It's interesting both that there have been no comments so far about this story and that there are quite a number of other blogs where the value of 3-D secure has been questioned. This seems to be an example of the Emperor's new clothes where everyone knows he is naked but won't admit it.
My experience of 3-D secure tends to support the Cambridge findings that there are inherent weaknesses. Each Bank tends to implement it differently and it isn't an integrated solution in that I am often called to verify transactions I have undertaken using it. What point a validation at purchase if the strength of verification isn't passed on to the paying Bank?
The problem I think is not just technical but much deeper rooted. Sure it is possible to devise a better technical solution and one is certainly needed. The problem however is more fundamental and is one of Governance.
In the past Visa and MasterCard were both wholly Bank owned and Banks which were issuers were often acquirers too. Now we have a total mix of issuers and acquirers and Visa & MasterCard are no longer wholly Bank owned. Who then are they working for? Their shareholder or their members? There seems to me to be a duopoly (members & shareholders) of interests which is in no one's interest. I may be wrong but it may not be long before the issuers and acquirers decide that their interests are better served by setting up a new payment system.
Ultimately it's an issue of standards. If someone can come up with an open but secure payments protocol with the ability to route transactions to the issuer for authorisation then why do we need an expensive middle layer called Visa & MasterCard?
There are already other options to V&MC. China Union Pay is already a major card system quite independent of the duopoly (of V&MC). Despite appearing unassailable I doubt whether in ten years' time the payment landscape will bear any resemblance to what it does now. And maybe it really will offer a simple, secure, consistent and integrated authorisation process.