What is cid on credit card

Security feature on payment cards

What is cid on credit card

The card security code is located on the back of Mastercard, Visa, Discover, Diners Club, and JCB credit or debit cards and is typically a separate group of three digits to the right of the signature strip

What is cid on credit card

On American Express cards, the card security code is a printed, not embossed, group of four digits on the front towards the right

A card security code (CSC; also known as CVC, CVV, or several other names) is a series of numbers that, in addition to the bank card number, is printed (not embossed) on a card. The CSC is used as a security feature for card not present transactions, where a personal identification number (PIN) cannot be manually entered by the cardholder (as they would during point-of-sale or card present transactions). It was instituted to reduce the incidence of credit card fraud.

These codes are in slightly different places for different card issuers. The CSC for Visa, Mastercard, and Discover credit cards is a three-digit number on the back of the card, to the right of the signature box. The CSC for American Express is a four-digit code on the front of the card above the account number. See the figures to the right for examples.

CSC was originally developed in the UK as an eleven-character alphanumeric code by Equifax employee Michael Stone in 1995. After testing with the Littlewoods Home Shopping group and NatWest bank, the concept was adopted by the UK Association for Payment Clearing Services (APACS) and streamlined to the three-digit code known today. Mastercard started issuing CVC2 numbers in 1997 and Visa in the United States issued them by 2001. American Express started to use the CSC in 1999, in response to growing Internet transactions and card member complaints of spending interruptions when the security of a card has been brought into question.

Contactless card and chip cards may electronically generate their own code, such as iCVV or a dynamic CVV.

Naming

The codes have different names:

  • "CSC" or "card security code": debit cards,[which?] American Express (three digits on back of card, also referred to as 3CSC)[1]
  • "CVC" or "card validation code": Mastercard
  • "CVV" or "card verification value": Visa
  • "CAV" or "card authentication value": JCB
  • "CID": "card ID", "card identification number", or "card identification code": Discover, American Express (four digits on front of card). American Express usually uses the four-digit code on the front of the card, referred to as the card identification code (CID), but also has a three-digit code on the back of the card, referred to as the card security code (CSC). American Express also sometimes refers to a "unique card code".[2]
  • "CVD" or "card verification data": Discover
  • "CVE" or "Elo verification code": Elo in Brazil
  • "CVN" or "card validation number": China UnionPay
  • "SPC" or "signature panel code"[3]

Types

There are several types of security codes and PVV (all generated from DES key in the bank in HSM modules using PAN, expiration date and service code):

  • The first code, 3 numbers, called CVC1 or CVV1, is encoded on track one and two of the magnetic stripe of the card and used for card present transactions, with signature (second track also contains pin verification value, PVV, but now it is usually all zeroed out and service code). The purpose of the code is to verify that a payment card is actually in the hand of the merchant (thus it should be different from CVV2). This code is automatically retrieved when the magnetic stripe of a card is read (swiped) on a point-of-sale (card present) device and is verified by the issuer. A limitation is that if the entire card has been duplicated and the magnetic stripe copied, then the code is still valid, even though you usually need to sign after that. (See credit card fraud § skimming.)
  • The second code, and the most cited, is CVV2 or CVC2. This code is often used by merchants for card not present transactions including online purchases. In some countries in Western Europe, card issuers require a merchant to obtain the code when the cardholder is not present in person. Uses service code 000.
  • Contactless and/or chip EMV cards supply their own electronically generated codes, called iCVV. Uses service code 999. It is described in public standards from EMVCo.
  • Consumer Device Cardholder Verification Method (CDCVM for short) is a type of identity verification in which the user's mobile device (such as a smartphone) is used to verify the user's identity; for example, it can use the device's biometrics authentication features (e.g. Touch ID or Face ID), or the device's set passcode. It is supported by a number of payment systems, such as Apple Pay,[4] Google Pay[5] or Samsung Pay.[6]

Location

The card security code is typically the last three or four digits printed, not embossed like the card number, on the signature strip on the back of the card. On American Express cards, however, the card security code is the four digits printed (not embossed) on the front towards the right. The card security code is not encoded on the magnetic stripe but is printed flat.

  • American Express cards have a four-digit code printed on the front side of the card above the number.
  • Diners Club, Discover, JCB, Mastercard, and Visa credit and debit cards have a three-digit card security code. The code is the final group of numbers printed on the back signature panel of the card.
  • New North American Mastercard and Visa cards feature the code in a separate panel to the right of the signature strip.[7] This has been done to prevent overwriting of the numbers by signing the card.

