Talk:3-D Secure

Edit request
Don't want to add this myself as I work for a company which has recently introduced 3-D Secure as a merchant, and therefore am not exactly NPOV, but maybe it's worth writing something for the Criticism section from a merchant's/web site integrator's perspective: handing the user off to a foreign web site reduces reliability of the purchasing process (another point of failure), makes it difficult for the merchant to offer support (as they do not know what the customer will be seeing on his screen: that varies by bank), and can introduce undocumented browser dependencies (for example, on JavaScript). https://support.protx.com/forum/Topic4968-22-1.aspx?Highlight=3d+secure https://support.protx.com/forum/Topic5097-28-1.aspx?Highlight=3d+secure —Preceding unsigned comment added by 87.80.116.174 (talk) 16:56, 16 April 2008 (UTC) (87.80.116.174 on this occasion was me, not logged in. Daniel Barlow (talk) 16:58, 16 April 2008 (UTC))


 * Looking back on the earlier edits regarding Arcot Systems and keeping in mind the non-commercial, neutral POV of Wikipedia, I would like to note that although not credited in any documentation as a "co-developer" of the protocol, Arcot Systems, Inc. was definitely a contractor working for Visa to assist (or lead) in the development of the protocol. There is a large difference between a contractor and a co-developer, and a contractor is usually not cited in the publication of any results of a development project. The person who paid is the "developer" in the sense of the owner of the resulting work product, although the contractor may justifiably assert that they have special expertise in the area. But there is no way to appropriately cite that within Wikipedia. Inetdog (talk) 00:43, 18 April 2008 (UTC)


 * Is there some reason that "3-D Secure" has a TM bug while "Verified by Visa", "Mastercard" and "SecureCode" do not? All of the others occur with a TM in documents published by Visa and Mastercard respectively. Inetdog (talk) 00:48, 18 April 2008 (UTC)

Browser
I have removed the following claim:
 * Another criticism is that for the time being (April 2009), the scheme makes registration possible only from a user using a limited collection of browsers running on only 2 operating systems, notably excluding Linux or the Opera browser.

...which cited this reference from the UK website of Barclays bank:
 * Verified by Visa requires the use of Windows Microsoft® Internet Explorer 5.5, 6.0 and 7.0, Windows Netscape® 7.1 and 7.2, Windows AOL ® 9, Windows Firefox® 1.0 and Macintosh Safari®.

As far as I can see, that is just a rather badly worded FAQ. Apparently it requires Internet Explorer and Netscape and AOL and Firefox and Safari - that's a whole lot of browsers just for one card transaction, on 2 different OSes no less!


 * err ... wouldn't just changing 'and' to 'or' fix this difficulty? --Brian Josephson (talk) 20:56, 11 May 2012 (UTC)

If it is the case that this is an exhaustive list of supported browsers, it would likely only apply to Barclays' implementation of 3-D Secure (banks like to make it sound like they invented Verified by Visa / MasterCard SecureCode; they didn't). And as any better-worded FAQ would say, absence of official support doesn't mean something won't work. What's more, the "accessibility" section of that FAQ confirms that it will even work without JavaScript. - IMSoP (talk) 19:04, 19 April 2009 (UTC)

Another dubious generalisation
I've removed another dubiously general claim, this time claiming all banks in the UK have the same password reset procedure. Once again, I would like to remind anyone editing this article that 3-D Secure can be implemented differently by every bank. If anyone has specific references for which bank this is, and can think of a way of summarising it as an example (perhaps alongside the US SSN example - again, any proof that this is a country-wide policy?), feel free. -- IMSoP (talk) 22:43, 13 July 2009 (UTC)
 * If the buyer has forgotten his or her password, he or she is allowed to create a new password and then continue with the transaction. In the UK, the information required to reset the password is: The card number, the three-digit card security code, the expiry date, the card holder's name, and the birth date of the card holder. Since the card holder's date of birth is the only additional piece of information required beyond that needed for a purchase without 3-D Secure, the buyer's password is, effectively, only as secret as his or her date of birth. Dates of birth in the UK are available to the general public from the Registry of Births, Marriages and Deaths and the UK's Identity and Passport Service is committed to making this registry available online as part of their Digitisation Project. 


 * It seems this text was restored, and even expanded, so I've instead opted to summarise that section with the issues that are actually being discussed first, and the specific (or not so specific) examples afterwards.
 * To clarify, my main problem with the original content was that it implied that all US banks used SSNs for account setup, and all UK banks allowed you to reset using date of birth. Since 3-D Secure is implemented independently by each bank, this seems unlikely, and my suspicion is that editors were generalising from their own experience.
 * I would still like to see some citations for both claims, which might help us elucidate exactly which banks are affected. - IMSoP (talk) 23:53, 17 September 2009 (UTC)

OTP (One time password)
For security of your account and for authentication, some banks in India now use an OTP for enrolling, and in Sri Lanka most banks' transactions are via OTP (one time password) sent to mobile/e-mail. So unless they lose mobile (or control over your email account) and card credentials, card holders are safer. Nothing is foolproof but this is definitely a 3rd factor authentication.

