. Wirecard does not claim liability for access to and correctness of the referenced content.
COPYRIGHT
Copyright © 2007 Wirecard AG All rights reserved. Printed in Germany / European Union Version 1.1.0 Last Updated: July 2007
TRADEMARKS
The Wirecard logo is a registered trademark of Wirecard AG. Other trademarks and service marks in this document are the sole property of the Wirecard AG or their respective owners.
The information contained in this document is intended only for the person or entity to which it is addressed and contains confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact Wirecard AG and delete the material from any computer.
CONTACT INFORMATION
For questions relating to this document please contact: Wirecard Technologies AG Bretonischer Ring 4 D-85630 Grasbrunn Germany phone: +49 89 4424 0400 e-mail: [email protected]
Version 1.1.0
2 of 26
© 2007 Wirecard AG
White Paper
Introducing 3-D Secure
Contents
EXECUTIVE SUMMARY ................................................................................ 5 OVERVIEW .................................................................................................... 6
Internet Shopping and Fraud .......................................................................................... 6 3-D Fundamentals ........................................................................................................... 6 Available Programmes.................................................................................................. 7 Verified by Visa ............................................................................................................. 7 MasterCard SecureCode .............................................................................................. 7 Ultimate Protection .......................................................................................................... 7
HOW 3-D SECURE™ WORKS ...................................................................... 8
Participants ...................................................................................................................... 8 Cardholder.................................................................................................................... 8 Issuer ............................................................................................................................ 8 Merchant ...................................................................................................................... 8 Wirecard ....................................................................................................................... 8 Acquirer ........................................................................................................................ 8 Global Directory ............................................................................................................ 8 Network Architecture .................................................................................................... 9 Issuer Domain ............................................................................................................... 9 Interoperability Domain ................................................................................................ 9 Acquirer Domain ........................................................................................................... 9 Cardholder Enrollment ................................................................................................ 10 Standard Enrollment ................................................................................................... 10 Activation During Shopping ........................................................................................ 11 Activation Anytime ...................................................................................................... 12 Failed Enrollment ........................................................................................................ 12 Enrollment Example.................................................................................................... 13 Enrollment Check ....................................................................................................... 14 VEReq and VERes Messages ..................................................................................... 14 Payment Authentication ................................................................................................ 15 Attempted Authentication ........................................................................................... 15 Full Authentication ...................................................................................................... 15 Authentication Check .................................................................................................... 16 PAReq and PARes Messages..................................................................................... 16 ECI Values .................................................................................................................. 17 Authentication Example .............................................................................................. 18 Purchase Transaction Flow ........................................................................................ 19 Chargebacks .............................................................................................................. 21 Wirecard ..................................................................................................................... 21 Visa ............................................................................................................................. 21 MasterCard ................................................................................................................. 22 Best Practice .............................................................................................................. 23 Browser Setup ............................................................................................................ 23
© 2007 Wirecard AG 3 of 26 Version 1.1.0
Introducing 3-D Secure
White Paper
BENEFITS .................................................................................................... 25
Merchant Benefits .......................................................................................................... 25 No Installation ............................................................................................................. 25 No Certification .......................................................................................................... 25 Simple Setup .............................................................................................................. 25 Quick Security Check ................................................................................................. 25 Guaranteed Payment ................................................................................................. 25 Reduced Chargebacks ............................................................................................... 25 Higher Confidence ..................................................................................................... 25 Increased Sales .......................................................................................................... 26 Lower Interchange Rates ........................................................................................... 26 Higher Transaction Amounts ...................................................................................... 26 Cardholder Benefits........................................................................................................ 26 No Software Installation ............................................................................................. 26 One-Time Registration ............................................................................................... 26 Digital Signature ......................................................................................................... 26 Easy Use .................................................................................................................... 26 Confidence ................................................................................................................. 26 Fraud Protection ......................................................................................................... 26
Version 1.1.0
4 of 26
© 2007 Wirecard AG
White Paper
Introducing 3-D Secure
EXECUTIVE SUMMARY
Background Electronic commerce and online purchases are a growing trend. From the comfort of
their living room, shoppers enjoy the ease and convenience of the Internet. But the popularity of e-commerce and the anonymity of the Internet come at a price for online retailer. They have no way of telling if the shopper entering the payment card data is in fact the authorized holder of the card. Gaining the trust of Internet shoppers is key to the success of online merchants. In response to the globally increasing e-commerce fraud and payment disputes, a technology had to be found that reliably authenticates the cardholder's identity. The 3-D Secure protocol addresses this formidable challenge.
What is 3-D 3-D Secure takes e-commerce security to a new level. It is a new security standard developed by Visa and MasterCard to safeguard card payment transactions over the Secure
Internet and to alleviate online fraud. The principle of 3-D Secure is notably simple. It allows cardholders to authenticate themselves to their card-issuing bank during online purchase. In the event of chargebacks, merchants deploying this technology can, under certain conditions, shift the responsibility for fraudulent transactions to the issuer. As to the consumer, the technical implementation of the 3-D Secure will not change much. Online purchases will continue to work in the same way as before, with the exception of an additional security check: The cardholder is prompted to enter a password to confirm his identity, a process that is similar to the PIN at a bank machine. This new standard is offered by MasterCard SecureCode (MCSC) and Verified by Visa (VbV).
The This is how it works: For the 3-D Secure to function, the cardholder must have signed Technology up for this service with his bank. When a cardholder visits the online shop of a
participating merchant and pays with his card, 3-D Secure sends his purchase request to the merchant system which redirects it to the Wirecard platform for authentication handling and subsequent transaction processing. If the cardholder is not enrolled, the merchant can decide to stop the transaction, or alternatively continue with an unauthenticated purchase transaction, known as a "card-not-present transaction". If the cardholder is enrolled, the Wirecard will post a payment authentication request message, which the merchant passes on via the cardholder's web browser to the and card issuing bank. The bank, in turn, invokes an authentication window in the cardholder's browser, in which the cardholder enters his password. Having completed authentication, the cardholder redirected to the merchant who makes a second call to the Wirecard platform with the payment authentication response from the issuer. The Wirecard platform validates the digitally signed issuer response and posts the transaction the acquiring bank.
The Wirecard Solution
At Wirecard we take extensive precautions to secure the transmission and storage of payment card information using a high level of encryption over SSL and a robust firewall infrastructure. Wire Card's premium 3-D Secure solution offers merchants reliable and robust XML-based payment security, enabling real-time enrollment check, cardholder authentication and transaction processing. Compared to its sizable benefits, cardholder and merchant requirements are minimal. The APS approach requires no cumbersome installation of additional hardware such as a Merchant Plug-In (MPI), nor the deployment of a web interface. Instead of the conventional MPI, Wirecard conveniently hosts the 3D processing interface on its platform. Existing merchants can continue to use WireCard's XML processing interface. All they need to do is integrate a few additional security parameters. For technical details, see to the merchant interface specification 3-D Secure™ Card Processing.
© 2007 Wirecard AG
5 of 26
Version 1.1.0
Introducing 3-D Secure
White Paper
OVERVIEW
Consumers have increasingly become sensitive to protecting personal information. They want to be sure that they are dealing with a trusted business and that their personal identity and card details are in safe hands. Consequently, they are looking for technologies proving that their data is properly secured. 3-D Secure is the only technology providing reliable data protection and cardholder identification. This White Paper introduces the technology, presents the network interaction between participating parties and explains the underlying processes.
Internet Shopping and Fraud
Electronic retail is growing at a phenomenal rate posing new opportunities but also great challenges for online merchants. According to Visa and MasterCard market research, the number of online purchases increases annually by 35-40 percent. Admittedly, the market potential of online retail is formidable - but so is online fraud. Media coverage and consumer watchdogs pointing to security concerns with e-commerce have lead to many consumers holding back online shopping. Due to the very nature of online business, it is practically impossible to obtain and validate the signature of a cardholder, nor to record the security data by reading the card's magnetic stripe. Proving that the cardholder actually affected and authorized a purchase transaction is extremely difficult. With no signed sales receipt, there is no easy way for merchants and issuers to prove that a purchase was made by or with the consent of the legal owner of the card. As a result, chargeback rates have soared. The majority of Chargebacks<$elemtext are either directly fraud-related or caused by cardholders claiming non-participation in the executed transaction. To reduce the number of disputed purchases, a software had to be developed which verifies that the person making the online purchase is indeed the authorized cardholder.
3-D Fundamentals
In a nutshell, 3-D Secure is card authentication anti-fraud protocol developed by Visa and MasterCard to verify a shopper's identity during online shopping. Alongside CVV, the Card Verification Value, a three-digit code printed on the signature panel on the back of a payment card, 3-D Secure offers an extra level of protection in any CNP (Card Not Present) transaction. As the name suggests the protocol interacts between Three Domains (3-D) providing secure communication between all participating parties (see the payment flow graphic in section Purchase Transaction Flow). Based on this new standard, Visa and MasterCard have rolled out their authentication programmes Verified by Visa (VbV) and MasterCard SecureCode (MCSC). Technically, both are very similar in nature. They validate the cardholder's authenticity in real time and ensure the cardholder is in control over his card. The programmes are designed to support the existing broad range of magnetic stripe and smart cards. 3-D Secure uses Secure Socket Layer (SSL) encryption and the concept of a Merchant Server Plug-in (MPI) to transfer data and authenticate cardholders during an online purchase. A merchant plug-in is typically a device or an application residing on the merchant's system which interoperates with the VbV or MCSC infrastructure. It controls the exchange of 3-D Secure messages between the participating parties across the three network domains (issuer domain, interoperability domain, acquirer domain).
Version 1.1.0
6 of 26
© 2007 Wirecard AG
White Paper
Introducing 3-D Secure
Available Programmes
In response to challenges of online fraud, Visa and MasterCard each introduced their own 3-D-based security programme. Apart from some smaller differences in terminology and the succession of popup or inline windows for enrollment and authentication, Visa and MasterCard offer the same online security. As both programmes operate in the same way, the Wirecard 3-D Secure solution supports MasterCard SecureCode (including Maestro card) and Verified by Visa interchangeably.
Verified by Visa
Verified by Visa (VbV) is a global easy-to-use password-protected online payment authentication service by Visa International. Similar to using bank machine services, the cardholder must sign up for a personal password with his card issuer. VbV means that merchants will no longer be liable for chargebacks relating to authentication disputes with reason codes 83 (no possession of card) and 75 (cardholder does not recognize transaction). Shifting the liability from merchant to issuer under certain conditions is especially important since e-commerce transactions are 15-20 times more likely to be disputed and charged back than transactions undertaken face to face. By displaying the VbV logo on their websites, merchants raise awareness, leverage the consumers' desire for more security and instil confidence in the consumer.
MasterCard SecureCode
Similar to the VbV brand name, the MasterCard SecureCode (MCSC) programme supports all payment cards currently offered by MasterCard. The only difference to VbV lies in technical implementation. Compared to VbV, MCSC uses different transaction status flags and ECI values (electronic commerce indicator) in the payment authentication request and response messages (PARes and PAReq) and has different chargeback reason codes. For a description of status flags and message types, see the Wirecard interface specification 3-D Secure™ Card Processing. Merchants displaying the MCSC logo on their website must do so in English and only in the authorized artwork. Translations into other languages and alphabets are not permitted.
