
Mastercard's Response to the Online Payments Quandary
By Mark Merkow, CCP, CISSP

January 10, 2002


Now that we've wrapped up 2001 (thank heavens!), it's time to take a sneak peek into another major industry initiative that will affect how you process credit cards online beginning sometime in 2002. For purposes of equal coverage and to set the stage for next month's EC Outlook column on Cyota Inc., it's instructive to examine what Mastercard International is up to in securing payment card transactions.

A few months ago, I wrote that the Verified by Visa program rollout was imminent, and early in December 2001, Bank of America announced its availability to card holders.

Since it's apparent that the Secure Electronic Transaction (SET) coffin has received its final set of nails from Visa and MasterCard (at least in the US), two payment card protocol specifications are on developer radar screens, and we'll be seeing a bevy of products that support BOTH the Verified by Visa (aka VbV, aka 3-Domain Secure, aka Visa Authenticated Payments, aka Visa Payer Authentication) and Mastercard's Secure Payment Application (SPA). This month, we'll take a closer look at SPA.

Mastercard Objections to VbV
Mastercard notes that the VbV service will add processing time to transactions, take customers off the merchant Web site, and add complexity to integration, and it has pledged not to support VbV. Instead, the SPA solution is Mastercard's answer to the card-not-present transaction problem. SPA relies on Mastercard's Universal Cardholder Authentication Field (UCAF) infrastructure to improve online security of payment transactions and reduce chargebacks for fraudulent transactions. SPA consists of these elements:

  • Issuer-provided SPA-enabled E-wallet
  • SPA/UCAF value generation
  • Cardholder authentication
  • Merchant collection, presentation, and processing of SPA/UCAF data
  • Acquirer acceptance and processing of SPA/UCAF data
  • Banknet support to carry SPA/UCAF data
  • Authorizations support of SPA/UCAF

What's UCAF?
UCAF is a 32-byte field with a variable data structure that is useful to support any number of authentication approaches to cardholder identities, including:

  • SPA
  • Biometrics
  • Digital certificates
  • Smartcards
  • Mobile and pervasive devices support

The flow for SPA processing, according to Mastercard, follows.

Cardholder Setup
The cardholder visits their credit card issuer's Web site, registers their card with SPA, establishes a password or PIN, and downloads and installs a SPA-enabled e-wallet.

Transaction Flow

  1. Upon checkout, all traditional data is still collected (name, shipping address, billing address, etc.) whether it's filled-in by the cardholder, entered via a wallet, or already stored by the Merchant. This data is then posted to a Web page that the SPA-enabled wallet can access.
  2. Once the SPA-wallet retrieves the data, it generates a payment authentication request and sends it to the Issuer's Wallet Server.
  3. Upon receipt of the data from the SPA-wallet, the Issuer's Wallet Server challenges the identity of the cardholder using any method selected by the Issuer (entry of password or PIN, insertion of Smartcard, etc.). If the challenge is met with a successful response from the cardholder, the Wallet Server generates a transaction-specific authentication token and sends it back to the SPA-wallet. This token is referred to as the SPA/UCAF.
  4. The cardholder's wallet then populates the Merchant's payment page with payment card details, optionally with the Mastercard Card Validation Check Value (CVC2), and the SPA/UCAF token within a hidden field. The page is then posted back to the Merchant Web server.
  5. Once the merchant server receives the data, it will format an Authorization Request to the Acquirer and send along the SPA/UCAF token as a new attribute in the request.
  6. The Authorization Request is then placed on Banknet and routed to the Issuer Bank for a response.
  7. When received, the Issuer Bank validates that the SPA/UCAF is authentic and has not been previously used with a different transaction, then issues an approval or decline on the request based on the state of the underlying payment card. The response is then returned through the networks back to the Merchant Server for further processing of the sale.
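
To make steps 3 and 7 concrete, here is an added sketch (not Mastercard's specification, and not code from this article) of an issuer that mints a transaction-specific token and later checks that it is authentic and has not been used with a different transaction. The 8-byte nonce plus truncated HMAC-SHA256 layout, the auth_ref request identifier, and all names and sample values are assumptions made for illustration; only the 32-byte field size comes from the article.

```python
import hashlib
import hmac
import os

UCAF_LEN = 32   # the article gives UCAF as a 32-byte field
NONCE_LEN = 8   # assumed layout: 8-byte nonce + 24-byte truncated MAC


def _mac(key, nonce, pan, amount_cents, merchant_id):
    # Length-prefix every field so values cannot be shifted between fields.
    msg = nonce
    for field in (pan, str(amount_cents), merchant_id):
        raw = field.encode()
        msg += len(raw).to_bytes(2, "big") + raw
    return hmac.new(key, msg, hashlib.sha256).digest()[:UCAF_LEN - NONCE_LEN]


class Issuer:
    """Stands in for the Wallet Server (step 3) and the Issuer Bank (step 7)."""

    def __init__(self, key):
        self._key = key
        self._used = {}  # nonce -> auth_ref of the request that first used it

    def issue_token(self, pan, amount_cents, merchant_id):
        # Step 3: call only after the cardholder has passed the challenge.
        nonce = os.urandom(NONCE_LEN)
        return nonce + _mac(self._key, nonce, pan, amount_cents, merchant_id)

    def validate(self, token, pan, amount_cents, merchant_id, auth_ref):
        # Step 7: the token must be authentic for exactly these details...
        if len(token) != UCAF_LEN:
            return "decline: malformed"
        nonce, tag = token[:NONCE_LEN], token[NONCE_LEN:]
        expected = _mac(self._key, nonce, pan, amount_cents, merchant_id)
        if not hmac.compare_digest(tag, expected):
            return "decline: not authentic"
        # ...and must not have been used with a different transaction.
        if self._used.setdefault(nonce, auth_ref) != auth_ref:
            return "decline: replayed"
        return "authentic"


if __name__ == "__main__":
    issuer = Issuer(os.urandom(32))           # constructed demo key
    pan, shop = "5500000000000004", "SHOP-1"  # constructed sample values
    token = issuer.issue_token(pan, 4999, shop)
    print(issuer.validate(token, pan, 4999, shop, "auth-1"))
    print(issuer.validate(token, pan, 9999, shop, "auth-2"))
    print(issuer.validate(token, pan, 4999, shop, "auth-3"))
```

A result of "authentic" only clears the token check; as step 7 says, the approval or decline still depends on the state of the underlying payment card.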

SPA is intended to offer the digital equivalent of a physical cardholder signature on a Record of Charge, and bring the Holy Grail of Card-present transactions to the Internet. Whether Mastercard Merchant Services banks change their policies on chargebacks with SPA/UCAF transactions still remains to be seen.

You can find an online demonstration of SPA at the Mastercard International Web site and see for yourself how it's designed to operate. Meanwhile, 2002 is going to make for an interesting ride, and hopefully bring a swift end to some of the chargeback problems we've been plagued with for years.

Check back soon to see how VbV and SPA are quickly coming to life and how you can make them happen for yourselves and your customers!