For card not present/IVR tx in India the RBI has mandated OTPs. IVR is Interactive voice response / like over the phone talking to a sales rep or a mobile app.

tx is transaction. RBI is the banking authority that mandates how banks should work.

On the criticism
Also most ACSes in India do not open the screen in a pop up and all well known browsers do not allow you to hide the certificate icon so a user can always see whose site they are on.

Axis Bank is one example where the bank has invested in a sub domain so even though they have an external ACS the URL is https://secure.axisbank.com/ACSWeb/EnrollWeb/AxisBank/main/index.jsp (similar to https://cardsecurity.enstage.com/ACSWeb/EnrollWeb/KotakBank/main/reg0.jsp but on their own domain, same ACS provider but different domains, one being the banks)

Tgkprog (talk) 00:42, 25 June 2011 (UTC)

Outdated?
I'm concerned that the flag "This article is outdated" is not correct. As far as I can see all these criticisms are currently valid. Can we remove that banner, please, or at least can someone responsible outline which information is outdated? Crgn (talk) 21:40, 21 August 2011 (UTC)

I do think it's outdated. For example, when enrolling in Verified-By-Visa (at least as of yesterday when I enrolled a card in the program) I was prompted to also enter a recognizable key word. That way, when a Verified-by-Visa popup occurs during a transaction, if the pop-up shows the keyword I set up, I know it's Visa's and not a phishing scam. — Preceding unsigned comment added by 70.184.31.2 (talk) 16:48, 6 October 2016 (UTC)

Types of card
Not sure why the term credit card is used as the protocol is for any card. Can be issued by the bank as a debit card (linked to a savings account), a credit card, a prepaid or gift card. Tgkprog (talk) 17:36, 15 March 2012 (UTC)

Password requirement abandoned?
At some point I joined this system for my Visa and Mastercards (both UK), thinking it would add security. I soon realised that if my card were stolen the thief could simply use it for an internet transaction involving a site that did not use this protection, and I concluded that this was more to protect merchants who did use the system than for my own benefit, and I regretted having signed up. Also I noticed that after a certain point in time of the order of a year ago the verification window appeared but I was no longer asked for my password and wondered why (had the banks decided the password mechanism was useless maybe?).

Perhaps some knowledgeable person could include clarification in regard to these issues in the article? --Brian Josephson (talk) 20:51, 11 May 2012 (UTC)


 * you seem to have a very valid point, perhaps you should write up a polite mail outlining your concerns and send it to your bank? (I personally experienced email was the quickest method of communication) — Preceding unsigned comment added by 83.134.177.199 (talk) 02:59, 12 August 2012 (UTC)


 * I think the shift of liability is the main motivation for merchants to check 3-D Secure in the first place. That means if they check it then the customer cannot claim he didn't do it. If they do not check it, then the customer could hold the merchant liable. It could be a struggle, but if the merchant didn't use 3-D Secure, he should return the money if the card which was used for paying had been stolen. Saša~shwiki (talk) 21:04, 5 August 2015 (UTC)
 * I will just point out that Amazon does not even require CVV2 code. Crazy, is not it. What is interesting will that work for Indian cards? 2A00:1FA0:442B:577C:14E5:A263:E1A1:1976 (talk) 20:43, 18 June 2020 (UTC)

History facts
Does anybody know the exact dates when each card issuing vendor started usage of the 3-D Secure protocol? I would just like to see those history facts inside the article. Saša~shwiki (talk) 21:15, 5 August 2015 (UTC)

Diners 3D secure
Also Diners recently adopted its 3D secure. http://www.dinersclubprotect-buy.net/Public/MerchantOverview.aspx 86.163.213.144 (talk) 14:42, 20 November 2015 (UTC)

XML Protocol??
I'm confused by the assertion in the first paragraph that 3DS is an XML-based protocol (with no reference source).

