Adopting 3D Secure for GPN Card in Indonesia
The technology behind your credit and debit card transactions in online merchants.
What is 3D Secure?
3D Secure is the technology behind your credit and debit card transactions in online merchants. When you are going to pay something in an online merchant by credit or debit card, this technology helps your payment safe and eliminates the risk of fraud.
The earliest version of this technology was developed by Arcot System in 1999 and adopted by Visa in 2001. Then, the other card issuers like Mastercard, JCB, American express roll out their own product.
The Benefit of using 3D Secure
- Reduces risk fraud
By using an additional layer of security, it can make it harder for scammers to commit online fraud.
2. Offer more protection for the customer
Card information of the customer will be safe and harder to be stolen. 3D secure use more than 1 encryption technology between merchants, directory servers, and Issuing Bank.
3. Facilitate more transaction
It will expand the transaction because the customer will have more options to pay by using their credit or debit card on online merchants all over the world.
GPN Card Challenges
GPN (Gerbang Pembayaran Nasional) cards are issued by the Central Bank of Indonesia and supported by 4 local principals in Indonesia. The cards are not associated with international principles like Visa, Mastercard, etc. In practice, each card will only be processed by the issuer card. Visa cards will be processed by Visa, Mastercard cards will be processed by Mastercard, and so on. That means GPN cards cannot be used in 3D secure technology used by international principals.
For now, if you want to pay your online transaction using your debit card with the GPN logo, you will not find the feature on the merchant where you want to pay. This is since the implementation is still in a penetration stage to adopt 3DS technology to GPN cards by local principals. Hence, only certain cards can be used to pay online in a few merchants.
Adopting by Local Principals
As 3D secure models, we need 3 domains to implement this technology:
- Acquirer Domain → refers to the merchant where the customer will pay something. It includes the payment gateway
- Interoperability Domain → refers to local principals in Indonesia as a directory server
- Issuer Domain → refers to the Bank of the card being issued. It includes an Access Control Server.
ALTO Network as one of the biggest local principals in Indonesia helps to speed up this penetration to Indonesia. In this particular part, ALTO Network has a role as a directory server and provides the protocols standard. ALTO Network also has been cooperating with online merchants and payment gateways to expand and speed up the network so that GPN cardholders can do online transactions in many online merchants around the world. It means acquire domain and interoperability domain has been covered by ALTO Network.
The most challenging part is in the issuer domain. Issuing Banks need to enhance their own system, so they can authenticate and authorize the financial transaction online. They need an Access Control Server as an authentication system that can make the transaction secure and avoid fraud.
Access Control Server (ACS)
The basic concept of an Access Control Server is a server/system to receive 3D Secure messages, process the messages, and authenticate the card user. ACS has some features to cover the needs, there are:
The authentication method of ACS
As an authentication system, ACS has multiple authentication methods for customer transactions.
1. SMS OTP
2. Email OTP
3. Out of Band
4. Biometrics Authentication method
5. Risk-Based Authentication
6. Etc
With those features, Issuing Banks give an additional service for the customers to choose the authentication method they want to use.
● Management of Card Data
Issuing banks can manage their cards in order to facilitate which cards can be used for transactions or not. This feature helps Issuing Banks to handle fraud and customer complaints easily. Issuer Banks can add new cards, delete cards, or update card statuses like active cards, inactive cards, or blocked cards.
● Fraud Detection and Risk Scoring
Fraud detection and risk scoring are additional features of ACS but those make your transaction more secure. Fraud detection keeps your transactions clear from fraud so the transaction will be filtered before being authenticated by the system. Risk scoring will calculate your transaction by using parameters that are sent by merchants.
ALTO Network has an Access Control Server product, named ALTO Online Secure (AOS), to support Issuing Bank in Indonesia for implementing this technology. AOS has basic features as mentioned above: multiple authentication methods, card management, and fraud detection.
AOS also has many valuable features to easily manage the ACS system:
● Customization cardholder-facing pages
● Multiple card types and BIN range on one system
● Dashboard monitoring transactions and reports, and
● Provide issuer-specific features
By having all parts of 3D secure: Issuer domain, Interoperability domain, and Acquire domain, Indonesia has implemented 3D Secure technology by its own protocols to support GPN cards. For now, we (local principal Indonesia, Issuing Banks, online merchants, and payment gateway) need cooperation to achieve it. Hence, Indonesian especially GPN cardholders, can do online transactions easily and securely in many online merchants.
The last, I will put a quote from Alexander Peh, Paypal, and Braintree
“The major winners will be financial services companies that embrace technology.”
If we embrace technology together, we all will win together.
See you!
