The 3-D Secure™ protocol was developed and implemented by leading card networks Visa and MasterCard, who branded their service “Verified by Visa” and “MasterCard SecureCode” respectively.

The motivation for implementing this new level of transaction security was the desire to lessen the risk experienced by all parties (Merchant, User and Issuer/Acquirer) of card-not-present transactions. As the name implies, these transactions, usually completed online, are completed without the added security benefit of the card’s physical presence at the point of sale, and additionally lack the cardholder’s signature authorizing the transaction. This relative dearth of security measures facilitated fraudulent activity and exposed online Merchants to a higher risk of chargebacks and Users to the danger of unauthorized transactions.

The 3-D Secure™ protocol (named for the Three Domains of online card transactions: Issuer, Acquirer and Interoperability/Internet/Settlement Network) addresses this issue by ensuring that participating cards may only be used in a card-not-present environment if a correct password or other identity verifying information is provided for that card upon authorization – an identifier selected by the registered owner of the card upon registration with the service.

Below is a visual representation of the three domains of 3-D Secure™ as provided by Visa:

Note that the task of authenticating a User is undertaken by the Issuer, that of processing and executing the request is performed by the Merchant and Acquirer, while communication takes place across the Internet and is supervised by the payment network (in this case, Visa).

Finally, all information transferred between parties during the process of authentication and authorization takes place using Secure Sockets Layer (SSL) encryption in order to ensure maximum protection of sensitive card data.