How Secure Are Online Card Payments with 3D Secure?

On the subject of 3D Secure and recent events where two different people reported sums being arbitrarily deducted from their bank accounts - with the bank recognising the transactions as legal - it made me think about how secure 3D Secure actually is.

Since October 2011 Swedbank customers can make card payments online only if 3D Secure is activated. This undoubtedly gives a sense of security to a large proportion of cardholders, as in addition to the card number and CVV code, a password is requested that only the cardholder knows and which is not found on the card (the CVV number is found on the reverse of the card).

However, recent events, where a sum was arbitrarily deducted from an account, made me think about how secure 3D Secure actually is. Since 3D Secure was introduced, I have witnessed two unrelated incidents where sums were deducted from different individuals' accounts without the cardholder's knowledge or participation. In the first case it was vimeo.com, where the paid service (for additional storage space and faster video processing) turned out to be not a one-time payment but a monthly subscription. In the second case it was the image service shutterstock.com, where images are not purchased outright (i.e., the rights to use them) but rather the image acquisition service is subscribed to. This in turn means that a certain sum is deducted every month - naturally, without the customer's participation.

Of course, one can wisely argue and sneer that you should have read more carefully before paying, and that everyone (!) has known this for ages, blah blah blah. But bear in mind that before this, countless online purchases had been made without any such "surprises", and it had never even crossed one's mind that something like that was technically possible.

The crux of the matter is actually this: the well-known transaction types available to Latvian merchants are payment by card and payment reversal (i.e., a refund of the payment amount). But technically possible - and widely practised across the vast expanses of the internet - is yet another type of transaction: the subscription charge. This means that by making a single payment (filling in the card details and entering the 3D Secure password), the merchant can, on the basis of the authorised transaction, make a countless number of deductions without the cardholder's participation. The justification for this is a distance contract, by which the merchant and buyer - via a single checkbox - have agreed to the legality of such an action.

To obtain more information and learn how to protect oneself from unexpected "subscription" charges, I contacted Swedbank and Citadele customer service centres by email. Swedbank kindly explained that such a "subscription" transaction is legal (though for some reason it is not offered to Latvian merchants), and that to avoid unexpected purchases, Swedbank offers the option of disabling 3D Secure in internet banking, thereby disabling the ability to pay by card online (and enabling it again when making a payment). Citadele also acknowledged that this type of automatic transaction is legal and recommended carefully studying the merchant's terms before making a payment; meanwhile if "the damage is done and the meter is already running," the only solution they offered was to block the card and request its replacement (which is apparently a paid procedure).

During this correspondence I also learned that the 3D Secure password will not always be requested - only in cases where the merchant's payment platform supports it. If it does not, and the merchant has not specified this, the payment will be processed by entering the card details and CVV.

A few years ago, when building a payment system, I encountered a similar need - namely, to create a payment system where payments could be made repeatedly without re-entering card details. Moreover, such payment systems had been seen online. One scenario is for card details to be stored, but this would be in direct contradiction with VISA/Mastercard regulations. Neither FirstData nor DNB Nord Bank offered any other alternative.

In light of the described events, I contacted FirstData to see whether anything had changed in the meantime. To which I received a reply that in the near future such a "subscription" payment system would also be offered to Latvian merchants. Good news for merchants (I can already see in my mind's eye the broad smile of the draugiem.lv financial director), bad news for buyers - because one unnoticed or unchecked checkbox will mean an unexpected deduction and the headaches associated with recovering the money. This is no western liberal economy where one call to support and the money is refunded without question. Most likely what will follow is wrangling over the concluded agreement, lengthy correspondence, court proceedings and ultimately the realisation that you were the one to blame for it.

About 3D Secure

The classic card payment method online works as follows: the buyer selects a product or service, "carefully" reads the terms and is redirected to the payment processing website (for example, the bank's) to complete the payment. By entering the card details and confirming the transaction, the payment amount is reserved in the buyer's account, and the buyer is redirected back to the merchant's page with the payment already accepted. In principle, such a transaction can also be carried out by someone who is not the true cardholder, as to pay one only needs to know the card number, the cardholder's name, the expiry date and the CVV.

Payments with 3D Secure introduce one more step. Namely, at the moment when the buyer is redirected to the merchant's bank page to enter card details, after accepting they are redirected once more to the buyer's bank page to enter the 3D Secure password, and only then redirected back to the merchant's page with the payment already accepted.
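To make the difference between the two flows concrete, here is a toy model, added to this post and not code from any bank or payment gateway. It plays through a classic card-not-present payment (card data alone), a 3D Secure payment (card data plus the issuer's password), the "subscription" charge described earlier (a merchant-initiated charge on a stored authorisation that never returns to the password step), and the note that the password is only requested when the merchant's platform supports it. The card, password, amounts and the issuer-side rules are constructed assumptions; in particular, the model assumes the cardholder's "online payments" switch gates only payments the cardholder makes, and that replacing the card is what invalidates a stored authorisation.

```python
"""Toy model of the card-not-present flows the post describes.

Constructed example, not the code of any real bank or gateway. The issuer
plays both the authorisation host and the 3D Secure ACS (password check).
Every name, value and rule below is an assumption made for illustration.
"""
from dataclasses import dataclass, field
import secrets


@dataclass
class Card:
    pan: str
    holder: str
    expiry: str
    cvv: str
    tds_password: str          # 3D Secure password, known only to the cardholder
    tds_enabled: bool = True   # the "switch online payments off" option from the post
    charges: list = field(default_factory=list)


class Issuer:
    def __init__(self, cards):
        self.cards = {c.pan: c for c in cards}
        self.recurring_tokens = {}   # token -> pan, created when the buyer ticks "subscribe"

    def authorise(self, pan, holder, expiry, cvv, amount):
        """Classic authorisation: only the printed card data is checked."""
        card = self.cards.get(pan)
        if card is None or (holder, expiry, cvv) != (card.holder, card.expiry, card.cvv):
            return {"ok": False, "reason": "card data mismatch"}
        if not card.tds_enabled:   # assumption: the switch blocks cardholder-present online payments
            return {"ok": False, "reason": "online payments disabled by cardholder"}
        card.charges.append(amount)
        return {"ok": True, "amount": amount}

    def acs_verify(self, pan, password):
        """The extra 3D Secure step: the buyer's bank asks for the password."""
        card = self.cards.get(pan)
        return card is not None and secrets.compare_digest(password, card.tds_password)

    def issue_recurring_token(self, pan):
        token = secrets.token_hex(8)
        self.recurring_tokens[token] = pan
        return token

    def charge_token(self, token, amount):
        """Merchant-initiated charge: no card entry, no password, no cardholder."""
        pan = self.recurring_tokens.get(token)
        if pan is None:
            return {"ok": False, "reason": "token revoked"}
        self.cards[pan].charges.append(amount)
        return {"ok": True, "amount": amount}

    def replace_card(self, pan, new_pan):
        """The remedy both banks offered: block the card and issue a new one.
        Assumption: stored authorisations tied to the old PAN stop working."""
        card = self.cards.pop(pan)
        card.pan = new_pan
        self.cards[new_pan] = card
        for tok, p in list(self.recurring_tokens.items()):
            if p == pan:
                del self.recurring_tokens[tok]


class Merchant:
    def __init__(self, issuer, supports_3ds):
        self.issuer = issuer
        self.supports_3ds = supports_3ds   # the post: password asked only if the platform supports it

    def checkout(self, card_data, amount, password=None, subscribe=False):
        """Cardholder-present flow: card entry, then (if supported) the ACS password page."""
        pan = card_data["pan"]
        if self.supports_3ds and not self.issuer.acs_verify(pan, password or ""):
            return {"ok": False, "reason": "3D Secure authentication failed"}
        result = self.issuer.authorise(amount=amount, **card_data)
        if result["ok"] and subscribe:   # the single checkbox that authorises future charges
            result["token"] = self.issuer.issue_recurring_token(pan)
        return result

    def monthly_charge(self, token, amount):
        return self.issuer.charge_token(token, amount)


def demo():
    """Returns (success flags of each step, charges actually booked to the card)."""
    card = Card("4111111111111111", "J. Berzins", "12/14", "123", "correct horse")  # constructed
    issuer = Issuer([card])
    data = {"pan": card.pan, "holder": card.holder, "expiry": card.expiry, "cvv": card.cvv}
    plain = Merchant(issuer, supports_3ds=False)
    secure = Merchant(issuer, supports_3ds=True)

    r1 = plain.checkout(data, 10)                                   # card data alone suffices
    r2 = secure.checkout(data, 10, password="wrong")                # 3DS stops it without the password
    r3 = secure.checkout(data, 10, password="correct horse", subscribe=True)
    r4 = secure.monthly_charge(r3["token"], 10)                     # no password, no cardholder
    card.tds_enabled = False
    r5 = secure.checkout(data, 10, password="correct horse")        # switch blocks new purchases
    r6 = secure.monthly_charge(r3["token"], 10)                     # model assumption: not the subscription
    issuer.replace_card(card.pan, "4222222222222222")
    r7 = secure.monthly_charge(r3["token"], 10)                     # card replacement revokes the token
    return [r["ok"] for r in (r1, r2, r3, r4, r5, r6, r7)], card.charges


if __name__ == "__main__":
    print(demo())
```

The point the run makes is the one the post makes: the password protects the moment of purchase, not what the merchant is permitted to do afterwards on the strength of that one authorisation. Detection on the cardholder side is simply the list of booked charges growing while no checkout took place, which is why a recurring deduction you did not knowingly agree to only shows up on the statement.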

Image from: reseaux-telecoms.net
