3D Secure (3DS) – commonly known by its branded names: Visa Secure, Mastercard Identity Check – requires customers to complete an extra authentication step with their card issuer when making a payment. Typically, you direct the customer to their bank’s website where they enter a password or a code sent to their phone to verify the payment. This helps protect you from fraud and makes payments more secure.
The new version of 3D Secure – 3D Secure 2 (EMV 3DS v. 2.2.0) – improves the checkout experience compared to 3D Secure v1. It uses a wider range of data and biometric authentication to allow for “frictionless authentication”, meaning a smoother, more secure payment flow for both you and your customers. If you do business in Europe, it's the best way to comply with the new Strong Customer Authentication (SCA) requirements introduced by the revised Payment Services Directive (PSD2).
With 3DS2, you can embed the authentication process in your checkout flow, making for a better user experience compared to the original 3DS.
Whenever a customer makes a payment, 3DS2 allows the merchant and a payment provider like us to send over 100 data elements (like the customer's shipping address, card, email, etc) to the cardholder's bank to assess its risk level. And this all takes place behind the scenes within your web or mobile checkout flow.
Based on this data, the customer's bank will then choose to immediately authenticate the payment (frictionless flow) or ask for more cardholder interaction before authenticating the payment (challenge flow).
In a frictionless flow, the acquirer, issuer, and card scheme exchange all necessary information in the background through passive authentication using the customer's payment data. The transaction is completed without further shopper interaction.
In a challenge flow, the issuer requires additional customer interaction, for example through biometrics, two-factor authentication or similar methods based on the SCA authentication factors.
Strong Customer Authentication (SCA) is a new European regulatory requirement intended to reduce fraud and make online and contactless offline payments more secure. To accept payments and meet SCA requirements, you need to build additional authentication into your checkout flow, using at least two of three independent authentication elements.
When a customer makes an online payment, their bank may "challenge" them to provide more information before authenticating the payment – this is where SCA comes in.
SCA requires you to build additional authentication into your payment flow, using two out of the following three authentication elements:
- Something the customer knows (like a password or PIN)
- Something the customer has (like a mobile phone or wearable device)
- Something the customer is (like their fingerprint or facial recognition)
Under this new regulation, specific types of low-risk payments may be exempted from Strong Customer Authentication, and such payments may likewise be exempted from 3D Secure. Using exemptions for low-risk payments reduces the number of times you need to authenticate a customer and reduces friction.
The most relevant exemptions for your business are:
This exemption can be used for payments of a low amount. Transactions below €30 are considered “low value” and may be exempted from SCA. Banks, however, need to request authentication if the exemption has been used five times since the cardholder’s last successful authentication or if the sum of previously exempted payments exceeds €100. The cardholder’s bank needs to track the number of times this exemption has been used and decide whether authentication is necessary.
This exemption can apply when the customer makes a series of recurring payments for the same amount, to the same business. SCA is required for the customer’s first payment—subsequent charges however may be exempted from SCA.
Payments made with saved cards when the customer is not present in the checkout flow (sometimes called “off-session”) may qualify as merchant-initiated transactions. These payments technically fall outside the scope of SCA. In practice, marking a payment as a “merchant-initiated transaction” will be similar to requesting an exemption. And like any other exemption, it is still up to the bank to decide whether authentication is needed for the transaction.
To use merchant-initiated transactions, you need to authenticate the card either when it’s being saved or on the first payment. Finally, you need to get an agreement from the customer (also referred to as a “mandate”), in order to charge their card at a later point.
Card details collected over the phone fall outside the scope of SCA and do not require authentication. This type of payment is sometimes referred to as “Mail Order and Telephone Orders” (MOTO). Similar to exempted payments, MOTO transactions need to be flagged as such—with the cardholder’s bank making the final decision to accept or reject the transaction.
This exemption may cover payments that are made with “lodged” cards (e.g., where a corporate card used for managing employee travel expenses is held directly with an online travel agent), as well as corporate payments made using virtual card numbers (which are also used in the travel sector).
One leg out (OLO) payments are transactions where the merchant, acquirer or issuer is based outside the European Economic Area (EEA).
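The exemptions above are easiest to reason about as a small decision procedure with per-card state: the issuer tracks how often the low-value exemption has been used since the last successful authentication, whether a recurring amount or merchant mandate was authenticated, and which payment types fall outside the scope of SCA altogether. The following Python model is an added example written for this page; it is not Payabl code or an issuer API. The `CardState` and `Payment` structures, the `"cit"`/`"recurring"`/`"mit"`/`"moto"` payment kinds and the reason strings are constructed for illustration, and the thresholds (€30 per transaction, five uses, €100 cumulative) are the ones quoted in the text. Whether the current payment is counted toward the €100 limit is an issuer choice; the model follows the wording above and checks previously exempted payments.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# Thresholds quoted in the text above: the low-value exemption applies below €30,
# and the issuer must re-authenticate once it has been used five times since the
# last successful SCA or once previously exempted payments exceed €100.
LOW_VALUE_LIMIT = Decimal("30")
LOW_VALUE_MAX_USES = 5
LOW_VALUE_MAX_SUM = Decimal("100")


@dataclass
class CardState:
    """Issuer-side state kept per card (hypothetical structure, not a real issuer API)."""
    exempt_uses: int = 0                 # low-value exemptions since last successful SCA
    exempt_sum: Decimal = Decimal("0")   # amount exempted since last successful SCA
    mandates: set = field(default_factory=set)      # merchants holding an authenticated mandate
    recurring: dict = field(default_factory=dict)   # merchant -> authenticated recurring amount


@dataclass
class Payment:
    amount: Decimal
    merchant: str
    kind: str                # "cit" (customer present), "recurring", "mit", "moto" (constructed labels)
    mandate: bool = False    # customer agrees to later merchant-initiated charges (cit only)
    eea_issuer: bool = True
    eea_acquirer: bool = True


def assess(p: Payment, s: CardState) -> tuple[bool, str]:
    """Decide whether SCA is needed for this payment. Returns (sca_required, reason)."""
    # Payment types the text places outside the scope of SCA.
    if p.kind == "moto":
        return False, "MOTO: out of scope"
    if not (p.eea_issuer and p.eea_acquirer):
        return False, "one leg out: out of scope"
    # Merchant-initiated charges rely on a mandate authenticated while the customer was present.
    if p.kind == "mit":
        if p.merchant in s.mandates:
            return False, "merchant-initiated: authenticated mandate on file"
        return True, "merchant-initiated: card must first be authenticated customer-present"
    # Recurring series: first payment needs SCA; same amount to the same merchant may be exempt.
    if p.kind == "recurring":
        if s.recurring.get(p.merchant) == p.amount:
            return False, "recurring: same amount and merchant as the authenticated first payment"
        return True, "recurring: first payment or changed amount"
    # Customer-present payment that saves the card for later charges must be authenticated.
    if p.mandate:
        return True, "card saved for merchant-initiated charges: authenticate now"
    # Otherwise only the low-value exemption remains.
    if p.amount >= LOW_VALUE_LIMIT:
        return True, "no exemption applies"
    if s.exempt_uses >= LOW_VALUE_MAX_USES or s.exempt_sum > LOW_VALUE_MAX_SUM:
        return True, "low value: cumulative limit reached, re-authentication required"
    return False, "low value"


def process(p: Payment, s: CardState) -> tuple[bool, str]:
    """Assess the payment and update issuer state, assuming any customer-present SCA succeeds."""
    required, reason = assess(p, s)
    if required and p.kind in ("cit", "recurring"):
        # A successful strong authentication resets the low-value counters and
        # establishes the mandate / recurring agreement that later exemptions rely on.
        s.exempt_uses = 0
        s.exempt_sum = Decimal("0")
        if p.kind == "cit" and p.mandate:
            s.mandates.add(p.merchant)
        if p.kind == "recurring":
            s.recurring[p.merchant] = p.amount
    elif reason == "low value":
        s.exempt_uses += 1
        s.exempt_sum += p.amount
    return required, reason


def demo() -> list:
    """Constructed scenario: five €29 customer-present payments on one card.
    The fourth is still exempt (€87 previously exempted); the fifth exceeds €100 and needs SCA."""
    s = CardState()
    return [process(Payment(Decimal("29"), "shop", "cit"), s)[0] for _ in range(5)]
```

The final decision always rests with the cardholder’s bank, as the text notes: a merchant can only flag the payment with the exemption or scope it believes applies, and the issuer may still return a challenge.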
To provide the best 3D Secure process for your customer, you can use one of the solutions below:
- Payabl 3D Secure service. Payabl provides a 3D Secure service inside the payment gateway.
- Your own 3D Secure process. For this option you must be PCI DSS compliant and send us the 3DS parameters resulting from your authentication.