3DSecure: Difference between revisions

From Barion Documentation
Jump to navigation Jump to search
mNo edit summary
No edit summary
 
(20 intermediate revisions by 4 users not shown)
Line 3: Line 3:




3D Secure (3DS, Three-Domain Secure) is a messaging protocol developed by [https://www.emvco.com EMVCo] to provide a more secure online card payment process. It enables consumers to authenticate themselves with their card issuer when making card-not-present (CNP) e-commerce purchases.  
3D Secure ([https://en.wikipedia.org/wiki/3-D_Secure|3DS, Three-Domain Secure]) is a messaging protocol developed by [https://www.emvco.com EMVCo] that provides a more secure online card payment process. It enables consumers to authenticate themselves with their card issuer when making card-not-present (CNP) e-commerce purchases.  
If the card is enrolled into 3DS authentication, additional information is required to decide whether the purchase is fraudulent or not. This decision is made by the card's issuer (the bank or other institution that issued the card) not by the Barion system.  
If the card is enrolled into 3DS authentication, additional information is required to decide whether the purchase is fraudulent or not. This decision is made by the card issuer (the bank or other institution that issued the card), not by the Barion system.  


There are two major versions of the protocol:  
There are two major versions of the protocol:  
* '''3D Secure 1''' is a HTTP redirect based scenario where the customer almost always needs to provide some extra proof for the transaction. The verification is usually a password or SMS code. Card schemes will decommission 3D Secure 1 by 2021/2022. Barion does not support this old protocol.
* '''3D Secure 1''' is an HTTP redirect-based scenario where the customer almost always needs to provide some extra proof for the transaction. The verification is usually a password or SMS code. Card schemes decommissioned 3D Secure 1 in 2021/2022. Barion does not support this old protocol.


* '''3D Secure 2''' is more sophisticated and uses additional information about the purchase, the shop and the cardholder to make the decision. This requires more input data but provides better flow with less friction. The card issuer may verify the shopper's identity using passive, biometric, and two-factor authentication approaches. According to the [https://en.wikipedia.org/wiki/Strong_customer_authentication Strong Customer Authenticaton (SCA) rules of PSD2 RTS] every card issued in the EU has to be authenticated. 3D Secure 2 complies with the regulation.
* '''3D Secure 2''' is more sophisticated and uses additional information about the purchase, the shop, and the cardholder to make the decision. This requires more input data but provides better flow with less friction. The card issuer may verify the shopper's identity using passive, biometric, and two-factor authentication approaches. According to the [https://en.wikipedia.org/wiki/Strong_customer_authentication Strong Customer Authentication (SCA) rules of PSD2 RTS] every card issued in the EU has to be authenticated. 3D Secure 2 complies with the regulation.


{{NotificationBox|title=IMPORTANT|text=If the shopper completes a 3DSecure authenticaton successfully, the liability shifts from the merchant to the card issuer in case of fraud.|color=#FF7A3D}}
{{NotificationBox|title=IMPORTANT|text=If the shopper completes a 3DSecure authentication successfully, the liability shifts from the merchant to the card issuer in case of fraud.|color=#FF7A3D}}
==Liability shift rules==
==Liability shift rules==
If a merchant implements 3D Secure authentication, he/she can avoid the liability for chargebacks in case of fraud (e.g. chargeback claim because of lost or stolen cards). This is called a liability shift.
If a merchant implements 3D Secure authentication, they can avoid liability for chargebacks in case of fraud (that is, chargeback claims because of lost or stolen cards). This is called a liability shift.
In general if a shopper completes a 3D Secure challenge authentication flow succesfully, the liability for fraudulent chargebacks shifts from the merchant to the card issuer.
In general, if a shopper completes a 3D Secure challenge authentication flow successfully, the liability for fraudulent chargebacks shifts from the merchant to the card issuer.


{| class="wikitable"
{| class="wikitable"
Line 22: Line 22:


|-
|-
|3D Secure 2 transactions with challange.||style="text-align:center;" |Yes
|3D Secure 2 transactions with challenge.||style="text-align:center;" |Yes


|-
|-
|3D Secure 2 transactions where '''card issuer applies a PSD2 exemption''' without the merchant requesting it. E.g. issuer TRA.||style="text-align:center;" |Yes
|3D Secure 2 transactions where '''card issuer applies a PSD2 exemption''' without the merchant requesting it. For example, issuer TRA.||style="text-align:center;" |Yes


|-
|-
|3D Secure 2 PSD2 SCA out-of-scope transactions: shopper's issuer is outside of the EEA, anonymous prepaid cards up to 150€ or merchant initiated transactions.||style="text-align:center;" |No
|3D Secure 2 PSD2 SCA out-of-scope transactions: shopper's issuer is outside of the EEA, anonymous prepaid cards up to 150€ or merchant-initiated transactions.||style="text-align:center;" |No


|-
|-
Line 38: Line 38:


