A Synopsis on Security of Online Payments

It can safely be assumed that a large share of payment card users are apprehensive about furnishing card details when performing a card-not-present (CNP) transaction, known in business terms as an Ecommerce transaction. With online payment services burgeoning in emerging markets and the younger generation's inclination towards Ecommerce marketing and services, it is high time for cardholders to understand the nitty-gritty of an Ecommerce transaction from the standpoint of card information security, and to approach Ecommerce payments without hesitation.

Many banks and service providers across the globe offer credible solutions that make Ecommerce payments secure and reduce the ratio of fraudulent transactions.

One prominent, well-established and proven platform has already been set up by the payment schemes. It processes the Ecommerce transaction not only with the details available on the card but also with some additional details which the cardholder must provide. In the payment card industry this is commonly termed “3D secure” processing, with each scheme coining its own name, such as Verified by Visa – VISA, SecureCode – MasterCard, ProtectBuy – Diners/Discover, SafeKey – American Express etc.

3D secure processing starts with the merchant and acquirer registering, in principle, for 3D secure acquiring. The three major components in the process are:

  • Merchant / Acquirer component – the Merchant Interface plug-in, which captures purchase requests, sends authentication requests to the Issuer, receives and validates authentication responses from the Issuer, and records cardholder transactions
  • Scheme component – the Directory server, which acts as a traffic cop for the service: it stores the participating card ranges, by Issuer, that use an approved 3-D secure system, and stores the Issuer URL used to verify the Passcode for those card ranges
  • Issuer component – the Control server, which provides infrastructure and critical processing components for Issuers, including cardholder enrolment & activation, cardholder authentication, customer service & administration, and Chip authentication program options
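
The division of work between the three components above can be sketched in a few lines of Python; this is an added example, not part of the original article or of any scheme's specification. The card range, issuer URL, key, field names and status strings are constructed for illustration, and an HMAC with a shared demo key is an assumed stand-in for the issuer's signature on its response.

```python
import hashlib
import hmac
import secrets

# Constructed demo data: the range, URL and key are illustrative, not real values.
ISSUER_KEY = b"demo-issuer-signing-key"
CARD_RANGES = [  # (first PAN, last PAN, issuer control server URL)
    (4000000000000000, 4000009999999999, "https://acs.issuer.example/auth"),
]

def directory_lookup(pan):
    """Scheme component: return the issuer URL if the card range participates."""
    number = int(pan)
    for first, last, url in CARD_RANGES:
        if first <= number <= last:
            return url
    return None

def _sign(request, status):
    # Stand-in for the issuer's signature: covers purchase details and outcome.
    fields = [request["txn_id"], request["pan"], request["amount"], status]
    return hmac.new(ISSUER_KEY, "|".join(fields).encode(), hashlib.sha256).hexdigest()

def new_request(pan, amount):
    """Merchant component: capture a purchase under a fresh transaction id."""
    return {"txn_id": secrets.token_hex(8), "pan": pan, "amount": amount}

def issuer_authenticate(request, passcode, enrolled_passcode):
    """Issuer component: verify the cardholder's passcode and sign the result."""
    ok = hmac.compare_digest(passcode.encode(), enrolled_passcode.encode())
    status = "authenticated" if ok else "failed"
    return {"status": status, "sig": _sign(request, status)}

def merchant_validate(request, response):
    """Merchant component: accept only a success signed for this exact purchase."""
    expected = _sign(request, response["status"])
    return (response["status"] == "authenticated"
            and hmac.compare_digest(expected, response["sig"]))

if __name__ == "__main__":
    req = new_request("4000001234567890", "1499.00")
    print("issuer URL:", directory_lookup(req["pan"]))
    res = issuer_authenticate(req, "482913", "482913")
    print("accepted:", merchant_validate(req, res))
    replayed = new_request("4000001234567890", "99999.00")
    print("replayed on another purchase:", merchant_validate(replayed, res))
```
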

Riding on the scheme guidelines, all major Indian issuing banks have either a static password or a dynamic password (one-time password sent through SMS or email) solution, which is a more secure way of performing online payment. The recent launch of a card product by a leading bank for dynamic one-time password generation from the card is the first of its kind in the Indian market. While performing an Ecommerce transaction at any website that supports 3D secure acquiring (e.g. Verified by Visa in this case), the checkout page will be directed to the Verified by Visa (VbV) authentication page, like any other typical online transaction. The VbV authentication page will then prompt for a One-Time Passcode (OTP) / Dynamic Passcode, which needs to be generated using the reverse side of the plastic, with an additional PIN validation on the card for the one-time password generation.

Another fascinating way of processing Ecommerce transactions is through third-party solutions offered by global acquirers and service providers such as PayPal, Google Checkout, Wirecard, Moneybookers etc. A login credential is required to create a customer account, and information for multiple payment cards is stored in the database of these third-party service providers, who register with merchants independently. The customer can use any of the cards available in their account to perform the Ecommerce transaction. The additional security lies in the login credentials needed to access the customer account with the service provider. Recurring Ecommerce transactions are best suited for this solution.

A third way of processing an Ecommerce transaction that is less prone to fraudulent activity is to create an instant virtual card on any existing account or credit/debit card, with a customer-defined credit limit. This reduces the risk of exposing the entire credit or debit limit, and the primary card or account information is not communicated to the merchant. Once the transaction is complete, the virtual card is no longer valid for performing another transaction.

There are many more solutions and programs available in the market to process Ecommerce payments securely. Let’s hope that these solutions address customer apprehensions in performing Ecommerce payments in both emerging and established markets.