This article was automatically translated from the original Turkish version.

3D Secure

In today’s rapidly digitizing world, online shopping habits have undergone a major transformation. With the widespread adoption of e-commerce, the use of credit and debit cards has increased significantly, bringing with it serious security challenges. The interception of card details by third parties during online transactions has become a major threat to both users and businesses. It is precisely at this point that the 3D Secure (Three Domain Secure) protocol, developed by Visa and later adopted by other major payment institutions such as Mastercard, was introduced to enhance security in online transactions.


This article examines in detail the structure, working principle, history, technical specifications, and challenges of the 3D Secure system, and in particular the integration of one-time transaction numbers into it. Furthermore, its impact on the electronic payments market, user experience, and relationship with regulations will be evaluated through academic sources to provide a comprehensive perspective.


3D Secure (generated by artificial intelligence)

Definition and Primary Objective of 3D Secure

3D Secure is an authentication protocol designed to prevent fraud by adding an identity verification step to online credit and debit card transactions. The protocol derives its name from its three core components (domains):


  1. Issuer Domain
  2. Acquirer / Merchant Domain
  3. Interoperability Domain


The primary goal of this system is to verify that the cardholder is indeed the person initiating the transaction and to enhance transaction security. This authentication can be achieved through various methods such as passwords, SMS codes, or biometric confirmation. Thus, even if card details are stolen, the thief cannot complete the transaction without passing the authentication step, effectively preventing fraud.

How the 3D Secure System Works

Three-Domain Structure

The 3D Secure system operates through the collaboration of the following three domains:


  • Issuer Domain: The cardholder’s bank resides in this domain. This institution verifies whether the user is enrolled in the 3D Secure system and performs the authentication.
  • Acquirer Domain: The merchant and the bank serving the merchant are located in this domain. It receives the transaction request and verifies the validity of the card details.
  • Interoperability Domain: This layer, managed by intermediary institutions such as Visa or Mastercard, enables communication between the other two domains.

Transaction Flow

An online shopping process functions as follows:


  1. The cardholder visits a website and enters their card details on the payment screen.
  2. The merchant sends a VEReq (Verify Enrollment Request) message to check whether the card is enrolled in the 3D Secure system.
  3. The issuing bank responds with a VERes (Verify Enrollment Response) message.
  4. If the card is enrolled, the authentication process is initiated via a PAReq (Payer Authentication Request).
  5. The cardholder authenticates their identity via SMS verification, password, or a mobile application.
  6. If authentication is successful, the transaction is approved through a PARes (Payer Authentication Response) and payment is completed.
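The message exchange above, as an added example (not code from the original article or from any 3D Secure specification), showing the checks the merchant side applies to the PARes before it requests authorization. The dictionary message format, the HMAC standing in for the issuer's signature, the routing collapsed into direct calls, and all card numbers and merchant IDs are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

ACS_KEY = secrets.token_bytes(32)   # assumption: stand-in for the issuer's signing key
ENROLLED = {"4000000000000002"}     # constructed test card number, enrolled at the issuer

def sign(body):
    """Keyed digest over the PARes fields (stand-in for the issuer's signature)."""
    msg = "|".join(f"{k}={body[k]}" for k in sorted(body)).encode()
    return hmac.new(ACS_KEY, msg, hashlib.sha256).hexdigest()

# --- Issuer domain ---
def handle_vereq(vereq):
    """Step 3: answer the enrollment check with a VERes."""
    return {"type": "VERes", "enrolled": "Y" if vereq["pan"] in ENROLLED else "N"}

def handle_pareq(pareq, cardholder_ok):
    """Steps 5-6: authenticate the cardholder and return a signed PARes."""
    body = {"xid": pareq["xid"], "amount": pareq["amount"],
            "merchant": pareq["merchant"], "status": "Y" if cardholder_ok else "N"}
    return {"type": "PARes", **body, "sig": sign(body)}

# --- Merchant domain ---
def checkout(pan, amount, merchant, cardholder_ok=True, returned_pares=None):
    """Run steps 2-6; returned_pares lets a caller inject the PARes that came back."""
    veres = handle_vereq({"type": "VEReq", "pan": pan})            # step 2
    if veres["enrolled"] != "Y":
        return "not-enrolled"
    xid = secrets.token_hex(10)                                    # per-transaction id
    pareq = {"type": "PAReq", "xid": xid, "amount": amount, "merchant": merchant}
    pares = returned_pares or handle_pareq(pareq, cardholder_ok)   # step 4
    body = {k: pares[k] for k in ("xid", "amount", "merchant", "status")}
    if not hmac.compare_digest(sign(body), pares["sig"]):
        return "rejected-bad-signature"       # fields altered after the issuer signed
    if (pares["xid"], pares["amount"], pares["merchant"]) != (xid, amount, merchant):
        return "rejected-mismatch"            # valid PARes, but for another transaction
    return "authorize" if pares["status"] == "Y" else "declined"
```

A PARes with status Y is only meaningful when its signature verifies and it is bound to the transaction the merchant actually started; the two rejection paths cover a modified response and a replayed one.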

Technological Evolution and Versions of 3D Secure

The first generation of the 3D Secure protocol was introduced by Visa in 2001 under the name “Verified by Visa”. Mastercard similarly implemented its own system called “Mastercard SecureCode”. Early versions were widely criticized for their poor user experience. Issues such as forgotten passwords and users perceiving authentication screens as untrustworthy led to negative evaluations of the system.


In response to these criticisms, the system was significantly redesigned with 3D Secure 2.0, introducing the following features:


  • Automatic evaluation of device and location data
  • Support for biometric authentication
  • Mobile compatibility
  • Frictionless Flow: Bypassing the authentication step for transactions deemed low-risk


These improvements aimed to enhance user experience without compromising security.

Security Vulnerabilities and Alternative Models

Issue of Stored Card Data

In the current 3D Secure infrastructure, card details are temporarily stored on the merchant’s side during transactions. This creates security vulnerabilities, particularly in the servers of small and medium-sized businesses, leaving them exposed to cyberattacks.

PCI DSS Compliance

To address this issue, the Payment Card Industry Data Security Standard (PCI DSS) was developed in 2006. However, due to the high cost of implementation and frequent misunderstandings, many businesses fail to achieve full compliance.

Enhancing Security with One-Time Transaction Numbers

In an academic study by Farid Javani and Shahriar Mohammadi, it was proposed to integrate one-time transaction numbers into the 3D Secure system. Under this model:


  • A temporary transaction code is used instead of the actual credit card number.
  • This code is generated by applying a hash function to parameters such as transaction amount, merchant ID, and card expiration date.
  • The generated transaction code is valid for only one transaction.
  • Thus, even if the data stored on the merchant’s side is compromised, the attacker cannot retrieve the real card details.


This model is fully compatible with the existing 3D Secure infrastructure and provides high security without additional costs. The cardholder enters their information only once during the transaction; the system internally encrypts these details and converts them into a temporary transaction code.
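A sketch of the one-time transaction code idea described above, added here as an example; it is not code from Javani and Mohammadi's study or from the 3D Secure specification. The keyed HMAC, the per-card secret shared with the issuer, the nonce, the 16-digit truncation and the card_ref alias are all assumptions of this sketch, chosen so the code cannot be recomputed from the public parameters alone and cannot be redeemed twice.

```python
import hashlib
import hmac
import secrets

def derive_code(key, amount_minor, merchant_id, expiry, nonce):
    """Derive a 16-digit one-time code from the transaction parameters."""
    parts = [str(amount_minor), merchant_id, expiry, nonce]
    # Length-prefix every field so different field splits cannot hash to the same input.
    msg = b"".join(len(p.encode()).to_bytes(2, "big") + p.encode() for p in parts)
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return str(int.from_bytes(digest[:8], "big") % 10**16).zfill(16)

class Issuer:
    """Issuer side: holds the per-card secret and enforces single use."""

    def __init__(self):
        self.card_secrets = {}   # card_ref (hypothetical opaque alias) -> secret
        self.used = set()        # (card_ref, nonce) pairs already redeemed

    def enroll(self, card_ref):
        self.card_secrets[card_ref] = secrets.token_bytes(32)
        return self.card_secrets[card_ref]

    def redeem(self, card_ref, amount_minor, merchant_id, expiry, nonce, code):
        key = self.card_secrets.get(card_ref)
        if key is None:
            return "unknown-card"
        expected = derive_code(key, amount_minor, merchant_id, expiry, nonce)
        if not hmac.compare_digest(expected, code):
            return "invalid"     # wrong amount, merchant, expiry or code
        if (card_ref, nonce) in self.used:
            return "replayed"    # the code was already spent
        self.used.add((card_ref, nonce))
        return "accepted"
```

The merchant only ever stores card_ref, the nonce and the code, so a dump of its database yields values that are bound to one amount and one merchant and are already spent.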

Impact on the Electronic Payments Market

As a structure that increases online shopping volume and strengthens consumer confidence, 3D Secure plays a significant role in the payments market. The following impacts are particularly evident:


  • Reduction in fraud cases: Thanks to the authentication process, unauthorized use of card details has decreased significantly.
  • Reduction in legal liabilities: Merchants that implement 3D Secure authentication are partially exempt from chargeback risks.
  • Consumer confidence: End users’ trust in the system is increasing, contributing to the broader adoption of online shopping.


In addition, standards imposed by governments and regulatory bodies on online payment systems, such as PSD2 (the European Union’s Payment Services Directive), further enhance the importance of this system.

Criticisms and Future Projections

Although 3D Secure systems have evolved over time to become more user-friendly and secure, some criticisms remain valid:


  • The additional step can negatively affect user experience.
  • Inadequate technological infrastructure at some banks can lead to inconsistent system performance.
  • Poor integration of the system in mobile payment applications can frustrate users.


However, it is anticipated that with advanced device authentication techniques, AI-based risk analysis, and cryptographic solutions, the system will continue to evolve in the coming years and maintain its position as the foundational standard for payment security.


3D Secure is a robust authentication protocol developed in response to security needs arising from the proliferation of e-commerce and refined over time. Designed to enhance user security, prevent fraud, and make online payment systems more reliable, it has become an indispensable component of the modern payments landscape.


In particular, the integration of one-time transaction codes into the 3D Secure infrastructure allows for a significant increase in data security without compromising user experience. These advancements offer promising solutions for the future of payment systems and contribute to building a more transparent and secure digital economy.

Author Information

Author: Merve Durumlu, December 3, 2025 at 5:38 AM