Ultimate Protection
VbV and MCSC take over where common authentication by Card Verification Value (CVV) or MasterCard's Card Verification Code (CVC) leave off. The 3-D Secure protocol adds another level of protection to card-not-present transactions checking security data which is not stored on the plastic itself (embossed, printed or digitally encoded). While traditional authentication and authorization technologies only capture data that is directly stored on the card, 3-D Secure requires cardholders to provide a password (similar to the PIN used for ATM cash withdrawals) that verifies their identity. Only after the shopper is authenticated, the card issuer authorizes the online purchase, which means that the issuer confirms that the referenced bank account exists and that the cardholder has sufficient funds in the account to cover the purchase. This means that when a thief steals a credit card or copies the card data (name, card number, expiration date, CVV/CVC) with a scanning device (card reader) or by hand, the possession of the card or card data alone will not suffice to make a purchase with a participating online retailer.
© 2007 Wirecard AG
7 of 26
Version 1.1.0
Introducing 3-D Secure
White Paper
HOW 3-D SECURE™ WORKS
The Wirecard 3-D Secure solution is remarkably easy to integrate. It is a two-tiered process consisting of cardholder enrollment and authentication. Using this technology does not require the installation of any proprietary software on the cardholder's computer, nor the deployment of a merchant application. This chapter discusses the key components involved in the 3-D Secure enrollment and authentication flow. Starting with an introduction of the inseparably linked participants, this chapter presents a comprehensive understanding of the network connectivity and data transfer.
Participants
Designed to work across a wide network, the Wirecard hosted 3-D Secure authentication solution is made up of the following players:
Cardholder
It all starts with the cardholder. Joe, as we call him, makes an online purchase. To him, the 3-D Secure transaction is almost transparent and not very different from an ordinary e-commerce transaction. Joe shops in the usual way. Only at checkout, when he enters his payment card data and clicks 'Order', the software verifies if he is registered and if so starts authentication.
Issuer
The issuer is Joe's bank, which issued his payment card. The issuer defines the range of card numbers which are eligible for the 3-D Secure programme. It conducts the online dialogue with Joe over a web browser, helps Joe enrol his card and authenticates it during a 3-D Secure purchase transaction.
Merchant
MERCHANT
To be able to make 3-D Secure authentication request calls and handle authorized payment transactions, the online merchant must have implemented Wire Card's 3-D Secure card processing interface. In addition to the standard transaction process types, the XML-based interface handles all enrollment checks and payment authentication.
Wirecard
The Wirecard gateway is a processing engine. It offers a set of features which normally reside as a plug-in on the merchant side. To facilitate the merchant's authentication request and response call handling, Wirecard hosts the merchant plug-in (MPI) in its core system, thereby minimizing technical prerequisites and operational overhead.
Acquirer
The acquirer is the bank of the merchant. It is in the acquirer's interest that all ecommerce transactions between cardholder and merchant are 3-D secured. The acquirer is responsible for encouraging the merchants to offer the 3-D Secure service and assigns and manages merchant IDs, passwords, or certificates needed to authenticate the merchants in the system.
Global Directory
The global directory belongs to the card association (e.g. Visa, MasterCard). It provides central decision-making capabilities to participating merchants through the Wirecard gateway and connects to the card issuer to determine if the cardholder is enrolled in the program.
Version 1.1.0
8 of 26
© 2007 Wirecard AG
White Paper
Introducing 3-D Secure
Network Architecture
Because of the collaboration of some network components (cardholder with card issuing bank and card acquiring bank with Wirecard and merchant) the network architecture can be divided into three domains (see also the payment flow graphic in section Purchase Transaction Flow).
Issuer Domain
CARDHOLDER CARDHOLDER
This domain consists of the card Issuing Bank and the Cardholder. It handles all interactions between the two over the cardholder's web browser. It is the browser from where the cardholder starts the enrollment and authentication process. To enrol and/or activate a payment card, the cardholder connects from his browser to the issuer's Web Server. From here he connects to the Enrollment Server. The purpose of the Enrollment Server is to facilitate the sign-up of the cardholder and to perform enrollment checks to verify if a cardholder is registered and thereby legible to authentication. The cornerstone of the security model is the Access Control Server (ACS), which helps the card issuing bank authenticate the cardholder. This is done by contacting the Enrollment Database to check for registration data provided by the cardholder at the time of enrollment. The issuer later queries the Access Control Server (ACS) for cardholder details, validates the retrieved information, signs it electronically and returns a response message to the merchant. In the case of VbV, the issuer also sends a copy of the message to Authentication History Server (see interoperability domain), a database which provides transaction reporting to issuers and acquirers for dispute resolution.
Enrollment Server
Web Server
Enrollment Database
Access Control Server Bank
Issuing
Issuing Bank
Interoperability Domain
Internet Internet
This domain facilitates the XML request-response exchange between the issuer domain and the acquirer domain using a common protocol and shared services supported by the Global Directory and VisaNet Network. The Global Directory Server is an Internet-based directory system provided by both Visa or MasterCard. It connects to the ACS of participating card issuers to determine if the shopper is enrolled with the issuing bank and if he is an authorized user of the payment card. Merchants communicate with the Global Directory through the Wirecard gateway. Card authorization is verified using the VisaNet communication channel between issuers and acquirers. The Authentication History Server (AHS) is contacted to verify an authentication in the case of a transaction dispute by the cardholder.
Authentication History Server Visa Directory Global Visa/MasterCard Directory
Visa Net Visa Net
Acquirer Domain
MERCHANT MERCHANT
WIRE CARD CARD WIRE payment payment gateway gateway
Acquring Acquring Bank Bank
The acquirer domain includes the Merchant, the Wirecard payment gateway and the acquiring financial institute (acquirer). The Acquirer is responsible for defining the procedures to ensure that online merchants are operating under a merchant agreement with the acquirer. Its second responsibility lies in providing the transaction processing for authenticated transactions. This is similar to a typical SSL environment. Signature validation is performed by Wire Card. It ensures that the encrypted digital signature sent with the purchase request has been successfully authenticated by the issuer. As part of its services, Wirecard is responsible for conducting the communication between the merchant system, the Global Directory and the acquirer. When a shopper makes a transaction, the Wirecard gateway contacts the global directory in the interoperability domain to determine the web link (URL) to the bank which issued the card used to make the purchase.
© 2007 Wirecard AG
9 of 26
Version 1.1.0
Introducing 3-D Secure
White Paper
Cardholder Enrollment
Enrollment is the process whereby authorized cardholders contact their issuer to register and activate their payment cards for VbV or MCSC. Provided the issuer is a participating 3-D Secure partner, the cardholder can enrol and activate his card in three ways (self-enrollment): Standard Enrollment Activation During Shopping (ADS) Activation Anytime (AA) In all of the above cases the cardholder must be online to connect to his bank's enrollment server. Please note that the process of enrollment takes place between the cardholder and the card issuing bank and neither involves merchant nor payment card association (Visa or MasterCard) directly. As a fourth option some issuers may pre-enrol their cardholders. To date, this option is however not very common.
Standard Enrollment
The standard enrollment describes the sign-up of a cardholder prior to the purchase. The graphic below illustrates the standard sign-up flow.
CARDHOLDER 1 3
INTERNET
2
ISSUING BANK
3 W eb Server Enrollm ent Server 4
5 Enrollm ent Database Access Control Server
Scenario 1: Standard Enrollment
The Standard Enrollment process can be summarized as follows: Step 1 Step 2 Step 3 The cardholder connects to the website of the card issuing bank. The bank's web server invokes an inline 3-D Secure enrollment window on the cardholder's browser. The cardholder is asked to enter the enrollment data (payment card number etc.) to prove his identity to the bank and sends it to the bank's Enrollment Server.
Version 1.1.0
10 of 26
© 2007 Wirecard AG
White Paper
Introducing 3-D Secure
Step 4
The issuer or a third party validates the submitted information to verify that the cardholder is entitled to use the payment card. In the case of a Visa smart card, the verification process also establishes that the cardholder has physical possession of the card at the time of enrollment. The enrollment data is stored for later validation during authentication processing. Once enrolled, the cardholder is ready to shop at any participating retailer.
Step 5
Activation During Shopping
Wire Card's card processing interface has been designed to check if a cardholder making an online purchase at the participating merchant's site is enrolled for 3-D Secure payment authentication. Unlike the standard enrollment, the cardholder can choose to activate his card during the purchase before checkout. This alternative is called Activation During Shopping (ADS). It is a simple and quick auto-enrollment process which has proven successful with merchants and very popular with consumers. It is an ideal way for the merchant to develop awareness and instil trust.
1
INTERNET
CARDHOLDER 3 2 MERCHANT
ISSUING BANK
3 Web Server Enrollment Server 4
5 Enrollment Database Access Control Server
Scenario 2: Activation During Shopping (ADS)
The ADS process can be summarized as follows: Step 1 Step 2 The shopper visits the online shop of a participating merchant, adds an item to his shopping cart and proceeds to the checkout. When the shopper clicks the order button, the merchant site invokes an inline window displaying the enrollment page of the issuing bank in the cardholder's browser. The cardholder is asked to enter the enrollment data (payment card number etc.) to prove his identity to the bank and sends it to the bank's Enrollment Server.
Step 3
© 2007 Wirecard AG
11 of 26
Version 1.1.0
Introducing 3-D Secure
White Paper
Step 4
The issuer or a third party validates the submitted information to verify that the cardholder is entitled to use the payment card being enrolled. In the case of a Visa smart card, the verification process also establishes that the cardholder has physical possession of the card at the time of enrollment. The enrollment data is stored for later validation during authentication processing. Once enrolled, the cardholder is ready to shop at any participating online merchant.
Step 5
Activation Anytime
This third option is currently investigated by Visa and MasterCard. It involves placing the VbV or MasterCard SecureCode logo on popular web portals with a one-click link to the enrollment site of the dedicated issuing banks. This allows Internet users to activate their payment cards from any website displaying the VbV or MasterCard SecureCode logo.
Failed Enrollment
When a cardholder tries to enrol but fails because the issuer is not participating in the program, the enrollment fails. If the enrollment is attempted during shopping (ADS), the request is simply aborted and the payment transaction submitted without subsequent payment authentication. In this case, the merchant system receives an attempted authentication response message and passes the transaction on to the Wirecard platform to be proceeded with a standard authorization request. The attempted authentication transaction response is transmitted and stored in the Authentication History Server (AHS) to be used as reference should the cardholder dispute the transaction in the future (see Attempted Authentication and Chargebacks).
Version 1.1.0
12 of 26
© 2007 Wirecard AG
White Paper
Introducing 3-D Secure
Enrollment Example
Enrolling in 3-D Secure is easy. The example below shows how a cardholder enrols in the Verified by Visa programme. Cardholders who wish to enrol several payment cards must do so for each card separately. The cardholder's issuer will typically display an enrollment page similar to the one below:
The cardholder is asked to create a "personal assurance message". This is the message that will appear on the VbV popup window when the cardholder is shopping online. All the cardholder needs to do is to enter password and reconfirm it in the input field below. Some enrollment pages may ask the cardholder to enter a hint to help him remember the password.
After a few moments, the card issuing bank will display a screen to confirm that the cardholder's enrollment is complete. In some cases, the card issuer may also send an email confirmation to the cardholder. Now the cardholder is ready to shop online sites supporting VbV.
Once enrolled the cardholder can shop at the website of the participating merchant as before. Only when he proceeds to checkout he will be reminded that the purchase he is about to make is safeguarded by 3-D Secure. When he submits his order, the merchant system invokes a popup or inline window asking him to enter his authentication password.
© 2007 Wirecard AG
13 of 26
Version 1.1.0
Introducing 3-D Secure
White Paper
Enrollment Check
There are three reasons why a cardholder may not be enrolled: he simply does not want to be, he is unaware of the option or his card is not eligible for cardholder authentication since the card issuing bank does not support the additional security.
