As Vice President of Product Development, Jim Reno is responsible for delivering the technology, products and services that power all of Arcot's solutions. He worked on the original project to develop the 3-D Secure protocol with Visa International and has continued to lead all of Arcot's development projects.

Mr. Reno joined Arcot in 1999. He brings over 20 years of experience in software development, most of it focused on systems software and enterprise software systems. He has led teams in the development of enterprise software at SCO and Informix, of banking systems at Olivetti, and of CRM solutions at Vantive.

Mr. Reno holds a Bachelor of Science degree from MIT, a Master of Science from the University of Illinois, and an MBA.

United Kingdom
268 Bath Road
Slough
Berkshire, SL1 4DX
UK
Ph: +01753-708814
Fx: +01753-708788

www.arcot.com
reno@arcot.com


Online shopping is becoming much more widely accepted by consumers around the globe. At the same time, however, shoppers continue to worry that their payment card information could fall into the wrong hands when they buy merchandise over the Internet. Wanting to increase customer confidence and offer consumers an even more secure online shopping experience, merchants, payment card companies, and card issuers are addressing customer concerns head-on by implementing cardholder authentication services.

Cardholder authentication services mitigate consumers' worries about fraudulent charges by allowing cardholders to select a password or identifier for their credit and debit cards that is entered whenever the card is used online. This password is automatically verified by the card issuer at the time of each online purchase, helping to confirm the cardholder's identity and to promote the legitimate use of the card.

Leading payment organizations are implementing cardholder authentication services, including the Verified by Visa and MasterCard SecureCode™ programs. Both Visa and MasterCard offer programs that use the 3-D Secure protocol, which was developed with support and input from an early adopter, security solution provider Arcot Systems, Inc., a company that has standardized authentication communications and simplified program implementations across the Internet.

Straightforward Security for Online Shopping

Unlike in brick-and-mortar shops, online merchants are unable to physically verify a cardholder's identity at the time of a payment. As a result, anyone can use a credit or debit card online simply by typing in an active account number and expiration date. Understandably, this generates considerable concern for consumers, merchants, and card issuers. Cardholder authentication services solve this problem by guaranteeing that each online transaction is approved by the cardholder.

Take, for example, the Verified by Visa program. When a consumer is ready to check out at participating merchants' Web sites, the shopper clicks the Buy button and a Verified by Visa screen appears. The consumer then enters the password associated with the given card and clicks the Submit button. The Verified by Visa program automatically routes the request to the appropriate credit card issuer to verify the password. Once verified, the purchase process proceeds without delay. Consumers rest assured that only they can use their credit cards, merchants gain evidence of the cardholder's purchasing approval, and card issuers can reduce fraudulent use of cards.

Cardholder authentication is a quick and non-intrusive process due to the 3-D Secure protocol, which standardizes communications among the three parties involved in credit card purchases, as shown in Figure 1:

 

 

The issuer, such as a bank, that provides a consumer with a credit card
The merchant that accepts credit cards as payment for online purchases
The payment organizations, such as MasterCard and Visa

Each party streamlines cardholder authentication by using software based on the 3-D Secure protocol, a specification that proved its strength during a two-year Verified by Visa pilot. The pilot program used Arcot™ TransFort™ 3-D Secure software implementations (the industry's first 3-D Secure solutions for each party) to authenticate cardholder identities for 23 banks and 50 online merchants worldwide. 3-D Secure and Arcot TransFort were also selected for use by MasterCard as part of their worldwide deployment of the SecureCode program.

3-D Secure's plug-and-play nature makes cardholder authentication services easy to deploy and manage. Participating merchants simply install a plug-in 3-D Secure software module, such as Arcot TransFort for Merchants, that works with their e-business systems to let cardholders enter their credit card password online. The plug-in then interacts with a central directory server, which also runs software based on the 3-D Secure protocol and is operated by a payment organization like Visa. The central directory server stores card number ranges and information about associated issuers, enabling it to check with a given issuer whether the card is enrolled, for example, in the Verified by Visa program. If it is, the authentication service prompts the cardholder to enter their password, verifies the password using a 3-D Secure software solution for issuers, and provides a digitally signed receipt for the transaction.
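The flow just described (merchant plug-in, directory lookup by card range, issuer password check, signed receipt) can be sketched as follows. This is an added example, not Arcot's software or the 3-D Secure message format: all class and function names are hypothetical, the card numbers and key are constructed test values, and an HMAC stands in for the issuer's digital signature so the code runs with the standard library only.

```python
import hashlib, hmac, json, os

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def sign(key, body):
    # Assumption: HMAC stands in for the issuer's digital signature.
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def verify_receipt(key, receipt, purchase):
    # The receipt must carry a valid signature AND describe this exact purchase.
    ok_sig = hmac.compare_digest(sign(key, receipt["body"]), receipt["sig"])
    return ok_sig and json.loads(receipt["body"]) == purchase

class Issuer:
    """Issuer side: stores salted password hashes and signs receipts."""
    def __init__(self, key):
        self.key, self.enrolled = key, {}

    def enroll(self, card, password):
        salt = os.urandom(16)
        self.enrolled[card] = (salt, _pw_hash(password, salt))

    def authenticate(self, card, password, purchase):
        salt, stored = self.enrolled[card]
        if not hmac.compare_digest(stored, _pw_hash(password, salt)):
            return None                      # wrong password: no receipt issued
        body = json.dumps(purchase, sort_keys=True)
        return {"body": body, "sig": sign(self.key, body)}

class Directory:
    """Directory server: maps card number ranges to issuers."""
    def __init__(self, ranges):
        self.ranges = ranges                 # list of (low, high, issuer)

    def find_enrolled_issuer(self, card):
        for low, high, issuer in self.ranges:
            if low <= int(card) <= high and card in issuer.enrolled:
                return issuer
        return None

def checkout(directory, card, password, purchase):
    """Merchant plug-in: returns (status, receipt)."""
    issuer = directory.find_enrolled_issuer(card)
    if issuer is None:
        return "not_enrolled", None          # no password prompt for this card
    receipt = issuer.authenticate(card, password, purchase)
    if receipt is None or not verify_receipt(issuer.key, receipt, purchase):
        return "failed", None
    return "authenticated", receipt

# Constructed sample data (demo key and test card numbers, not real values).
ISSUER = Issuer(key=b"demo-key-not-for-production")
ISSUER.enroll("4000000000000002", "correct horse")
DIRECTORY = Directory([(4000000000000000, 4000009999999999, ISSUER)])
ORDER = {"card": "4000000000000002", "amount": "19.99", "merchant": "shop.example"}
```

Because the receipt is bound to the purchase details, a receipt whose amount was edited after signing, or one replayed against a different order, fails `verify_receipt`.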

Powerful Benefits for All Parties

Cardholder authentication services based on 3-D Secure technology offer a number of key benefits:

The services reduce costly fraud by helping to prevent unauthorized use of payment cards.
Consumers gain added confidence when they shop online, promoting increased purchasing over the Internet.
Consumers can use the service from any PC at any participating merchant Web site without necessarily having to download any plug-ins.
Merchants can easily implement a solution that integrates with their existing e-business systems.
Merchants reduce their exposure to fraud and frivolous disputes, resulting in lower dispute resolution costs.
A digitally signed receipt provides the merchant with evidence of the cardholder's approval of the transaction, just as a handwritten signature does at a physical point-of-sale.
Issuers can offer cardholders value-added services, such as reviewing their online purchases.

In addition, no extra software is typically required for customers to use the authentication services. Cardholders simply need to register for available services with their card issuer and select a password. For online stores that are not yet participating in cardholder authentication programs, credit cards continue to work as usual.

Due to these considerable benefits, online merchants and merchant aggregators are joining cardholder authentication programs in significant numbers. Eventually, entering a password while using a payment card online will likely become as natural to cardholders as entering the card expiration date.

Shopping for Gold

Not all 3-D Secure technology solutions are the same, however. Before selecting a 3-D Secure software product, merchants, issuers, and payment organizations should confirm that the solution offers all of the following capabilities to reap the greatest rewards:

Scalability
With online traffic continuing to grow, 3-D Secure solutions need to be highly scalable. The question, however, is not only whether the system can scale, but whether it can scale efficiently. Companies need to select authentication software carefully to avoid having to purchase larger and more costly hardware systems later in order to scale adequately.


Reliable Performance
The reliable performance of each 3-D Secure solution has a direct impact on transaction completion and, consequently, on customer satisfaction. If, for example, the issuer system does not perform well, the risk of an unauthenticated transaction increases, with negative results for the merchant, issuer, and cardholder. 3-D Secure software vendors should be able to demonstrate highly reliable performance for their products in large-scale e-business environments.

Proven Solution
Consumers still remember past online shopping nightmares, when sites crashed, orders were lost, or presents didn't arrive in time for the holidays. As a result, companies need to select a cardholder authentication solution that has a proven history in maintaining high customer satisfaction.

Flexible Configurations
Card issuers need flexibility to implement custom programs for various cardholders, such as enrollment options, reporting capabilities, and password options. Flexible configurations also allow companies to experiment with different enrollment and authentication methods when piloting new programs. As a result, 3-D Secure solutions need to support easy system modifications without requiring programming and should accommodate a wide range of authentication technologies (such as passwords, smart cards, digital certificates, and two-factor software identification) to support future system extensions as new services and technologies emerge.

Device Independence
Consumers will want to be able to use cardholder authentication services from any device, including PCs, handheld devices, and cell phones. Strong 3-D Secure solutions will support both traditional devices and mobile options.

Easy Integration
3-D Secure products need to integrate seamlessly into companies' existing technology structures to promote widespread program adoption. Better yet, strong solutions will also allow issuers to share data between corporate systems to support value-added services such as allowing customers to use the same password for banking and authentication services or to access authentication profiles from home banking interfaces. Advanced 3-D Secure solutions will also support multiple cardholder authentication services (such as both the Verified by Visa and MasterCard SecureCode programs) to avoid redundant effort.

Straightforward Program Compliance and Solution Management

3-D Secure solutions should comply fully with the 3-D Secure protocol and should be easy to manage on an ongoing basis to maximize resource use and reduce costs. Solutions should also support data segmentation based on branding, system behavior, portfolio segments, and administrative access to enhance service management. For example, an issuer may want to change branding and system operations for only a certain group of cards for a given period of time while maintaining a common administrative view of all cardholders.

At first glance, the problem of cardholder authentication seems quite complicated, requiring real-time online coordination between multiple entities, including cardholders, merchants, payment organizations, and card issuers. With 3-D Secure, however, protecting credit cards with passwords becomes a straightforward, easy-to-use solution that offers significant benefits to all involved.