Talk:3-D Secure


Edit request

Don't want to add this myself as I work for a company which has recently introduced 3-D Secure as a merchant, and therefore am not exactly NPOV, but maybe it's worth writing something for the Criticism section from the merchant's/web site integrator's perspective: handing the user off to a foreign web site reduces reliability of the purchasing process (another point of failure), makes it difficult for the merchant to offer support (as they do not know what the customer will be seeing on his screen: that varies by bank), and can introduce undocumented browser dependencies (for example, on JavaScript). https://support.protx.com/forum/Topic4968-22-1.aspx?Highlight=3d+secure https://support.protx.com/forum/Topic5097-28-1.aspx?Highlight=3d+secure —Preceding unsigned comment added by 87.80.116.174 (talk) 16:56, 16 April 2008 (UTC) (87.80.116.174 on this occasion was me, not logged in. Daniel Barlow (talk) 16:58, 16 April 2008 (UTC))

Looking back on the earlier edits regarding Arcot Systems and keeping in mind the non-commercial, neutral POV of Wikipedia, I would like to note that although not credited in any documentation as a "co-developer" of the protocol, Arcot Systems, Inc. was definitely a contractor working for Visa to assist (or lead) in the development of the protocol. There is a large difference between a contractor and a co-developer, and a contractor is usually not cited in the publication of any results of a development project. The person who paid is the "developer" in the sense of the owner of the resulting work product, although the contractor may justifiably assert that they have special expertise in the area. But there is no way to appropriately cite that within Wikipedia. Inetdog (talk) 00:43, 18 April 2008 (UTC)
Is there some reason that "3-D Secure" has a TM bug while "Verified by Visa", "Mastercard" and "SecureCode" do not? All of the others occur with a TM in documents published by Visa and Mastercard respectively. Inetdog (talk) 00:48, 18 April 2008 (UTC)

Browser

I have removed the following claim:

Another criticism is that for the time being (April 2009), the scheme makes registration possible only from a user using a limited collection of browsers running on only 2 operating systems, notably excluding Linux or the Opera browser.

...which cited this reference from the UK website of Barclays bank:

Verified by Visa requires the use of Windows Microsoft® Internet Explorer 5.5, 6.0 and 7.0, Windows Netscape® 7.1 and 7.2, Windows AOL ® 9, Windows Firefox® 1.0 and Macintosh Safari®. [1]

As far as I can see, that is just a rather badly worded FAQ. Apparently it requires Internet Explorer and Netscape and AOL and Firefox and Safari - that's a whole lot of browsers just for one card transaction, on 2 different OSes no less!

err ... wouldn't just changing 'and' to 'or' fix this difficulty? --Brian Josephson (talk) 20:56, 11 May 2012 (UTC)

If it is the case that this is an exhaustive list of supported browsers, it would likely only apply to Barclays implementation of 3-D Secure (banks like to make it sound like they invented Verified by Visa / MasterCard SecureCode; they didn't). And as any better-worded FAQ would say, absence of official support doesn't mean something won't work. What's more, the "accessibility" section of that FAQ confirms that it will even work without Javascript. - IMSoP (talk) 19:04, 19 April 2009 (UTC)

Another dubious generalisation

I've removed another dubiously general claim, this time claiming all banks in the UK have the same password reset procedure. Once again, I would like to remind anyone editing this article that 3-D Secure can be implemented differently by every bank. If anyone has specific references for which bank this is, and can think of a way of summarising it as an example (perhaps alongside the US SSN example - again, any proof that this is a country-wide policy?), feel free.

If the buyer has forgotten his or her password, he or she is allowed to create a new password and then continue with the transaction. In the UK, the information required to reset the password is: The card number, the three-digit card security code, the expiry date, the card holder's name, and the birth date of the card holder. Since the card holder's date of birth is the only additional piece of information required beyond that needed for a purchase without 3-D Secure, the buyer's password is, effectively, only as secret as his or her date of birth. Dates of birth in the UK are available to the general public from the Registry of Births, Marriages and Deaths and the UK's Identity and Passport Service is committed to making this registry available online as part of their Digitisation Project.[1]

-- IMSoP (talk) 22:43, 13 July 2009 (UTC)

It seems this text was restored, and even expanded, so I've instead opted to summarise that section with the issues that are actually being discussed first, and the specific (or not so specific) examples afterwards.
To clarify, my main problem with the original content was that it implied that all US banks used SSNs for account setup, and all UK banks allowed you to reset using date of birth. Since 3-D Secure is implemented independently by each bank, this seems unlikely, and my suspicion is that editors were generalising from their own experience.
I would still like to see some citations for both claims, which might help us elucidate exactly which banks are affected. - IMSoP (talk) 23:53, 17 September 2009 (UTC)

OTP (One-time password)

For security of your account and for authentication, some banks in India now use an OTP for enrolling, and in Sri Lanka most bank transactions are via OTP (one-time password) sent to mobile/e-mail. So unless they lose their mobile (or control over their email account) and card credentials, card holders are safer. Nothing is foolproof, but this is definitely a third-factor authentication.

For card-not-present/IVR tx in India the RBI has mandated OTPs. IVR is interactive voice response, like talking to a sales rep over the phone, or a mobile app.

tx is transaction. RBI is the banking authority that mandates how banks should work.

On the criticism

Also, most ACSes in India do not open the screen in a pop-up, and all well-known browsers do not allow you to hide the certificate icon, so a user can always see whose site they are on.

Axis Bank is one example where the bank has invested in a sub-domain, so even though they have an external ACS the URL is https://secure.axisbank.com/ACSWeb/EnrollWeb/AxisBank/main/index.jsp (similar to https://cardsecurity.enstage.com/ACSWeb/EnrollWeb/KotakBank/main/reg0.jsp but on their own domain: same ACS provider but different domains, one being the bank's).

Tgkprog (talk) 00:42, 25 June 2011 (UTC)
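The OTP section above describes the property that matters for a transaction OTP: it is only useful if it is single-use, short-lived and tied to the specific transaction it was issued for, so that a code intercepted or phished for one payment cannot be replayed for another or for a different amount. The following is an added example, written for this talk page and not code from any bank, ACS vendor or the 3-D Secure specification. It assumes a hypothetical issuer-side service (`OtpService`) that issues a 6-digit code, stores only an HMAC of the code bound to the transaction id, amount and merchant, and verifies it with a time limit, an attempt limit and a constant-time comparison. Delivery of the code to the cardholder's mobile or e-mail is out of scope and is represented by the return value of `issue()`; the `FakeClock` exists only so the expiry behaviour can be exercised offline.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6          # typical SMS/e-mail OTP length (assumption, not a spec value)
OTP_TTL_SECONDS = 180   # code is worthless after three minutes (assumption)
MAX_ATTEMPTS = 3        # a 6-digit code survives only a handful of guesses otherwise


class FakeClock:
    """Controllable clock for demonstration; production code would use time.time."""

    def __init__(self, now: float):
        self.now = now

    def __call__(self) -> float:
        return self.now


@dataclass
class PendingOtp:
    otp_mac: bytes        # HMAC over (tx_id, amount, merchant, otp); the code itself is never stored
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


class OtpService:
    """Hypothetical issuer-side OTP store: single-use, time-limited, transaction-bound."""

    def __init__(self, server_key: bytes, clock=time.time):
        self._key = server_key
        self._clock = clock
        self._pending: dict[str, PendingOtp] = {}

    def _mac(self, tx_id: str, amount: str, merchant: str, otp: str) -> bytes:
        # Binding amount and merchant into the MAC means a code obtained for one
        # payment cannot be replayed against a tampered amount or another merchant.
        msg = f"{tx_id}|{amount}|{merchant}|{otp}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, tx_id: str, amount: str, merchant: str) -> str:
        """Generate a code for this transaction; the caller sends it out of band."""
        otp = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"  # CSPRNG, zero-padded
        self._pending[tx_id] = PendingOtp(
            otp_mac=self._mac(tx_id, amount, merchant, otp),
            expires_at=self._clock() + OTP_TTL_SECONDS,
        )
        return otp

    def verify(self, tx_id: str, amount: str, merchant: str, otp: str) -> bool:
        """Accept the code at most once, only before expiry, only for the same transaction details."""
        rec = self._pending.get(tx_id)
        if rec is None:
            return False                      # unknown, expired, already used or locked out
        if self._clock() > rec.expires_at:
            del self._pending[tx_id]
            return False
        rec.attempts_left -= 1                # every attempt counts, right or wrong
        ok = hmac.compare_digest(rec.otp_mac, self._mac(tx_id, amount, merchant, otp))
        if ok or rec.attempts_left <= 0:
            del self._pending[tx_id]          # single use on success; lock out on exhaustion
        return ok


def demo() -> dict:
    """Walk through replay, amount tampering, expiry and lock-out; returns the outcomes."""
    clock = FakeClock(1_000.0)
    svc = OtpService(b"demo-server-key", clock=clock)

    otp = svc.issue("tx-1", "49.99", "shop.example")
    tampered = svc.verify("tx-1", "499.99", "shop.example", otp)   # amount changed in transit
    first = svc.verify("tx-1", "49.99", "shop.example", otp)       # genuine use
    replay = svc.verify("tx-1", "49.99", "shop.example", otp)      # same code again

    otp2 = svc.issue("tx-2", "5.00", "shop.example")
    clock.now += OTP_TTL_SECONDS + 1
    expired = svc.verify("tx-2", "5.00", "shop.example", otp2)

    otp3 = svc.issue("tx-3", "5.00", "shop.example")
    wrong = "000000" if otp3 != "000000" else "000001"
    guesses = [svc.verify("tx-3", "5.00", "shop.example", wrong) for _ in range(MAX_ATTEMPTS)]
    locked_out = svc.verify("tx-3", "5.00", "shop.example", otp3)  # correct code, but too late

    return {
        "tampered": tampered, "first": first, "replay": replay,
        "expired": expired, "guesses": guesses, "locked_out": locked_out,
    }


if __name__ == "__main__":
    print(demo())
```

The point the example makes beyond the post: the protection an OTP gives the cardholder depends on these server-side rules, not on the mere fact that a code was sent to a phone. A code that is stored in clear, accepted after an hour, accepted for any amount, or accepted after unlimited guesses is a much weaker third factor than the post assumes.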

Outdated?

I'm concerned that the flag "This article is outdated" is not correct. As far as I can see all these criticisms are currently valid. Can we remove that banner, please, or at least can someone responsible outline which information is outdated? Crgn (talk) 21:40, 21 August 2011 (UTC)

I do think it's outdated. For example, when enrolling in Verified by Visa (at least as of yesterday when I enrolled a card in the program) I was prompted to also enter a recognizable keyword. That way, when a Verified by Visa pop-up occurs during a transaction, if the pop-up shows the keyword I set up, I know it's Visa's and not a phishing scam. — Preceding unsigned comment added by 70.184.31.2 (talk) 16:48, 6 October 2016 (UTC)

Types of card

Not sure why the term credit card is used, as the protocol is for any card. It can be issued by the bank as a debit card (linked to a savings account), a credit card, a prepaid or gift card. Tgkprog (talk) 17:36, 15 March 2012 (UTC)

Password requirement abandoned?

At some point I joined this system for my Visa and Mastercards (both UK), thinking it would add security. I soon realised that if my card were stolen the thief could simply use it for an internet transaction involving a site that did not use this protection, and I concluded that this was more to protect merchants who did use the system than for my own benefit, and I regretted having signed up. Also I noticed that after a certain point in time of the order of a year ago the verification window appeared but I was no longer asked for my password and wondered why (had the banks decided the password mechanism was useless maybe?).

Perhaps some knowledgeable person could include clarification in regard to these issues in the article? --Brian Josephson (talk) 20:51, 11 May 2012 (UTC)

You seem to have a very valid point; perhaps you should write up a polite mail outlining your concerns and send it to your bank? (I personally found e-mail was the quickest method of communication.) — Preceding unsigned comment added by 83.134.177.199 (talk) 02:59, 12 August 2012 (UTC)
I think the shift of liability is the main motivation for merchants to check 3-D Secure in the first place. That means if they check it, then the customer cannot claim he didn't do it. If they do not check it, then the customer could hold the merchant liable. It could be a struggle, but if the merchant didn't use 3-D Secure, he should return the money if the card which was used for paying had been stolen. Saša~shwiki (talk) 21:04, 5 August 2015 (UTC)

History facts

Does anybody know the exact dates when each card-issuing vendor started usage of the 3-D Secure protocol? I would just like to see those history facts inside the article. Saša~shwiki (talk) 21:15, 5 August 2015 (UTC)

Diners 3-D Secure

Also, Diners recently adopted its own 3-D Secure. http://www.dinersclubprotect-buy.net/Public/MerchantOverview.aspx 86.163.213.144 (talk) 14:42, 20 November 2015 (UTC)

XML Protocol??

I'm confused by the assertion in the first paragraph that 3DS is an XML-based protocol (with no reference source).

The EMV® 3-D Secure SDK Specification v2.0.0 makes no mention of XML at all. It does talk about JSON:

"UI text, such as label names, questions, and help text, is sent in a JSON array. "

Netscr1be (talk) 13:18, 19 May 2017 (UTC)

Criticism: for benefit of merchants rather than cardholders?

At https://security.stackexchange.com/a/168750/105684 it is suggested that this scheme does not exist to protect cardholders but to benefit merchants. Perhaps this criticism, if justified, can be referenced and included in the section on criticism. PJTraill (talk) 22:11, 4 September 2017 (UTC)

  1. ^ "About Us: Looking ahead: Digitisation Project". General Register Office. 2009-03-29. Retrieved 2009-07-13.