VEReq and VERes Messages
Before the 3-D Secure software tries to authenticate a cardholder, it checks if the cardholder is enrolled. This process is known as Enrollment Check and is based on a sequence of interconnected verification requests and responses, called Verify Enrollment Request (VEReq) and Verify Enrollment Response (VERes). It is through the exchange of these messages that the merchant is informed if the payment card of the shopper buying at his online store is 3-D Secure enabled. Step 1 When the cardholder has completed the checkout process, Wirecard sends a VEReq message to the Global Directory Server to determine whether authentication is available for the specific card number. The Directory Server searches for a card range that includes the cardholder PAN received in the VEReq message. If the PAN is identified in a participating card range, the Visa Directory Server forwards the VEReq message to the URL of the ACS associated with that card range. The ACS receives the VEReq message and checks the participation of the card number and returns a VERes message that contains the URL of the ACS for either authentication processing (full or attempted authentication). The Directory Server forwards the VERes message to the Wirecard system. If the Visa Directory Server cannot identify a card range that includes the PAN received in the VEReq message, the Visa Directory Server returns a VERes message to Wirecard with the status flag 'N' for Cardholder not Enrolled.
Step 2
Step 3
With each VERes message, the Directory Server returns a letter which clearly indicates the enrollment status of the cardholder. The following table presents the status codes and their meaning: Cardholder enrolled Cardholder not enrolled Y Enrollment successful: The card is enrolled in the 3-D Secure program and the payer is eligible for authentication processing. Enrollment attempt accepted: The checked card is eligible for the 3-D Secure (it is within the card associations range of accepted cards) but the card issuing bank does not participate in the VbV or MCSC program. If the cardholder later disputes the purchase, the issuer may not submit a chargeback to the merchant. Enrollment failed: The card associations were unable to verify if the cardholder is registered. As the card is ineligible for 3-D Secure, merchants can choose to accept the card nonetheless and proceed the purchase as non-authenticated and submits authorization with ECI 7. The Acquirer/Merchant retains liability if the cardholder later disputes making the purchase. Enrollment failed: The Wirecard system encountered an error. This card is flagged as 3-D ineligible. The card can be accepted for payment, yet the merchant may not claim a liability shift on this transaction in case of a dispute with the cardholder.
N
Unable to verify enrolment
U
System Error
E
Version 1.1.0
14 of 26
© 2007 Wirecard AG
White Paper
Introducing 3-D Secure
Payment Authentication
When the cardholder is enrolled, he is automatically legible for authentication through any standard SSL-encrypted browser connection. To recap, only those cardholders are successfully authenticated who are enrolled in either VbV or MCSC and have entered the correct password requested by the issuer. Shown below is a sequence of inline windows cardholders may see at checkout at a participating retailer's site. When the cardholder selects the 'Submit' button, a window is invoked by the issuer's Access Control Server prompting the cardholder to enter the card number. If the card is enrolled, a second window appears asking the cardholder to enter a unique private code which he received from his bank during enrollment. By submitting the code that binds the cardholder to the transaction (much like a signature on a sales receipt), the cardholder is authenticated and the purchase completed. Step 1 Step 2 Step 3
Payment authentication occurs after checking out the items in a shopping cart but prior to authorization of the credit card. If a cardholder cannot be authenticated, the merchant can decide to accept the credit card as is and proceed with the standard transaction process, or reject the payment request and decline the purchase. As most merchants prefer to accept an unauthenticated card rather than losing the business, the card associations allow both fully and attempted authentications to qualify for chargeback protection (see Chargebacks).
Attempted Authentication
An attempted authentication is the intention of a cardholder to be authenticated. Imagine the following scenario. The shopper who is a VISA cardholder notices the VbV logo at checkout and decides it's a good idea to pay using additional security. He tries to enrol his card directly (by ADS) but fails because his card issuer is not participating. The enrollment process is aborted (see Failed Enrollment) and the payment transaction is submitted without payer verification. In this case, the merchant receives an attempted authentication response message with a CAVV and ECI 5 and passes the transaction on to the Wirecard platform to be proceeded with a standard authorization request. The attempted authentication request is stored on the card association's Authentication History Server (AHS) where it is called upon in the event the shopper later disputes the transaction. For the merchant the attempted authentication means that he is protected against certain chargebacks (see Chargebacks).
Full Authentication
In a full authentication, all parties concerned (cardholder, issuer, merchant and acquirer) are participating in the authentication program. Following a successful enrollment, the cardholder and the merchant enjoy the full benefits of the VbV or MCSC programme (see Merchant Benefits). When the cardholder makes a purchase at a participating online shop, the issuer verifies the cardholder by a password or other identity information. In the case of VbV, the merchant receives an Authentication Response with a CAVV and ECI 6.
© 2007 Wirecard AG 15 of 26 Version 1.1.0
Introducing 3-D Secure
White Paper
Authentication Check
The authentication check is based on a message exchange routine very similar to the enrollment check. Upon receipt of the Verification Enrollment Response (VERes) with the value "Y", the merchant system must start the authentication check with a Payer Authentication Request (PAReq).
PAReq and PARes Messages
Payer Authentication Request (PAReq) and Payer Authentication Response (PARes) Messages correlate in the following manner: Step 1 The merchant sends a PAReq message through the hosted Wirecard authentication system to the URL of issuer's ACS. This PAReq contains information regarding the purchase transaction. The URL of the ACS is sent to the merchant with the with VEReq returned in the Enrollment Check. The ACS responds with a signed PARes message containing the card issuer's authentication results for the cardholder's purchase. For Visa payment cards, the ACS returns Cardholder Authentication Verification Value (CAVV) and for MasterCard an Accountholder Authentication Value (AAV). The Wirecard system validates the signature on the PARes message in order to complete the 3-D Secure authentication process.
Step 2
Step 3
The Payer Authentication Response can be returned with the following status: Successful The Issuer has authenticated the cardholder by verifying the identity information or password. The ACS returns a CAVV and an ECI of 5 in the Authentication Response. The card is accepted for payment. The cardholder did not complete authentication and the card should not be accepted for payment. The authentication was not completed due to technical or another problem. A transmission error prevented authentication from completing. The card should be accepted for payment but no authentication data will be passed on to authorization processing and no liability shift will occur. A proof of authentication attempt was generated. The cardholder is not participating, but the attempt to authenticate was recorded. The card should be accepted for payment and authentication information passed to authorization processing. A system error prevented authentication from completing. This error is generated by the Wirecard system. The card should be accepted for payment but no authentication information will be passed to authorization processing and no liability shift will occur.
Failed or Cancelled Aborted
Attempted
System Error
Version 1.1.0
16 of 26
© 2007 Wirecard AG
White Paper
Introducing 3-D Secure
ECI Values
The Electronic Commerce Indicator (ECI) is set to a value corresponding to the authentication results and the characteristics of the merchant check out process. The merchant commerce server transmits the authorization request message, including the ECI to the Wirecard system. MasterCard currently defines two and Visa four ECI values. Possible ECI data values are: ECI 1 This value is set by the merchant in a MCSC authentication when the merchant attempted to authenticate the cardholder using 3-D Secure, but the issuer or cardholder is not participating. This value is set by the ACS in a MCSC Payer Authentication Response (PARes) message the cardholder successfully passed 3-D Secure payment authentication. This value is set by the ACS in a VbV Payer Authentication Response (PARes) message when the cardholder successfully passed 3-D Secure payment authentication. This value is set by the merchant in a VbV authentication when the merchant attempted to authenticate the cardholder using 3-D Secure, but the issuer or cardholder is not participating. This value is set by the merchant when the payment transaction was conducted over a secure channel (for example, SSL/TLS), but payment authentication was not performed, or when the issuer responded to the PAReq with an "Unable to Authenticate" code (for example, the ACS was unable to match the account ID from the PAReq to the corresponding VEReq, or payment authentication was attempted on an excluded channel or product). The merchant sets this value when the payment transaction was conducted over a non-secure channel.
ECI 2
ECI 5
ECI 6:
ECI 7:
ECI 8:
© 2007 Wirecard AG
17 of 26
Version 1.1.0
Introducing 3-D Secure
White Paper
Authentication Example
When the cardholder has completed his online shopping cart and proceeds to checkout, he is directed to the card issuing bank for authentication. Pressing the checkout button (e.g. Finalize Order, Buy Now, etc.) the merchant redirects the cardholder to the URL of the issuer's Access Control Server (ACS).
If the card is already enrolled, the issuer displays the following authentication window. In the top right corner, the window typically displays the bank logo. The cardholder enters his personal password and clicks the 'Submit' button. The card details are sent to the Access Control Server where the password is verified. If it is correct the authentication window is closed, the payment authorization started and the 3-D Secure transaction is completed.
Upon completion the cardholder is typically presented a message confirming his order. The merchant is recommended to include a tracking number as shown below.
RECEIPT # 023F112 Thank you for your order. You will receive a confirm ation em ail once it has been shipped.
Version 1.1.0
18 of 26
© 2007 Wirecard AG
White Paper
Introducing 3-D Secure
Purchase Transaction Flow
The following diagram illustrates the communication between all parties involved in the 3-D Secure transaction flow. This examples assumes that the cardholder is already enrolled (no ADS).
Is s u e r D o m a in In te ro p e ra b ility D o m a in A c q u ire r D o m a in
1 4 7 C A R D H O L D E R
IN T E R N E T
M E R C H A N T
1 0 2
6
5
3
8
9
A c ce ss C o n tro l S e rv e r
A u th en tic atio n H isto ryS erv er
V isa / M as terC ard G lo b al D irec to ry
W IR E C A R D G a tew a y /M P I
V is aN e t Is s u in gB a n k A c q u irin gB a n k
When a shopper submits an order at a participating online shop, the following process is triggered: Step 1 The cardholder shops at the merchant's website and when ready to complete the purchase, enters the appropriate payment details (including account number) and clicks a 'Pay Now' or a similar button. The merchant's system creates an XML-based payment request with a function field for an enrollment check and sends it to the Wirecard payment gateway. Wirecard verifies if the merchant is 3-D Secure enabled and if the cardholder/card is 3-D-enrolled. If the cardholder is not enrolled, the merchants system proceeds with the standard authorization request. If the cardholder is enrolled, Wirecard responds with an XML-based Payment Authentication Request (PAReq) containing two fields which are specific to the 3-D Secure process: <PAReq> and <AcsUrl>. The merchant sends an HTTP POST Payment Authentication Request (PAReq) to the cardholder, which invokes an inline window in the cardholder's browser. In this message the merchant includes a third field called <TermUrl>, which points back to the web address of the merchant site to where the issuer later sends the Payment Authentication Response (PARes) message. The cardholder's browser redirects the PAReq message to the issuer's Access Control Server (ACS) which authenticates the cardholder. This is done in two stages: First, the cardholder's browser sends an HTTPS request to the ACS. The server parses the data and invokes a login page in the cardholder's browser (popup or inline window). The cardholder now enters a password in the browser window and returns the data to the ACS.
Step 2
Step 3
Step 4
Step 5
© 2007 Wirecard AG
19 of 26
Version 1.1.0
Introducing 3-D Secure
White Paper
Step 6
Having received the data, the ACS authenticates the cardholder's password, constructs the Issuer Authentication Value (IAV), and creates an SSL-encrypted and digitally signed Payer Authentication Response (PARes). Encryption and signature ensure that the cardholder cannot modify the content of the message on its way to the merchant. The Payment Authentication Response (PARes) is posted by the ACS to the merchant's web address (<TermUrl>) via the cardholder's browser. The merchant continues the payment process (either authorization, preauthorization, or transaction) with an additional XML request. This request must contain the PARes obtained in Step 7 and a reference Global unique Wirecard ID (GuWID) returned by the Wirecard system in the response message described in Step 3. Wirecard submits an authorization request to the acquirer and response to the merchant with an authorization response message. The merchant parses the XML response and sends the cardholder payment confirmation.
