Title: RE: 3D Secure Vulnerabilities?

Yes, authentication and authorization are two separate steps.
The transaction amount is sent twice.
The merchant may change the amount submitted for authorization. However, the cardholder may dispute the transaction.


-----Original Message-----
From: Jack A. Hudson [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 26, 2001 8:52 PM
To: 'Anders Rundgren'; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: RE: 3D Secure Vulnerabilities?


>
> >> Regarding #4: The digital signature makes the transaction tamperproof.
>
> >But, the transaction is sent twice: once for display in the password
> >dialog and again for authorization.  A digital signature guarantees
> >integrity through one data transit.  But it doesn't guarantee
> >equivalence of two separate transmissions sent to two separate servers.
>
> The transaction sent twice? I do not have the latest draft so I
> may be misinformed but I thought the transaction request (Shopping Cart)
> was sent to the customer's bank through the browser.  The return
> is not a shopping cart but a payment authorization.

I don't think that's how it works.  If I'm understanding you, you're
saying authentication and authorization are done in one step.  The
merchant asks the issuer to do both and return a payment authorization.
But that's not what's happening.  VbV is a two pass process.  The
merchant asks for authentication (issuer).  If successful, merchant then
asks for authorization (acquirer).


>
> >For example, the merchant sends transaction information to issuer for
> >display in password dialog.  Digital signature guarantees issuer
> >receives untampered transaction data. After authentication, merchant
> >sends transaction to acquirer.  Digital signature guarantees acquirer
> >receives untampered transaction data.  But, the digital signatures don't
> >ensure the issuer and acquirer got the same data. Right?
>
> Aqquirer can only use data that the issuer issued (under the control
of
> its client),
> so I don't understand what the merchant could do in this case.

The issuer doesn't issue the data.  The merchant does.  The issuer only
issues a "success" code for authentication.