Generation

The CSC for each card (form 1 and 2) is generated by the card issuer when the card is issued. It is calculated by encrypting the bank card number and expiration date (two fields printed on the card) with encryption keys known only to the card issuer, and decimalising the result (in a similar manner to a hash function).[8][9][10]

Benefits and limitations

As a security measure, merchants who require the CVV2 for "card not present" transactions are required by the card issuer not to store the CVV2 once the individual transaction is authorized.[11] This way, if a database of transactions is compromised, the CVV2 is not present and the stolen card numbers are less useful. Virtual terminals and payment gateways do not store the CVV2 code; therefore, employees and customer service representatives with access to these web-based payment interfaces, who otherwise have access to complete card numbers, expiration dates, and other information, still lack the CVV2 code.

The Payment Card Industry Data Security Standard (PCI DSS) also prohibits the storage of CSC (and other sensitive authorisation data) post transaction authorisation. This applies globally to anyone who stores, processes or transmits card holder data.[12] Since the CSC is not contained on the magnetic stripe of the card, it is not typically included in the transaction when the card is used face to face at a merchant. However, some merchants in North America, such as Sears and Staples, require the code. For American Express cards, this has been an invariable practice (for "card not present" transactions) in European Union (EU) countries like Ireland and the United Kingdom since the start of 2005. This provides a level of protection to the bank/cardholder, in that a fraudulent merchant or employee cannot simply capture the magnetic stripe details of a card and use them later for "card not present" purchases over the phone, mail order or Internet. To do this, a merchant or its employee would also have to note the CVV2 visually and record it, which is more likely to arouse the cardholder's suspicion.

Supplying the CSC code in a transaction is intended to verify that the customer has the card in their possession. Knowledge of the code proves that the customer has seen the card, or has seen a record made by somebody who saw the card.

Limitations include:

  • The use of the CSC cannot protect against phishing scams, where the cardholder is tricked into entering the CSC among other card details via a fraudulent website. The growth in phishing has reduced the real-world effectiveness of the CSC as an anti-fraud device. There is now also a scam where a phisher has already obtained the card account number (perhaps by hacking a merchant database or from a poorly designed receipt) and gives this information to the victims (lulling them into a false sense of security) before asking for the CSC (which is all that the phisher needs and the purpose of the scam in the first place).[13]
  • Since the CSC may not be stored by the merchant for any length of time[11] (after the original transaction in which the CSC was quoted and then authorized), a merchant who needs to regularly bill a card for a regular subscription would not be able to provide the code after the initial transaction. Payment gateways, however, have responded by adding "periodic bill" features as part of the authorization process.
  • Some card issuers do not use the CSC. However, transactions without CSC are possibly subjected to higher card processing cost to the merchants,[citation needed] and fraudulent transactions without CSC are more likely to be resolved in favour of the cardholder.[citation needed]
  • It is not mandatory for a merchant to require the security code for making a transaction, so the card may still be prone to fraud even if only its number is known to phishers. For example, Amazon requires only a card number and expiration date to complete a transaction.
  • It is possible for a fraudster to guess the CSC by using a distributed attack.[14]

See also

  • 3-D Secure
  • Credit card fraud
  • ISO 8583

References

  1. ^ "SafeKey Frequently Asked Questions | American Express Canada". www.americanexpress.com. Retrieved 4 May 2021.
  2. ^ "American Express® Card security features" (PDF). www.americanexpress.com. Retrieved 4 May 2021.
  3. ^ "CIBC MasterCard - MasterCard SecureCode". Archived from the original on 24 April 2014. Retrieved 12 July 2012.
  4. ^ "Apple Pay £20 limit in the UK will 'change over time'". Wired UK. 24 June 2015. Retrieved 24 June 2022.
  5. ^ "Breakthrough for mobile payments? Google Pay launched in Germany". Avira. 17 July 2018. Retrieved 24 June 2022.
  6. ^ "Samsung Pay now allows Australian users to make high-value purchases without PIN". SamMobile. 22 September 2020. Retrieved 24 June 2022.
  7. ^ "Card Security Features" (PDF). Visa. Archived from the original (PDF) on 16 February 2012.
  8. ^ "VISA PIN Algorithms". www.ibm.com. 18 September 2012. Retrieved 18 June 2021.
  9. ^ "z/OS Integrated Cryptographic Service Facility Application Programmer's Guide". IBM. March 2002. p. 209.[dead link]
  10. ^ "z/OS Integrated Cryptographic Service Facility Application Programmer's Guide". IBM. March 2002. p. 258.[dead link]
  11. ^ a b "Rules for Visa Merchants". p. 1. Archived from the original (doc) on 24 February 2014. Retrieved 26 February 2013.
  12. ^ "Official Source of PCI DSS Data Security Standards Documents and Payment Card Compliance Guidelines". Pcisecuritystandards.org. Retrieved 25 December 2011.
  13. ^ "Urban Legends Reference Pages: Visa Fraud Investigation Scam". Snopes.com. Retrieved 25 December 2011.
  14. ^ Ducklin, Paul (5 December 2016). "How to guess credit card security codes". naked security by SOPHOS. Retrieved 8 December 2016.