Step 7 Step 8
Step 9 Step 10
Version 1.1.0
20 of 26
© 2007 Wirecard AG
White Paper
Introducing 3-D Secure
Chargebacks
While payment disputes rare in face-to-face purchases where the payment card is physically presented and the purchase confirmed with the shopper's signature on the transaction receipt, they occur much more often in e-commerce. Not dealing with them adequately can lead to chargebacks, which, in turn, can result in loss of business and revenue. Proving that a cardholder conducted and authorized a transaction in a nonface-to-face purchase is extremely difficult. To minimise losses from chargebacks, an indepth understanding of the merchant's rights and responsibilities in the chargeback process are paramount. Visa and MasterCard offer merchants guaranteed payment on all payment cards except B2B and prepaid gift cards, regardless of whether the cardholder is enrolled or not. According to Visa and MasterCard sources, online retailers participating in 3-D Secure authentication can reduce financial losses through online fraud by 60% - 70%. The payment guarantee determines who bears the cost for fraudulent card transactions passing the liability from the merchant to the card issuing bank. In the past, merchants were solely liable for fraudulent card transactions and had to bear the ensuing financial losses. With the introduction of VbV and MCSC, a merchant is protected against chargebacks and requests for information provided that the payer made the purchase using or attempting the use of 3-D Secure payment authentication. The details and figures contained below are intended only as a guide for merchants and not as a definitive set of chargeback rules.
Wirecard
It is important for merchants to understand their rights and responsibilities with respect to Chargebacks. To qualify for chargeback protection, merchant payment processing must include enrollment check and authentication validation. Wirecard not only assists merchants in meeting VbV and MCSC requirements but also helps them monitor the chargebacks to ensure that they are handled correctly in line with the policies defined by Visa and MasterCard. Using the Account Management System (ACM), merchants can easily monitor the chargeback process and view status changes. However, as business practices vary between merchants and markets, merchants are recommended to consult with their acquirer for Visa and Master Card policies applicable in their country.
Visa
Merchants supporting VbV enjoy chargeback protection for a number of fully completed and attempted authentications. In the case of a chargeback dispute, the Visa issuer sends a Cardholder Authentication Verification Value (CAVV) to prove authentication or attempted authentication took place. Visa applies different chargeback reason codes for US and international payment cards. The chargeback reason codes applicable to both types of authentication are noted in the table below. These pertain to disputes in which cardholders claim not to have make the purchase, which represent over half of disputed transactions. Visa US Reason Codes 23 - Invalid Travel & Entertainment 61 - Fraudulent Mail Order/ Telephone Order/E-Commerce 75 - Cardholder does not recognize transactions Visa International Reason Codes 23 - Invalid Travel & Entertainment 75 - Cardholder does not recognize transaction (effective October 2004 internationally) 83 - Non-possession of card, fraudulent transaction
© 2007 Wirecard AG
21 of 26
Version 1.1.0
Introducing 3-D Secure
White Paper
As the following table illustrates, an average of 66 percent of disputes by acquirers and merchants and 60 percent of the chargeback dollars are eligible for protection by participation in Verified by Visa. Reason Code 23 61 75 83 Total Protection All Other Total Chargeback Total 1% 30 % 15 % 20 % 66 % 34 % 100 % Chargeback Dollars Total 2% 29 % 11 % 18 % 60 % 40 % 100 %
Source: VisaNet System, Total e-Commerce Chargebacks, U.S. Acquirers, January/February 2004
MasterCard
In the event of a chargeback dispute, the ACS of the MasterCard issuer sends an Accountholder Authentication Value (AAV) to prove authentication took place. According to MasterCard, approximately 70% of all chargebacks are result from the cardholder denying responsibility for the transaction and the acquirer lacking the evidence of the cardholder's authentication. MasterCard authentication of the cardholder allows merchants to shift the liability to the card issuer under the following conditions. Unlike VbV, chargeback protects for MasterCard and Maestro Cards applies only to full authentication:
MasterCard & Maestro Cards Reason Codes 4837 - Card Not Authorized 4863 - Cardholder not recognized
Version 1.1.0
22 of 26
© 2007 Wirecard AG
White Paper
Introducing 3-D Secure
Best Practice
When implementing the 3-D Secure, merchants must create a checkout page which redirected the Payment Authentication Request initiated with the submission of the order to the card issuer's access control server (ACS). For instance, when a customer has closed the shopping cart and proceeds to checkout, he normally expects the next page to confirm the order. But with merchants deploying VbV or MCSC, the customer arrives at an authentication page. To avoid confusion, it is recommended to inform customers of the authentication step either before the page is displayed (prior to pressing the 'Submit' button) or on the authentication page itself. This section gives merchants some helpful tips on how to customize browser pages successfully and avoid inadvertent page closures by confused cardholders.
Browser Setup
Buoyed by research and merchant experience, Visa and MasterCard recommend a set of guidelines to ensure that the authentication process has minimal impact on the purchase flow. Generally, merchants can choose how they would like to configure their website and reference external browser pages. The two options are popup or inline windows. Pop-ups are a separate, smaller window which open on top of the merchant's checkout page, while an inline window uses the full browser window. The actual content of this window is controlled by the bank issuing the customer's payment card. The time it takes for a merchant to customize and implement an inline window is identical to a pop-up window. However, pop-ups have an annoying character. They are often mistaken for advertising or even phishing pages and are therefore often closed indiscriminately. In addition, popup blockers, which have become a standard browser feature, automatically suppress pop-up pages causing checkout and transactions to fail. A survey by Visa International has shown that 85 percent of consumers prefer inline windows which reduce authentication abandonment from around 30%, down to less than 1%. With the announcement of pop-up suppression capabilities in Microsoft's Internet Explorer (IE) browser, Visa in fact no longer allows the implementation of pop-up windows. MasterCard advocates the same approach. There are two types of inline authentication windows merchants can present to their customers: one with merchant information and one without. How these two differ in layout is described below. Inline Window The inline window takes up the entire page dimensions. It sends a clear message to the cardholder that he is communicating with his issuer. An inline windows displays in the URL field the Internet address of the card issuer (or of its VbV Service Provider) and the SSL connectivity to the access control server (ACS). These details instil cardholder confidence as it allows the shopper to verify the link to the card issuer. After all, this may be an important indicator to the cardholder who is entering sensitive data.
Full Inline Window - Source: Visa International
© 2007 Wirecard AG 23 of 26 Version 1.1.0
Introducing 3-D Secure
White Paper
Framed Inline Window In a framed inline window, only a part of the window is redirected to the issuer's ACS. By splitting the window into frames, merchants can reserve space to display a branded header or explanations that assist customers who are not VbV or MCSC experienced to complete authentication and checkout successfully. The text must be clear and concise and should assume that the customer has already enrolled his payment card.
Framed Inline Window - Source: Visa International
Alert Window Even with the best inline windows and information messages, some customers may still be confused. When uncertain of the procedure or whether they are doing things correctly, online customers will typically try to return to checkout page by clicking the Back button. To avoid disruption in the checkout process and payment transaction, merchants must ensure that the Back button functionality works and customers clicking the Back button are taken back to the checkout page. If this in not feasible, customers must be alerted by a message window. The alert should ideally do two things: (a) reassure the customer that the previous window was part of the purchase flow and (b) tell him that the attempt to return to the checkout page will disrupt the transaction.
Alert Window - Source : Visa International
Version 1.1.0
24 of 26
© 2007 Wirecard AG
White Paper
Introducing 3-D Secure
BENEFITS
Payment card fraud in e-commerce results not only in financial losses but also in widespread concern among consumers fearing that they may be the next to fall victim to identity theft. In addition to protecting consumers, the Wirecard 3-D Secure solution bears many substantial advantages for cardholders and merchants alike.
Merchant Benefits
No Installation
The Wirecard solution is a hosted processing engine. It is ideal for merchants who do not wish to install complex secure transaction software on their system and maintain additional hardware (dedicated application server).
No Certification
Wirecard is a PCI-compliant company, enjoying full Visa and MasterCard certification. Merchants who opt for the Wirecard hosted solution do not need to be certified to offer global payment authentication under the VbV and MCSC programme.
Simple Setup
The hosted 3-D Secure solution is simple to set up. Using standard XML the setup has minimal impact on merchant's interaction with the shoppers.
Quick Security Check
The merchant can immediately determine if a cardholder is registered with his card issuer for the security check. If not, the purchase transaction is processed in the normal way and the merchant is made aware that he is held liable for payment loss through fraud.
Guaranteed Payment
For merchants who are using 3-D Secure payment authentication on their sites, Visa and MasterCard offer guaranteed payment and chargeback protection on both fully authenticated transactions and attempted authentications.
Reduced Chargebacks
The first and foremost objective of the 3-D Secure is to reduce transaction disputes and associated financial losses. The technology standard is not just a payment authentication method, but also a model that protects the merchant against cardholders denying making the purchase (see Liability Shift.)
Higher Confidence
A less tangible but nonetheless significant benefit is the awareness and assurance of consumers. According to Visa and MasterCard market research, consumers indicate that they are more likely to shop at merchant sites that offer enhanced online security. To boost online sales, it is of paramount importance to develop consumer awareness and improve cardholders confidence in online shopping. This merchants can do quickly and easily with the Wirecard XML-based 3-D Secure solution.
© 2007 Wirecard AG
25 of 26
Version 1.1.0
Introducing 3-D Secure
White Paper
Increased Sales
The payment authentication capabilities of 3-D Secure will help to convince ecommerce shoppers that it is safe to use their card online and by increasing cardholder confidence and merchant payment guarantees it will ultimately increase overall sales. The merchant is perceived as an innovative and responsible eCommerce business.
Lower Interchange Rates
To motivate merchants to participate in a 3-D Secure authentication program, card associations lower their interchange rates by five basis points which is USD 0.05 for every USD100 processed, a small sum that adds up and helps offset initial costs for setup and familiarization.
Higher Transaction Amounts
Studies have shown that compared with overall e-commerce transactions consumers place substantially larger online orders at participating merchants.
Cardholder Benefits
The payment authentication with 3-D Secure boasts the following benefits for cardholders.
No Software Installation
The cardholder does not need to install any application software on his computer. From the cardholder perspective, purchases can be made as before using any supported Internet browser. The activated payment card is automatically recognized at checkout.
One-Time Registration
Consumers need to activate (enrol) a payment card only once. The activated payment card is automatically recognized by every participating merchant at checkout.
Digital Signature
Authorizing a purchase by providing an authentication password is like signing a sales receipt in a face-to-face purchase.
Easy Use
The protocol is quick and easy to use. When a cardholder submits an order at the participating online shop, an application is invoked on the merchant's web server displaying an intuitive pop-up or inline window to activate the payment card (enrollment) and if already activated, request card authentication.
Confidence
The use of an additional security level increases consumer confidence in e-commerce by mitigating fear and uncertainty associated with disclosing card details over the Internet. Cardholders enjoy peace of mind knowing that no one has access to their 3-D Secure password.
Fraud Protection
The protocol helps to prevent unauthorized use of payment cards and avert fraud before it can happen. Cardholders maintain control over their card and its use for online purchases. Once a card is activated for 3-D Secure potential fraudsters fail at the point of authentication and the fraudulent purchase is rejected.
Version 1.1.0
26 of 26
© 2007 Wirecard AG
White Paper
Version 1.1.0
Introducing 3-D Secure
White Paper
This White Paper has been created by the Wirecard AG. Its content may be changed without prior notice. External web links are provided for information only. Wirecard does not claim liability for access to and correctness of the referenced content.
