3D Secure Payment Authentication
3D Secure (3DS) is one of the most crucial security protocols for merchants who process payments online. You’ve likely seen it under brand names like Mastercard Identity Check or Visa Secure.
Europe is seeing a sharp increase in online card payments, but fraud is also on the rise. Effective security measures are necessary for business owners to safeguard both their clientele and their own financial interests.
However, what exactly is 3DS verification, how does it operate, and how does it protect your online sales?
What Is 3D Secure?
3D Secure is a security protocol that was developed to provide online card transactions with an additional layer of protection. It reduces the risk of fraud for both card issuers and online retailers by helping them authenticate consumers making card-not-present payments.
“3D” stands for “three-domain model”:
- Acquirer Domain: The merchant’s bank or payment processor
- Issuer Domain: The customer’s card issuing bank
- Interoperability Domain: The card network (Visa, Mastercard, etc.), which assists the issuer and acquirer in communicating
The 3D Secure protocol initiates an authentication procedure overseen by the issuing bank when a consumer enters their card information while shopping online. Before approving the payment, the bank confirms the customer’s identity, providing an additional degree of security against fraudulent transactions.
How Does 3D Secure Work?
The 3D Secure authentication procedure follows these steps:
- First Transaction: A customer inputs their card information at the checkout when making an online purchase.
- Authentication Triggered: The merchant’s payment gateway contacts the cardholder’s bank via the card network to request authentication. To facilitate better risk assessments, this message contains information about the merchant’s risk level, device details, and transaction history.
- Issuer Chooses an Authentication Method: The issuing bank (the bank that issued the customer’s card) determines whether the transaction is low-risk or high-risk. A frictionless flow, in which the customer doesn’t need to take any further action, may occur for low-risk transactions.
- Customer Authentication: If the issuer determines that the transaction is high-risk, the cardholder is asked to confirm their identity using an authentication method such as:
  - One-time codes (e-mail or SMS code)
  - PIN codes
  - Security questions
  - Biometric verification (such as fingerprint or facial recognition), connected to the bank’s mobile app
- Liability shift: If the merchant follows the 3D Secure protocol, the card issuer becomes liable for fraudulent activity after the transaction has been authenticated (with some exceptions).
- Payment Process Completion: The customer sees the secure payment confirmation page, and the transaction continues as normal.
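Added example, not part of the original article or any gateway's code: a sketch of how a merchant backend might act on the issuer's answer from the steps above (frictionless pass, challenge, failure). The transStatus and ECI codes are those used by EMV 3-D Secure and the card schemes; the names decide, Decision and allow_unauthenticated are assumptions, and the liability-shift flag is simplified.

```python
from dataclasses import dataclass
from typing import Optional

# transStatus codes from the EMV 3-D Secure specification.
PASSED = {"Y", "A"}     # Y = authenticated, A = attempt processed
CHALLENGE = {"C", "D"}  # challenge required (D = decoupled)
FAILED = {"N", "R"}     # N = not authenticated, R = issuer rejected

# ECI values signalling issuer authentication, per scheme:
# Visa 05 = full, 06 = attempted; Mastercard 02 = full, 01 = attempted.
AUTH_ECI = {"visa": {"05", "06"}, "mastercard": {"02", "01"}}


@dataclass
class Decision:
    action: str            # "authorize", "challenge" or "decline"
    liability_shift: bool  # simplified: scheme rules carry exceptions
    reason: str


def decide(scheme: str, trans_status: str, eci: Optional[str] = None,
           allow_unauthenticated: bool = False) -> Decision:
    """Map an issuer authentication result to a merchant action.

    Hypothetical helper. Call it again with the final status once a
    challenge has completed.
    """
    if trans_status in CHALLENGE:
        return Decision("challenge", False, "issuer wants cardholder step-up")
    if trans_status in FAILED:
        return Decision("decline", False, "authentication failed or rejected")
    if trans_status in PASSED:
        # Fail closed if the ECI does not match what the scheme would send.
        if eci in AUTH_ECI.get(scheme.lower(), set()):
            return Decision("authorize", True, "authenticated by issuer")
        return Decision("decline", False, "status/ECI mismatch")
    if trans_status == "U" and allow_unauthenticated:
        # Authentication could not be performed; merchant carries the risk.
        return Decision("authorize", False, "unauthenticated by policy")
    # "U" without the policy flag, or any status not handled here.
    return Decision("decline", False, "authentication unavailable")


if __name__ == "__main__":
    # Constructed sample results, not captured traffic.
    for args in [("visa", "Y", "05"), ("mastercard", "C"), ("visa", "U")]:
        print(args, decide(*args))
```

Statuses this sketch does not list are declined rather than passed through, so an unexpected issuer response never reaches authorization by accident.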
Tip: In order to cross-check the cardholder’s billing address during credit card processing, many merchants also integrate 3D Secure with the address verification service (AVS), which adds another layer of fraud prevention on top of the issuer’s checks.
Regulations Driving Enhanced Security Measures
3D Secure is directly linked to Strong Customer Authentication (SCA) under the Second Payment Services Directive (PSD2), so European merchants cannot afford to overlook it. For client authentication, SCA requires at least two of these three independent factors:
- Something the customer has (phone, card, digital certificates)
- Something the customer knows (password, PIN code, secret questions)
- Something the customer is (biometric information like fingerprint or facial recognition)
With improved support for mobile browsers, biometric authentication, and a more seamless user experience than the original protocol, 3D Secure 2 (3DS2) was created to comply with these regulations.
Warning: Failing to put in place compliant security measures for payment processing could lead to a rise in chargebacks and regulatory penalties.
Advantages of 3D Secure
3D Secure offers several compelling advantages for customers and merchants.
For Cardholders (Your Customers)
- Increased security when buying online: 3D Secure provides an additional line of defence against fraudulent transactions and phishing scams.
- Greater trust: Customers trust your brand more when they know their card transaction information and personal information are safeguarded.
- Lower Fraud Risk: It is more difficult for fraudsters to abuse stolen card information when authentication techniques like biometric verification are used.
For Merchants
- Liability Shift: With 3D Secure, the card issuer assumes accountability for the majority of fraudulent activity instead of you, the merchant.
- Better Risk Assessment: Access to additional data points on each initial transaction supports better fraud detection and decision-making.
- Trust and Customer Loyalty: By providing safe payment methods and stopping fraudulent transactions, you establish a reputation as a reliable seller, which boosts client loyalty and lowers the number of transactions that are cancelled due to fraud concerns.
- Regulation Compliance: You avoid regulatory problems by adhering to PSD2 and SCA regulations.
Disadvantages of 3D Secure
Consider the following disadvantages of 3D Secure and plan for them as part of your strategy.
For Cardholders
- Added Friction at the Checkout: Using biometric authentication, responding to a security question, or entering an SMS code all draw out the online checkout process.
- Limitations of the Mobile Experience: Some users experience disorientation due to disparate pages or inadequately optimised mobile browsers.
- Abandoned Transaction Risk: If customers forget their static passwords or don’t have their phone close at hand for one-time codes, they may abandon the transaction.
For Merchants
- Possibility of Lost Sales: Adding extra steps may result in transactions being abandoned, particularly for impulse purchases or new clients.
- Implementation Costs: To enable 3D Secure, you must integrate the relevant software on your website to accommodate the authentication steps.
- Card Provider Complexity: Different authentication techniques may be used by each cardholder’s bank, which could lead to inconsistent user experiences.
- False Declines: Your conversion rates may suffer when valid customers’ online card transactions are denied due to authentication issues.
Notwithstanding these difficulties, the liability shift and security advantages with 3D Secure generally exceed the drawbacks, particularly for retailers in high-risk industries or those dealing with fraudulent activity on a regular basis.
How to Implement 3D Secure
Follow these steps to get up and running with 3D Secure:
- Check With Your Acquirer or Payment Gateway: The majority of contemporary acquirers and payment gateways support 3D Secure authentication. Enquire if they provide 3DS2, the most recent version, which has a smoother flow for low-risk transactions.
- Connect Your App or Website: To incorporate 3D Secure into your online checkout, collaborate with your developer or payment service provider. Make sure the authentication procedure runs smoothly, particularly on mobile browsers.
- Evaluate the Client Experience: Run test transactions to see how the in-app authentication or separate page appears. Verify compatibility with issuers’ multi-factor and biometric authentication options.
- Inform Customers: Tell your customers that you have implemented this extra security measure to safeguard them when they make purchases online. Explain why their bank might send them a one-time code or security question prompt.
- Track Data Points and Fraud Detection: Examine your transaction history and fraud detection metrics after implementation. If you observe increases in abandoned transactions, modify your risk policies and authentication procedures.
FAQs About 3D Secure for Merchants
Q1: What is 3DS verification?
A: 3DS verification is a security protocol that adds an extra layer of protection to online card transactions by authenticating customers.
Q2: Does Europe require 3D Secure?
A: 3D Secure or a similar authentication procedure is required for the majority of e-commerce transactions under PSD2’s Strong Customer Authentication regulations.
Q3: What distinguishes Mastercard Identity Check from Visa Secure?
A: Mastercard Identity Check and Visa Secure use the same 3D Secure protocol under these brand names.
Q4: Who determines whether authentication is required?
A: The customer’s card issuer decides whether to initiate authentication, depending on the fraud risk of each transaction.
Q5: Does 3D Secure protect from phishing scams?
A: 3D Secure lessens the possibility of fraudulent transactions, but phishing scams cannot be completely eradicated.
Q6: Will chargebacks decrease with 3D Secure?
A: Chargebacks will go down with 3DS since, once a transaction is verified, the card issuer is held accountable for fraud, shielding the retailer.
Q7: What occurs if a client is unable to authenticate?
A: If the customer is genuine but can’t complete the authentication process, the transaction is still rejected. This potentially leads to lost sales but also prevents fraud.
Q8: Is it possible to use biometric verification for 3D Secure?
A: It is possible to use biometric verification for 3DS. 3DS2 supports biometric authentication using the app from the issuing bank, including fingerprint or facial recognition.
Q9: Is 3D Secure required for all online retailers?
A: 3DS (or similar) is required for all European online retailers that accept card payments, to comply with SCA regulations and reduce fraud risk.
Q10: How does EMVCo help merchants decrease the number of abandoned transactions?
A: EMVCo, the organisation of card networks that manages 3D Secure, is helping to decrease abandoned transactions by optimising the checkout process for mobile, streamlining low-risk transactions with 3DS2, and educating the public about the procedure.
3D Secure Payment Authentication Protects Everyone
Secure payments are necessary for European business owners to comply with regulations and protect their customers from payment fraud. 3D Secure authentication is a tried-and-true security method to safeguard consumer identity and ensure compliance with stringent laws.
You will successfully protect your customers and your business by partnering with a reliable payment gateway and putting the latest security measures in place. Online shopping becomes both safer and easier for you and your customers when you strike the correct balance between security and convenience. This is a balance that the payment processing industry is working hard to achieve and maintain.