alt

Important information

There was an update of Unzer TLS/SSL certificates. Learn more

Unzer

3D Secure

Learn about 3D Secure

Three Domain Secure (3D Secure) is a regulatory requirement specified by EMVCo to ensure safe and secure online card transactions. 3D stands for the three domains that are the browser, the issuing bank, and the card network. It is a mandatory requirement that from 1.01.2021 merchants process all card transactions as 3D Secure.

Who is impacted?

3D Secure must be applied if:

  • You are conducting business in European Economic Area (EEA)
  • Your customers are in the EEA
  • You are accepting card payments (credit or debit)

What is Strong Customer Authentication (SCA)?

Processing all card transactions as 3D Secure is a requirement from the Second Payments Services Directives (PSD2) for all transactions in the European Economic Area (EEA). This enables Strong Customer Authentication (SCA) to reduce fraud when paying online. You must have additional authentication checks when a customer is paying with cards on your website.

This could include any two of the following verification methods.

Something the customer knows Something that the customer owns Something that the customer is
Exclusive knowledge, such as the password or CVV. A device or instrument that is registered with the consumer, such a mobile device. Biometrics to identify the customer, such as face ID or fingerprint.

Why do you need to be 3DS compliant?

Some of the reasons for being 3DS compliant are:

Regulatory requirements

It is mandatory to process card transactions as 3D Secure from 1st January 2021. It is very likely that the payments are declined if the transaction is processed without applying 3D Secure.

Fraud prevention

Fraudulent transactions can be minimized to a great extent by verifying and authenticating the cardholder’s identity.

Higher conversion rates

It is now easier for the issuing banks to verify and authenticate the transactions. They are now able to avoid false declines. This generates more confidence for customers who are shopping on your portal.

Liability shift

If you are using 3DS-secured transaction workflow, it is very likely that the liability in case of fraud and misrepresentation is with the issuer because they must authenticate the identity of the customer. The chargeback liability now shifts to the issuer. During full authentication where merchant, issuer, and card is registered as 3D Secure, the liability shifts to the issuer. If you, as a merchant, are not registered as 3D Secure, the liability shifts to you in case of a fraudulent transaction.

Decreased rejected transactions

The 3DS transactions are verified by the issuer and the card network, and hence the rejection rate of transactions is lower. The 3DS2 is also more user-friendly. The issuers are more confident of approval because of valid authentication.

Out of scope for SCA

There are certain cases in which card transactions are not subject to SCA and therefore the 3DS.

Recurring payment

If a customer signs up to a subscription or recurring billing for exactly the same amount with the same online seller, they will only need to authenticate the first time they pay. This is a great exemption for sellers like Netflix, but it won’t cover repeat payments if the amounts differ (for example, a weekly online grocery shop) or if the value changes (for example, if Netflix increases their prices).

Low-value payments under €30

This exemption allows payment providers to avoid applying strong customer authentication for online payments under €30 up to a certain cumulative limit. The customer’s bank has the choice to either request strong customer authentication on every sixth payment under €30 or request strong customer authentication if the combined value of several payments goes above €100.

Although it may look attractive on the surface, this exemption is tricky for online sellers and payment providers. The cardholder’s bank decides which cumulative limit to use, so it’s hard to know whether the bank will choose to limit the number of transactions or total value.

For example, a customer could make five payments of €10 and be challenged on the sixth, or make up to 10 payments of €10 before they need to authenticate.

This exemption also doesn’t help online sellers with an average order value above €30.

One leg out

Payments where the card is issued outside of Europe or where the country you are acquiring from is outside of Europe.

Mail Order Telephone Order (MOTO)

Mail Order and Telephone Orders (MOTO) are excluded from 3D Secure Strong Customer Authentication (SCA) in all cases. MOTO transactions are not considered “electronic” payments and therefore do not fall within the scope of the PSD2 regulation.

3DS workflow

Below, you can see a diagram showing the workflow for a 3D Secure transaction.

3ds workflow

  1. Create card resource based on the information that the customer enters in their browser. The cardholder’s email is used for identifying the customer for 3D Secure. The generated resource ID is used for charge or authorization.
  2. The Unzer API creates a Charge or Authorization transaction based on the payment workflow
  3. Once the payment transaction is sent for Authorization or Charge, the customer is redirected to the 3D Secure verification page provided by their bank using a redirect URL. The bank performs the verification and validation and redirects the customer to the shop after the payment.
  4. The Unzer API sends the payment completed message to your shop. This is now displayed in the browser of your customer.

Next steps

Set up 3D Secure for card payments