COPYRIGHT
Copyright © 2007 Wirecard AG All rights reserved. Printed in Germany / European Union Version 1.1.0 Last Updated: July 2007
TRADEMARKS
The Wirecard logo is a registered trademark of Wirecard AG. Other trademarks and service marks in this document are the sole property of the Wirecard AG or their respective owners.
The information contained in this document is intended only for the person or entity to which it is addressed and contains confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact Wirecard AG and delete the material from any computer.
CONTACT INFORMATION
For questions relating to this document please contact: Wirecard Technologies AG Bretonischer Ring 4 D-85630 Grasbrunn Germany phone: +49 89 4424 0400 e-mail: [email protected]
Version 1.1.0
2 of 26
© 2007 Wirecard AG
White Paper
Introducing 3-D Secure
Contents
EXECUTIVE SUMMARY ................................................................................ 5 OVERVIEW .................................................................................................... 6
Internet Shopping and Fraud .......................................................................................... 6 3-D Fundamentals ........................................................................................................... 6 Available Programmes.................................................................................................. 7 Verified by Visa ............................................................................................................. 7 MasterCard SecureCode .............................................................................................. 7 Ultimate Protection .......................................................................................................... 7
HOW 3-D SECURE™ WORKS ...................................................................... 8
Participants ...................................................................................................................... 8 Cardholder.................................................................................................................... 8 Issuer ............................................................................................................................ 8 Merchant ...................................................................................................................... 8 Wirecard ....................................................................................................................... 8 Acquirer ........................................................................................................................ 8 Global Directory ............................................................................................................ 8 Network Architecture .................................................................................................... 9 Issuer Domain ............................................................................................................... 9 Interoperability Domain ................................................................................................ 9 Acquirer Domain ........................................................................................................... 9 Cardholder Enrollment ................................................................................................ 10 Standard Enrollment ................................................................................................... 10 Activation During Shopping ........................................................................................ 11 Activation Anytime ...................................................................................................... 12 Failed Enrollment ........................................................................................................ 12 Enrollment Example.................................................................................................... 13 Enrollment Check ....................................................................................................... 14 VEReq and VERes Messages ..................................................................................... 14 Payment Authentication ................................................................................................ 15 Attempted Authentication ........................................................................................... 15 Full Authentication ...................................................................................................... 15 Authentication Check .................................................................................................... 16 PAReq and PARes Messages..................................................................................... 16 ECI Values .................................................................................................................. 17 Authentication Example .............................................................................................. 18 Purchase Transaction Flow ........................................................................................ 19 Chargebacks .............................................................................................................. 21 Wirecard ..................................................................................................................... 21 Visa ............................................................................................................................. 21 MasterCard ................................................................................................................. 22 Best Practice .............................................................................................................. 23 Browser Setup ............................................................................................................ 23
© 2007 Wirecard AG 3 of 26 Version 1.1.0
Introducing 3-D Secure
White Paper
BENEFITS .................................................................................................... 25
Merchant Benefits .......................................................................................................... 25 No Installation ............................................................................................................. 25 No Certification .......................................................................................................... 25 Simple Setup .............................................................................................................. 25 Quick Security Check ................................................................................................. 25 Guaranteed Payment ................................................................................................. 25 Reduced Chargebacks ............................................................................................... 25 Higher Confidence ..................................................................................................... 25 Increased Sales .......................................................................................................... 26 Lower Interchange Rates ........................................................................................... 26 Higher Transaction Amounts ...................................................................................... 26 Cardholder Benefits........................................................................................................ 26 No Software Installation ............................................................................................. 26 One-Time Registration ............................................................................................... 26 Digital Signature ......................................................................................................... 26 Easy Use .................................................................................................................... 26 Confidence ................................................................................................................. 26 Fraud Protection ......................................................................................................... 26
Version 1.1.0
4 of 26
© 2007 Wirecard AG
White Paper
Introducing 3-D Secure
EXECUTIVE SUMMARY
Background Electronic commerce and online purchases are a growing trend. From the comfort of
their living room, shoppers enjoy the ease and convenience of the Internet. But the popularity of e-commerce and the anonymity of the Internet come at a price for online retailer. They have no way of telling if the shopper entering the payment card data is in fact the authorized holder of the card. Gaining the trust of Internet shoppers is key to the success of online merchants. In response to the globally increasing e-commerce fraud and payment disputes, a technology had to be found that reliably authenticates the cardholder's identity. The 3-D Secure protocol addresses this formidable challenge.
What is 3-D 3-D Secure takes e-commerce security to a new level. It is a new security standard developed by Visa and MasterCard to safeguard card payment transactions over the Secure
Internet and to alleviate online fraud. The principle of 3-D Secure is notably simple. It allows cardholders to authenticate themselves to their card-issuing bank during online purchase. In the event of chargebacks, merchants deploying this technology can, under certain conditions, shift the responsibility for fraudulent transactions to the issuer. As to the consumer, the technical implementation of the 3-D Secure will not change much. Online purchases will continue to work in the same way as before, with the exception of an additional security check: The cardholder is prompted to enter a password to confirm his identity, a process that is similar to the PIN at a bank machine. This new standard is offered by MasterCard SecureCode (MCSC) and Verified by Visa (VbV).
The This is how it works: For the 3-D Secure to function, the cardholder must have signed Technology up for this service with his bank. When a cardholder visits the online shop of a
participating merchant and pays with his card, 3-D Secure sends his purchase request to the merchant system which redirects it to the Wirecard platform for authentication handling and subsequent transaction processing. If the cardholder is not enrolled, the merchant can decide to stop the transaction, or alternatively continue with an unauthenticated purchase transaction, known as a "card-not-present transaction". If the cardholder is enrolled, the Wirecard will post a payment authentication request message, which the merchant passes on via the cardholder's web browser to the and card issuing bank. The bank, in turn, invokes an authentication window in the cardholder's browser, in which the cardholder enters his password. Having completed authentication, the cardholder redirected to the merchant who makes a second call to the Wirecard platform with the payment authentication response from the issuer. The Wirecard platform validates the digitally signed issuer response and posts the transaction the acquiring bank.
The Wirecard Solution
At Wirecard we take extensive precautions to secure the transmission and storage of payment card information using a high level of encryption over SSL and a robust firewall infrastructure. Wire Card's premium 3-D Secure solution offers merchants reliable and robust XML-based payment security, enabling real-time enrollment check, cardholder authentication and transaction processing. Compared to its sizable benefits, cardholder and merchant requirements are minimal. The APS approach requires no cumbersome installation of additional hardware such as a Merchant Plug-In (MPI), nor the deployment of a web interface. Instead of the conventional MPI, Wirecard conveniently hosts the 3D processing interface on its platform. Existing merchants can continue to use WireCard's XML processing interface. All they need to do is integrate a few additional security parameters. For technical details, see to the merchant interface specification 3-D Secure™ Card Processing.
© 2007 Wirecard AG
5 of 26
Version 1.1.0
Introducing 3-D Secure
White Paper
OVERVIEW
Consumers have increasingly become sensitive to protecting personal information. They want to be sure that they are dealing with a trusted business and that their personal identity and card details are in safe hands. Consequently, they are looking for technologies proving that their data is properly secured. 3-D Secure is the only technology providing reliable data protection and cardholder identification. This White Paper introduces the technology, presents the network interaction between participating parties and explains the underlying processes.
Internet Shopping and Fraud
Electronic retail is growing at a phenomenal rate posing new opportunities but also great challenges for online merchants. According to Visa and MasterCard market research, the number of online purchases increases annually by 35-40 percent. Admittedly, the market potential of online retail is formidable - but so is online fraud. Media coverage and consumer watchdogs pointing to security concerns with e-commerce have lead to many consumers holding back online shopping. Due to the very nature of online business, it is practically impossible to obtain and validate the signature of a cardholder, nor to record the security data by reading the card's magnetic stripe. Proving that the cardholder actually affected and authorized a purchase transaction is extremely difficult. With no signed sales receipt, there is no easy way for merchants and issuers to prove that a purchase was made by or with the consent of the legal owner of the card. As a result, chargeback rates have soared. The majority of Chargebacks<$elemtext are either directly fraud-related or caused by cardholders claiming non-participation in the executed transaction. To reduce the number of disputed purchases, a software had to be developed which verifies that the person making the online purchase is indeed the authorized cardholder.
3-D Fundamentals
In a nutshell, 3-D Secure is card authentication anti-fraud protocol developed by Visa and MasterCard to verify a shopper's identity during online shopping. Alongside CVV, the Card Verification Value, a three-digit code printed on the signature panel on the back of a payment card, 3-D Secure offers an extra level of protection in any CNP (Card Not Present) transaction. As the name suggests the protocol interacts between Three Domains (3-D) providing secure communication between all participating parties (see the payment flow graphic in section Purchase Transaction Flow). Based on this new standard, Visa and MasterCard have rolled out their authentication programmes Verified by Visa (VbV) and MasterCard SecureCode (MCSC). Technically, both are very similar in nature. They validate the cardholder's authenticity in real time and ensure the cardholder is in control over his card. The programmes are designed to support the existing broad range of magnetic stripe and smart cards. 3-D Secure uses Secure Socket Layer (SSL) encryption and the concept of a Merchant Server Plug-in (MPI) to transfer data and authenticate cardholders during an online purchase. A merchant plug-in is typically a device or an application residing on the merchant's system which interoperates with the VbV or MCSC infrastructure. It controls the exchange of 3-D Secure messages between the participating parties across the three network domains (issuer domain, interoperability domain, acquirer domain).
Version 1.1.0
6 of 26
© 2007 Wirecard AG
White Paper
Introducing 3-D Secure
Available Programmes
In response to challenges of online fraud, Visa and MasterCard each introduced their own 3-D-based security programme. Apart from some smaller differences in terminology and the succession of popup or inline windows for enrollment and authentication, Visa and MasterCard offer the same online security. As both programmes operate in the same way, the Wirecard 3-D Secure solution supports MasterCard SecureCode (including Maestro card) and Verified by Visa interchangeably.
Verified by Visa
Verified by Visa (VbV) is a global easy-to-use password-protected online payment authentication service by Visa International. Similar to using bank machine services, the cardholder must sign up for a personal password with his card issuer. VbV means that merchants will no longer be liable for chargebacks relating to authentication disputes with reason codes 83 (no possession of card) and 75 (cardholder does not recognize transaction). Shifting the liability from merchant to issuer under certain conditions is especially important since e-commerce transactions are 15-20 times more likely to be disputed and charged back than transactions undertaken face to face. By displaying the VbV logo on their websites, merchants raise awareness, leverage the consumers' desire for more security and instil confidence in the consumer.
MasterCard SecureCode
Similar to the VbV brand name, the MasterCard SecureCode (MCSC) programme supports all payment cards currently offered by MasterCard. The only difference to VbV lies in technical implementation. Compared to VbV, MCSC uses different transaction status flags and ECI values (electronic commerce indicator) in the payment authentication request and response messages (PARes and PAReq) and has different chargeback reason codes. For a description of status flags and message types, see the Wirecard interface specification 3-D Secure™ Card Processing. Merchants displaying the MCSC logo on their website must do so in English and only in the authorized artwork. Translations into other languages and alphabets are not permitted.
