The Internet Encyclopedia (Volume 3)



256 SECURE ELECTRONIC TRANSACTIONS (SET)

point of purchase prior to accepting the card as payment.
Meantime, Mastercard emerged in early 2002 with its own
standard for Mastercard-branded products, called Secure
Payments Application, or SPA.

Verified by Visa
To implement VbV, merchants are only required to install
Visa-supplied software to activate a cardholder interface
that challenges cardholders for passwords or asks them to
insert their Visa smart cards into smart card readers and
enter PINs.
Cardholders register for Verified by Visa with their participating
issuer banks and can use the service when shopping
at merchants that are enrolled for Verified by Visa
through their merchant acquirer banks.
Verified by Visa works with traditional magnetic-strip
cards using a password to identify the cardholder and also
with Visa smart cards using cryptographic processing on
the chip that can only be activated with the correct entry
of a PIN at the time of purchase. Issuer banks must be
enrolled in Verified by Visa for cardholders to use the service;
otherwise the credit card payment is processed as a
traditional card-not-present transaction.
The overall objectives of Verified by Visa are to improve
the security of e-commerce payment transactions
and to improve both cardholder and merchant confidence
in Internet purchases, as well as to reduce disputes and
fraudulent activity related to the use of Visa payment
cards.

Components Within Verified by Visa
Verified by Visa consists of the following components that
support cardholder enrollments with issuer banks and
cardholder authentication to determine payment authorization:

Merchant Commerce Server: Hardware and software to
support online transactions and facilitate communication
between the merchant application and the merchant’s
acquirer bank.
Merchant Software: Software integrated into the merchant’s
e-commerce environment that enables merchants
to participate in the Verified by Visa service.
Validation Server: Software that verifies issuer identity on
digitally signed authentication responses sent to the
merchant. Merchants integrate this software into their
commerce server software.
Directory Server: Identifies participating Verified by Visa
issuers and cardholders and routes authentication dialog
between merchants and the appropriate issuer access
control server. This server is operated by Visa.
Transaction Manager Server: Stores, in the transaction
manager database, the transactions for which authentication
was performed. The database is used to verify
authenticated transactions and to provide additional
information during the dispute process. This server is
operated by Visa.
Visa Integrated Processing (VIP) Systems: Provides authorization,
clearing, and settlement services through
VisaNet for Visa members.
Issuer Access Control Server (IACS): Stores information
about enrolled cardholder accounts and account access
information in the account holder file (AHF). The
server validates cardholder participation in the service
and provides digitally signed authentication response
data to merchants. The IACS is operated by the issuer,
processor, or Visa, on behalf of the issuer.
Issuer Enrollment Server: A server that manages cardholder
enrollment by presenting a series of questions
to be answered by the cardholder and verified by the
issuer. The enrollment server is operated by the issuer,
its processor, or Visa on behalf of the issuer.
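
The division of labor between the issuer access control server, which signs
the authentication response, and the merchant's validation server, which
checks issuer identity on it, can be sketched as follows. This is an added
example, not Visa's software or code from the original text: the issuer ids,
field names, and result strings are hypothetical, and the signature is
textbook RSA over small constructed keys, used only so the sketch runs offline.

```python
import hashlib
import json

# Constructed demo keys: textbook RSA over known Mersenne primes. Far too
# small and unpadded for real use; they only make the example run offline.
def make_key(p, q, e=65537):
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

ISSUER_KEYS = {  # hypothetical issuer ids -> key pairs held by each issuer
    "issuer-a": make_key(2**127 - 1, 2**107 - 1),
    "issuer-b": make_key(2**89 - 1, 2**61 - 1),
}
# The merchant's validation server holds only the public halves.
TRUSTED = {i: (k["n"], k["e"]) for i, k in ISSUER_KEYS.items()}

def digest(fields, n):
    # Canonical encoding so signer and verifier hash identical bytes.
    blob = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big") % n

def acs_sign(issuer, fields):
    """Issuer access control server: sign the authentication response."""
    key = ISSUER_KEYS[issuer]
    sig = pow(digest(fields, key["n"]), key["d"], key["n"])
    return {"issuer": issuer, "fields": fields, "sig": sig}

def validate(response, expected_issuer, trusted):
    """Validation server: accept only a response signed by the issuer the
    directory server routed this card account to (assumed to be known)."""
    if response["issuer"] != expected_issuer:
        return "reject: unexpected issuer"
    pub = trusted.get(expected_issuer)
    if pub is None:
        return "reject: no trusted key for issuer"
    n, e = pub
    if pow(response["sig"], e, n) != digest(response["fields"], n):
        return "reject: bad signature"
    # Check the outcome only after the signature proves who stated it.
    if response["fields"].get("status") != "authenticated":
        return "reject: authentication failed"
    return "accept"

if __name__ == "__main__":
    ok = acs_sign("issuer-a", {"txn": "T-1001", "status": "authenticated"})
    print(validate(ok, "issuer-a", TRUSTED))
    ok["fields"]["status"] = "failed"          # altered after signing
    print(validate(ok, "issuer-a", TRUSTED))
```

The order of checks matters: the status field is trusted only after the
signature has been verified against the expected issuer's key.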

Payer Authentication Processing
The seven steps below follow a transaction from initiation
to completion using Verified by Visa:

Step 1. The Cardholder Makes a Purchase
After merchandise selection through traditional online shopping
steps, the cardholder proceeds to checkout. At checkout,
the cardholder may complete the requested information
in any of a variety of ways, including self-entry, an electronic
wallet, merchant one-click, or other checkout capabilities.
After the purchase information is entered, the
cardholder selects the “buy” button. This activates the
merchant plug-in to determine if the Visa card account
participates in Verified by Visa.

Step 2. The Merchant Starts the Authentication Process
The merchant plug-in identifies the account number and
queries the Visa directory server to determine if the card
account is enrolled in Verified by Visa. If the account number
does not participate, the merchant plug-in returns the
transaction to the merchant’s commerce server and the
merchant proceeds with a standard authorization request.
If the account number participates in Verified by Visa, the
Web site address of the issuer access control server is returned
to the merchant plug-in.

Step 3. The Issuer Access Control Server Takes Control
For participating cardholders, the merchant plug-in sends
an authentication request to the issuer via the cardholder’s
browser. The issuer access control server displays a pop-up
screen to the cardholder displaying information for
that purchase and prompts the cardholder to enter his or
her password. The cardholder enters the password and the
issuer server verifies it. A cardholder is given a maximum
of three attempts for password entry. If the cardholder is
unable to correctly enter his/her password, the cardholder
is prompted with the hint that was established during enrollment.
The cardholder is given one last chance to enter
the correct response. If answered correctly, the transaction
continues as if the password was entered correctly. If
answered incorrectly, an authentication failed response is
returned to the merchant. If the cardholder has a smart
Visa card, the issuer server also prompts for insertion of
the chip card in the reader to initiate a dialogue with the
chip. The smart Visa card generates a cryptogram that is
sent to the issuer access control server along with the related
transaction data used to generate the cryptogram.
The server validates the cryptogram and determines if the