I could be wrong on this, but I believe that "3D Secure" is the name of the 
protocol and "Verified by Visa" is the customer brand.  They may have changed 
the name when they started verifying Mastercard also.

Some banks did mandate use of the VbV program in the past, but I'm not sure if 
that's the case anymore.  You may have better information on this than I.

Well, I look at it this way...

Right now, there's really no credit card security whatsoever.  Sure, there's 
AVS, but anyone with your credit card information can usually find out enough 
about you to add an additional address at your issuing bank.  Other stores will 
let you send out purchases to other addresses as "gifts".
There's also CVV, but if a store or a customer's machine is hacked, the CVV 
code can be compromised.  Then there's the merchants who retain the CVV code 
even though they shouldn't.  (I haven't seen that myself, but I'm sure it's out 
there.)  

In theory, 3DS should be more secure as it would require the issuer to be 
hacked or the customer's computer to be compromised.  That said, there are some 
scary scenarios that could be brought up.

However, that's not to say that repudiation isn't also a big issue.  It is.  
And as ofbiz primarily caters to mail order businesses, they have ZERO 
protection from credit card fraud and repudiation.  Basically, if someone makes 
a purchase and decides they don't want to pay, they just call up their issuer, 
say it was fraud, and the money comes out of the merchant's account.  The 
merchant has very little recourse.

In summary:

1)  3DS should reduce fraud, at least for participants, and at least until new 
methods are invented/implemented to capture cardholders' PINs.
2)  3DS should reduce repudiation, by making it harder for those who wish to 
raise the specter of fraud to get out of paying for a product or service.
3)  3DS will give some security (and a better rate) to mail order merchants who 
currently have none.
4)  3DS does break new legal ground, and I'm sure in time the courts or 
legislature will have to sort it out.  Some jurisdictions already have, I think 
JLR mentioned a pro-consumer law in France.

There's good and bad in there, but ultimately, the consumer decides if they 
want to participate.  I haven't been forced to participate in VbV on any of my 
cards, and I hold cards (through acquisition/mergers, etc) with the biggest 
issuers in the US.  If I were forced to participate, I'd go elsewhere, whether 
it's another issuer or another brand (discover, amex, etc).  There's nothing 
wrong with that.

It sounds like you have someone who wants to implement a feature in such a way 
that it can be disabled, where's the harm?  Refusing to allow it to be put in 
only raises the barriers to adopting ofbiz.  Those who wish to implement 3DS 
will implement it in ofbiz, or will choose a product that does so OOTB.

Chris Lombardi

> From: [EMAIL PROTECTED]
> To: dev@ofbiz.apache.org
> Subject: Re: [Fwd: Re: I want to discuss integration 3D Secure Credit Card 
> with ofbiz.]
> Date: Mon, 20 Oct 2008 01:19:27 -0600
> 
> 
> Interesting, it's like Verified by Visa but more crafty. With VbV you  
> could keep your cards more secure to you by not signing up for an  
> account. In other words if you don't have a VbV account then no one  
> can somehow get your username and password and make charges on your  
> card that you can't do anything about, ie charges you're stuck with  
> because the normal credit card protections don't apply.
> 
> With 3D Secure, if they use the same username/password that you use  
> for online banking and you can't opt out of 3D Secure, then you get to  
> move to a bank that doesn't do 3D Secure, or deal with the fact that  
> if anyone gets your online account's username/password then you're in  
> big trouble and you'll get no help.
> 
> The scary thing is that many people won't be aware of this additional  
> risk, and that the protection is NOT for the consumer, it is for the  
> credit card company, payment processor company, and merchant bank, and  
> also the merchant/vendor. I'm guessing they won't advertise that fact,  
> at least until a law comes along that requires it.
> 
> Oh well, wonderful world we live in. I may be outvoted in this, but  
> just like Verified by Visa this is the sort of feature I'd like to see  
> never make it into OFBiz.
> 
> -David
> 
> 
> On Oct 20, 2008, at 12:04 AM, Raj Saini wrote:
> 
> > David,
> >
> > AFAIK, 3D secure is similar to "Verified by Visa"; in addition to  
> > that it also supports Mastercard. In 3D secure customers authenticate  
> > with their banker (issuer bank) and not the Visa or MasterCard site  
> > and yes they waive the right to repudiation as they use their bank  
> > userid/password to authenticate.
> >
> > I know some of the merchant banks in the UK made it mandatory to use 3D  
> > secure for CC processing. I am not sure how useful it could be for  
> > end customers but vendors have little choice when their merchant bank  
> > makes it mandatory to use 3D secure as part of CC processing. The only  
> > alternative is to switch to another merchant bank, which may not be  
> > feasible sometimes.
> >
> > Thanks,
> >
> > Raj
> >
> > David E Jones wrote:
> >>
> >> On a side note, is 3D Secure like the old "Verified by Visa" thingy  
> >> that was supposed to make things more secure for "customers" but by  
> >> using it customers actually waived the right to repudiation. In  
> >> other words, if someone was able to get your CC information and  
> >> Verified by Visa username/password then they could commit fraud and  
> >> Visa wouldn't help you out with it at all.
> >>
> >> In other words, for your extra pain of signing up and using the  
> >> problem, the customer was rewarded by not being able to repudiate  
> >> fraudulent charges.
> >>
> >> If the same is true for 3D Secure then chances are it won't be on  
> >> the radar for very long... when was the last time anyone here was  
> >> asked to implement for Verified by Visa?
> >>
> >> -David
> >>
> >>
> >> On Oct 19, 2008, at 11:05 PM, Christopher L wrote:
> >>
> >>> Yes, it's a complete rethink on how to ensure non-repudiation.
> >>>
> >>> It's also less of a "call to a gateway" as it is a redirection to  
> >>> the card issuer.  The goal is to keep the PIN from the merchants  
> >>> and card processors.
> >>>
> >>> Here's the flow, IIRC.
> >>>
> >>> 1.  User enters in a CC number into a storefront.
> >>> 2.  Storefront queries the CC number to determine participation in  
> >>> 3dsecure.
> >>> 3.  Response and issuer authentication url is returned.
> >>> 4.  Storefront redirects the user to the card issuer, with an  
> >>> encrypted payload.  This could be in a pop-up.
> >>> 5.  User authenticates with card issuer.
> >>> 6.  Card issuer redirects the user back to the storefront with a  
> >>> code in an xml doc signed by the issuer.
> >>> 7.  Storefront adds the code to the authorization that is sent to  
> >>> the credit card processor.
> >>>
> >>> In my experience, merchants get very worried (and rightly so)  
> >>> about the redirection/pop-up because you lose control of the  
> >>> user.  It's essential to make it a smooth experience.  If it's  
> >>> not, you lose sales because the customers don't come back from the  
> >>> redirect.
> >>>
> >>> Chris Lombardi
> >>>
> >>>> Date: Sun, 19 Oct 2008 13:27:43 -0700
> >>>> From: [EMAIL PROTECTED]
> >>>> To: dev@ofbiz.apache.org
> >>>> Subject: Re: [Fwd: Re: I want to discuss integration 3D Secure  
> >>>> Credit Card with ofbiz.]
> >>>>
> >>>> I did not catch that, thanks, Chris.
> >>>> This would be an independent service that the different CC  
> >>>> services could
> >>>> call it while building their call to the gateway they are using.
> >>>> it would still be in the third party service.
> >>>> 3DsecureService.java
> >>>>
> >>>>
> >>>> Christopher L sent the following on 10/19/2008 1:02 PM:
> >>>>> 3D Secure isn't a payment processor.  It's a supplemental  
> >>>>> authentication service that authenticates the cardholder to the  
> >>>>> *card issuing bank*.
> >>>>>
> >>>>> The output of 3D Secure is an encrypted hash (not a payment  
> >>>>> auth) that is then sent via your normal payment authorization  
> >>>>> service.
> >>>>>
> >>>>> So, you really can't implement ccAuth, ccCapture, etc.
> >>>>>
> >>>>> Sarvesh is trying to find out where in the checkout process this  
> >>>>> additional authentication step could go to then be utilized by  
> >>>>> all the payment authorization services.  I'm familiar with 3D  
> >>>>> Secure, but unfortunately not familiar with the ofbiz ecommerce  
> >>>>> module, or I'd suggest something myself.
> >>>>>
> >>>>> Chris Lombardi
> >>>>>
> >>>>>> Date: Sun, 19 Oct 2008 12:41:03 -0700
> >>>>>> From: [EMAIL PROTECTED]
> >>>>>> To: dev@ofbiz.apache.org
> >>>>>> Subject: Re: [Fwd: Re: I want to discuss integration 3D Secure  
> >>>>>> Credit Card with ofbiz.]
> >>>>>>
> >>>>>> I read
> >>>>>> http://docs.ofbiz.org/display/OFBIZ/Credit+Card+3D+Secure++Authentication+Integration+with+ofbiz
> >>>>>> and see no difference than using the CC service called by
> >>>>>> PaymentGatewayServices
> >>>>>> all the services now, had web interfaces at one time.
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> Raj Saini sent the following on 10/19/2008 8:43 AM:
> >>>>>>> BJ,
> >>>>>>>
> >>>>>>> 3D secure is not the same as normal CC authorization. 3D secure  
> >>>>>>> has an issuer
> >>>>>>> bank authentication and it happens in 2 phases. And that is  
> >>>>>>> the reason
> >>>>>>> this proposal is to make 3D secure generic enough to integrate  
> >>>>>>> with
> >>>>>>> OFBiz so that it can easily be hooked up in other payment  
> >>>>>>> processors.
> >>>>>>>
> >>>>>>> Thanks,
> >>>>>>>
> >>>>>>> Raj
> >>>>>>>
> >>>>>>> BJ Freeman wrote:
> >>>>>>>> look at the third party code under the financial folder.
> >>>>>>>> applications\accounting\src\org\ofbiz\accounting\thirdparty
> >>>>>>>> provide
> >>>>>>>> ccAuth
> >>>>>>>> ccCapture
> >>>>>>>> at a minimum
> >>>>>>>> and
> >>>>>>>> ccRefund
> >>>>>>>> ccRelease
> >>>>>>>> ccCredit
> >>>>>>>> ccAuthCapture
> >>>>>>>> if the provider supports them.
> >>>>>>>>
> >>>>>>>> http://docs.ofbiz.org/display/OFBIZ/OFBiz+Beginner%27s+Development+Guide+Using+Practice+Application
> >>>>>>>>
> >>>>>>>> see part 1
> >>>>>>>>
> >>>>>>>> Sarvesh sent the following on 10/17/2008 7:26 AM:
> >>>>>>>>
> >>>>>>>>> Hi,
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> I want to discuss integration 3D Secure Credit Card with  
> >>>>>>>>> ofbiz. I
> >>>>>>>>> have got
> >>>>>>>>> it working (using protx simulator) by changing some of ofbiz  
> >>>>>>>>> files but
> >>>>>>>>> still
> >>>>>>>>> it is not generic so I want to discuss it with the user  
> >>>>>>>>> community to
> >>>>>>>>> make it
> >>>>>>>>> generic for general usage.
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> Thanks
> >>>>>>>>> Sarvesh.
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>
> >>
> >>
> >
> 
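
Added example (not part of the original thread, and not OFBiz or card-scheme code): a sketch of the merchant-side check between steps 6 and 7 of the flow quoted above, where the storefront accepts the issuer's signed response only if the signature verifies, the response matches the pending order, and it has not been used before. The class name, the pipe-delimited message format (standing in for the signed XML document), the "AUTHENTICATED" status value and the RSA test key are all assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;

public class ThreeDSecureReturn {
    // txId -> order amount in minor units, recorded before the redirect (step 4)
    private final Map<String, Long> pending = new HashMap<>();
    private final PublicKey issuerKey; // assumed to come from a validated issuer certificate

    ThreeDSecureReturn(PublicKey issuerKey) { this.issuerKey = issuerKey; }

    String begin(long amountMinor) {
        String txId = UUID.randomUUID().toString();
        pending.put(txId, amountMinor);
        return txId;
    }

    // Constructed wire format standing in for the issuer's signed XML document
    static byte[] canonical(String txId, long amount, String status, String code) {
        return (txId + "|" + amount + "|" + status + "|" + code).getBytes(StandardCharsets.UTF_8);
    }

    // Step 6 -> 7: returns the code to attach to the payment authorization, or throws
    String complete(String txId, long amount, String status, String code, byte[] sig)
            throws GeneralSecurityException {
        Long expected = pending.get(txId);
        if (expected == null) throw new SecurityException("unknown or already used transaction");
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(issuerKey);
        v.update(canonical(txId, amount, status, code));
        if (!v.verify(sig)) throw new SecurityException("issuer signature invalid");
        pending.remove(txId); // a verified response is consumed exactly once
        if (expected != amount) throw new SecurityException("amount differs from the order");
        if (!"AUTHENTICATED".equals(status)) throw new SecurityException("cardholder not authenticated");
        return code;
    }

    public static void main(String[] args) throws Exception {
        KeyPair issuer = KeyPairGenerator.getInstance("RSA").generateKeyPair(); // constructed test issuer
        ThreeDSecureReturn shop = new ThreeDSecureReturn(issuer.getPublic());
        String txId = shop.begin(4999);
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(issuer.getPrivate());
        s.update(canonical(txId, 4999, "AUTHENTICATED", "constructed-code"));
        byte[] sig = s.sign();
        System.out.println(shop.complete(txId, 4999, "AUTHENTICATED", "constructed-code", sig));
        try {
            shop.complete(txId, 4999, "AUTHENTICATED", "constructed-code", sig); // same response replayed
        } catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

An unsigned or forged response leaves the pending entry in place, so a bogus return cannot cancel a genuine checkout; only a response that verifies consumes the transaction.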
