There is no foolproof standard for merchants to authenticate the customer in an online credit card transaction. Although credit cards seem to work beautifully in the online world, they were never designed to. Credit cards were designed to function in the physical world, where identification can be verified absolutely. It is extremely difficult to do this in the virtual world.
Without an effective method of authentication, problems arise for both merchants and customers. Merchants risk higher transaction costs and, in turn, a loss of revenue. Customers suffer as well, experiencing higher costs due to the risk incurred by the merchant.
The world’s largest credit card companies, Visa, MasterCard and American Express, created an industry standard called the Secure Electronic Transaction. The effort proved too costly to be implemented at full scale and was summarily scrapped. As the internet grew in size, so did the number of fraudulent transactions over the web. In fact, some estimate that the amount of fraudulent transactions made online is 12 times higher than those made in the physical world.
Visa and MasterCard have implemented technically different but functionally similar authentication methods. Visa introduced 3-D Secure, followed by MasterCard with Secure Payment Application, or SPA. Both methods require the customer to accompany his or her credit card information with a digital PIN. Without the PIN, the credit card number itself is rendered useless.
Visa: Three Domain Secure (3D Secure)
Visa’s 3-D or Three Domain Secure model attempts to verify the legitimacy of three echelons involved in the transaction. They are:
- Issuer Domain (Cardholders and Issuing Banks)
- Acquirer Domain (Merchants and their Banks)
- Interoperability Domain (Link between Issuer and Acquirer)
The Cardholder simply needs an internet connection and a browser to use the system. Every effort was made to keep the burden on the cardholder minimal. The card issuer must maintain cardholder information using hardware and software integrated with its backend card systems. Acquirers are required to install a payment gateway and 3-D Secure Merchant Plug-ins. These changes require all participants in the acquiring echelon to make code-level changes to their shopping cart systems.
MasterCard: Secure Payment Application (SPA)
MasterCard’s system similarly involves three levels of participation consisting of:
- The Merchant
- The Issuer
- The Cardholder
Merchants are required to jump through some additional hoops with the MasterCard system. They must modify existing payment gateways to be able to accept and pass on “security tokens” to MasterCard’s Banknet. In this case the merchant is similarly required to implement code changes to shopping cart systems and allow hidden fields to be read by special SPA applets.
As with the Visa system, Issuers are required to install hardware and software compatible with backend card systems. They have an additional responsibility to issue SPA applets that generate the “security tokens” that are passed from the Issuer to the Merchant to the Acquirer and back to the Issuer for verification.
SPA applets are distributed to the cardholder via the internet, email or CD-ROM. These applets are designed to “wake up” once a cardholder attempts to make a purchase. There is an advantage to using these applets as cardholder information can be automatically entered into required fields, making the transaction quick and easy for the cardholder. This reduces abandoned transactions and increases sales for the Acquirer.
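The token round trip described above (applet generates a token, the merchant passes a hidden field along, the Issuer verifies it) can be sketched as follows. This is an added example, not code from the original article or from MasterCard; the HMAC token layout, the `spa_token` field name, the function names and the sample card and merchant values are assumptions made for illustration and are not the actual SPA format.

```python
import hashlib, hmac, secrets

def _tag(key, card, merchant_id, amount_cents, nonce):
    msg = "|".join([card, merchant_id, str(amount_cents), nonce]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Issuer:
    """Issuer back end: provisions applet keys, verifies returned tokens."""
    def __init__(self):
        self._keys = {}     # card number -> applet secret
        self._seen = set()  # nonces already accepted (replay guard)
    def enroll(self, card):
        self._keys[card] = secrets.token_bytes(32)
        return self._keys[card]  # delivered to the cardholder with the applet

    def verify(self, card, merchant_id, amount_cents, token):
        try:
            nonce, tag = token.split(".")
        except ValueError:
            return False  # missing or malformed token
        key = self._keys.get(card)
        if key is None or nonce in self._seen:
            return False
        expected = _tag(key, card, merchant_id, amount_cents, nonce)
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return False
        self._seen.add(nonce)
        return True

def applet_token(key, card, merchant_id, amount_cents):
    """Cardholder applet: token bound to this card, merchant and amount."""
    nonce = secrets.token_hex(8)
    return nonce + "." + _tag(key, card, merchant_id, amount_cents, nonce)

def merchant_forward(form):
    """Merchant gateway: passes the hidden field on without interpreting it."""
    return {"card": form["card"], "merchant_id": form["merchant_id"],
            "amount_cents": form["amount_cents"], "token": form["spa_token"]}

def demo():
    issuer, card, shop = Issuer(), "5100000000000008", "SHOP-001"  # constructed
    key = issuer.enroll(card)
    form = {"card": card, "merchant_id": shop, "amount_cents": 2599,
            "spa_token": applet_token(key, card, shop, 2599)}
    msg = merchant_forward(form)
    genuine, replay = issuer.verify(**msg), issuer.verify(**msg)
    fresh = dict(form, spa_token=applet_token(key, card, shop, 2599))
    altered = dict(merchant_forward(fresh), amount_cents=99999)  # changed in transit
    return genuine, replay, issuer.verify(**altered), issuer.verify(card, shop, 2599, "")
```

Because the token is tied to the card, merchant, amount and a one-time nonce, a card number presented without a token, with a replayed token, or with an altered amount fails verification at the Issuer.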
Comparison:
Visa’s system requires little participation from the customer initially. But its lack of user-end software applets actually increases the difficulty of transactions and contributes to shopping cart abandonment. In the words of the largest online retailer, Amazon.com, “From our standpoint, the amount of friction that 3D Secure introduces for the customer outweighs the benefit from reducing fraud. It would turn one-click ordering into four-point, three-click ordering.”
Visa’s view was that the end-user SPA applets implemented by MasterCard lengthen the registration process and may encounter compatibility issues with older browsers and operating systems. The flaw in this logic is that most internet users with older hardware and software do not heavily participate in online purchases.
Internet users are much more informed and proficient on the web than they were just a few years ago. Downloading the applets happens almost instantaneously on broadband connections and shortens the transaction by automatically filling required fields from previous purchases. The advantages far outweigh the possible disadvantages. In the end, the MasterCard system is not only more secure, but it’s faster and more efficient.