3-D Secure

[1] The protocol was originally developed in the autumn of 1999 by Celo Communications AB (which was acquired by Gemplus Associates and integrated into Gemplus, Gemalto and now Thales Group) for Visa Inc. in a project named "p42" ("p" from pole vault, as the project was a big challenge, and "42" as the answer from the book The Hitchhiker's Guide to the Galaxy).

[5] Analysis of the first version of the protocol by academia has shown it to have many security issues that affect the consumer, including a greater surface area for phishing and a shift of liability in the case of fraudulent payments.

Each issuer could use any kind of authentication method (the protocol does not cover this), but typically a password tied to the card is entered when making online purchases.

The Verified by Visa protocol recommends that the card issuer's verification page load in an inline frame session.

In the 3-D Secure protocol, the ACS (access control server) is on the card issuer side.

Perhaps the biggest disadvantage for merchants is that many users view the additional authentication step as a nuisance or obstacle, which results in a substantial increase in transaction abandonment and lost revenue.

These types of devices might provide a better user experience for customers as they free the purchaser from having to use a secure password.

As of 2022, web browsers do not provide a way to check the security certificate for the contents of an iframe.

Some commerce sites will devote the full browser page to the authentication rather than using a frame (not necessarily an iframe), which is a less secure object.

In this case, the lock icon in the browser should show the identity of either the card issuer or the operator of the verification site.

Mobile browsers present particular problems for 3-D Secure due to the common lack of certain features such as frames and pop-ups.

Legal conditions applied to the 3-D Secure service are sometimes worded in a way that makes it difficult for the cardholder to escape liability from fraudulent transactions.

Complaints to that effect have been received by the Puerto Rico Department of Consumer Affairs "equal treatment" economic discrimination site.

[21] A proposal to make 3-D Secure mandatory in Australia was blocked by the Australian Competition & Consumer Commission (ACCC) after numerous objections and flaw-related submissions were received.

[22] Some countries, like India, made the use of not only CVV2 but also 3-D Secure mandatory: an SMS code is sent by the card issuer and typed into the browser. When you click "purchase", you are redirected to the payment system or card issuer system site, where you type that code, and only then is the operation accepted.

3-D Secure Flow