[_] 3D SECURE
Jonathan Burke
imprecision at gmail.com
Tue Dec 4 12:00:06 GMT 2007
There are two routes for dealing with payments online. They're often referred to as the "Direct" and "Redirect" methods. The Direct method is where your site takes the details and does whatever it needs to do with the banks in the background, behind the scenes. The Redirect method is where you redirect the customer to the bank's site for the payment bit.

If you use the Direct method you will have to do all the work when new systems like 3D Secure are rolled out. If you use the Redirect method, the bank will have to do that work, the new features just appearing in your payment process as they're released. Hence the Redirect method being not only more secure in that you aren't dealing with the card details, but also a lot easier for you to implement.

3D Secure was *supposed* to be rolled out early 2006. It's dragged a lot. It's a merchant option; merchants can choose to have it switched on or not. It's in their interest to do so - a 3D Secured transaction is guaranteed to them by the banks.

3D Secure does not benefit the customer. If anything it makes it worse, having to type in their 'secret' password all the time at various sites and if their password is ever compromised - they are at fault. No comeback.

If your clients need a good reason to switch to redirect - refer them to the PCI DSS guidelines they are required to adhere to otherwise.

-j