Introduc)on*to*3D-Secure*January'2014'

Introduc)on*to*3D-Secure*

2'

•  3D'Secure'is'an'online'service'designed'to'make'online'shopping'transac=ons'safer'by'authen=ca=ng'a'cardholder’s'iden=ty'at'the'=me'of'purchase'–  The'service'is'commonly'known'as'Verified'by'Visa'for'Visa'and'MasterCard'SecureCode'for'MasterCard'

•  The'authen=ca=on'is'based'on'a'threeFdomain'model'(hence'the'3FD'in'the'name).'The'three'domains'are:'–  Acquirer*Domain*(the'merchant,'the'payment'gateway,'and'the'acquiring'bank)'

–  Issuer*Domain*(the'bank'which'issued'the'card'being'used)'–  Interoperability*Domain*(the'Directory'Server'and'the'Authen=ca=on'History'server'provided'by'the'card'brand,'Visa'or'MasterCard,'to'support'the'3FD'Secure'protocol)'

How*does*it*work?*

3'

•  Step'1:'Buyer'conducts'transac=on'at'merchant'page,'and'merchant'requests'transac=on'to'be'processed'using'3DFSecure'

•  Step'2:'The'Payment'Gateway,'Veritrans,'asks'Visa/MC'whether'the'card'is'registered'with'3DS.''

•  Step'3:'If'it'is,'Visa/MC'will'redirect'card'holder'to'the'Issuer’s'authen=ca=on'page'–  User'redirected'from'merchant*website*(or'VTFWebsite'

depending'on'whether'they'are'using'VTFWeb'or'VTFDirect)'to'Issuer*website*(Figure(1)(

•  Step'4:''Buyer'is'redirected'to'the'issuer’s'authen=ca=on'page.''Buyer'then'receives'a'oneF=me'token'via'SMS(1)'from'the'Issuer'and'enters'the'token'in'the'Issuer'Authen=ca=on'website'(Figure(2).'An'interes=ng'note'is'that'the'Issuer'authen=ca=on'window'is'always''390'pixels'x'400'pixels'in'size'

•  Step'5:'Once'authen=ca=on'is'completed,'the'issuer'will'let'Veritrans'know.'Veritrans'will'proceed'to'process'the'transac=on'with'the'bank'

'

(1)(This(is(called(a(Dynamic(Token(because(the(token((changes(for(every(transac=ons.(Usage((of(an(SMS(token(is(popular(in(Indonesia,(but(banks(in(other(countries(might(have(a(different(method(of(authen=ca=ng(the(user(in(3DSecure.(

Fig'2:'Issuer(authen=ca=on(window(

Fig'1:'Veritrans(redirec=ng(buyer(page(

How*does*it*work?*(Video)*

4'

What*is*the*benefit*and*cost*of*3DS*

For(merchants:(•  Fraud'Protec=on'–'Fraud'risk'is'shi\ed'from'

the'merchant'to'the'issuing'bank'

'For(Shoppers:(•  Safer'transac=ons'–'Authen=ca=on'provides'

a'greater'sense'of'security'for'the'shoppers'

'Acquiring(and(Issuing(Banks:(•  Less'fraud'and'chargebacks'–'Every'

chargeback'or'fraud'creates'significant'amount'of'opera=onal'workload'for'the'bank.'By'reducing'fraud,'banks'can'lower'their'card'opera=on'costs'

Benefits*

For(merchants:(•  Loss'in'transac=on'volume'–'3DS'increases'the'

chances'of'a'transac=on'error'to'happen'(SMS'token'not'sent,'not'redirected'properly'to'Issuer'website,'issuer'authen=ca=on'error,'etc.).'This'reduces'the'number'of'successful'transac=ons.'In'Indonesia,'implemen=ng'3DS'can'lead'to'a'30%'reduc=on'in'transac=on'volume'

'

For(Shoppers:(•  Annoying'Authen=ca=on'process'–'Indonesians'are'

notorious'for'having'mul=ple'phone'numbers.'If'the'phone'number'they'use'to'register'their'3DS'card'is'different'from'their'current'number,'they'will'not'be'able'to'receive'the'SMS'token'and'complete'the'transac=on'

'

Acquiring(and(Issuing(Banks:(•  Loss'in'transac=on'volume'–'3DS'might'decrease'

their'online'transac=on'volume'

Cost*

5'

Fraud*Risk*under*3D-Secure*

6'

With'3DSecure,'the'liability'for'fraud'is'shi\ed'from'the'merchant'or'Acquiring'bank'to'the'issuing'bank'

Normal*Card**(Card*not*registered*to*

3DS)'

3DS*ready*card**(card*registered*to*3DS)*

Normal*Transac)on*(No*3DS)'

Merchant' Merchant'

Requests*transac)on*to*be*processed*with*3D-

Secure*

Issuing'Bank.'This'transac=on'is'classified'

as'an'AGempted'Authen=ca=on'

Issuing'Bank.'This'transac=on'is'classified'

as'a(Full'Authen=ca=on'

Issuing*Bank*

Who'bears'the'fraud'risk'for'an'online'transac=on?'

