This is the
talk page for discussing improvements to the
3-D Secure article. This is not a forum for general discussion of the article's subject. |
Article policies
|
Find sources: Google ( books · news · scholar · free images · WP refs) · FENS · JSTOR · TWL |
This article is rated Start-class on Wikipedia's
content assessment scale. It is of interest to the following WikiProjects: | ||||||||||||||||||||||||||||||||||
|
Don't want to add this myself as I work for a company which has recently introduced 3d secure as a merchant, and therefore am not exactly NPOV, but maybe it's worth writing something for the Criticism section from merchants/web site integrators perspective: handing the user off to a foreign web site reduces reliability of the purchasing process (another point of failure), makes it difficult for the merchant to offer support (as they do not know what the customer will be seeing on his screen: that varies by bank), and can introduce undocumented browser dependencies (for example, on javascript). https://support.protx.com/forum/Topic4968-22-1.aspx?Highlight=3d+secure https://support.protx.com/forum/Topic5097-28-1.aspx?Highlight=3d+secure —Preceding unsigned comment added by 87.80.116.174 ( talk) 16:56, 16 April 2008 (UTC) (87.80.116.174 in this occasion was me, not logged in Daniel Barlow ( talk) 16:58, 16 April 2008 (UTC))
I have removed the following claim:
...which cited this reference from the UK website of Barclays bank:
As far as I can see, that is just a rather badly worded FAQ. Apparently it requires Internet Explorer and Netscape and AOL and Firefox and Safari - that's a whole lot of browsers just for one card transaction, on 2 different OSes no less!
If it is the case that this is an exhaustive list of supported browsers, it would likely only apply to Barclays implementation of 3-D Secure (banks like to make it sound like they invented Verified by Visa / MasterCard SecureCode; they didn't). And as any better-worded FAQ would say, absence of official support doesn't mean something won't work. What's more, the "accessibility" section of that FAQ confirms that it will even work without Javascript. - IMSoP ( talk) 19:04, 19 April 2009 (UTC)
I've removed another dubiously general claim, this time claiming all banks in the UK have the same password reset procedure. Once again, I would like to remind anyone editting this article that 3-D Secure can be implemented differently by every bank. If anyone has specific references for which bank this is, and can think of a way of summarising it as an example (perhaps alongside the US SSN example - again, any proof that this is a country-wide policy?), feel free.
-- IMSoP ( talk) 22:43, 13 July 2009 (UTC)
References
For Security of your Account and for Authentication Some banks in India now use an OTP for enrolling and in Sri Lanka most banks transactions are via OTP (one time password) sent to mobile/ e-mail. So unless they lose mobile (or control over your email account) and card credentials, card holders are safer. Nothing is foul-proof but this is definitely a 3rd factor authentication.
For card not present/IVR tx in India the RBI has mandated OTPs. IVR is Interactive voice response / like over the phone talking to a sales rep or a mobile app.
tx is transaction. RBI is the banking authority that mandates how banks should work.
Also most ACSes in India do not open the screen in a pop up and all well known browsers do not allow you to hide the certificate icon so a user can always see whose site they are on.
Axis Bank is one example where the bank has invested in a sub domain so even though they have an external ACS the URL is https://secure.axisbank.com/ACSWeb/EnrollWeb/AxisBank/main/index.jsp (similar to https://cardsecurity.enstage.com/ACSWeb/EnrollWeb/KotakBank/main/reg0.jsp but on their own domain, same ACS provider but different domains, one being the banks)
Tgkprog ( talk) 00:42, 25 June 2011 (UTC)
I'm concerned that the flag "This article is outdated" is not correct. As far as I can see all these criticisms are currently valid. Can we remove that banner, please, or at least can someone responsible outline which information is outdated? Crgn ( talk) 21:40, 21 August 2011 (UTC)
I do think it's outdated. For example, when enrolling in Verified-By-Visa (at least as of yesterday when I enrolled a card in the program) I was prompted to also enter in a recognizable key word. That way, when a Verified-by-Visa popup occurs during a transaction, if the pop-up shows my keyword I set up- I know it's Visa's and not a phishing scam. — Preceding unsigned comment added by 70.184.31.2 ( talk) 16:48, 6 October 2016 (UTC)
Not sure why the term credit card is used as the protocol is for any card. Can be issued by the bank as a debit card (linked to a savings account), a credit card, a prepaid or gift card. Tgkprog ( talk) 17:36, 15 March 2012 (UTC)
At some point I joined this system for my Visa and Mastercards (both UK), thinking it would add security. I soon realised that if my card were stolen the thief could simply use it for an internet transaction involving a site that did not use this protection, and I concluded that this was more to protect merchants who did use the system than for my own benefit, and I regretted having signed up. Also I noticed that after a certain point in time of the order of a year ago the verification window appeared but I was no longer asked for my password and wondered why (had the banks decided the password mechanism was useless maybe?).
