About The Blog

Debate at the intersection of business, technology and culture in the world of digital money, both commercial and government, a blog born from the Digital Money Forum in London and sponsored by Consult Hyperion



  • Add to
Technorati Favorites


  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.

« Is mesopayment a useful word? | Main | It was 20 years ago today, again »

2.5D Secure

By Dave Birch posted Nov 10 2008 at 9:16 PM

[Dave Birch] The 3D Secure (3DS) schemes -- Visa's Verified by Visa and MasterCard's SecureCode -- have come in for a lot of criticism (from, eg, me) and it's been getting worse recently. Card-not-present (CNP) fraud continues to climb

According to the latest statistics from banking association APACS late last month, more than 25 million UK-issued credit and debit cards are registered with either Verified by Visa or MasterCard SecureCode,

[From Merchants and punters cry foul over Verified by Visa • The Register]

I have to say that, personally, I've never bothered to register either of my credit cards, but plenty of people have. Here's the issue, from my perspective as a rational consumer. I'm protected from fraud by my credit card issuer, so I have no incentive to use 3DS of any kind. Any 3DS means more hassle for me for no return. The people who do benefit from 3DS -- merchants, since merchants are protected against fraud by offering me 3DS even if I don't use it -- don't insist on it and, crucially in my opinion, don't incentivise me to use it. If I got air miles for using 3DS, I'd use it.

MasterCard have put forward an interesting interim solution which responds to the dynamics of real-world card use and fraud. Basically, the idea is that if you use your debit card at a merchant and use SecureCode to authenticate yourself, then the next time you use it you don't have to do the authentication again.

The Maestro Advance Registration Program™ enables select online merchants to accept Maestro cards for e-commerce transactions by using SecureCode™ to enroll the customer during the first transaction. Subsequent purchases the same customer makes at the merchant web site using the same Maestro account can now be processed without MasterCard SecureCode authentication, making repeat buying both convenient and fast.

[From MasterCard Unlocks Maestro Debit Card Acceptance on the Internet with Maestro Advance Registration Program | MasterCard®]

This seems like a sensible compromise between nothing and insisting on authentication for every transactions and will help to protect cardholders and merchants, but it won't by itself make much of a dent in the CNP figures. As long as it's not compulsory, then the fraudsters will continue to use stolen card details online with impunity. And once it does become compulsory, then the criminals will phish for the 3D secure passwords, and the problem will continue to get worse. We have to get hardware into the loop...

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]


Increasingly, you have to register a 3DS password with the issuer whether you like it or not. Many issuers will ask you to register each time you try to pay. If you skip registration three times, then you can't use the card for CNP! Sensible? No - I just bin the card and start using the next credit card in my wallet. But then I have a few.

Well, I'm not a refusnik, just lazy. Both Visa and MasterCard are working to make 3DS a better experience and both are making progress. As for the Visa PIN card, I will blog that today.

In fact are you a kind of "Verify by Visa refusenik", as english newspapers call them ? http://www.theregister.co.uk/2008/08/07/verified_by_visa_compulsion/

The question is , if you put hardware in the loop what will be the best one : the banking card it self (like Visa pin code card)? mobile phone ? fingerprint reader ? etc

See http://www.visaeurope.com/pressandmedia/newsreleases/press379_pressreleases.jsp for the Visa response.
A key feature is that the consumer does not leave the merchant site during the identity checking process; instead the Verified by Visa authentication window appears as an overlay on top of the merchant page. A step forward?

The comments to this entry are closed.