What is 3D-SECURE

E-commerce permits a dematerialized financial transaction between a customer and a merchant (Schafer, Konstan, & Riedl, 2001). It uses a complex architecture involving many aspects in computer science (security, database management) and in electronics (smartcards, tokens) (Tang, Waichee, & Veijalai, 2004). E-commerce is in a constant growth (Herrmann & Herrmann, 2004). To be used by the majority of individuals, electronic transactions must be secured to increase the confidence in the e-commerce. Security is necessary in commercial relationships for many reasons. First, the customer must be sure that the goods he/she is buying will be the expected ones, and will be well delivered at his/her address. Second, the merchant must be sure to be paid. If the customer uses banknotes or electronic payment, two or more partners are involved in that transaction: the customer’s bank and the merchant’s one. The two banks must be sure of the customer’s identity and of the merchant’s one in order to avoid banking frauds. In the transaction process, many security systems are used to ensure the confidentiality, authentication, and integrity of exchanges. The security is guaranteed by using specific procedures and hardware. The objective of this chapter is to present how the classical security concepts are applied for an electronic payment and especially to limit the fraud. The background section first gives a general idea of the problem generated by the electronic commerce. Second, we present briefly the public key infrastructure approach that is generally used for authentication within this context. The main thrust introduces two protocols that have been developed: SSL (secure sockets layer) and TLS (transport layer security), to create a secure channel where all transactions are encrypted by using specific architectures and algorithms. For the payment part of the transaction process, banks have been considered that SSL and TLS are not sufficiently secure. The main reason is that the cardholder is not authenticated by the issuer bank and the responsibility stays on the merchant side. Banks have so tried to implement different architectures to meet these requirements. These different methods, use of token with SET (secure electronic transaction) or a smartcard such as C-SET developed in the last fifteen years, began to converge to the 3D-secure (three domains security) protocol. These methods to secure the distant payment was adopted together by the card scheme Visa© and MasterCard©. The last, but not the least problem, concerns the distant authentication of the client by its bank, which is described in the future trends.