What does that represent?
3D Secure is called "Verified by Visa" with Visa, and "Secure Code" with Master Card.
This new system was created to avoid the CNP (Card No. Present) type of fraud, which means fraudulent payments by bank card without the actual presence of the card (stolen card numbers, for example).
The goal is:
- to reduce fraud for merchants/shopkeepers.
- to secure the payments from clients.
Why the visual cryptogram does not suffice
A credit card payment on the Internet generally requires:
- The card number
- The expiry date
- The visual cryptogram
The visual cryptogram: these are the 3 numbers on the rear of your card which the Internet generally requires of you to be entered during a purchase.
Yet this information can be read visually on the card and copied out again, therefore allowing the payment without the presence of the card and thus fraud.
With 3D Secure, supplementary information shall be asked of you to validate the payment.
Someone who might copy out the information of your card again or who could even steal it from you could not perform purchases at the merchant/shopkeeper using 3D Secure, since the former does not know this supplementary information.
3D Secure or not
So that a payment is in 3D Secure mode, it is necessary for your card to be 3D Secure and for the shopkeeper to accept 3D Secure (which is the case of STN Distriweb).
- Most of the newly manufactured bank cards are from now on 3D Secure.
- According to banks, the switch over of 3D Secure of the old cards shall be automatic, or they shall require you to sign an additional clause to your contract. In all cases, this does not require any change of card or modification of your existing card.
- The transition to 3D Secure costs you nothing.
If your card is not 3D Secure, you shall be able or not to make purchases with the merchants/shopkeepers that are 3D Secure (The 3D Secure shopkeepers are free or not to choose to continue accepting payments with non-3D Secure cards)
In practice
In practice, you make your purchases as usual on the Internet.
You shall always enter your card number, expiry and cryptogram, but after having entered this information, you shall be directed back towards the site of your bank which will ask you for this supplementary information.
Once the information is provided, you shall come back on the merchant's site which shall confirm the payment for you.
In this scenario, the server of your bank is going to confirm that you are definitely the owner of the card to the merchant.
Of what does authentication consist?
During a 3D Secure payment, when you are be on the site of your bank, this latter shall ask you for information which you alone are supposed to know, proving that you are definitely the owner of the card.
Each bank is free to choose its method of authentication.
Among those latter, are:
- a classic password (that it is possible to change)
- a key card system (sheet of paper) which your bank has sent you (battleship style: enter the number in column 5, line 3).
- your date of birth
- and even many other ones, etc.
- an electronic key system (you enter a code displayed by • an electronic key system
Please note that it is particularly appalling that some banks are content with just your date of birth, since this information is seldom actually private and sometimes easy to find. If your bank is proceeds like this case, I suggest that you protest strongly with your bank so that it may adopt a sounder authentication system.
(For information only, players of "World Of Warcraft" can secure access to their game with a device which costs them € 5. It would be a pity for banks not to do the same.
Legally speaking
During any normal Internet purchase (Non- 3D Secure), your identity is not proven at any time (PIN code or signature). That means that it suffices to question a payment so that your bank may reimburse you.
The liability is on the side of the bank of the merchant/shopkeeper, to which your bank shall claim the sum.
During a purchase in 3D Secure mode, if the authentication is a success, there is a transfer of liability towards your bank. (Since the bank claimed that it was you who were in the midst of paying, it cannot protest any more and must transfer the money to the bank of the merchant/shopkeeper.)
And of course, your bank shall transfer this liability towards you: You shall no longer be able to question a 3D Secure payment and be reimbursed.
For that reason it is crucial that your bank adopts a sound authentication method.
Please note that if the authentication is a failure and if the bank of the merchant/shopkeeper demands the recovery of a sum, your bank is supposed to refuse. If it accepts this nonetheless, you shall be able to question this debit and be reimbursed (since nothing shall have proved that it is you who made the payment).
3D Secure, good or bad?
It is good! As proof:
- That reduces fraud at the merchant/shopkeeper
- That reduces fraud for the Internet users
- The growing adoption of 3DSecure with on line merchant/shopkeeper shall render on line fraud more and more difficult.
- The adopting 3D Secure e-commerce sites shall be able to avoid using firms as FIA-NET (particularly a nuisance for the clients.)
- At any time is the merchant/shopkeeper in possession of this supplementary information, and therefore cannot have them pirated. You only enter this information from your bank's site.