Ultimate Protection
VbV and MCSC take over where common authentication by Card Verification Value (CVV) or MasterCard's Card Verification Code (CVC) leave off. The 3-D Secure protocol adds another level of protection to card-not-present transactions checking security data which is not stored on the plastic itself (embossed, printed or digitally encoded). While traditional authentication and authorization technologies only capture data that is directly stored on the card, 3-D Secure requires cardholders to provide a password (similar to the PIN used for ATM cash withdrawals) that verifies their identity. Only after the shopper is authenticated, the card issuer authorizes the online purchase, which means that the issuer confirms that the referenced bank account exists and that the cardholder has sufficient funds in the account to cover the purchase. This means that when a thief steals a credit card or copies the card data (name, card number, expiration date, CVV/CVC) with a scanning device (card reader) or by hand, the possession of the card or card data alone will not suffice to make a purchase with a participating online retailer.
© 2007 Wirecard AG
7 of 26
Version 1.1.0
Introducing 3-D Secure
White Paper
HOW 3-D SECURE™ WORKS
The Wirecard 3-D Secure solution is remarkably easy to integrate. It is a two-tiered process consisting of cardholder enrollment and authentication. Using this technology does not require the installation of any proprietary software on the cardholder's computer, nor the deployment of a merchant application. This chapter discusses the key components involved in the 3-D Secure enrollment and authentication flow. Starting with an introduction of the inseparably linked participants, this chapter presents a comprehensive understanding of the network connectivity and data transfer.
Participants
Designed to work across a wide network, the Wirecard hosted 3-D Secure authentication solution is made up of the following players:
Cardholder
It all starts with the cardholder. Joe, as we call him, makes an online purchase. To him, the 3-D Secure transaction is almost transparent and not very different from an ordinary e-commerce transaction. Joe shops in the usual way. Only at checkout, when he enters his payment card data and clicks 'Order', the software verifies if he is registered and if so starts authentication.
Issuer
The issuer is Joe's bank, which issued his payment card. The issuer defines the range of card numbers which are eligible for the 3-D Secure programme. It conducts the online dialogue with Joe over a web browser, helps Joe enrol his card and authenticates it during a 3-D Secure purchase transaction.
Merchant
MERCHANT
To be able to make 3-D Secure authentication request calls and handle authorized payment transactions, the online merchant must have implemented Wire Card's 3-D Secure card processing interface. In addition to the standard transaction process types, the XML-based interface handles all enrollment checks and payment authentication.
Wirecard
The Wirecard gateway is a processing engine. It offers a set of features which normally reside as a plug-in on the merchant side. To facilitate the merchant's authentication request and response call handling, Wirecard hosts the merchant plug-in (MPI) in its core system, thereby minimizing technical prerequisites and operational overhead.
Acquirer
The acquirer is the bank of the merchant. It is in the acquirer's interest that all ecommerce transactions between cardholder and merchant are 3-D secured. The acquirer is responsible for encouraging the merchants to offer the 3-D Secure service and assigns and manages merchant IDs, passwords, or certificates needed to authenticate the merchants in the system.
Global Directory
The global directory belongs to the card association (e.g. Visa, MasterCard). It provides central decision-making capabilities to participating merchants through the Wirecard gateway and connects to the card issuer to determine if the cardholder is enrolled in the program.
Version 1.1.0
8 of 26
© 2007 Wirecard AG
White Paper
Introducing 3-D Secure
Network Architecture
Because of the collaboration of some network components (cardholder with card issuing bank and card acquiring bank with Wirecard and merchant) the network architecture can be divided into three domains (see also the payment flow graphic in section Purchase Transaction Flow).
Issuer Domain
CARDHOLDER CARDHOLDER
This domain consists of the card Issuing Bank and the Cardholder. It handles all interactions between the two over the cardholder's web browser. It is the browser from where the cardholder starts the enrollment and authentication process. To enrol and/or activate a payment card, the cardholder connects from his browser to the issuer's Web Server. From here he connects to the Enrollment Server. The purpose of the Enrollment Server is to facilitate the sign-up of the cardholder and to perform enrollment checks to verify if a cardholder is registered and thereby legible to authentication. The cornerstone of the security model is the Access Control Server (ACS), which helps the card issuing bank authenticate the cardholder. This is done by contacting the Enrollment Database to check for registration data provided by the cardholder at the time of enrollment. The issuer later queries the Access Control Server (ACS) for cardholder details, validates the retrieved information, signs it electronically and returns a response message to the merchant. In the case of VbV, the issuer also sends a copy of the message to Authentication History Server (see interoperability domain), a database which provides transaction reporting to issuers and acquirers for dispute resolution.
Enrollment Server
Web Server
Enrollment Database
Access Control Server Bank
Issuing
Issuing Bank
Interoperability Domain
Internet Internet
This domain facilitates the XML request-response exchange between the issuer domain and the acquirer domain using a common protocol and shared services supported by the Global Directory and VisaNet Network. The Global Directory Server is an Internet-based directory system provided by both Visa or MasterCard. It connects to the ACS of participating card issuers to determine if the shopper is enrolled with the issuing bank and if he is an authorized user of the payment card. Merchants communicate with the Global Directory through the Wirecard gateway. Card authorization is verified using the VisaNet communication channel between issuers and acquirers. The Authentication History Server (AHS) is contacted to verify an authentication in the case of a transaction dispute by the cardholder.
Authentication History Server Visa Directory Global Visa/MasterCard Directory
Visa Net Visa Net
Acquirer Domain
MERCHANT MERCHANT
WIRE CARD CARD WIRE payment payment gateway gateway
Acquring Acquring Bank Bank
The acquirer domain includes the Merchant, the Wirecard payment gateway and the acquiring financial institute (acquirer). The Acquirer is responsible for defining the procedures to ensure that online merchants are operating under a merchant agreement with the acquirer. Its second responsibility lies in providing the transaction processing for authenticated transactions. This is similar to a typical SSL environment. Signature validation is performed by Wire Card. It ensures that the encrypted digital signature sent with the purchase request has been successfully authenticated by the issuer. As part of its services, Wirecard is responsible for conducting the communication between the merchant system, the Global Directory and the acquirer. When a shopper makes a transaction, the Wirecard gateway contacts the global directory in the interoperability domain to determine the web link (URL) to the bank which issued the card used to make the purchase.
© 2007 Wirecard AG
9 of 26
Version 1.1.0
Introducing 3-D Secure
White Paper
Cardholder Enrollment
Enrollment is the process whereby authorized cardholders contact their issuer to register and activate their payment cards for VbV or MCSC. Provided the issuer is a participating 3-D Secure partner, the cardholder can enrol and activate his card in three ways (self-enrollment): Standard Enrollment Activation During Shopping (ADS) Activation Anytime (AA) In all of the above cases the cardholder must be online to connect to his bank's enrollment server. Please note that the process of enrollment takes place between the cardholder and the card issuing bank and neither involves merchant nor payment card association (Visa or MasterCard) directly. As a fourth option some issuers may pre-enrol their cardholders. To date, this option is however not very common.
Standard Enrollment
The standard enrollment describes the sign-up of a cardholder prior to the purchase. The graphic below illustrates the standard sign-up flow.
CARDHOLDER 1 3
INTERNET
2
ISSUING BANK
3 W eb Server Enrollm ent Server 4
5 Enrollm ent Database Access Control Server
Scenario 1: Standard Enrollment
The Standard Enrollment process can be summarized as follows: Step 1 Step 2 Step 3 The cardholder connects to the website of the card issuing bank. The bank's web server invokes an inline 3-D Secure enrollment window on the cardholder's browser. The cardholder is asked to enter the enrollment data (payment card number etc.) to prove his identity to the bank and sends it to the bank's Enrollment Server.
Version 1.1.0
10 of 26
© 2007 Wirecard AG
White Paper
Introducing 3-D Secure
Step 4
The issuer or a third party validates the submitted information to verify that the cardholder is entitled to use the payment card. In the case of a Visa smart card, the verification process also establishes that the cardholder has physical possession of the card at the time of enrollment. The enrollment data is stored for later validation during authentication processing. Once enrolled, the cardholder is ready to shop at any participating retailer.
Step 5
Activation During Shopping
Wire Card's card processing interface has been designed to check if a cardholder making an online purchase at the participating merchant's site is enrolled for 3-D Secure payment authentication. Unlike the standard enrollment, the cardholder can choose to activate his card during the purchase before checkout. This alternative is called Activation During Shopping (ADS). It is a simple and quick auto-enrollment process which has proven successful with merchants and very popular with consumers. It is an ideal way for the merchant to develop awareness and instil trust.
1
INTERNET
CARDHOLDER 3 2 MERCHANT
ISSUING BANK
3 Web Server Enrollment Server 4
5 Enrollment Database Access Control Server
Scenario 2: Activation During Shopping (ADS)
The ADS process can be summarized as follows: Step 1 Step 2 The shopper visits the online shop of a participating merchant, adds an item to his shopping cart and proceeds to the checkout. When the shopper clicks the order button, the merchant site invokes an inline window displaying the enrollment page of the issuing bank in the cardholder's browser. The cardholder is asked to enter the enrollment data (payment card number etc.) to prove his identity to the bank and sends it to the bank's Enrollment Server.
Step 3
© 2007 Wirecard AG
11 of 26
Version 1.1.0
Introducing 3-D Secure
White Paper
Step 4
The issuer or a third party validates the submitted information to verify that the cardholder is entitled to use the payment card being enrolled. In the case of a Visa smart card, the verification process also establishes that the cardholder has physical possession of the card at the time of enrollment. The enrollment data is stored for later validation during authentication processing. Once enrolled, the cardholder is ready to shop at any participating online merchant.
Step 5
Activation Anytime
This third option is currently investigated by Visa and MasterCard. It involves placing the VbV or MasterCard SecureCode logo on popular web portals with a one-click link to the enrollment site of the dedicated issuing banks. This allows Internet users to activate their payment cards from any website displaying the VbV or MasterCard SecureCode logo.
Failed Enrollment
When a cardholder tries to enrol but fails because the issuer is not participating in the program, the enrollment fails. If the enrollment is attempted during shopping (ADS), the request is simply aborted and the payment transaction submitted without subsequent payment authentication. In this case, the merchant system receives an attempted authentication response message and passes the transaction on to the Wirecard platform to be proceeded with a standard authorization request. The attempted authentication transaction response is transmitted and stored in the Authentication History Server (AHS) to be used as reference should the cardholder dispute the transaction in the future (see Attempted Authentication and Chargebacks).
Version 1.1.0
12 of 26
© 2007 Wirecard AG
White Paper
Introducing 3-D Secure
Enrollment Example
Enrolling in 3-D Secure is easy. The example below shows how a cardholder enrols in the Verified by Visa programme. Cardholders who wish to enrol several payment cards must do so for each card separately. The cardholder's issuer will typically display an enrollment page similar to the one below:
The cardholder is asked to create a "personal assurance message". This is the message that will appear on the VbV popup window when the cardholder is shopping online. All the cardholder needs to do is to enter password and reconfirm it in the input field below. Some enrollment pages may ask the cardholder to enter a hint to help him remember the password.
After a few moments, the card issuing bank will display a screen to confirm that the cardholder's enrollment is complete. In some cases, the card issuer may also send an email confirmation to the cardholder. Now the cardholder is ready to shop online sites supporting VbV.
Once enrolled the cardholder can shop at the website of the participating merchant as before. Only when he proceeds to checkout he will be reminded that the purchase he is about to make is safeguarded by 3-D Secure. When he submits his order, the merchant system invokes a popup or inline window asking him to enter his authentication password.
© 2007 Wirecard AG
13 of 26
Version 1.1.0
Introducing 3-D Secure
White Paper
Enrollment Check
There are three reasons why a cardholder may not be enrolled: he simply does not want to be, he is unaware of the option or his card is not eligible for cardholder authentication since the card issuing bank does not support the additional security.
