|
3-D Secure is an XML-based protocol designed to be an additional security layer for online credit and debit card transactions. It was originally developed by Arcot Systems, Inc and first deployed〔(【引用サイトリンク】title=Visa USA tightens security with Arcot )〕 by Visa with the intention of improving the security of Internet payments and is offered to customers under the name Verified by Visa. Services based on the protocol have also been adopted by MasterCard as MasterCard SecureCode, and by JCB International as J/Secure. American Express added 3-D Secure on November 8, 2010, as American Express SafeKey, in select markets and continues to launch additional markets. Analysis of the protocol by academia has shown it to have many security issues that affect the consumer, including greater surface area for phishing and a shift of liability in the case of fraudulent payments. 3-D Secure adds an authentication step for online payments. == Description and basic aspects == The basic concept of the protocol is to tie the financial authorization process with an online authentication. This authentication is based on a three-domain model (hence the 3-D in the name). The three domains are: * Acquirer Domain (the merchant and the bank to which money is being paid). * Issuer Domain (the bank which issued the card being used). * Interoperability Domain (the infrastructure provided by the card scheme, credit, debit, prepaid or other type of finance card, to support the 3-D Secure protocol). Interoperability Domain includes the Internet, MPI, ACS and other software providers The protocol uses XML messages sent over SSL connections with client authentication (this ensures the authenticity of both peers, the server and the client, using digital certificates). A transaction using Verified-by-Visa or SecureCode will initiate a redirection to the website of the card issuing bank to authorize the transaction. Each issuer could use any kind of authentication method (the protocol does not cover this) but typically, a password-based method is used, so to effectively buy on the Internet means using a password tied to the card. The Verified-by-Visa protocol recommends the bank's verification page to load in an inline frame session. In this way, the bank's systems can be held responsible for most security breaches. Today, with the ease of sending white-listed text messages from registered bank senders, it is easy to send a one-time password as part of an SMS text message to users' mobile phones and emails for authentication, at least during enrollment and for forgotten passwords. The main difference between Visa and MasterCard implementations lies in the method to generate the UCAF (Universal Cardholder Authentication Field): MasterCard uses AAV (Accountholder Authentication Value) and Visa uses CAVV (Cardholder Authentication Verification Value). 抄文引用元・出典: フリー百科事典『 ウィキペディア(Wikipedia)』 ■ウィキペディアで「3-D Secure is an XML-based protocol designed to be an additional security layer for online credit and debit card transactions. It was originally developed by Arcot Systems, Inc and first deployed(【引用サイトリンク】title=Visa USA tightens security with Arcot ) by Visa with the intention of improving the security of Internet payments and is offered to customers under the name Verified by Visa. Services based on the protocol have also been adopted by MasterCard as MasterCard SecureCode, and by JCB International as J/Secure. American Express added 3-D Secure on November 8, 2010, as American Express SafeKey, in select markets and continues to launch additional markets. Analysis of the protocol by academia has shown it to have many security issues that affect the consumer, including greater surface area for phishing and a shift of liability in the case of fraudulent payments.3-D Secure adds an authentication step for online payments.== Description and basic aspects ==The basic concept of the protocol is to tie the financial authorization process with an online authentication. This authentication is based on a three-domain model (hence the 3-D in the name). The three domains are:* Acquirer Domain (the merchant and the bank to which money is being paid).* Issuer Domain (the bank which issued the card being used).* Interoperability Domain (the infrastructure provided by the card scheme, credit, debit, prepaid or other type of finance card, to support the 3-D Secure protocol). Interoperability Domain includes the Internet, MPI, ACS and other software providersThe protocol uses XML messages sent over SSL connections with client authentication (this ensures the authenticity of both peers, the server and the client, using digital certificates).A transaction using Verified-by-Visa or SecureCode will initiate a redirection to the website of the card issuing bank to authorize the transaction. Each issuer could use any kind of authentication method (the protocol does not cover this) but typically, a password-based method is used, so to effectively buy on the Internet means using a password tied to the card. The Verified-by-Visa protocol recommends the bank's verification page to load in an inline frame session. In this way, the bank's systems can be held responsible for most security breaches. Today, with the ease of sending white-listed text messages from registered bank senders, it is easy to send a one-time password as part of an SMS text message to users' mobile phones and emails for authentication, at least during enrollment and for forgotten passwords.The main difference between Visa and MasterCard implementations lies in the method to generate the UCAF (Universal Cardholder Authentication Field): MasterCard uses AAV (Accountholder Authentication Value) and Visa uses CAVV (Cardholder Authentication Verification Value).」の詳細全文を読む スポンサード リンク
|