PCI 3D Secure
Credit and debit card fraud remains one of the greatest scourges of the retail industry, and online retailing has particular characteristics that make it uniquely susceptible. A determined criminal can find it remarkably easy to exploit weaknesses in the card-not-present (CNP) method of making purchases, and the threat is ever-present for consumers and merchants alike. On the face of it, the most pronounced danger faces the customer, who stands to lose personal funds through the fraud, but liability is increasingly laid at the door of the merchant or the payment processing provider whose security systems may have facilitated the crime.
The annual level of CNP fraud is estimated to be over $14 billion. Such levels of fraud are breath-taking. The original 3D Secure protocol dates back to 1999, but in 2016 EMVCo published the second version, EMV 3-D Secure 2 (3DS 2), to counter the increasing resourcefulness of cyber criminals, and the Payment Card Industry Security Standards Council (PCI SSC), which keeps its security regime under constant review, followed with the PCI 3DS standards that govern the environments running it. 3DS 2 replaces the static password of the original protocol with risk-based authentication: the issuer scores the richer transaction and device data the new protocol carries and only challenges the cardholder, for example with a one-time code or a biometric check in the issuer's banking app, when the risk warrants it.
Key considerations of the PCI 3D Secure protocol
Working with PCI 3D Secure
What does PCI 3DS mean? If you have ever been asked for additional proof of your identity when making an online purchase, you have encountered 3DS. ‘3D’ stands for ‘three domains’: the Acquirer Domain, which includes the merchant, its acquiring bank and the 3DS Server that submits the authentication request; the Issuer Domain, where the card issuer’s Access Control Server (ACS) decides whether to challenge the cardholder and carries out the authentication; and the Interoperability Domain, where the card scheme’s Directory Server (DS) validates each message and routes it between the other two domains over protected connections. The PCI standards behind this protocol are supported by three separate documents: the PCI 3DS Core Security Standard, which specifies the security requirements for environments that perform 3DS Server, DS or ACS functions; the PCI 3DS Data Matrix, which categorises the types of data the protocol handles and how each must be protected; and the PCI 3DS SDK Security Standard, which prescribes the requirements for the 3DS software development kit embedded in merchant mobile applications (not for mobile applications in general).
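As an added illustration of how a request crosses the three domains (this is not code from the original page or from any 3DS vendor), the following Python model plays one authentication through a merchant’s 3DS Server, a Directory Server and an issuer’s ACS. Message and field names follow EMV 3DS 2 (AReq/ARes/CReq/CRes, transStatus, eci, authenticationValue); the in-process transport, the card-range routing table, the issuer’s risk rule (low-value purchases go frictionless, everything else is challenged), the acsURL and the one-time code are assumed stand-ins so that it runs offline.

```python
"""
Simplified model of one EMV 3-D Secure 2 authentication passing through the
three domains.  Added illustration only: message and field names follow the
EMV 3DS 2 specification, but the transport, the BIN routing table, the
issuer's risk rule, the acsURL and the OTP check are assumed stand-ins.
"""
import hashlib
import hmac
import uuid
from dataclasses import dataclass

FRICTIONLESS_LIMIT = 30.00   # assumed issuer rule: amounts at or below this skip the challenge
DEMO_OTP = "246810"          # constructed one-time code the "cardholder" would receive


@dataclass
class Message:
    messageType: str         # AReq, ARes, CReq or CRes
    fields: dict


class AccessControlServer:
    """Issuer domain: decides whether to challenge and signs the result."""

    def __init__(self, cavv_key: bytes):
        self._key = cavv_key   # issuer-held key; the merchant never sees it
        self._pending = {}     # acsTransID -> (threeDSServerTransID, dsTransID)

    def _auth_value(self, threeds_tx: str, ds_tx: str) -> str:
        # Stand-in for the CAVV/AAV: an issuer MAC over the transaction ids, so a
        # merchant cannot fabricate an "authenticated" result it never received.
        msg = f"{threeds_tx}|{ds_tx}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def handle_areq(self, areq: Message) -> Message:
        f = areq.fields
        acs_tx = str(uuid.uuid4())
        common = {"messageVersion": f["messageVersion"],
                  "threeDSServerTransID": f["threeDSServerTransID"],
                  "dsTransID": f["dsTransID"], "acsTransID": acs_tx}
        amount = int(f["purchaseAmount"]) / 10 ** int(f["purchaseExponent"])
        if amount <= FRICTIONLESS_LIMIT:
            # Frictionless flow: risk-based approval, no cardholder interaction
            return Message("ARes", {**common, "transStatus": "Y", "eci": "05",
                                    "authenticationValue": self._auth_value(
                                        f["threeDSServerTransID"], f["dsTransID"])})
        # Challenge flow: tell the 3DS Server where the cardholder's browser must go
        self._pending[acs_tx] = (f["threeDSServerTransID"], f["dsTransID"])
        return Message("ARes", {**common, "transStatus": "C",
                                "acsURL": "https://acs.issuer.example/challenge"})  # assumed

    def handle_creq(self, creq: Message) -> Message:
        # A real ACS reports the outcome to the 3DS Server in an RReq via the DS;
        # here the CRes carries it directly to keep the model short.
        acs_tx = creq.fields["acsTransID"]
        ids = self._pending.pop(acs_tx, None)
        entered = creq.fields.get("challengeDataEntry", "")
        if ids is None or not hmac.compare_digest(entered, DEMO_OTP):
            return Message("CRes", {"acsTransID": acs_tx, "transStatus": "N"})
        return Message("CRes", {"acsTransID": acs_tx, "transStatus": "Y", "eci": "05",
                                "authenticationValue": self._auth_value(*ids)})


class DirectoryServer:
    """Interoperability domain: assigns dsTransID and routes the AReq by card range."""

    def __init__(self, bin_table: dict):
        self._bins = bin_table   # constructed: leading PAN digits -> issuer ACS

    def forward(self, areq: Message) -> Message:
        f = dict(areq.fields, dsTransID=str(uuid.uuid4()))
        acs = next((a for prefix, a in self._bins.items()
                    if f["acctNumber"].startswith(prefix)), None)
        if acs is None:
            # No participating ACS for this card range: authentication unavailable
            return Message("ARes", {"threeDSServerTransID": f["threeDSServerTransID"],
                                    "dsTransID": f["dsTransID"], "transStatus": "U"})
        return acs.handle_areq(Message("AReq", f))


class ThreeDSServer:
    """Acquirer domain: the merchant's 3DS Server builds the AReq and reads the result."""

    def __init__(self, ds: DirectoryServer):
        self._ds = ds

    def request(self, pan: str, amount: float) -> Message:
        return self._ds.forward(Message("AReq", {
            "messageVersion": "2.2.0", "threeDSServerTransID": str(uuid.uuid4()),
            "acctNumber": pan, "purchaseAmount": str(round(amount * 100)),
            "purchaseExponent": "2", "deviceChannel": "02"}))   # 02 = browser


def run_authentication(pan: str, amount: float, otp: str = "") -> dict:
    """Play one purchase through all three domains; return what the merchant sees."""
    acs = AccessControlServer(cavv_key=b"constructed-issuer-key")
    ds = DirectoryServer({"4111": acs})      # only one issuer enrolled in this model
    ares = ThreeDSServer(ds).request(pan, amount)
    final, challenged = ares, False
    if ares.fields["transStatus"] == "C":
        # Browser step: the cardholder enters the OTP and the CReq goes to the ACS
        creq = Message("CReq", {"acsTransID": ares.fields["acsTransID"],
                                "challengeDataEntry": otp})
        final, challenged = acs.handle_creq(creq), True
    return {"transStatus": final.fields["transStatus"], "eci": final.fields.get("eci"),
            "authenticationValue": final.fields.get("authenticationValue"),
            "challenged": challenged}


if __name__ == "__main__":
    print(run_authentication("4111111111111111", 25.00))                 # frictionless
    print(run_authentication("4111111111111111", 250.00, otp="246810"))  # challenge passed
    print(run_authentication("4111111111111111", 250.00, otp="000000"))  # challenge failed
    print(run_authentication("5555444433332222", 10.00))                 # no ACS enrolled
```

The point to notice is what each domain sees: the merchant’s 3DS Server only ever receives a transStatus, an ECI and an issuer-generated authenticationValue, never the cardholder’s credential, and the card range determines which issuer ACS the Directory Server routes to. Each of those three components is a PCI 3DS function whose environment falls under the Core Security Standard.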
The obligations of PCI 3DS compliance apply to every organisation that performs or provides the core 3DS functions in the domains listed above: the 3DS Server, the Directory Server and the Access Control Server. It is extremely important to note, however, that responsibility is not limited to those entities. The provisions also catch third-party providers whose activities affect the security of any of those functions (a provider hosting an ACS on a merchant’s or issuer’s behalf, for example). Some of the PCI’s other arrangements offer a built-in scope reduction to organisations that use PCI-validated products and service providers; the PCI 3D Secure standard is more complex, and the boundary of the 3DS environment has to be established for each organisation. For that reason, it is highly advisable to seek the kind of expert advice Gradeon is eminently qualified to provide. We work routinely with clients on all aspects of PCI compliance and can give you expert guidance on your potential responsibilities and how to meet them. If it is possible to reconfigure your processes so that you fall outside the remit of PCI 3DS, we can work with you to achieve this. Either way, we will be your ideal partner in the fight to improve security and defeat cybercrime.