Retrieved from "https://en.wikipedia.org/w/index.php?title=Card_security_code&oldid=1112434585"


Page 2

3-D Secure is a protocol designed to be an additional security layer for online credit and debit card transactions. The name refers to the "three domains" which interact using the protocol: the merchant/acquirer domain, the issuer domain, and the interoperability domain.[1]

Originally developed in the autumn of 1999 by Celo Communications AB (later Gemplus, Gemalto and now Thales Group) for Visa Inc. in a project named "p42" ("p" from Pole vault as the project was a big challenge and "42" as the answer from the book The Hitchhiker's Guide to the Galaxy). A new updated version was developed by Gemplus between 2000-2001.

In 2001 Arcot Systems (now CA Technologies) and Visa Inc.[2] with the intention of improving the security of Internet payments, and offered to customers under the Verified by Visa brand (later rebranded as Visa Secure). Services based on the protocol have also been adopted by Mastercard as SecureCode, by Discover as ProtectBuy,[3] by JCB International as J/Secure, and by American Express as American Express SafeKey.[4] Later revisions of the protocol have been produced by EMVCo under the name EMV 3-D Secure. Version 2 of the protocol was published in 2016 with the aim of complying with new EU authentication requirements and resolving some of the short-comings of the original protocol.[5]

Analysis of the first version of the protocol by academia has shown it to have many security issues that affect the consumer, including a greater surface area for phishing and a shift of liability in the case of fraudulent payments.[6]

Description and basic aspects

The basic concept of the protocol is to tie the financial authorization process with online authentication. This additional security authentication is based on a three-domain model (hence the "3-D" in the name). The three domains are:

  • Acquirer domain (the bank and the merchant to which the money is being paid),
  • Issuer domain (the card issuer),
  • Interoperability Domain (the infrastructure provided by the card scheme, credit, debit, prepaid or other types of a payment card, to support the 3-D Secure protocol). It includes the Internet, merchant plug-in, access control server, and other software providers.

The protocol uses XML messages sent over SSL connections with client authentication[7] (this ensures the authenticity of both peers, the server and the client, using digital certificates).

A transaction using Verified-by-Visa or SecureCode will initiate a redirection to the website of the card issuer to authorize the transaction. Each issuer could use any kind of authentication method (the protocol does not cover this) but typically, a password tied to the card is entered when making online purchases. The Verified-by-Visa protocol recommends the card issuer's verification page to load in an inline frame session. In this way, the card issuer's systems can be held responsible for most security breaches. Today it is easy to send a one-time password as part of an SMS text message to users' mobile phones and emails for authentication, at least during enrollment and for forgotten passwords.

The main difference between Visa and Mastercard implementations lies in the method to generate the UCAF (Universal Cardholder Authentication Field): Mastercard uses AAV (Accountholder Authentication Value) and Visa uses CAVV (Cardholder Authentication Verification Value).[clarification needed]

What is cid on credit card

3-D Secure Flow

ACS providers

In the 3-D Secure protocol, the ACS (access control server) is on the card issuer side. Currently, most card issuers outsource ACS to a third party. Commonly, the buyer's web browser shows the domain name of the ACS provider, rather than the card issuer's domain name; however, this is not required by the protocol. Dependent on the ACS provider, it is possible to specify a card issuer-owned domain name for use by the ACS.

