
Why I Hate 3D Secure

By now everybody will have come across 3D-Secure or, to give it its trade names, "Verified by Visa" or "MasterCard SecureCode".

This is the system where, as you click the Buy button on a website, you are magically transferred to your bank or card issuer. There you have to enter another password, your mother's maiden name or your shoe size. In theory it all seems straightforward enough, but...

  1. Each card issuer/bank has its own password-strength rules, which means you end up creating a new, unique password that is instantly forgettable. Let's face it, we all like to use the same password wherever we go. Forced to invent a new one, we end up writing it on a yellow sticky note stuck to the side of our computers. Which is more secure?
  2. When you jump to your bank, you're not actually jumping to your bank. You're jumping to a third-party service, like SecureSuite, where you enter your account and PIN/password. I'm sure you'll all remember that our banks frequently tell us not to enter these details on any website other than theirs.
  3. Sometimes the 3D-Secure service is embedded within a frame on the retailer's website. This prevents you from checking the service's security certificate (by clicking the padlock) and confirming that it is who it says it is.

So, we're asked to give up our PINs and passwords to a third-party service we can't check out. Sounds more like a phishing scam than enhanced security!

You might be asking why this has happened. Well, when a card is used fraudulently, it's the retailer who loses out. If a crook buys a new flat-screen TV using your card, they get the TV and you get your money back. The retailer is a TV short with nothing to show for it.

If the payment went through 3D-Secure, then the liability is shifted to the card issuer/your bank. This is why retailers, apparently, are in favour. However, we know from experience with Silkmoth's web retailers that there's anything from a 9% to 21% reduction in 3D-Secure sales because customers don't complete their purchases. It's just too complicated/scary for them!

So the retailers still lose out and that's why I hate 3D-Secure.  It's bad for everyone.

Posted: 10/12/2009 by Carl Dean (Technical Director) | with 5 comments
Filed under: 3d-secure
Comments
Carl Dean (Technical Director)
Hi James,

I agree that PaymentSeal is a simpler process requiring fewer customer interactions and works without the need for yet another password.

However, I don't see how it overcomes card fraud. The extra password required by the issuing bank in 3D Secure tries to overcome the issues of stolen card details. As such the fraud liability is shifted from merchant back to issuing bank.

Does PaymentSeal shift liability from merchant to bank? Why would any merchant using hosted payment pages switch to PaymentSeal?

If PaymentSeal was in place on a website, would 3D Secure still kick in if the card is registered? I'm guessing it would, in which case it could get very frustrating for a customer.

Carl
09/04/2010 09:54:14

James Lin
Hi Carl,

PaymentSeal is the name of the method. My other choice was "End-to-End Payment Data Encryption for Online Transactions".

There are no additional entities involved, such as Visa's lookup directory or the issuing bank's verification, that pose as possible points of failure in a transaction (I've read postings about some banks' registration or verification pages crapping out). PaymentSeal involves no more layers than the current implementation: the shopper, the merchant, and the payment service provider.

In actual implementation, the shopper would see a well-branded payment service provider like WorldPay or Authorize.net. I think if we call attention to the shopper that this trivial step (2 extra clicks) provides additional security at no cost, it would be an easy call to make.
08/04/2010 19:25:15

James Lin
Hi,
This is a proposal for payment service providers to implement. PaymentSeal is the name of the implementation (like 3D Secure). We do not participate in the transaction.
In actual implementation, the pop-up would show the logo of a well-known payment service provider, and the URL also reflects that fact.
You are not providing your card data to us; you are providing it to the payment gateway of the merchant, who gets this data with the current implementation anyway.
So, essentially, you are reducing the number of people who see your credit card in a transaction. Also, keep in mind that a payment gateway is logically better qualified to handle your credit card data than an average merchant.
07/04/2010 19:14:26

Carl Dean (Technical Director)
Hi James,

PaymentSeal doesn't address any of the issues I have with 3D secure. In many ways it compounds them by adding another layer and another external website that the customer has to deal with.

I appreciate that many people are reluctant to enter their card details into a website, but how many of those will be compelled to enter their card details into your site instead?
07/04/2010 10:50:36

james lin
Please take a look at this proposal:

www.paymentseal.com

It provides more protection for card holders without requiring registration and passwords, while at the same time making the merchant PCI-compliant.

Your feedback on this method is greatly appreciated.
06/04/2010 21:03:40