3D Secure

Overview

Building a modern checkout experience requires that merchants find the balance between security and ease of use for their customers. Coupled with strict regulatory requirements, 3D Secure (3DS) can help to prevent fraud and meet Strong Customer Authentication (SCA) requirements.

What's 3D Secure?

3D Secure is a security protocol that provides an extra layer of protection for online purchases. First deployed by Visa as “Verified by Visa” (later renamed “Visa Secure”), it was subsequently adopted by Mastercard, American Express, and other major issuers and card networks. 3DS connects three domains (hence “3D”), namely the issuer domain, the acquirer domain, and the interoperability domain (card scheme, payment processors, merchant plug-in, access control server, etc.), to share data and authenticate transactions with an additional verification step at checkout. This additional step requests more information from the customer at checkout and informs identity checks used to assess the likelihood of a fraudulent transaction. Merchants may also benefit from using 3DS because liability for a chargeback on a transaction that used 3DS shifts from the merchant to the cardholder’s bank (i.e., the issuer).

The first version of 3DS, 3D Secure 1, was introduced to help address fraud and chargeback disputes. After entering their card information at checkout, customers were prompted with a step-up challenge that carried the branding and look of the Visa Secure, Mastercard Identity Check, or American Express SafeKey solutions. While this step-up helped increase security by requiring more information from the customer, it was ultimately an extra step that resulted in high cart abandonment.

3D Secure 1 vs 3D Secure 2

3D Secure 2 support was introduced in the Android v3, iOS v4, and JavaScript v3 versions of our Client SDKs. 3DS2 improves on 3DS1 in several ways:

  • The 3DS2 protocol allows many more data elements to be collected, so issuing banks can make much more effective risk assessment decisions. As a result, issuing banks will be able to allow more transactions to proceed without requiring additional authentication from the cardholder.
  • The 3DS2 protocol includes support for mobile apps and devices, allowing for native mobile authentication experiences without redirects or webviews.
  • The 3DS2 protocol includes greatly improved support for frictionless authentication, granting the benefits of liability shift without requiring further action from the cardholder. Note that availability may be limited in regulated markets that require strong customer authentication.

You can find a lot more details and context in our blog post about 3DS2.

Strong Customer Authentication (SCA)

3DS2 satisfies the Strong Customer Authentication (SCA) requirements coming into effect for European merchants transacting with European customers.

Payment flow

On the client side:

  • Generate a client token
  • Render a checkout page to collect customer payment information
  • Verify the credit card amount
  • The customer may then be prompted to authenticate if requested by the issuing bank, or otherwise required to do so by relevant local legislation

On the server side:

  • If the authentication is completed successfully or none was required, use the returned nonce to create a transaction.
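
An added example, not taken from this documentation or from any SDK: a server-side gate for the last step of the flow above, deciding whether a returned nonce may be used to create a transaction. The ThreeDSOutcome record, its field names, the amount comparison, and the sample nonce labels are assumptions made for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

@dataclass(frozen=True)
class ThreeDSOutcome:
    # Hypothetical server-side record of what happened to a nonce during 3DS.
    authentication_required: bool  # issuer or local legislation asked for it
    authenticated: bool            # cardholder completed it successfully
    liability_shifted: bool        # chargeback liability moved to the issuer
    verified_amount: Decimal       # amount submitted at the verification step

@dataclass(frozen=True)
class Decision:
    proceed: bool
    reason: str
    merchant_liable: bool

def decide(outcome: Optional[ThreeDSOutcome], charge_amount: Decimal) -> Decision:
    """Gate for the server-side step: may this nonce create a transaction?"""
    if outcome is None:
        # The nonce carries no verification result, so nothing was checked.
        return Decision(False, "no_3ds_outcome", True)
    if outcome.verified_amount != charge_amount:
        # The amount verified at checkout differs from the amount being charged.
        return Decision(False, "amount_mismatch", True)
    if outcome.authentication_required and not outcome.authenticated:
        return Decision(False, "authentication_failed", True)
    reason = "authenticated" if outcome.authenticated else "no_authentication_required"
    return Decision(True, reason, not outcome.liability_shifted)

# Constructed sample outcomes, keyed by made-up nonce labels.
SAMPLES = {
    "nonce-frictionless": ThreeDSOutcome(False, True, True, Decimal("25.00")),
    "nonce-challenge-ok": ThreeDSOutcome(True, True, True, Decimal("25.00")),
    "nonce-challenge-failed": ThreeDSOutcome(True, False, False, Decimal("25.00")),
    "nonce-not-required": ThreeDSOutcome(False, False, False, Decimal("25.00")),
    "nonce-amount-changed": ThreeDSOutcome(True, True, True, Decimal("1.00")),
}

def evaluate_samples(charge_amount: Decimal = Decimal("25.00")) -> dict:
    results = {label: decide(o, charge_amount) for label, o in SAMPLES.items()}
    results["nonce-never-verified"] = decide(None, charge_amount)
    return results

if __name__ == "__main__":
    for label, d in evaluate_samples().items():
        print(f"{label:24} proceed={d.proceed!s:5} reason={d.reason} "
              f"merchant_liable={d.merchant_liable}")
```

The decision is made on the server from its own record of the outcome, so a transaction is only created when authentication succeeded or none was required, and the merchant_liable flag shows which accepted transactions did not receive the liability shift.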