MPI providers

Each 3-D Secure version 1 transaction involves two Internet request/response pairs: VEReq/VERes and PAReq/PARes.[7] Visa and Mastercard do not permit merchants to send requests directly to their servers. Merchants must instead use MPI (merchant plug-in) providers.

Merchants

The advantage for merchants is the reduction of "unauthorized transaction" chargebacks. One disadvantage for merchants is that they have to purchase a merchant plug-in (MPI) to connect to the Visa or Mastercard directory server. This is expensive[clarification needed] (setup fee, monthly fee, and per-transaction fee); at the same time, it represents additional revenue for MPI providers. Supporting 3-D Secure is complicated and, at times, creates transaction failures. Perhaps the biggest disadvantage for merchants is that many users view the additional authentication step as a nuisance or obstacle, which results in a substantial increase in transaction abandonment and lost revenue.[8]

Buyers and credit card holders

In most current implementations of 3-D Secure, the card issuer or its ACS provider prompts the buyer for a password that is known only to the card issuer or ACS provider and the buyer. Since the merchant does not know this password and is not responsible for capturing it, it can be used by the card issuer as evidence that the purchaser is indeed their cardholder. This is intended to help decrease risk in two ways:

  1. Copying card details, either by writing down the numbers on the card itself or by way of modified terminals or ATMs, does not result in the ability to purchase over the Internet because of the additional password, which is not stored on or written on the card.
  2. Since the merchant does not capture the password, there is a reduced risk from security incidents at online merchants; while an incident may still result in hackers obtaining other card details, there is no way for them to get the associated password.

3-D Secure does not strictly require the use of password authentication. It is said to be possible[9] to use it in conjunction with smart card readers, security tokens and the like. These types of devices might provide a better user experience for customers as they free the purchaser from having to use a secure password. Some issuers are now using such devices as part of the Chip Authentication Program or Dynamic Passcode Authentication schemes.[10]

One significant disadvantage is that cardholders are likely to see their browser connect to unfamiliar domain names as a result of vendors' MPI implementations and the use of outsourced ACS implementations by card issuers, which might make it easier to perform phishing attacks on cardholders.

General criticism

Verifiability of site identity

The system involves a pop-up window or inline frame appearing during the online transaction process, requiring the cardholder to enter a password which, if the transaction is legitimate, their card issuer will be able to authenticate. The problem for the cardholder is determining if the pop-up window or frame is really from their card issuer when it could be from a fraudulent website attempting to harvest the cardholder's details. Such pop-up windows or script-based frames lack any access to any security certificate, eliminating any way to confirm the credentials of the implementation of 3-DS.

The Verified-by-Visa system has drawn some criticism,[11][12][13][6] since it is hard for users to differentiate between the legitimate Verified-by-Visa pop-up window or inline frame, and a fraudulent phishing site. This is because the pop-up window is served from a domain which is:

  • Not the site where the user is shopping
  • Not the card issuer
  • Not visa.com or mastercard.com

In some cases, the Verified-by-Visa system has been mistaken by users for a phishing scam[14] and has itself become the target of some phishing scams.[15] The newer recommendation to use an inline frame (iframe) instead of a pop-up has reduced user confusion, at the cost of making it harder, if not impossible, for the user to verify that the page is genuine in the first place. As of 2022[update], web browsers do not provide a way to check the security certificate for the contents of an iframe. Some of these concerns in site validity for Verified-by-Visa are mitigated, however, as its current implementation of the enrollment process requires entering a personal message which is displayed in later Verified-by-Visa pop-ups to provide some assurance to the user the pop-ups are genuine.[16]

Some card issuers also use activation-during-shopping (ADS),[17] in which cardholders who are not registered with the scheme are offered the opportunity of signing up (or forced into signing up) during the purchase process. This will typically take them to a form in which they are expected to confirm their identity by answering security questions which should be known to their card issuer. Again, this is done within the iframe where they cannot easily verify the site they are providing this information to—a cracked site or illegitimate merchant could in this way gather all the details they need to pose as the customer.

Implementation of 3-D Secure sign-up will often not allow a user to proceed with a purchase until they have agreed to sign up to 3-D Secure and its terms and conditions, not offering any alternative way of navigating away from the page than closing it, thus suspending the transaction.