Perhaps some knowledgable person could include clarification in regard to these issues in the article? -- Brian Josephson ( talk) 20:51, 11 May 2012 (UTC)
Do anybody know exact dates when each card issuing vendor started usage of 3-D Secure protocol. I would just like to see those history facts inside the article. Saša~shwiki ( talk) 21:15, 5 August 2015 (UTC)
Also Diners recently adopted his 3D secure. http://www.dinersclubprotect-buy.net/Public/MerchantOverview.aspx 86.163.213.144 ( talk) 14:42, 20 November 2015 (UTC)
I'm confused by the assertion in the first paragraph that 3DS is an XML-based protocol (with no reference source).
The EMV® 3-D Secure SDK Specification v2.0.0 makes no mention of XML at all. It does talk about JSON;
"UI text, such as label names, questions, and help text, is sent in a JSON array. "
Netscr1be ( talk) 13:18, 19 May 2017 (UTC)
At https://security.stackexchange.com/a/168750/105684 it is suggested that this scheme does not exist to protect cardholders but to benefit merchants. Perhaps this criticism, if justified, can be referenced and included in the section on criticism. PJTraill ( talk) 22:11, 4 September 2017 (UTC)
Hello there — Preceding unsigned comment added by NavneetMafia ( talk • contribs) 05:53, 2 December 2018 (UTC)
The link redirects you to a phishing site that informs you that you've just won something from Google 14. "Is securesuite.co.uk a phishing scam?". Ambrand.com. Retrieved 2010-08-11.
Are 3-D Secure and EMV 3-D Secure the same thing? The intro talks about them being developed by two different companies. But then the rest of the article talks about it as if it's one protocol. If not, what's the difference? -- Beland ( talk) 22:32, 5 August 2019 (UTC)
3-D_Secure#3-D_Secure_as_Strong_Customer_Authentication mentioned a deadline of Feb 2015, but Strong customer authentication mentions a deadline in Sep 2019. Was this delayed or are these different things? -- Beland ( talk) 22:49, 5 August 2019 (UTC)
As we all know, Amazon USA does not even require CVC or ZIP or whatever besides the card PAN and expiration date. There are some others in America. https://www.quora.com/What-online-shopping-stores-dont-require-CVV-code?top_ans=75776888 That is obviously unacceptable (only protection is debit cards (without overdraft) with enough money only for one transaction or Mir or another local card system that will not work with Amazon), I added info about India BUT I STILL DO NOT know whether Amazon USA will accept payment without 3D-Sec. or CVC from Indian card VISA or mastercard! Please help me answer that. I have some private VISA docs, looks like it is possible! 109.252.171.205 ( talk) 02:24, 6 July 2020 (UTC)
In the VISA Inc Project the ‘p42’ the first version of 3-d secure concept was developed. It was a project to develop new secure ways to pay over the Internet using the new VISA chip-cards. The VISA Inc person in charge of the project was mr Philippe Levy. There was a number of companies involved in the project Celo Communication AB, Gemplus, DST, Xcert International Inc etc
There has been a number of new versions made over the years but the edit on 26 of feb 2015 should be reversed or changed to something like “Arcot has contributed to the concept”.
— Preceding unsigned comment added by Parahren ( talk • contribs) 23:54, 5 February 2022 (UTC)
The first phrase of the third paragraph seems to have lost some context in revision https://en.wikipedia.org/?title=3-D_Secure&diff=1066865765&oldid=1065009598:
From
It was originally developed by
subject
with the intention of improving ..., and offered...
To
In 2001
subject
with the intention of improving ..., and offered...
For additional context, hopefully useful, it seems from https://www.digitalcommerce360.com/2002/09/30/arcot-s-transfort-solution-selected-by-mastercard-internati/ that Arcot's TransFort product was the first solution to be fully compliant with the 3-D Secure protocol and was the "foundation" for Visas's Verified by Visa (later Visa Secure) and Mastercard's SecureCode. Jsmpereira ( talk) 22:06, 22 June 2023 (UTC)