Learn about 3D Secure
Three Domain Secure (3D Secure) is a regulatory requirement specified by EMVCo to ensure safe and secure online card transactions. 3D stands for the three domains involved: the browser, the issuing bank, and the card network. From 1.01.2021 it is mandatory for merchants to process all card transactions as 3D Secure.
3D Secure must be applied if:
- You are conducting business in European Economic Area (EEA)
- Your customers are in the EEA
- You are accepting card payments (credit or debit)
What is Strong Customer Authentication (SCA)?
Processing all card transactions as 3D Secure is a requirement of the Second Payment Services Directive (PSD2) for all transactions in the European Economic Area (EEA). It enables Strong Customer Authentication (SCA), which reduces fraud when paying online. You must apply additional authentication checks when a customer pays with a card on your website.
Authentication uses any two of the following verification methods.
| Something the customer knows | Something that the customer owns | Something that the customer is |
|---|---|---|
| Exclusive knowledge, such as a password or the CVV. | A device or instrument that the customer has registered, such as a mobile device. | Biometrics that identify the customer, such as Face ID or a fingerprint. |
Some of the reasons for being 3DS compliant are:
- It is mandatory to process card transactions as 3D Secure from 1st January 2021. A payment is very likely to be declined if the transaction is processed without applying 3D Secure.
- Fraudulent transactions are greatly reduced by verifying and authenticating the cardholder's identity.
- Issuing banks can verify and authenticate transactions more easily and avoid false declines, which gives customers more confidence when shopping on your portal.
- With a 3DS-secured transaction workflow, the liability for fraud and misrepresentation is very likely to rest with the issuer, because the issuer must authenticate the customer's identity: the chargeback liability shifts to the issuer. During full authentication, where the merchant, the issuer, and the card are all registered for 3D Secure, the liability shifts to the issuer. If you, as a merchant, are not registered for 3D Secure, the liability for a fraudulent transaction shifts to you.
- 3DS-secured transactions are verified by the issuer and the card network, so the rejection rate is lower. 3DS2 is also more user-friendly, and issuers approve with more confidence because the authentication is valid.
There are certain cases in which card transactions are not subject to SCA, and therefore not to 3DS.
If a customer signs up to a subscription or recurring billing for exactly the same amount with the same online seller, they only need to authenticate the first time they pay. This is a great exemption for sellers like Netflix, but it does not cover repeat payments if the amounts differ (e.g. a weekly online grocery shop) or if the value changes (e.g. if Netflix increases its prices).
The low-value exemption allows payment providers to avoid applying strong customer authentication for online payments under €30, up to a certain cumulative limit. The customer's bank chooses either to request strong customer authentication on every sixth payment under €30, or to request it once the combined value of several payments goes above €100.
Although it may look attractive on the surface, this exemption is tricky for online sellers and payment providers. The cardholder's bank decides which cumulative limit to use, so it is hard to know whether the bank will limit the number of transactions or their total value.
For example, a customer could make five payments of €10 and be challenged on the sixth, or make up to 10 payments of €10 before they need to authenticate.
This exemption also does not help online sellers whose average order value is above €30.
Payments where the card is issued outside of Europe, or where the country you are acquiring from is outside of Europe, are also exempt.
Mail Order and Telephone Orders (MOTO) are excluded from 3D Secure Strong Customer Authentication (SCA) in all cases. MOTO transactions are not considered "electronic" payments and therefore do not fall within the scope of the PSD2 regulation.
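The two cumulative limits of the low-value exemption, and why a merchant cannot rely on either one, as an added example that is not part of the original page. It assumes the thresholds exactly as stated above (€30 per payment, a challenge on every sixth payment, or once the unauthenticated total goes above €100) and keeps the per-card counters in memory; in reality the issuer holds them.

```python
from dataclasses import dataclass

# Thresholds of the PSD2 low-value exemption as described on this page.
LOW_VALUE_LIMIT_EUR = 30.0     # the exemption never applies above €30
MAX_EXEMPT_COUNT = 5           # the issuer may challenge every sixth exempt payment
MAX_CUMULATIVE_EUR = 100.0     # or once the exempt total would exceed €100

@dataclass
class CardExemptionState:
    """Counters for one card since its last SCA-authenticated payment (constructed)."""
    exempt_count: int = 0
    exempt_total_eur: float = 0.0

def sca_required(state: CardExemptionState, amount_eur: float, issuer_rule: str) -> bool:
    """True if the issuer demands SCA for this payment under the given rule.
    issuer_rule is "count" or "value"; the merchant does not know which one the
    cardholder's bank applies, which is the point the text makes."""
    if amount_eur > LOW_VALUE_LIMIT_EUR:
        return True
    if issuer_rule == "count":
        return state.exempt_count >= MAX_EXEMPT_COUNT
    if issuer_rule == "value":
        return state.exempt_total_eur + amount_eur > MAX_CUMULATIVE_EUR
    raise ValueError(f"unknown issuer rule: {issuer_rule}")

def sca_required_conservative(state: CardExemptionState, amount_eur: float) -> bool:
    """Merchant-side view: request 3DS if either limit would trip, so the charge is not
    declined because the bank happened to apply the other rule."""
    return (sca_required(state, amount_eur, "count")
            or sca_required(state, amount_eur, "value"))

def record_payment(state: CardExemptionState, amount_eur: float, authenticated: bool) -> None:
    """An SCA-authenticated payment resets both cumulative limits; an exempt one adds to them."""
    if authenticated:
        state.exempt_count = 0
        state.exempt_total_eur = 0.0
    else:
        state.exempt_count += 1
        state.exempt_total_eur += amount_eur

def simulate(amounts: list[float], issuer_rule: str) -> list[int]:
    """Return the 1-based positions of the payments that needed SCA in a series."""
    state = CardExemptionState()
    challenged = []
    for i, amount in enumerate(amounts, start=1):
        needs_sca = sca_required(state, amount, issuer_rule)
        if needs_sca:
            challenged.append(i)
        record_payment(state, amount, authenticated=needs_sca)
    return challenged
```

`simulate([10.0] * 12, "count")` reproduces the page's example (challenged on the sixth payment), while the same series under the "value" rule is first challenged on the eleventh.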
Below, you can see a diagram showing the workflow for a 3D Secure transaction. The steps are:
- Create a card resource based on the information that the customer enters in their browser. The cardholder's email is used to identify the customer for 3D Secure. The generated resource ID is used for the charge or authorization.
- The Unzer API creates an Authorization transaction based on the payment workflow.
- Once the payment transaction is sent for Charge, the customer is redirected to the 3D Secure verification page provided by their bank using a redirect URL. The bank performs the verification and validation and redirects the customer back to the shop after the payment.
- The Unzer API sends the payment-completed message to your shop, which is then displayed in your customer's browser.
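How a shop can act on steps 3 and 4 of that workflow, as an added example that is not Unzer's own code. The response field names (isSuccess, isPending, isError, redirectUrl, state.name), the sample responses and the redirect-host allowlist are assumptions made for this example, not details given on this page.

```python
from urllib.parse import urlparse

# Constructed allowlist of hosts the shop will send customers to for 3D Secure.
# Use the redirect host your own Unzer integration actually returns.
ALLOWED_REDIRECT_HOSTS = {"payment.unzer.com"}

# Constructed sample responses shaped like the assumed API fields.
SAMPLE_3DS_PENDING = {"id": "s-chg-1", "isSuccess": False, "isPending": True, "isError": False,
                      "redirectUrl": "https://payment.unzer.com/v1/redirect/3ds/EXAMPLE"}
SAMPLE_DIRECT_SUCCESS = {"id": "s-chg-2", "isSuccess": True, "isPending": False, "isError": False}
SAMPLE_ODD_REDIRECT = {"id": "s-chg-3", "isSuccess": False, "isPending": True, "isError": False,
                       "redirectUrl": "https://other.example/3ds"}

def next_step(charge_response: dict) -> dict:
    """Decide what the shop does after sending the charge (step 3 of the workflow).

    A pending result carrying a redirect URL means the customer still has to pass
    the bank's 3D Secure check; anything else is either finished or an error.
    """
    if charge_response.get("isError"):
        return {"action": "fail", "reason": "transaction_error"}
    url = charge_response.get("redirectUrl")
    if charge_response.get("isPending") and url:
        host = urlparse(url).hostname
        if host not in ALLOWED_REDIRECT_HOSTS:
            # Only ever send the customer to a host you expect, whatever the payload says.
            return {"action": "fail", "reason": f"unexpected_redirect_host:{host}"}
        return {"action": "redirect", "url": url}
    if charge_response.get("isSuccess"):
        return {"action": "complete", "transaction_id": charge_response["id"]}
    return {"action": "wait", "reason": "pending_without_redirect"}

def order_paid(payment_resource: dict) -> bool:
    """Step 4: mark the order paid only on the payment state fetched server-side from
    the API, never merely because the customer's browser arrived at the return URL."""
    return payment_resource.get("state", {}).get("name") == "completed"
```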