Merchant*or*

Acquiring*Bank*

Note:(Fraud(is(defined(as(Chargebacks(under(Reason(code(75(and/or(83(for(Visa,(and(Reason(code(37(and(63(for(MasterCard.(

Fraud*Risk*under*3D-Secure*

7'

Full'Authen=ca=on.''This'occurs'when'the'card'issuer,'cardholder,'merchant'and'acquirer'all'correctly'process'an'authen=ca=on'transac=on.'The'cardholder'will'successfully'authen=cate'himself'or'herself'with'their'card'issuer'(with'the'issuer'website).'This'is'o\en'known'as'“Full'Authen=ca=on”'for'Visa'and'“Full'UCAF”'for'MasterCard.'Fraud'risk'borne'by'the'Issuing'Bank'

AGempted'Authen=ca=on.''This'occurs'when'the'cardholder'is'not'registered'for'authen=ca=on,'but'the'merchant'is'submigng'an'authen=ca=on'request.'Fraud'risk'borne'by'the'Issuing'Bank'

Authen=ca=on'is'unsuccessful'or'not'aGempted.''This'is'when'the'authen=ca=on'fails'or'is'not'ahempted.'This'ECI'classifica=on'also'applies'to'normal'eCommerce'transac=ons'that'u=lize'just'the'CVV'for'authen=ca=on.'Fraud'risk'borne'by'the'merchant'

ECI*5*(Visa)*or''

ECI*2*(MC)*

ECI*6*(Visa)**or''

ECI*1*(MC)*

ECI*7*(Visa)*or''

ECI*0*(MC)*

Ecommerce'Indicator'(ECI)'

FULL*AUTHENTICATION*Transac)ons*

How'does'it'work?'(Detailed)'

How*does*it*work?*

9'

Issuer* Acquirer*or*

Step'1:'Buyer'conducts'transac=on'at'merchant'page,'and'merchant'requests'transac=on'to'be'processed'using'3DFSecure'

Visa/MC*Directory*

Issuer*Access*Control*Server*

Acquiring'Bank'

Hey*VT,*3DFSecure'please!'

1

ECI*5*or*2*

How*does*it*work?*

10'

Issuer* Acquirer*or*

Step'2'and'3:'The'Payment'Gateway,'Veritrans,'asks'Visa/MC'whether'the'card'is'registered'with'3DS.'If'it'is,'Visa/MC'will'redirect'card'holder'to'the'Issuer’s'authen=ca=on'page'

Visa/MC*Directory*

Issuer*Access*Control*Server*

(Issuing*Bank)*

Hey*Visa/MC,*Is'this'card'3DS'ready?'

Acquiring'Bank'

Hey*VT,*Yup.'We’ve'confirmed'with'the'Issuer.'Let'me'redirect'buyer'to'the'issuer'site'

2

3

ECI*5*or*2*

How*does*it*work?*

11'

Issuer* Acquirer*or*

Step'4'&'5:'Buyer'is'redirected'to'the'issuer’s'authen=ca=on'page'and'enters'the'security'token'sent'to'the'Buyer.'If'authen=ca=on'is'successful,'the'issuer'will'let'Veritrans'know.'

Visa/MC*Directory*

Issuer*Access*Control*Server*

(Issuing*Bank)*

Thanks*team,*Awesome!'This'is'a'Full*Authen)ca)on**

Acquiring'Bank'

Hey*VT,*Yup.'Buyer'is'Fully'Authen=cated!'

4

5

ECI*5*or*2*

How*does*it*work?*

12'

Issuer* Acquirer*or*

Step'6:'Veritrans'sends'transac=on'details'with'the'authen=ca=on'results'to'the'acquiring'bank'for'processing.'This'is'classified'as'an'ECI'5'(Visa)'or'ECI'2'(MC)'transac=on'

Visa/MC*Directory*

Issuer*Access*Control*Server*

(Issuing*Bank)*

Acquiring'Bank'

Hey*bank,*Please'process'this'as'an'ECI*5*or*2*transac=on'

6

ECI*5*or*2*

ATTEMPTED*AUTHENTICATION*Transac)ons*

How'does'it'work?'(Detailed)'

How*does*it*work?*

14'

Issuer* Acquirer*or*

Step'1:'Buyer'conducts'transac=on'at'merchant'page,'and'merchant'requests'transac=on'to'be'processed'using'3DFSecure'

Visa/MC*Directory*

Issuer*Access*Control*Server*

Acquiring'Bank'

Hey*VT,*3DFSecure'please!'

1

ECI*6*or*1*

How*does*it*work?*

15'

Issuer* Acquirer*or*

Step'2'and'3:'The'Payment'Gateway,'Veritrans,'asks'Visa/MC'whether'the'card'is'registered'with'3DS.'Visa/MC'tells'Veritrans'that'the'card'is'not'registered'to'3DS.'

Visa/MC*Directory*

Issuer*Access*Control*Server*

(Issuing*Bank)*

Hey*Visa/MC,*Is'this'card'3DS'ready?'

Acquiring'Bank'

Hey*VT,*Sorry.'Card'is'not'registered'for'3DS.'Please'proceed'without'authen=ca=on'

2

3

ECI*6*or*1*

How*does*it*work?*

16'

Issuer* Acquirer*or*

Step'4:'Buyer'is'redirected'to'the'issuer’s'authen=ca=on'page'and'enters'the'security'token'sent'to'the'Buyer.'If'authen=ca=on'is'successful,'the'issuer'will'let'Veritrans'know.'

Visa/MC*Directory*

Issuer*Access*Control*Server*

(Issuing*Bank)*

Got*it,*at'least'we'tried…'This'is'an'A]empted*Authen)ca)on**

Acquiring'Bank'

4

ECI*6*or*1*

How*does*it*work?*

17'

Issuer* Acquirer*or*

Step'5:'Veritrans'sends'transac=on'details'with'the'authen=ca=on'results'to'the'acquiring'bank'for'processing.'This'is'classified'as'an'ECI'6'(Visa)'or'ECI'1'(MC)'transac=on.'

Visa/MC*Directory*

Issuer*Access*Control*Server*

(Issuing*Bank)*

Acquiring'Bank'

Hey*bank,*Please'process'this'as'an'ECI*6*or*1*transac=on'

5

ECI*6*or*1*

www.veritrans.co.id