Cardholders who are unwilling to take the risk of registering their card during a purchase, with the commerce site controlling the browser to some extent, can in some cases go to their card issuer's website in a separate browser window and register from there. When they return to the commerce site and start over they should see that their card is registered. The presence on the password page of the personal assurance message (PAM) that they chose when registering is their confirmation that the page is coming from the card issuer. This still leaves some possibility of a man-in-the-middle attack if the cardholder cannot verify the SSL server certificate for the password page. Some commerce sites will devote the full browser page to the authentication rather than using a frame (not necessarily an iFrame), which is a less secure object. In this case, the lock icon in the browser should show the identity of either the card issuer or the operator of the verification site. The cardholder can confirm that this is in the same domain that they visited when registering their card if it is not the domain of their card issuer.

Mobile browsers present particular problems for 3-D Secure, due to the common lack of certain features such as frames and pop-ups. Even if the merchant has a mobile website, unless the issuer is also mobile-aware, the authentication pages may fail to render properly, or even at all. In the end, many[vague] analysts have concluded that the activation-during-shopping (ADS) protocols invite more risk than they remove and furthermore transfer this increased risk to the consumer.

In some cases, 3-D Secure ends up providing little security to the cardholder, and can act as a device to pass liability for fraudulent transactions from the card issuer or retailer to the cardholder. Legal conditions applied to the 3-D Secure service are sometimes worded in a way that makes it difficult for the cardholder to escape liability from fraudulent "cardholder not present" transactions.[6]

Geographic discrimination

Card issuers and merchants may use 3-D Secure systems unevenly with regard to card issuers that issue cards in several geographic locations, creating differentiation, for example, between the domestic US- and non-US-issued cards. For example, since Visa and Mastercard treat the unincorporated US territory of Puerto Rico as a non-US international, rather than a domestic US location, cardholders there may confront a greater incidence of 3-D Secure queries than cardholders in the fifty states. Complaints to that effect have been received by Puerto Rico Department of Consumer Affairs "equal treatment" economic discrimination site.[18]

3-D Secure as strong customer authentication

Version 2 of 3-D Secure, which incorporates one-time passcodes, is a form of software-based strong customer authentication as defined by the EU's Revised Directive on Payment Services (PSD2); earlier variants used static passwords, which are not sufficient to meet the directive's requirements.

3-D Secure relies upon the issuer actively being involved and ensuring that any card issued becomes enrolled by the cardholder; as such, acquirers must either accept unenrolled cards without performing strong customer authentication or reject such transactions, including those from smaller card schemes which do not have 3-D Secure implementations.

Alternative approaches perform authentication on the acquiring side, without requiring prior enrolment with the issuer. For instance, PayPal's patented 'verification'[19] uses one or more dummy transactions are directed towards a credit card, and the cardholder must confirm the value of these transactions, although the resulting authentication can't be directly related to a specific transaction between merchant and cardholder. A patented[20] system called iSignthis splits the agreed transaction amount into two (or more) random amounts, with the cardholder then proving that they are the owner of the account by confirming the amounts on their statement.[21]

ACCC blocks 3-D Secure proposal

A proposal to make 3-D Secure mandatory in Australia was blocked by the Australian Competition & Consumer Commission (ACCC) after numerous objections and flaw-related submissions were received.[22]

India

Some countries like India made use of not only CVV2, but 3-D Secure mandatory, a SMS code sent from a card issuer and typed in the browser when you are redirected when you click "purchase" to the payment system or card issuer system site where you type that code and only then the operation is accepted. Nevertheless, Amazon can still do transactions from other countries with turned-on 3-D Secure.[23]

3-D Secure 2.0

In October 2016, EMVCo published the specification for 3-D Secure 2.0; it is designed to be less intrusive than the first version of the specification, allowing more contextual data to be sent to the customer's card issuer (including mailing addresses and transaction history) to verify and assess the risk of the transaction. The customer would only be required to pass an authentication challenge if their transaction is determined to be of a high risk. In addition, the workflow for authentication is designed so that it no longer requires redirects to a separate page, and can also activate out-of-band authentication via an institution's mobile app (which, in turn, can also be used with biometric authentication). 3-D Secure 2.0 is compliant with EU "strong customer authentication" mandates.[5][24][25]