VEReq and VERes Messages
Before the 3-D Secure software tries to authenticate a cardholder, it checks if the cardholder is enrolled. This process is known as Enrollment Check and is based on a sequence of interconnected verification requests and responses, called Verify Enrollment Request (VEReq) and Verify Enrollment Response (VERes). It is through the exchange of these messages that the merchant is informed if the payment card of the shopper buying at his online store is 3-D Secure enabled. Step 1 When the cardholder has completed the checkout process, Wirecard sends a VEReq message to the Global Directory Server to determine whether authentication is available for the specific card number. The Directory Server searches for a card range that includes the cardholder PAN received in the VEReq message. If the PAN is identified in a participating card range, the Visa Directory Server forwards the VEReq message to the URL of the ACS associated with that card range. The ACS receives the VEReq message and checks the participation of the card number and returns a VERes message that contains the URL of the ACS for either authentication processing (full or attempted authentication). The Directory Server forwards the VERes message to the Wirecard system. If the Visa Directory Server cannot identify a card range that includes the PAN received in the VEReq message, the Visa Directory Server returns a VERes message to Wirecard with the status flag 'N' for Cardholder not Enrolled.
Step 2
Step 3
With each VERes message, the Directory Server returns a letter which clearly indicates the enrollment status of the cardholder. The following table presents the status codes and their meaning: Cardholder enrolled Cardholder not enrolled Y Enrollment successful: The card is enrolled in the 3-D Secure program and the payer is eligible for authentication processing. Enrollment attempt accepted: The checked card is eligible for the 3-D Secure (it is within the card associations range of accepted cards) but the card issuing bank does not participate in the VbV or MCSC program. If the cardholder later disputes the purchase, the issuer may not submit a chargeback to the merchant. Enrollment failed: The card associations were unable to verify if the cardholder is registered. As the card is ineligible for 3-D Secure, merchants can choose to accept the card nonetheless and proceed the purchase as non-authenticated and submits authorization with ECI 7. The Acquirer/Merchant retains liability if the cardholder later disputes making the purchase. Enrollment failed: The Wirecard system encountered an error. This card is flagged as 3-D ineligible. The card can be accepted for payment, yet the merchant may not claim a liability shift on this transaction in case of a dispute with the cardholder.
N
Unable to verify enrolment
U
System Error
E
Version 1.1.0
14 of 26
© 2007 Wirecard AG
White Paper
Introducing 3-D Secure
Payment Authentication
When the cardholder is enrolled, he is automatically legible for authentication through any standard SSL-encrypted browser connection. To recap, only those cardholders are successfully authenticated who are enrolled in either VbV or MCSC and have entered the correct password requested by the issuer. Shown below is a sequence of inline windows cardholders may see at checkout at a participating retailer's site. When the cardholder selects the 'Submit' button, a window is invoked by the issuer's Access Control Server prompting the cardholder to enter the card number. If the card is enrolled, a second window appears asking the cardholder to enter a unique private code which he received from his bank during enrollment. By submitting the code that binds the cardholder to the transaction (much like a signature on a sales receipt), the cardholder is authenticated and the purchase completed. Step 1 Step 2 Step 3
Payment authentication occurs after checking out the items in a shopping cart but prior to authorization of the credit card. If a cardholder cannot be authenticated, the merchant can decide to accept the credit card as is and proceed with the standard transaction process, or reject the payment request and decline the purchase. As most merchants prefer to accept an unauthenticated card rather than losing the business, the card associations allow both fully and attempted authentications to qualify for chargeback protection (see Chargebacks).
Attempted Authentication
An attempted authentication is the intention of a cardholder to be authenticated. Imagine the following scenario. The shopper who is a VISA cardholder notices the VbV logo at checkout and decides it's a good idea to pay using additional security. He tries to enrol his card directly (by ADS) but fails because his card issuer is not participating. The enrollment process is aborted (see Failed Enrollment) and the payment transaction is submitted without payer verification. In this case, the merchant receives an attempted authentication response message with a CAVV and ECI 5 and passes the transaction on to the Wirecard platform to be proceeded with a standard authorization request. The attempted authentication request is stored on the card association's Authentication History Server (AHS) where it is called upon in the event the shopper later disputes the transaction. For the merchant the attempted authentication means that he is protected against certain chargebacks (see Chargebacks).
Full Authentication
In a full authentication, all parties concerned (cardholder, issuer, merchant and acquirer) are participating in the authentication program. Following a successful enrollment, the cardholder and the merchant enjoy the full benefits of the VbV or MCSC programme (see Merchant Benefits). When the cardholder makes a purchase at a participating online shop, the issuer verifies the cardholder by a password or other identity information. In the case of VbV, the merchant receives an Authentication Response with a CAVV and ECI 6.
© 2007 Wirecard AG 15 of 26 Version 1.1.0
Introducing 3-D Secure
White Paper
Authentication Check
The authentication check is based on a message exchange routine very similar to the enrollment check. Upon receipt of the Verification Enrollment Response (VERes) with the value "Y", the merchant system must start the authentication check with a Payer Authentication Request (PAReq).
PAReq and PARes Messages
Payer Authentication Request (PAReq) and Payer Authentication Response (PARes) Messages correlate in the following manner: Step 1 The merchant sends a PAReq message through the hosted Wirecard authentication system to the URL of issuer's ACS. This PAReq contains information regarding the purchase transaction. The URL of the ACS is sent to the merchant with the with VEReq returned in the Enrollment Check. The ACS responds with a signed PARes message containing the card issuer's authentication results for the cardholder's purchase. For Visa payment cards, the ACS returns Cardholder Authentication Verification Value (CAVV) and for MasterCard an Accountholder Authentication Value (AAV). The Wirecard system validates the signature on the PARes message in order to complete the 3-D Secure authentication process.
Step 2
Step 3
The Payer Authentication Response can be returned with the following status: Successful The Issuer has authenticated the cardholder by verifying the identity information or password. The ACS returns a CAVV and an ECI of 5 in the Authentication Response. The card is accepted for payment. The cardholder did not complete authentication and the card should not be accepted for payment. The authentication was not completed due to technical or another problem. A transmission error prevented authentication from completing. The card should be accepted for payment but no authentication data will be passed on to authorization processing and no liability shift will occur. A proof of authentication attempt was generated. The cardholder is not participating, but the attempt to authenticate was recorded. The card should be accepted for payment and authentication information passed to authorization processing. A system error prevented authentication from completing. This error is generated by the Wirecard system. The card should be accepted for payment but no authentication information will be passed to authorization processing and no liability shift will occur.
Failed or Cancelled Aborted
Attempted
System Error
Version 1.1.0
16 of 26
© 2007 Wirecard AG
White Paper
Introducing 3-D Secure
ECI Values
The Electronic Commerce Indicator (ECI) is set to a value corresponding to the authentication results and the characteristics of the merchant check out process. The merchant commerce server transmits the authorization request message, including the ECI to the Wirecard system. MasterCard currently defines two and Visa four ECI values. Possible ECI data values are: ECI 1 This value is set by the merchant in a MCSC authentication when the merchant attempted to authenticate the cardholder using 3-D Secure, but the issuer or cardholder is not participating. This value is set by the ACS in a MCSC Payer Authentication Response (PARes) message the cardholder successfully passed 3-D Secure payment authentication. This value is set by the ACS in a VbV Payer Authentication Response (PARes) message when the cardholder successfully passed 3-D Secure payment authentication. This value is set by the merchant in a VbV authentication when the merchant attempted to authenticate the cardholder using 3-D Secure, but the issuer or cardholder is not participating. This value is set by the merchant when the payment transaction was conducted over a secure channel (for example, SSL/TLS), but payment authentication was not performed, or when the issuer responded to the PAReq with an "Unable to Authenticate" code (for example, the ACS was unable to match the account ID from the PAReq to the corresponding VEReq, or payment authentication was attempted on an excluded channel or product). The merchant sets this value when the payment transaction was conducted over a non-secure channel.
ECI 2
ECI 5
ECI 6:
ECI 7:
ECI 8:
© 2007 Wirecard AG
17 of 26
Version 1.1.0
Introducing 3-D Secure
White Paper
Authentication Example
When the cardholder has completed his online shopping cart and proceeds to checkout, he is directed to the card issuing bank for authentication. Pressing the checkout button (e.g. Finalize Order, Buy Now, etc.) the merchant redirects the cardholder to the URL of the issuer's Access Control Server (ACS).
If the card is already enrolled, the issuer displays the following authentication window. In the top right corner, the window typically displays the bank logo. The cardholder enters his personal password and clicks the 'Submit' button. The card details are sent to the Access Control Server where the password is verified. If it is correct the authentication window is closed, the payment authorization started and the 3-D Secure transaction is completed.
Upon completion the cardholder is typically presented a message confirming his order. The merchant is recommended to include a tracking number as shown below.
RECEIPT # 023F112 Thank you for your order. You will receive a confirm ation em ail once it has been shipped.
Version 1.1.0
18 of 26
© 2007 Wirecard AG
White Paper
Introducing 3-D Secure
Purchase Transaction Flow
The following diagram illustrates the communication between all parties involved in the 3-D Secure transaction flow. This examples assumes that the cardholder is already enrolled (no ADS).
Is s u e r D o m a in In te ro p e ra b ility D o m a in A c q u ire r D o m a in
1 4 7 C A R D H O L D E R
IN T E R N E T
M E R C H A N T
1 0 2
6
5
3
8
9
A c ce ss C o n tro l S e rv e r
A u th en tic atio n H isto ryS erv er
V isa / M as terC ard G lo b al D irec to ry
W IR E C A R D G a tew a y /M P I
V is aN e t Is s u in gB a n k A c q u irin gB a n k
When a shopper submits an order at a participating online shop, the following process is triggered: Step 1 The cardholder shops at the merchant's website and when ready to complete the purchase, enters the appropriate payment details (including account number) and clicks a 'Pay Now' or a similar button. The merchant's system creates an XML-based payment request with a function field for an enrollment check and sends it to the Wirecard payment gateway. Wirecard verifies if the merchant is 3-D Secure enabled and if the cardholder/card is 3-D-enrolled. If the cardholder is not enrolled, the merchants system proceeds with the standard authorization request. If the cardholder is enrolled, Wirecard responds with an XML-based Payment Authentication Request (PAReq) containing two fields which are specific to the 3-D Secure process: <PAReq> and <AcsUrl>. The merchant sends an HTTP POST Payment Authentication Request (PAReq) to the cardholder, which invokes an inline window in the cardholder's browser. In this message the merchant includes a third field called <TermUrl>, which points back to the web address of the merchant site to where the issuer later sends the Payment Authentication Response (PARes) message. The cardholder's browser redirects the PAReq message to the issuer's Access Control Server (ACS) which authenticates the cardholder. This is done in two stages: First, the cardholder's browser sends an HTTPS request to the ACS. The server parses the data and invokes a login page in the cardholder's browser (popup or inline window). The cardholder now enters a password in the browser window and returns the data to the ACS.
Step 2
Step 3
Step 4
Step 5
© 2007 Wirecard AG
19 of 26
Version 1.1.0
Introducing 3-D Secure
White Paper
Step 6
Having received the data, the ACS authenticates the cardholder's password, constructs the Issuer Authentication Value (IAV), and creates an SSL-encrypted and digitally signed Payer Authentication Response (PARes). Encryption and signature ensure that the cardholder cannot modify the content of the message on its way to the merchant. The Payment Authentication Response (PARes) is posted by the ACS to the merchant's web address (<TermUrl>) via the cardholder's browser. The merchant continues the payment process (either authorization, preauthorization, or transaction) with an additional XML request. This request must contain the PARes obtained in Step 7 and a reference Global unique Wirecard ID (GuWID) returned by the Wirecard system in the response message described in Step 3. Wirecard submits an authorization request to the acquirer and response to the merchant with an authorization response message. The merchant parses the XML response and sends the cardholder payment confirmation.
