3DSecure
3DSecure
3D Secure (3DS, Three-Domain Secure) is a messaging protocol developed by EMVCo to provide a more secure online card payment process. It enables consumers to authenticate themselves with their card issuer when making card-not-present (CNP) e-commerce purchases.
If the card is enrolled into 3DS authentication, additional information is required to decide whether the purchase is fraudulent or not. This decision is made by the card issuer (the bank or other institution that issued the card), not by the Barion system.
There are two major versions of the protocol:
- 3D Secure 1 is an HTTP redirect-based scenario where the customer almost always needs to provide some extra proof for the transaction. The verification is usually a password or SMS code. Card schemes will decommission 3D Secure 1 by 2021/2022. Barion does not support this old protocol.
- 3D Secure 2 is more sophisticated and uses additional information about the purchase, the shop, and the cardholder to make the decision. This requires more input data but provides better flow with less friction. The card issuer may verify the shopper's identity using passive, biometric, and two-factor authentication approaches. According to the Strong Customer Authentication (SCA) rules of PSD2 RTS every card issued in the EU has to be authenticated. 3D Secure 2 complies with the regulation.
Liability shift rules
If a merchant implements 3D Secure authentication, they can avoid liability for chargebacks in case of fraud (that is, chargeback claims because of lost or stolen cards). This is called a liability shift. In general, if a shopper completes a 3D Secure challenge authentication flow successfully, the liability for fraudulent chargebacks shifts from the merchant to the card issuer.
Transaction type | Liability shift to card issuer? |
---|---|
3D Secure 2 transactions with challenge. | Yes |
3D Secure 2 transactions where card issuer applies a PSD2 exemption without the merchant requesting it. For example, issuer TRA. | Yes |
3D Secure 2 PSD2 SCA out-of-scope transactions: shopper's issuer is outside of the EEA, anonymous prepaid cards up to 150€ or merchant-initiated transactions. | No |
3D Secure 2 transactions where merchant or acquirer requests for a PSD2 exemption and the issuer grants an exemption. | No |
The payment process
The payment follows these steps:
- The shopper checks out from the merchant's website and decides to pay for the goods via Barion.
- Shopper is redirected to the Barion Smart Gateway.
- Shopper inputs card details and clicks the Pay button.
--- Until this point, there is no difference in the workflow --- - Barion checks whether the card the shopper used is a 3DSecure capable card and also the version the issuer supports. If the card is not 3DSecure capable, the card authorization (charge) goes along without any extra steps.
- If the card is 3D Secure capable with 3DSecure 2, the v2 flow is started:
- Barion starts the 3DS authentication in the background and sends the relevant information about the purchase to the card issuer. From this information, the issuer decides whether the payment is secure or if the customer should be challenged in some form.
- If the result is that the customer should not be challenged (it is called frictionless flow) the customer's card is charged and the payment flow continues.
- If the result is that the issuer needs more proof from the customer a popup window is displayed. In this window, the issuer displays something for the customer. The content varies according to the issuer, and it allows the customer to provide proof (SMS, token, question).
- After the customer successfully completed the challenge the card is authenticated and the payment flow continues with the authorization of the card. The card still can be declined after successful 3DS authentication.
- At the end of the payment the customer is redirected to the merchant's website.
3D Secure 2
The reason behind the second version was to provide a way to achieve the same level of security for authentication but with less friction. For this, a lot more information is required (or at least it is strongly recommended to provide them). This information comes from different sources:
- merchant's data about the customer (purchase behavior, addresses, and so on)
- customer's browser information (screen size, timezone, language, and so on)
- customer provided data (card information, e-mail address)
- Barion's data about the merchant, the purchase, and the customer (merchant's MCC code, name of the shop, and so on)
The card issuer receives this information package and calculates the risk of the transaction. The result of this calculation specifies the flow:
- Frictionless flow: The customer is not presented with any challenge screen, no more information is needed, and authorization can take place.
- Challenge flow: The information is not sufficient, an additional challenge is needed to make sure that the card is not stolen.
Although providing this data enhances the possibility of the frictionless flow it does not make it certain. This decision is up to the card issuer, Barion does not influence it. In case of challenge flow the card issuer will provide a challenge screen that the customer must complete. This can be various things: one-time password sent via text, secret password, biometric identification, and so on.
Known issues
- If the shopper has no phone number registered, and no sms can be sent, the authentication fails.
- If the user is challenged, additional user interaction is required, which results in increased abandonment. We recommend the following to reduce the churn:
- Send all available fields marked with the 3DSbadge in the PaymentStart request
- Request TRA exemption. Note: If you apply for this option, you will be held liable in case of fraud.
- Send all available fields marked with the