What is 3DS?
3DS (3D Secure) is a payment standard for strong customer authentication (e.g. 2-factor authentication). It provides a software protocol for an issuing bank to authenticate that the user making a purchase is in fact who they say they are. The protocol:
- Looks up the credit card issuing bank information
- Determines if this bank supports 3DS authentication
- Determines if this particular transaction requires 3DS authentication
- If authentication is required, allows for a redirect of the customer to the issuing bank site, where the customer can enter authentication proof
Card Network Solutions
Each card network has its own branded 3DS solution.
- Visa Secure (formerly Verified by Visa)
- Mastercard SecureCode/Identity Check
- American Express SafeKey
- Discover ProtectBuy
- Diners Club ProtectBuy
- JCB J/Secure
3DS version 1.0
- The first version of 3DS dates to 2001
- No option for a frictionless flow
- Many banks had customers create and remember a static password
- High rate of card abandonment
3DS version 2.0 (and above)
- Allows for a frictionless flow as determined by the issuing bank
- Many more data elements can be sent to the bank to influence the decision
- Does not require a full-page redirect
- Allows for out-of-band authentication (e.g. via your banking app)
Does 3DS Impact Me?
A merchant doing business in the European Economic Area (EEA) is required to support 3DS by the applicable deadline if either:
- The merchant is in the EEA and their acquirer is in the EEA
- The merchant is NOT in the EEA, but the acquirer IS in the EEA
If you are a merchant based in the EEA and have an acquirer also in the EEA, you fall under the EEA deadline of 31 Dec, 2020.
If you are a merchant solely doing business in the UK, and not doing business in the EEA, you will fall under the UK deadline of 14 Sept, 2020.
Other effects of 3DS on merchants:
- 3DS may shift chargeback liability from the merchant to the issuing bank.
- Card networks may begin to decline non-conformant transactions at some point in the future.
- Including additional 3DS-supporting data may increase the frictionless rate.
For Visa and Mastercard, 3DS can result in one of 5 scenarios: authentication successful, authentication attempted, authentication failed, authentication unavailable, and error.
The liability shift happens only when authentication was successful and is then followed by a chargeback. If authentication fails, an error occurs, or authentication is unavailable, chargeback liability stays with the merchant.
NOTE: 3DS only applies to real-time transactions: one-time transactions, the initial transaction of a subscription, or a payment method validation transaction.
3DS does not apply to recurring transactions and does not apply to Vindicia Retain.
Most current payment providers support 3DS Authentication natively. The implementation details may differ slightly, but most are now following the EMV 3D Secure Specification.
Some legacy platforms, such as Paymentech Stratus, do not have native 3DS support, so merchants will need to use a 3rd-party authentication provider, such as Cardinal Commerce.
For Vindicia, our implementation uses either Cardinal Commerce or the processor's native 3DS support, depending on the given payment processor.
Customer Authentication Methods
The most common authentication methods used are one-time passcodes (OTP) delivered via SMS or email. Other options include:
- Biometric – fingerprint, facial recognition
- 3rd-party app (e.g. log in to your banking app to verify)
Are you exempt from 3DS?
The 3DS specification allows for exemptions that may allow a transaction to bypass the challenge, allowing for a frictionless purchase. Some possible exemptions:
- Low-value transactions (e.g. under 30 EUR)
- Recurring transactions
- Trusted Merchant
Exempted transactions do not shift liability.
- 3DS 2.0 includes risk mitigation by adding new data for the issuer, which makes requesting exemptions less compelling for the merchant
- Merchant-initiated transaction markers can replace the “recurring” exemption
- As with other issuer decisions, whether a requested exemption is granted is determined by the issuing bank based on its own internal guidelines
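The rules above (which transactions 3DS applies to, which exemptions a merchant may request, and when chargeback liability shifts) can be pulled together into a small merchant-side decision helper. This is an added illustration, not Vindicia's or any processor's code; the 30 EUR low-value threshold is the page's example figure and is labelled as an assumption, since real limits are set by the networks and issuers.

```python
"""Merchant-side 3DS 2.x decision helper, illustrating the rules on this page."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Assumption: the page gives 30 EUR as an example; real thresholds vary.
LOW_VALUE_EUR = 30.0


class TxnType(Enum):
    ONE_TIME = "one_time"                        # real-time: 3DS applies
    SUBSCRIPTION_INITIAL = "subscription_initial"  # real-time: 3DS applies
    VALIDATION = "validation"                    # real-time: 3DS applies
    RECURRING = "recurring"                      # later charges: 3DS does not apply


@dataclass
class Txn:
    kind: TxnType
    amount_eur: float
    trusted_merchant: bool = False
    mit_marker: bool = False  # merchant-initiated marker instead of a "recurring" exemption


def plan(txn: Txn) -> str:
    """What the merchant should do: 'skip:<why>', 'exempt:<reason>' or 'authenticate'."""
    if txn.kind is TxnType.RECURRING:
        # 3DS covers real-time transactions only; later recurring charges are
        # flagged as merchant-initiated rather than run through 3DS.
        return "skip:merchant_initiated" if txn.mit_marker else "skip:not_real_time"
    if txn.amount_eur < LOW_VALUE_EUR:
        return "exempt:low_value"
    if txn.trusted_merchant:
        return "exempt:trusted_merchant"
    return "authenticate"


def liability(plan_result: str, exemption_granted: bool, outcome: Optional[str]) -> str:
    """Who carries chargeback liability once the issuer has responded.

    `outcome` is one of the five results named on the page: 'successful',
    'attempted', 'failed', 'unavailable', 'error' (None if no authentication ran).
    The issuer, not the merchant, decides whether a requested exemption is granted.
    """
    if plan_result.startswith("skip"):
        return "merchant"            # nothing was authenticated
    if plan_result.startswith("exempt") and exemption_granted:
        return "merchant"            # exempted transactions do not shift liability
    # Exemption refused (or none requested): the transaction went through authentication.
    return "issuer" if outcome == "successful" else "merchant"
```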