Visa offers security spec for e-transactions

Teaming up with more than 60 technology vendors, Visa International Inc. has rolled out a new technical specification to support payment authentication services for online credit card transactions worldwide.

Foster City, Calif.-based Visa International's new 3-D Secure 1.0 specification puts a global spin on payment authentication capabilities that Visa's U.S. operations detailed in May. But at least one industry analyst criticized Visa's specification, saying that it and others like it used technology that was "lying around the shop" and that it could be a lot smarter.

Front-End Limitations

The technology lets consumers buying items online authenticate their identities with passwords or personal identification numbers through windows that pop up after their credit card numbers are entered.

Cardholders can use traditional Visa cards or smart cards at the electronic storefront. But that's where the smart-card technology stops at the front end. Analysts said the system could go further by allowing card-issuing banks to tie that information into relational databases that could, for example, add frequent-flier miles based on a rewards program to the card's memory.

"I wish that [Visa and MasterCard] and American Express and Discover would take chips seriously and use it for the security it offers," said Theodore Iacobuzio, an analyst at Needham, Mass.-based research and consulting firm TowerGroup.

IT managers at hundreds of banks and retailers will now be faced with installing the new specification during the next 18 months. Inc. in Costa Mesa, Calif., decided to jump on board Visa's new authentication network because the company believes the specification gives customers better security than chief competitor and market leader Ticketmaster.

"When you talk to customers about their biggest concern over conducting transactions on the Internet, security comes out as their No. 1 major concern," said Andy Donkin, president of's Internet ticketing group.

Mark Redding, vice president of Web development at, said he spent two weeks configuring his Web servers for the new specification and had a "few issues" with that end of the implementation. But, he added, "the coding literally took less than a week."

Oliver Althoff, a spokesman for Fleet Credit Services in Boston, said the installation difficulties on the back end depend entirely on a financial service company's existing network. For Fleet, which has a robust customer service network, it was an eight-month process that included adding Web servers both on- and off-site for redundancy and backup capability.

"We had some significant expenses around the smart-card technology, but we had a robust servicing platform that we were able to piggyback on," Althoff said.

Randi Purchia, an analyst at AMR Research Inc. in Cambridge, Mass., agreed with Iacobuzio that the technology Visa is using is nothing new. Merchants will be quick to adopt it because verifying the cardholder's identity promises to cut in half the number of chargebacks, or failed purchase attempts, they currently experience, Purchia said.

"I'd agree that the smart-card solution is the place where this is all heading," Purchia said. "It's just not moving as fast as we would hope."