The EMV® 3-D Secure SDK Specification v2.0.0 makes no mention of XML at all. It does talk about JSON;

"UI text, such as label names, questions, and help text, is sent in a JSON array. "

Netscr1be (talk) 13:18, 19 May 2017 (UTC)


 * It looks like you're right, at least the v2.0.0 protocol (downloadable from EMVCo) is JSON-based. I can't find any details of the actual 1.0 protocol, but 2001 would have been very early for Visa to be adopting JSON, so I wouldn't be surprised if that was XML. I've removed it from the intro for now, because it doesn't seem that important, and we may be able to find a citation that clarifies the situation. - IMSoP (talk) 13:55, 7 September 2020 (UTC)

Criticism: for benefit of merchants rather than cardholders?
At https://security.stackexchange.com/a/168750/105684 it is suggested that this scheme does not exist to protect cardholders but to benefit merchants. Perhaps this criticism, if justified, can be referenced and included in the section on criticism. PJTraill (talk) 22:11, 4 September 2017 (UTC)

Hello there — Preceding unsigned comment added by NavneetMafia (talk • contribs) 05:53, 2 December 2018 (UTC)

Problem with the reference n.14
The link redirects you to a phishing site that informs you that you've just won something from Google:
14. "Is securesuite.co.uk a phishing scam?". Ambrand.com. Retrieved 2010-08-11.

Two names for the same thing?
Are 3-D Secure and EMV 3-D Secure the same thing? The intro talks about them being developed by two different companies. But then the rest of the article talks about it as if it's one protocol. If not, what's the difference? -- Beland (talk) 22:32, 5 August 2019 (UTC)


 * EMVCo is just the standards body that Visa handed control of the protocol to, and "EMVCo 3-D Secure" refers to any version of the standard they've published. I've tidied up the article so that it doesn't introduce the two names as though they're separate protocols. - IMSoP (talk) 13:36, 7 September 2020 (UTC)

SCA date contradiction
3-D_Secure mentioned a deadline of Feb 2015, but Strong customer authentication mentions a deadline in Sep 2019. Was this delayed or are these different things? -- Beland (talk) 22:49, 5 August 2019 (UTC)


 * On the one hand, yes, it was delayed (many times). On the other hand, that detail really didn't belong in this article to begin with, so I've made that section much shorter. - IMSoP (talk) 13:28, 7 July 2020 (UTC)

Asking for verification INDIA AND AMAZON 3-D Security
As we all know, Amazon USA does not even require CVC or ZIP or whatever besides the card PAN and expiration date. There are some others in America. https://www.quora.com/What-online-shopping-stores-dont-require-CVV-code?top_ans=75776888 That is obviously unacceptable (only protection is debit cards (without overdraft) with enough money only for one transaction or Mir or another local card system that will not work with Amazon), I added info about India BUT I STILL DO NOT know whether Amazon USA will accept payment without 3D-Sec. or CVC from Indian card VISA or mastercard! Please help me answer that. I have some private VISA docs, looks like it is possible! 109.252.171.205 (talk) 02:24, 6 July 2020 (UTC)


 * The key phrase to remember is "liability shift" - most jurisdictions and card issuers don't require particular forms of authentication, they just make the retailer liable if the transaction is challenged as fraudulent. Your protection as a cardholder comes from your right to challenge a transaction, and in many cases have it reversed automatically unless the retailer can provide evidence that you authorised it. Amazon are simply large enough to take on that liability as a cost of business.
 * Rather than concentrating on the details of particular retailers, the article should probably make clearer that retailers can make this tradeoff. - IMSoP (talk) 13:36, 7 July 2020 (UTC)
 * "your right to challenge a transaction" Even internationally? I know this is the case, yeah, even internationally, but you will still need to go to the bank or maybe even to the police. This is a problem and in the case of credit cards (almost nobody uses credit cards in my country) it may be rather problematic. Anyway, my question is about India. 109.252.90.66 (talk) 18:15, 25 March 2021 (UTC)

First 3-D Secure version in late 1999
In the VISA Inc project ‘p42’ the first version of the 3-D Secure concept was developed. It was a project to develop new secure ways to pay over the Internet using the new VISA chip-cards. The VISA Inc person in charge of the project was Mr Philippe Levy. There were a number of companies involved in the project: Celo Communication AB, Gemplus, DST, Xcert International Inc etc.

There have been a number of new versions made over the years but the edit on 26 Feb 2015 should be reversed or changed to something like “Arcot has contributed to the concept”.

— Preceding unsigned comment added by Parahren (talk • contribs) 23:54, 5 February 2022 (UTC)

Irregular phrase structure at start of third paragraph
The first phrase of the third paragraph seems to have lost some context in revision https://en.wikipedia.org/w/index.php?title=3-D_Secure&diff=1066865765&oldid=1065009598:

From "It was originally developed by with the intention of improving ..., and offered..."

To "In 2001 with the intention of improving ..., and offered..."

For additional context, hopefully useful, it seems from https://www.digitalcommerce360.com/2002/09/30/arcot-s-transfort-solution-selected-by-mastercard-internati/ that Arcot's TransFort product was the first solution to be fully compliant with the 3-D Secure protocol and was the "foundation" for Visa's Verified by Visa (later Visa Secure) and Mastercard's SecureCode. Jsmpereira (talk) 22:06, 22 June 2023 (UTC)