3D Secure

Overview

Building a modern checkout experience requires merchants to balance security against ease of use for their customers, while also meeting strict regulatory requirements. 3D Secure (3DS) helps on both fronts: it can prevent fraud and satisfy Strong Customer Authentication (SCA) requirements.

What's 3D Secure?

3D Secure (3DS) is a security protocol designed to add an extra layer of security for online transactions. 3DS links three domains — the issuer domain, the acquirer domain, and the interoperability domain (which includes the card scheme, payment processors, merchant plugins, and access control servers) — to facilitate data sharing and authenticate transactions through an additional verification step during checkout. 3DS involves requesting further information from the customer, aiding in identity verification and assessing the risk of fraud. Merchants adopting 3DS benefit by reducing fraud risk, as the liability for chargebacks on transactions verified through 3DS shifts from them to the card issuer.

3DS serves as a foundational mechanism for implementing Strong Customer Authentication (SCA) requirements, especially crucial in regions like the European Economic Area under the PSD2 regulation. SCA mandates a two-factor authentication process for online transactions to enhance security measures against fraud. By integrating 3DS, payment processors and merchants can comply with these regulatory requirements, ensuring that transactions meet the necessary authentication standards to protect consumer data and reduce fraudulent activity.

The latest iteration, 3DS2, builds upon the original by incorporating additional data transfer capabilities, such as device information, into the authentication process. This version is designed to make risk assessments more accurate, allowing issuers to approve more transactions without additional verification steps. 3DS2 has been optimized for mobile and other digital transactions, focusing on reducing friction and improving the user experience during checkout, which in turn can help increase conversion rates and provide a more streamlined payment process.

Looking towards the future of authentication, 3DS is evolving to facilitate more sophisticated data-sharing mechanisms. Innovations like 3DS Data-Only, Visa's Digital Authentication Framework, and the anticipated integration of Machine Learning (ML) and Artificial Intelligence (AI) into authentication processes represent the next frontier. These advancements aim to enhance the security and efficiency of online transactions by leveraging extensive data analysis and predictive algorithms to authenticate user identities. As these technologies develop, they will likely set new standards for secure and user-friendly online payment authentication, further strengthening the digital commerce ecosystem.

Most card brands have their own 3D Secure services. We support the following:

  • Visa Secure (formerly known as Verified by Visa)
  • MasterCard Identity Check and MasterCard SecureCode (including Maestro)
  • Discover ProtectBuy (including Diners Club)
  • American Express SafeKey

What is SCA?

Strong Customer Authentication (SCA) is part of the PSD2 regulations, which mandate that many transactions be carried out securely using at least 2 forms of customer authentication as outlined in the PSD2 regulatory technical standards. This means that merchants need to provide card issuers with two independent authentication factors from their customers for the transaction to be approved.

There are 3 authentication factors laid out in the specification:

  • Knowledge: Something you know, typically a password or PIN.
  • Possession: Something you have, such as a device or credit card.
  • Inherence: Something you are physically, typically a fingerprint or other biometric.

Issuers will vary on whether they support all three authentication factors, and which methods they use for each factor.

3D Secure is the standard way to meet SCA requirements.

When is SCA required?

SCA is currently required only when both the acquirer country and the issuer country are regulated by PSD2, such as countries in the EEA. This means that merchants who contract with an acquirer licensed in a PSD2 country will likely see an increase in declines on transactions processed on credit cards issued in a PSD2-regulated country if SCA requirements are not met. This should not be the case for transactions processed on a card issued in a non-PSD2-regulated country, nor does it apply to merchants contracting with acquirers licensed in non-PSD2-regulated countries, regardless of whether the card is issued in a PSD2-regulated country.

Payment flow

To make a 3D Secure call:

  • Generate a client token
  • Render a checkout page to collect customer payment information
  • Verify the credit card amount
  • The customer may then be prompted to authenticate if requested by the issuing bank, or otherwise required to do so by relevant local legislation
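The following is an added example, not code from this page or its SDK, showing the merchant-side decision that follows the flow above: it combines the "When is SCA required?" rule (both acquirer and issuer country must be PSD2-regulated) with the liability-shift outcome of the 3DS verification step. The verification-result shape, the status names and the country list are assumptions.

```javascript
// Added example: decide whether a checkout may proceed after the 3DS step.
// Rule 1 (from the page): SCA applies only when BOTH the acquirer and the
//   issuer country are regulated by PSD2 (e.g. EEA members).
// Rule 2 (from the page): chargeback liability shifts to the issuer only for
//   transactions that 3DS actually verified.

// Constructed, partial list of PSD2-regulated countries (ISO 3166-1 alpha-2).
const PSD2_COUNTRIES = new Set([
  'AT', 'BE', 'DE', 'DK', 'ES', 'FI', 'FR', 'IE', 'IT', 'NL',
  'PL', 'PT', 'SE', 'NO', 'IS', 'LI',
]);

function scaRequired(acquirerCountry, issuerCountry) {
  return PSD2_COUNTRIES.has(acquirerCountry.toUpperCase()) &&
         PSD2_COUNTRIES.has(issuerCountry.toUpperCase());
}

// Assumed shape of the verification result handed back after "Verify the
// credit card amount":
//   { status: 'authenticated' | 'failed' | 'unavailable' | 'not_enrolled',
//     liabilityShifted: boolean }
function checkoutDecision({ acquirerCountry, issuerCountry, verification }) {
  const { status, liabilityShifted } = verification;

  if (status === 'failed') {
    // The customer did not pass the issuer's authentication: never submit.
    return { proceed: false, reason: 'customer failed 3DS authentication' };
  }
  if (liabilityShifted) {
    return { proceed: true, reason: 'authenticated; chargeback liability shifted to issuer' };
  }
  if (scaRequired(acquirerCountry, issuerCountry)) {
    // Both domains are PSD2-regulated and SCA was not satisfied: the issuer
    // is likely to decline, so ask the customer to authenticate instead.
    return { proceed: false, reason: 'SCA required but not satisfied; re-authenticate' };
  }
  // Out of PSD2 scope: the charge may be submitted, but without liability
  // shift the merchant keeps the chargeback risk on this transaction.
  return { proceed: true, reason: 'SCA not required; merchant retains liability' };
}
```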

To apply 3D Secure:
