3-D SecureCard Authentication & Fraud Protection Technology for Cardholders & Merchants

July 27, 2023 | 14 min read

This image was created by artificial intelligence using the following prompts:

3DS logo on a shield, in the style of futuristic holographic graphic design, illusion of three-dimensionality, lively action poses, red and teal, realistic scenery. (3DS text added, created from a different prompt)

3-D Secure

In a Nutshell

Is 3-D Secure the security solution you’ve been searching for or a one-way street to higher friction and abandoned carts? In this article, we’ll explain everything you need to know about 3-D Secure, like what it is, how it works, why you need it… and why it won’t be enough on its own.

What is 3-D Secure? How Can You Benefit From Domain Security Protocols?

What do platforms like Verified by Visa, Mastercard SecureCode, and American Express SafeKey all have in common? They’re all fraud protection tools based on a technology called 3-D Secure (often shortened to just 3DS).

Over the past two decades, 3-D Secure (or just “3DS”) has been instrumental in combating criminal fraud. However, adoption has always been sluggish among merchants due to concerns about its impact on conversion and shopping cart abandonment rates.

So, let’s delve into the inner workings of 3-D Secure, its evolution since its inception, and its advantages and disadvantages. We’ll also address the question of whether its impact on conversion rates should genuinely concern you.

What is 3-D Secure?

3-D Secure

[noun]/THrē • dē • sə • kur/

3-D Secure is a customer authentication protocol created for eCommerce. The system is used to validate buyers at checkout, creating an additional layer of security for online transactions. Card networks recommend that both issuing banks and merchant acquirers support the protocol.

The “3-D” in 3DS  is short for “three domains.” It alludes to the trio of distinct domain servers essential for protocol execution:

The first successful rollout of a 3-D Secure solution was Verified by Visa. After this, numerous other networks adopted their own versions of the technology rooted in 3DS protocols.

Merchants can enroll in 3DS programs through each card brand. However, many merchants find it easier to do this through their acquirer.

How Does 3-D Secure Work?

With the latest version of 3-D Secure, nearly 150 points of transaction data are sent to the issuing bank, automatically and in real time. This includes things like IP address, merchant category code, shipping address, and so on.

3-D Secure also involves adding an additional authentication step during the checkout process. Typically, the cardholder would be asked to provide either a pre-established password, a one-time passcode sent to their mobile phone or email, or the answer to a unique security question.

Also, note that not all transactions will require 3-D Secure measures. Acquirers may deploy transaction risk analysis to identify “low-risk” transactions, such as payments below a certain limit or recurring payments. These will not require 3DS verification.

3-D Secure can help stop fraud-coded chargebacks... but that’s just a small subset of overall chargebacks.REQUEST A DEMO

Breaking Down 3-D Secure by Card Brand

Although based on the same technology, 3-D Secure verification tools vary slightly depending on the card scheme. It also goes by different names, according to the brand.

3-D Secure

Visa Secure

Visa Secure is an advanced security feature from Visa that helps authenticate purchasers as authorized cardholders. This extra layer of verification helps protect both cardholders and merchants during checkout.

Learn More About Visa Secure
3-D Secure

Mastercard Identity Check

Identity Check is the Mastercard-branded deployment of 3-D Secure technology (replacing the earlier Mastercard SecureCode). It was developed to make online Mastercard transactions as safe, fast, and convenient as purchases made in a store. The program works by verifying a customer's identity at the checkout stage.

Learn More About Mastercard Identity Check
3-D Secure

Discover ProtectBuy

ProtectBuy is a 3-D Secure service specific to Discover, which implements real-time authentication software to verify credit card users before a transaction. This data can be leveraged to detect stolen cards, identify unauthorized users, and thwart fraud attempts before a transaction is made.

Learn More About Discover ProtectBuy
3-D Secure

American Express SafeKey

SafeKey is a 3-D Secure service specific to Amex. SafeKey data detects stolen cards, identifies unauthorized users, and thwarts fraud attempts before a transaction can be processed. This technology aims to help merchants improve their anti-fraud and chargeback prevention efforts.

Learn More About Amex SafeKey
3-D Secure

JCB J/Secure

Like other 3DS deployments, J/Secure enables merchants and issuers to exchange detailed information, helping reduce fraud and minimizing the need for a one-time passcode. This improves the user experience and helps prevent shopping cart abandonment.

Learn More About JCB J/Secure

Benefits of 3-D Secure

The primary benefit of 3-D Secure technology is security and fraud prevention.

The 3DS2 protocol uses Risk-Based Authentication (RBA) to analyze data and assess the fraud risk of each transaction in real-time. Because the risk level is backed by so much information, the process provides a high level of security and lowers the risk of criminal fraud.

Learn More About Fraud Prevention

The technology offers multiple other benefits as well, though. Using the latest version of 3-D Secure can help regardless of whether you’re upgrading from the original protocol or deploying 3-D Secure payment verification for the first time:

Customer Experience

3DS2’s frictionless flow authenticates most customers in real-time, with no additional action needed on the part of the cardholder. Merchants benefit from this enhanced customer experience, as well. Frictionless transactions lead to more conversions and less churn. More combined data points mean fewer false positives.

PSD2 Compliance

Strong Customer Authentication (SCA) is a fraud reduction/online payment security mandate integral to the revised Payment Services Directive (PSD2). SCA requires transactions in the European Union to have two forms of customer identification unless transaction risk analysis or some other exemption applies.

3-D Secure represents the latest standard in global payment security, and the protocol is a requirement in order to accept credit cards in Europe. The technology involves such a robust transaction analysis that most transactions deploying 3DS2 may be deemed “SCA compliant” even without the secondary identification. 3DS2 supports alternate authentication methods such as biometrics (fingerprint scanning or voice recognition) or single-use passwords/security codes.

Liability Shift

Merchants also benefit from a liability shift on qualifying 3DS transactions. Normally, merchants are the ones liable for a transaction when a chargeback occurs. Using the original 3-D Secure technology shifts the liability for chargebacks to the issuing bank.

3DS 2.0 still supports this liability shift, but the coverage differs. This protection only applies if a) authentication was successful and b) a fraud-based chargeback is filed. If both of these criteria are not met, the chargeback liability stays with the merchant.

Seamless Support Across Devices

3DS1 was not compatible with mobile devices. 3-D Secure 2.0 allows merchants to integrate the protocol into pre-existing mobile apps natively.

You can reliably conduct 3-D Secure 2.0 payments in both application and browser-based solutions, as well as on mobile and other consumer-connected devices. Also, a 3DS2 payment can be made using a payment card and through in-app or digital wallet purchases.

Finally, 3-D Secure 2.0 also offers a "Non-payment Authentication” option. This lets you validate cardholders without requiring a purchase or processing a small refundable charge.

What is 3-D Secure 2.0?

3-D Secure 2.0 is an updated version of the original 3-D Secure system. It improves upon its predecessor in several significant ways.

One of the main drawbacks of the original 3DS was that it added an additional step in the checkout process, which could disrupt the user experience and potentially deter customers from completing their purchases. This was particularly the case on mobile devices, where the additional authentication page was not always optimally displayed.

3DS 2.0 addresses these problems by introducing a more seamless, risk-based approach to customer authentication. It uses real-time data analysis to assess transaction risk levels. For low-risk transactions, it can authenticate the payment in the background without requiring additional input from the customer, thus maintaining a smooth checkout process. This is called 'frictionless' authentication.

3DS 2.0 is designed to meet Strong Customer Authentication (SCA) requirements. Overall, it maintains the protective advantages of its predecessor while addressing previous concerns about user experience, particularly on mobile devices.

Learn More About 3DS 2.0

What are ECI Indicators?

In essence, an Electronic Commerce Indicator (or “ECI”) code acts as a 3-D Secure response code. It provides direction on the next steps in a 3DS transaction; whether to proceed, decline the purchase, or attempt again.

Let’s say a customer registered with 3-D Secure initiates a transaction. The system activates during checkout, requiring the cardholder to provide additional information for identity verification.

The ECI indicator, furnished by the Directory Server and the Access Control System (ACS), represents the outcome of the authentication request for 3DS transactions. It serves as an invaluable reference for merchants, guiding their decision on whether to proceed with the transaction.

The ECI indicator a merchant receives may instruct them to proceed with a purchase. Or, it may inform them that an unsuccessful attempt was made to authenticate the customer, or that the buyer is not the authorized cardholder.

Learn More About ECI Indicators

Why Did a 3-D Secure Authentication Error Occur?

An “Authentication Failed” response typically indicates an error in the details entered by the customer. This could be related to card details, such as the wrong card number, expiration date, or an incorrect authentication passcode.

In this case, the customer's card provider will halt the payment and impede further transaction progress. This protective measure deters fraudsters.

The cardholder may retry the authentication process to correct the error. If the customer has verified their card details and fulfilled the correct 3DS security conditions, but still encounters a failure message, they should reach out to their card provider for assistance.

It's crucial to remember that certain browser extensions may disrupt the 3-D Secure page's functioning. For instance, pop-up blockers could hinder the 3DS page's performance. Deactivating browser extensions, or attempting the payment through a different browser, could then resolve the error message.

Stop fraud. Save time. Prevent chargebacks.REQUEST A DEMO

Where is 3-D Secure Authentication Currently Available?

3-D Secure is widely deployed across global eCommerce platforms, including regions like Europe, the US, Australia, China, India, and Singapore.

3-D Secure is not legally mandatory across all regions. That said, the EU's PSD2 regulation, enacted in 2018-2019, sought to bolster online card transaction security and curb fraud risks. One crucial component of PSD2 is the Strong Customer Authentication (SCA) requirement (above), enforced since September 2021 in the European Economic Area and the UK. This rule makes 3DS compulsory for sites accepting credit and debit transactions.

According to SCA stipulations, banks must perform dual identity verification checks for online payments and bank transfers. This two-factor authentication mandates that a customer provide at least two elements of identity verification to complete an online transaction.

By integrating 3-D Secure, businesses can ensure they’re adhering to SCA requirements. The technology fulfills the two tiers of Strong Customer Authentication needed to validate their identity.

Learn More About SCA

How to Set up 3-D Secure Authentication

To implement 3-D Secure, merchants need to follow a few steps:

Step #1 | Consult With Acquirer or PSP

Merchants should start by speaking with their acquiring bank or payment service provider. This entity can provide detailed information about how to enable 3-D Secure and the costs.

Step #2 | Integration with 3-D Secure

Most payment gateways and platforms provide support for 3-D Secure. Merchants may need to integrate the protocol into their online payment systems. This could involve updating software or adding new plug-ins.

Step #3 | Enrollment in 3-D Secure Program

The merchant needs to enroll in a 3-D Secure program provided by the card networks they accept, such as Verified by Visa, Mastercard SecureCode, or American Express SafeKey.

Step #4 | Testing

After implementation, rigorous testing should be conducted to ensure the system works as expected without disrupting the customer experience. Verifying that low-risk transactions are handled smoothly, and that high-risk ones trigger the appropriate additional authentication steps, are both essential.

Step #5 | Customer Education

Finally, it's advisable for merchants to educate their customers about the new security feature. Clear communication can help alleviate customer concerns about additional authentication steps and positively influence the perception of enhanced security.

Remember!

Implementation details may vary based on the specific platforms and tools used by the merchant. It's always a good idea to consult with experts or seek professional assistance to ensure a smooth implementation process.

Does 3DS Make a Transaction "Chargeback-Proof"?

Unfortunately not. 

This is a common misconception. The 3DS2 protocol has proven to be a highly effective fraud deterrent. However, this only applies to chargebacks designated with a “Fraud” reason code.

With Visa transactions, for instance, 3DS would prevent chargebacks from being filed using reason code 10.4 — Other Fraud: Card-absent Environment / Condition. However, the transaction could still be subject to disputes filed using a “Processing Error” or “Customer Dispute” reason code.

3DS can be very effective at stopping third-party fraud. However, it does nothing to prevent first-party fraud, which makes up the bulk of the average merchant’s chargebacks. First-party fraud happens post-transaction; authenticating the customer prior to purchase doesn’t help if the fraud occurs after the fact.

3-D Secure is a great tool, but it works best as part of a multi-level fraud and chargeback management strategy. This calls for deploying multiple complementary tools, all backed by fraud scoring, which will allow merchants to automatically decline orders that present too much risk. This, coupled with optimized policies and best practices, will go a long way to help protect business against fraud and chargebacks.

Learn More About Chargeback Management

Interested in learning more about 3-D Secure? Or, have questions about any other aspect of chargeback management? Contact Chargebacks911® today.

We can show you how to take chargebacks completely off your plate and increase your ROI. Help is just a click away.

FAQs

What does 3-D Secure mean?

The “3-D” in 3-D Secure stands for “three domains,” referencing the trio of distinct domain servers essential for protocol execution: the merchant, issuer, and interoperability domains.

How do I activate 3-D Secure?

Consult with your acquirer or payment service provider (PSP) first, then enroll in the 3DS platform. Next, you’ll integrate your 3DS account with your payment gateway or POS. Lastly, you’ll want to test the integration to ensure all components are working.

Should I enable 3-D Secure?

Yes. While “lower risk” payments (for instance, payments below $30) might not require 3DS authentication, it’s a good idea for merchants to have that extra authentication step enabled whenever possible. 

Does 3-D Secure prevent chargebacks?

No. The 3DS2 protocol has proven to be a highly effective fraud deterrent, but it doesn’t prevent or resolve non-fraud chargebacks at all. Aside from this, the protocol is also more prone to false positives. Customers can be confused by the pop-up window or annoyed at the extra step at checkout. Either situation can lead to cart abandonment.

Can 3-D Secure be bypassed?

Yes. This can be done legitimately using transaction risk analysis. That said, any anti-fraud protocol can be bypassed under the right circumstances. Merchants should take that into account when building their fraud prevention strategies.

Which banks use 3-D Secure?

3-D Secure is widely adopted across global eCommerce platforms, including regions like Europe, the US, Australia, China, India, and Singapore.
 
All banks and credit card processing networks in the U.S. require 3-D Secure, so most credit cards should be accepted and not require extra authentication.

Like What You're Reading? Join our newsletter and stay up to date on the latest in payments and eCommerce trends.
Newsletter Signup
We’ll run the numbers; You’ll see the savings.
triangle shape background particle triangle shape background particle triangle shape background particle
Please share a few details and we'll connect with you!
Revenue Recovery icon
Over 18,000 companies recovered revenue with products from Chargebacks911
Close Form
Embed code has been copied to clipboard
  翻译: