Cardholder Authentication

Putting chips in credit cards has reduced credit card fraud for in-store transactions, but fraudsters have shifted their efforts to online transactions, and the rate of online credit card fraud has increased. Reducing online fraud requires cardholder authentication. The 3-D Secure 1.0 protocol introduced in 1999 provides cardholder authentication, but is unpopular with consumers and rarely used in the US due to the friction that it creates and the risk of transaction abandonment that results from the friction. The forthcoming 3-D Secure 2.0 reduces friction for low risk transactions, but by giving up on cardholder authentication altogether, replacing it with a risk assessment by the issuing bank based on data supplied by the merchant, at a cost in cardholder privacy.

We have invented a method of securing online credit-card payments with strong two-factor cryptographic authentication of the cardholder, without friction and without a privacy cost. This paper provides the details:

and this blog post introduces the paper: