3-D Secure is an XML-based protocol which adds an additional security layer to online credit card payments. The protocol was deployed by Visa in December 2001 as «Verified by Visa» and has also been adopted by Mastercard as «SecureCode». In the 3-D Secure protocol, each card issuing bank is required to maintain an Access Control Server (ACS) to support cardholder authentication. Customers authenticate themselves to this ACS by providing login information as username and password; the ACS gives the result as a success or a failure. This signature is then passed through the customer's browser and to the Merchant Plug-In (MPI) which verifies the ACS signature. MPI is installed with the acquiring banks, third party payment processors and merchants to activate the cardholder interface during the authentication process. MPI identifies the account number and queries card issuer servers to determine if it is enrolled in a 3-D Secure program; it then returns the web site address of the ACS if it is found.