3-D Secure

from Wikipedia, the free encyclopedia

3-D Secure is a process that aims to increase the security of online credit card payments. It was developed by the credit card organization Visa for the Verified by Visa service. Mastercard, JCB and American Express also offer such a service under the names Identity Check (SecureCode), J/Secure and SafeKey, respectively. 3-D Secure aims to reduce the risk of fraud and of payment defaults caused by credit card fraud. In addition, shop operators who use 3-D Secure are guaranteed receipt of payment.

Function

After the buyer enters the credit card number, a connection is established with the card issuer so that the buyer can confirm his identity with a code (two-factor authentication). After correct authentication, the credit card payment is processed.

It is up to the card issuer whether the authentication is static or dynamic. With the static method, buyers enter a security code similar to a password. Mastercard initially used a static procedure with Identity Check (SecureCode). Since summer/autumn 2017, the Sparkassen (savings banks) have switched to a dynamic process for Mastercard Identity Check (SecureCode) in order to meet current legal requirements. Credit institutions such as Postbank ask, instead of a password, for personal characteristics of the cardholder that should be known only to the cardholder and to no third party.

With dynamic procedures, a code that can be used only once is generated, and the customer receives it through a physically separate channel: when paying on a computer, for example, on a mobile device via a mobile app or via SMS to the mobile phone (mTAN). The code is not stored or noted on the card. It is not the three- or four-digit check number (Card Validation Code) on the back of the credit card that is often requested.
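The difference between the static and the dynamic method can be shown with a short issuer-side sketch. This is an added example, not code from any card scheme or bank; the class and function names, the payment identifier, the six-digit code length, the five-minute lifetime and the three-attempt limit are all assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

def static_check(stored_password: str, submitted: str) -> bool:
    # Static method: the same secret is accepted again on every payment.
    return hmac.compare_digest(stored_password.encode(), submitted.encode())

class DynamicCodeIssuer:
    """Issuer-side bookkeeping for one-time codes (hypothetical design)."""

    def __init__(self, ttl=300, max_attempts=3, clock=time.monotonic):
        self.ttl, self.max_attempts, self.clock = ttl, max_attempts, clock
        self._pending = {}  # payment_id -> [salt, digest, expiry, attempts_left]

    @staticmethod
    def _digest(salt: bytes, code: str) -> bytes:
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, payment_id: str) -> str:
        """Create a fresh 6-digit code; the caller delivers it out of band."""
        code = f"{secrets.randbelow(10**6):06d}"
        salt = secrets.token_bytes(16)
        self._pending[payment_id] = [salt, self._digest(salt, code),
                                     self.clock() + self.ttl, self.max_attempts]
        return code

    def verify(self, payment_id: str, submitted: str) -> bool:
        entry = self._pending.get(payment_id)
        if entry is None:                      # unknown, already used, or locked out
            return False
        salt, digest, expiry, _ = entry
        if self.clock() > expiry:              # too old: discard the code
            del self._pending[payment_id]
            return False
        if hmac.compare_digest(digest, self._digest(salt, submitted)):
            del self._pending[payment_id]      # single use: a replay now fails
            return True
        entry[3] -= 1                          # wrong guess: burn one attempt
        if entry[3] == 0:
            del self._pending[payment_id]
        return False

def replay_demo():
    """Constructed scenario: an observed value is submitted a second time."""
    issuer = DynamicCodeIssuer()
    code = issuer.issue("payment-1")           # constructed payment id
    first, replay = issuer.verify("payment-1", code), issuer.verify("payment-1", code)
    # A static password (constructed value) is accepted again; the used code is not.
    return static_check("example-password", "example-password"), first, replay
```

A password captured once remains valid for later payments, whereas a captured one-time code is rejected on its second use, after its lifetime, or after too many wrong guesses.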

After customer registration, classic processing by specifying credit card number, expiry date and card validation code remains possible across the EU until the revised Payment Services Directive (PSD2) has been implemented in national law.

The decision as to whether 3-D Secure is used is not made by the customer. The web shop or the card issuer can stipulate that payment is only made via 3-D Secure.

In order for cardholders to be able to confirm online credit card payments with an additional security feature as part of 3-D Secure, the IT systems of web shops, acquirers, card-issuing credit institutions and other service providers must cooperate via interfaces. The regulatory standards that are part of the revised Payment Services Directive (PSD2) should be implemented by September 14, 2019, but BaFin grants a transition period until the end of 2020.

Advantages for banks as well as dealers and liability

Mastercard advertises as an advantage for customers that the misuse of intercepted card data in e-commerce is severely restricted, since the password is not written on the card and is therefore known only to the customer. With the classic method, unauthorized persons can shop at someone else's expense simply by having possession of the credit card, as long as the card has not been blocked. With 3-D Secure, third parties also need secret information that is not recorded on the card.

The advantage for retailers is that they have proof of an authorized purchase by checking the password. This limits their liability for chargebacks by the customer. Without 3-D Secure, web shop operators are liable for improperly used credit cards. If a web shop offers the 3-D Secure process, the liability is reversed: the card-issuing bank is now liable for damage caused by cards being used improperly. This reversal of liability protects dealers from payment defaults.

In the early days of 3-D Secure, some banks passed the blame on to customers in the event of credit card fraud if the customers could not prove that they were not at fault. Following criticism from consumer advocates, some banks have adjusted their conditions in such a way that customers are no worse off with 3-D Secure than with the classic process.

Distribution

The first credit card-issuing institutions in German-speaking countries offered credit cards with 3-D Secure procedures from 2008, including Lufthansa with the Miles & More credit card. By implementing the revised Payment Services Directive (PSD2) in national law, banks are introducing 3-D Secure across the EU.

Criticism

Critics complain that the customer has to permanently memorize another secure password in order to pay with the card on the Internet. (Password entry will no longer be required with the switch to the dynamic 3-D Secure 2.0 procedure. The members of the EMVCo industry association are behind the new standard, which is expected to be available at the end of 2019.)

In the beginning, many card-issuing institutions made it possible for third parties to generate a new security code so that they could shop on the Internet. The proof required that one was the rightful cardholder was often insufficient. Since then, other procedures have mostly been used so that the security code is not set directly online during the registration process. A verification code is now generated, which cardholders receive in a secure way, for example in the reference line of a bank transfer or by letter.

In its broadcast on February 21, 2011, the consumer magazine WISO reported on a case of abuse in which the affected credit card holder suffered a loss of almost 3,000 euros, which the bank does not want to reimburse. Annabel Oelmann from the consumer center in Düsseldorf explained:

“We cannot see any signs that security for the customer is being increased. On the contrary: the customer also takes on the risk that he will have to be held liable in the event of abuse. In other words, there is no obvious advantage for the customer here.”

The ARD-Ratgeber also reported on February 26, 2011 about a German holidaymaker in Spain who had given the payee his credit card and identity card when paying an invoice. With this, the payee apparently secretly made a 3-D Secure registration and debited the credit card account with further withdrawals.

In May 2011, the German banking industry assured Stiftung Warentest that the 3-D Secure procedure should not put German bank customers at a disadvantage. For credit cards from other providers, 3-D Secure registration is only advisable "if the company guarantees that it will not be in a worse position in the event of misuse than with conventional card payments."

In 2019 there are still situations in which the question of liability turns out to be to the detriment of the customer and registration for 3-D Secure can be risky for the customer compared with other payment methods. Like many other banks, DKB switched from the static security code to a dynamic code via app or mTAN. In its special conditions for 3-D Secure, DKB lays down an exclusion of liability if “the mobile device is lost, stolen or passed on and third parties may gain access to SMS and use it without authorization”. If the credit card and the mobile device are lost at the same time, the finder can initiate and verify any payments to the detriment of the owner once he has gained access to the mobile device (for example, through a simple key lock). Customers are fully liable for these improper payments until the card is blocked. When paying without 3-D Secure, however, customers are liable only up to a maximum of €50. In the event of loss, neither the data printed on the card nor the 3-D Secure process is a hurdle to simple misuse; only the PIN or a comparable security mechanism of the mobile device is. The risk for customers is higher than without registering for the 3-D Secure procedure, regardless of whether they use 3-D Secure at all. At least for DKB's major customer, the Lufthansa Miles & More Credit Card, liability for a loss of the mobile phone with the TAN that is not grossly negligent or willful is limited to €150.00.