See also

  • Secure electronic transaction (SET)
  • Merchant plug-in (MPI)
  • EMV

References

  1. ^ "3-D Secure".
  2. ^ "Visa USA tightens security with Arcot". ZDnet.
  3. ^ "ProtectBuy". discover.com. Archived from the original on 2019-08-22. Retrieved 2019-08-22.
  4. ^ "SafeKey". AmericanExpress.com. Archived from the original on 2011-08-07. Retrieved 2010-08-11.
  5. ^ a b "Merchants can't let 'PSD2' and 'SCA' be vague initials". PaymentsSource. 12 June 2019. Retrieved 2019-07-11.
  6. ^ a b c Murdoch, Steven J.; Anderson, Ross (25–28 January 2010). Sion, R. (ed.). Verified by Visa and MasterCard SecureCode: or, How Not to Design Authentication (PDF). Financial Cryptography and Data Security FC2010. Vol. 6052. Tenerife: Springer. pp. 336–342. doi:10.1007/978-3-642-14577-3_27. ISBN 978-3-642-14992-4. Retrieved 2012-04-23.
  7. ^ a b "Verified by Visa Implementation Guide" (PDF).
  8. ^ "Are Verified by Visa and MasterCard SecureCode Conversion Killers?". practicalecommerce.com. 14 June 2013. Retrieved 2013-07-30. This 2010 study documented increases in the number of abandoned transactions of 10% to 12% for merchants newly joining the program.
  9. ^ "Card authentication and 3D Secure". stripe.com. Retrieved 2021-08-25.
  10. ^ "What is 3D Secure? Advantages for E-commerce". MONEI. Retrieved 2021-08-25.
  11. ^ "Antiworm: Verified by Visa (Veriphied Phishing?)". Antiworm.blogspot.com. 2006-02-02. Retrieved 2010-08-11.
  12. ^ Muncaster, Phil. "Industry lays into 3-D Secure - 11 Apr 2008". IT Week. Archived from the original on 2008-10-07. Retrieved 2010-08-11.
  13. ^ Brignall, Miles (2007-04-21). "Verified by Visa scheme confuses thousands of internet shoppers". The Guardian. London. Archived from the original on 6 May 2010. Retrieved 2010-04-23.
  14. ^ "Is securesuite.co.uk a phishing scam?". Ambrand.com. Archived from the original on 2010-06-16. Retrieved 2010-08-11.
  15. ^ "Verified By Visa Activation – Visa Phishing Scams". MillerSmiles.co.uk. 2006-08-22. Archived from the original on 8 July 2010. Retrieved 2010-08-11.
  16. ^ "Verified by Visa FAQs". www.visa.co.uk. Retrieved 6 October 2016.
  17. ^ "Activation During Shopping" (PDF). Visa Europe. Retrieved 2010-08-11.
  18. ^ "daco.pr.gov". daco.pr.gov. Archived from the original on 2014-08-12. Retrieved 2014-07-17.
  19. ^ "US2001021725 System and Method for Verifying a Financial Instrument". Patentscope.wipo.int. 2002-01-17. Retrieved 2014-07-17.
  20. ^ "AU2011000377 Methods and Systems for Verifying Transactions". Patentscope.wipo.int. Retrieved 2014-07-17.
  21. ^ "EPCA Payment Summit: iSignthis presents its authentication service as an alternative to 3D Secure". The Paypers. Archived from the original on 2013-11-01. Retrieved 2014-07-17.
  22. ^ "ACCC Releases Draft Determination Against Mandated Use Of 3D Secure For Online Payments".
  23. ^ "Amazon.in Help: About CVV and 3-D Secure". www.amazon.in. Archived from the original on 2021-06-24. Retrieved 2020-06-17. 3-D secure password has been made mandatory by the Reserve Bank of India to ensure safer online shopping. This will prevent misuse of a lost/stolen card as the user will be unable to proceed unless they enter the password associated with your card, created by yourself and known only to you.
  24. ^ "Adyen Touts Its 3-D Secure 2.0 Service As "First" to Market". Digital Transactions. Retrieved 2019-07-11.
  25. ^ Godement, Olivier. "Stripe: 3D Secure 2 - Guide to 3DS2 Authentication". Stripe. Retrieved 2019-07-11.

  • American Express SafeKey (consumer site)
  • American Express SafeKey (global partner site)
  • Verified by Visa
  • Activating Verified by Visa
  • Verified by Visa Partner Network
  • Mastercard SecureCode home page
  • usa.visa.com
  • Discover Global Network ProtectBuy

Retrieved from "https://en.wikipedia.org/w/index.php?title=3-D_Secure&oldid=1111204791"