Visa sets specifications for online authentication

Visa International Inc. this week announced the worldwide rollout of technical specifications designed to support payment authentication services for online credit card transactions while leaving retailers free to use their own mechanisms for processing payments.

The move puts a global spin on payment authentication capabilities that Visa’s U.S. operations detailed last month. The San Francisco-based company’s international unit said it has been working with a group of more than 60 technology vendors and consulting firms, including IBM, Microsoft Corp., Oracle Corp. and Sun Microsystems Inc., to develop and test the new 3-D Secure 1.0 specifications.

Some of the vendors have also signed up to develop products and services that are needed to support deployment and use of the specifications by retailers and credit card issuers, Visa International said. The technical guidelines are part of a Visa Authenticated Payments program that’s now being implemented in the United States, Europe, Asia and other parts of the world, the company added.

Philip Yen, executive vice-president of the e-Visa International e-commerce group, said the specifications are aimed at ensuring that shoppers using Visa cards “have the same confidence on the Internet as [they do] in the real world.” During a testing period, installation of software and hardware devices that support 3-D Secure 1.0 has taken about two weeks at Visa member banks, according to Yen, who added that the required technology “is not a heavy investment.”

The new specifications are being offered as a potential alternative to Visa’s more comprehensive 3-D Secure Electronic Transaction (SET) standards, which were first developed five years ago. The 3-D SET approach secures electronic transactions from Visa cardholders to retailers and then on to the banks and other companies that issue the credit cards. By contrast, 3-D Secure focuses on authenticating the identity of shoppers and providing that information to retailers.

Tom Manessis, vice-president of e-commerce at e-Visa International, said the new approach works by creating a conduit between a retailer, a credit card issuer and an individual cardholder who’s trying to make a purchase online or via a cell phone. The credit card number is collected by the retailer and then sent by software to the appropriate card issuer in real time, Manessis said.

The card issuer can then verify the account number and trigger a query window on the shopper’s PC, requiring him or her to enter a personal identification number or public-key infrastructure information. If the information is correct, Manessis said, the card issuer validates the sale for the retailer, which can then use its existing method of processing the actual payment.

Online transactions currently represent about two per cent to three per cent of the US$1.9 trillion in annual sales processed on Visa cards, and the company said less than one-tenth of a percent of that money is lost to credit card fraud. But making online shoppers more comfortable is a key goal for Visa: “We’ve done quite a bit of consumer research,” Manessis said. “Security is still one of their top concerns.”

The vendors that Visa International is working with include developers of payment and customer relationship management software, as well as companies that make security and fraud-detection tools. The technical specifications support authentication from point-of-sale devices and via PCs and mobile phones, and Yen said future plans call for the addition of capabilities for personal digital assistants and interactive TV sets.