Step 7 Step 8
Step 9 Step 10
Version 1.1.0
20 of 26
© 2007 Wirecard AG
White Paper
Introducing 3-D Secure
Chargebacks
While payment disputes rare in face-to-face purchases where the payment card is physically presented and the purchase confirmed with the shopper's signature on the transaction receipt, they occur much more often in e-commerce. Not dealing with them adequately can lead to chargebacks, which, in turn, can result in loss of business and revenue. Proving that a cardholder conducted and authorized a transaction in a nonface-to-face purchase is extremely difficult. To minimise losses from chargebacks, an indepth understanding of the merchant's rights and responsibilities in the chargeback process are paramount. Visa and MasterCard offer merchants guaranteed payment on all payment cards except B2B and prepaid gift cards, regardless of whether the cardholder is enrolled or not. According to Visa and MasterCard sources, online retailers participating in 3-D Secure authentication can reduce financial losses through online fraud by 60% - 70%. The payment guarantee determines who bears the cost for fraudulent card transactions passing the liability from the merchant to the card issuing bank. In the past, merchants were solely liable for fraudulent card transactions and had to bear the ensuing financial losses. With the introduction of VbV and MCSC, a merchant is protected against chargebacks and requests for information provided that the payer made the purchase using or attempting the use of 3-D Secure payment authentication. The details and figures contained below are intended only as a guide for merchants and not as a definitive set of chargeback rules.
Wirecard
It is important for merchants to understand their rights and responsibilities with respect to Chargebacks. To qualify for chargeback protection, merchant payment processing must include enrollment check and authentication validation. Wirecard not only assists merchants in meeting VbV and MCSC requirements but also helps them monitor the chargebacks to ensure that they are handled correctly in line with the policies defined by Visa and MasterCard. Using the Account Management System (ACM), merchants can easily monitor the chargeback process and view status changes. However, as business practices vary between merchants and markets, merchants are recommended to consult with their acquirer for Visa and Master Card policies applicable in their country.
Visa
Merchants supporting VbV enjoy chargeback protection for a number of fully completed and attempted authentications. In the case of a chargeback dispute, the Visa issuer sends a Cardholder Authentication Verification Value (CAVV) to prove authentication or attempted authentication took place. Visa applies different chargeback reason codes for US and international payment cards. The chargeback reason codes applicable to both types of authentication are noted in the table below. These pertain to disputes in which cardholders claim not to have make the purchase, which represent over half of disputed transactions. Visa US Reason Codes 23 - Invalid Travel & Entertainment 61 - Fraudulent Mail Order/ Telephone Order/E-Commerce 75 - Cardholder does not recognize transactions Visa International Reason Codes 23 - Invalid Travel & Entertainment 75 - Cardholder does not recognize transaction (effective October 2004 internationally) 83 - Non-possession of card, fraudulent transaction
© 2007 Wirecard AG
21 of 26
Version 1.1.0
Introducing 3-D Secure
White Paper
As the following table illustrates, an average of 66 percent of disputes by acquirers and merchants and 60 percent of the chargeback dollars are eligible for protection by participation in Verified by Visa. Reason Code 23 61 75 83 Total Protection All Other Total Chargeback Total 1% 30 % 15 % 20 % 66 % 34 % 100 % Chargeback Dollars Total 2% 29 % 11 % 18 % 60 % 40 % 100 %
Source: VisaNet System, Total e-Commerce Chargebacks, U.S. Acquirers, January/February 2004
MasterCard
In the event of a chargeback dispute, the ACS of the MasterCard issuer sends an Accountholder Authentication Value (AAV) to prove authentication took place. According to MasterCard, approximately 70% of all chargebacks are result from the cardholder denying responsibility for the transaction and the acquirer lacking the evidence of the cardholder's authentication. MasterCard authentication of the cardholder allows merchants to shift the liability to the card issuer under the following conditions. Unlike VbV, chargeback protects for MasterCard and Maestro Cards applies only to full authentication:
MasterCard & Maestro Cards Reason Codes 4837 - Card Not Authorized 4863 - Cardholder not recognized
Version 1.1.0
22 of 26
© 2007 Wirecard AG
White Paper
Introducing 3-D Secure
Best Practice
When implementing the 3-D Secure, merchants must create a checkout page which redirected the Payment Authentication Request initiated with the submission of the order to the card issuer's access control server (ACS). For instance, when a customer has closed the shopping cart and proceeds to checkout, he normally expects the next page to confirm the order. But with merchants deploying VbV or MCSC, the customer arrives at an authentication page. To avoid confusion, it is recommended to inform customers of the authentication step either before the page is displayed (prior to pressing the 'Submit' button) or on the authentication page itself. This section gives merchants some helpful tips on how to customize browser pages successfully and avoid inadvertent page closures by confused cardholders.
Browser Setup
Buoyed by research and merchant experience, Visa and MasterCard recommend a set of guidelines to ensure that the authentication process has minimal impact on the purchase flow. Generally, merchants can choose how they would like to configure their website and reference external browser pages. The two options are popup or inline windows. Pop-ups are a separate, smaller window which open on top of the merchant's checkout page, while an inline window uses the full browser window. The actual content of this window is controlled by the bank issuing the customer's payment card. The time it takes for a merchant to customize and implement an inline window is identical to a pop-up window. However, pop-ups have an annoying character. They are often mistaken for advertising or even phishing pages and are therefore often closed indiscriminately. In addition, popup blockers, which have become a standard browser feature, automatically suppress pop-up pages causing checkout and transactions to fail. A survey by Visa International has shown that 85 percent of consumers prefer inline windows which reduce authentication abandonment from around 30%, down to less than 1%. With the announcement of pop-up suppression capabilities in Microsoft's Internet Explorer (IE) browser, Visa in fact no longer allows the implementation of pop-up windows. MasterCard advocates the same approach. There are two types of inline authentication windows merchants can present to their customers: one with merchant information and one without. How these two differ in layout is described below. Inline Window The inline window takes up the entire page dimensions. It sends a clear message to the cardholder that he is communicating with his issuer. An inline windows displays in the URL field the Internet address of the card issuer (or of its VbV Service Provider) and the SSL connectivity to the access control server (ACS). These details instil cardholder confidence as it allows the shopper to verify the link to the card issuer. After all, this may be an important indicator to the cardholder who is entering sensitive data.
Full Inline Window - Source: Visa International
© 2007 Wirecard AG 23 of 26 Version 1.1.0
Introducing 3-D Secure
White Paper
Framed Inline Window In a framed inline window, only a part of the window is redirected to the issuer's ACS. By splitting the window into frames, merchants can reserve space to display a branded header or explanations that assist customers who are not VbV or MCSC experienced to complete authentication and checkout successfully. The text must be clear and concise and should assume that the customer has already enrolled his payment card.
Framed Inline Window - Source: Visa International
Alert Window Even with the best inline windows and information messages, some customers may still be confused. When uncertain of the procedure or whether they are doing things correctly, online customers will typically try to return to checkout page by clicking the Back button. To avoid disruption in the checkout process and payment transaction, merchants must ensure that the Back button functionality works and customers clicking the Back button are taken back to the checkout page. If this in not feasible, customers must be alerted by a message window. The alert should ideally do two things: (a) reassure the customer that the previous window was part of the purchase flow and (b) tell him that the attempt to return to the checkout page will disrupt the transaction.
Alert Window - Source : Visa International
Version 1.1.0
24 of 26
© 2007 Wirecard AG
White Paper
Introducing 3-D Secure
BENEFITS
Payment card fraud in e-commerce results not only in financial losses but also in widespread concern among consumers fearing that they may be the next to fall victim to identity theft. In addition to protecting consumers, the Wirecard 3-D Secure solution bears many substantial advantages for cardholders and merchants alike.
Merchant Benefits
No Installation
The Wirecard solution is a hosted processing engine. It is ideal for merchants who do not wish to install complex secure transaction software on their system and maintain additional hardware (dedicated application server).
No Certification
Wirecard is a PCI-compliant company, enjoying full Visa and MasterCard certification. Merchants who opt for the Wirecard hosted solution do not need to be certified to offer global payment authentication under the VbV and MCSC programme.
Simple Setup
The hosted 3-D Secure solution is simple to set up. Using standard XML the setup has minimal impact on merchant's interaction with the shoppers.
Quick Security Check
The merchant can immediately determine if a cardholder is registered with his card issuer for the security check. If not, the purchase transaction is processed in the normal way and the merchant is made aware that he is held liable for payment loss through fraud.
Guaranteed Payment
For merchants who are using 3-D Secure payment authentication on their sites, Visa and MasterCard offer guaranteed payment and chargeback protection on both fully authenticated transactions and attempted authentications.
Reduced Chargebacks
The first and foremost objective of the 3-D Secure is to reduce transaction disputes and associated financial losses. The technology standard is not just a payment authentication method, but also a model that protects the merchant against cardholders denying making the purchase (see Liability Shift.)
Higher Confidence
A less tangible but nonetheless significant benefit is the awareness and assurance of consumers. According to Visa and MasterCard market research, consumers indicate that they are more likely to shop at merchant sites that offer enhanced online security. To boost online sales, it is of paramount importance to develop consumer awareness and improve cardholders confidence in online shopping. This merchants can do quickly and easily with the Wirecard XML-based 3-D Secure solution.
© 2007 Wirecard AG
25 of 26
Version 1.1.0
Introducing 3-D Secure
White Paper
Increased Sales
The payment authentication capabilities of 3-D Secure will help to convince ecommerce shoppers that it is safe to use their card online and by increasing cardholder confidence and merchant payment guarantees it will ultimately increase overall sales. The merchant is perceived as an innovative and responsible eCommerce business.
Lower Interchange Rates
To motivate merchants to participate in a 3-D Secure authentication program, card associations lower their interchange rates by five basis points which is USD 0.05 for every USD100 processed, a small sum that adds up and helps offset initial costs for setup and familiarization.
Higher Transaction Amounts
Studies have shown that compared with overall e-commerce transactions consumers place substantially larger online orders at participating merchants.
Cardholder Benefits
The payment authentication with 3-D Secure boasts the following benefits for cardholders.
No Software Installation
The cardholder does not need to install any application software on his computer. From the cardholder perspective, purchases can be made as before using any supported Internet browser. The activated payment card is automatically recognized at checkout.
One-Time Registration
Consumers need to activate (enrol) a payment card only once. The activated payment card is automatically recognized by every participating merchant at checkout.
Digital Signature
Authorizing a purchase by providing an authentication password is like signing a sales receipt in a face-to-face purchase.
Easy Use
The protocol is quick and easy to use. When a cardholder submits an order at the participating online shop, an application is invoked on the merchant's web server displaying an intuitive pop-up or inline window to activate the payment card (enrollment) and if already activated, request card authentication.
Confidence
The use of an additional security level increases consumer confidence in e-commerce by mitigating fear and uncertainty associated with disclosing card details over the Internet. Cardholders enjoy peace of mind knowing that no one has access to their 3-D Secure password.
Fraud Protection
The protocol helps to prevent unauthorized use of payment cards and avert fraud before it can happen. Cardholders maintain control over their card and its use for online purchases. Once a card is activated for 3-D Secure potential fraudsters fail at the point of authentication and the fraudulent purchase is rejected.
Version 1.1.0
26 of 26
© 2007 Wirecard AG