The payment follows these steps:
The payment follows these steps:
# The shopper checks out from the merchant's website and decides to pay for the goods via Barion.
# You check out your purchase from the merchant's website and select to pay via Barion.
# Shopper is redirected to the Barion Smart Gateway.
# You are redirected to the Barion Smart Gateway.
# Shopper inputs card details and clicks the ''Pay'' button. <br/>--- Until this point nothing changed ---
# You input your card details and click '''Pay'''.  
# Barion checks whether the card the shopper used is a 3DSecure capable card and also the version the issuer supports. If the card is not '''3DSecure capable''', the card authorization (charge) goes along without any extra step.  
# Barion checks whether the card you used is a 3DSecure capable card and also the version the issuer supports. If the card is not '''3DSecure capable''', the card authorization (charge) goes along without any extra steps.  
# If the card is 3D Secure capable  
# If the card is 3D Secure capable with 3DSecure 2, the flow changes:
#* with 3DSecure 1, the v1 flow will be started:
#*# Barion starts the 3DS authentication in the background and sends the relevant information about the purchase to the card issuer. From this information, the issuer decides whether the payment is secure or if you should be challenged in some form.
#*# an authentication screen is displayed for the shopper within the Barion UI
#*# If the result is that you '''should not be challenged''' (this is the frictionless flow) your card is charged and the payment flow continues.
#*# the customer must complete the challenge displayed
#*# If the result is that the issuer '''needs more proof''' from you, a popup window is displayed. In this window, the issuer displays ''something'' for you. The content varies according to the issuer, and it allows you to provide proof (SMS, token, question).
#*# if the challenge is successful the payment process continues
#*# After you successfully complete the challenge, the card is authenticated and the payment flow continues with the authorization of the card. The card can still be declined after successful 3DS authentication.
#* with 3DSecure 2, the v2 flow will be started:
# At the end of the payment you are redirected to the merchant's website.
#*# Barion starts the 3DS authentication in the background. Sends a lot of ''relevant'' information about the purchase to the card issuer. From this information the issuer decides whether the payment is secure or should the customer be challenged in some form.
#*# If the result is that the customer '''should not be challenged''' (it is called frictionless flow) the customer's card is charged and the payment flow is continued.
#*# If the result is that the issuer '''needs more proof''' from the customer a popup window will be displayed. In this window the issuer will display ''something'' for the customer. The content is up to the issuer but will be something that allows the customer to provide proof (SMS, token, question).
#*# After the customer successfully completed the challenge the card is authenticated and the payment flow continues with the authorization of the card. The card still can be declined after successful 3DS authentication.
# At the end of the payment the customer will be redirected to the merchant's website
 
== 3D Secure 1 ==
 
In case the card is protected with 3DSecure 1 the customer will be presented with a popup. This popup will show an extra authentication step that has to be completed in order to continue the payment.


== 3D Secure 2 ==
== 3D Secure 2 ==


The reason behind the second version was to provide a way to achieve the same level of security for the authentication but with less friction. For this a lot more information is required (or at least it is strongly recommended to provide them). This information comes from different sources:
The reason behind the second version was to provide a way to achieve the same level of security for authentication but with less friction. For this, a lot more information is required (or at least it is strongly recommended to provide them). This information comes from different sources:
* merchant's data about the customer (purchase behavior, addresses, etc)
* merchant's data about the customer (purchase behavior, addresses, and so on)
* customer's browser information (screen size, timezone, language, etc)
* customer's browser information (screen size, timezone, language, and so on)
* customer provided data (card information, e-mail address)  
* customer provided data (card information, e-mail address)  
* Barion's data about the merchant, the purchase and the customer (merchant's MCC code, name of the shop, etc)
* Barion's data about the merchant, the purchase, and the customer (merchant's MCC code, name of the shop, and so on)


The card issuer receives this information package and calculates the risk of the transaction. The result of this calculation specifies the flow:
The card issuer receives this information package and calculates the risk of the transaction. The result of this calculation specifies the flow:
* Frictionless flow: The customer will not be presented with any challenge screen, no more information needed, the authorization can take place.
* Frictionless flow: The customer is not presented with any challenge screen, no more information is needed, and authorization can take place.
* Challenge flow: The information was not sufficient, additional challenge is needed to make sure that the card is not stolen.
* Challenge flow: The information is not sufficient, an additional challenge is needed to make sure that the card is not stolen.
 
To achieve the frictionless flow the merchant has to provide as many information as possible about the purchase and the customer. This must be provided during the [[Payment-Start-v2-3DS|v2/payment/start]] API call. The properties marked as '''3DS''' must be specified. However there are scenarios where not all of this data is available. In these cases there are ways to indicate the lack of information. If the merchant does not provide the necessary data the payment will be most likely fall into the challenge flow. This should be avoided because it causes friction and may result in the customer leaving the payment.
 
Although providing this data enhances the possibility of the frictionless flow it does not make it certain. This decision is up to the card issuer, Barion does not influence it. In case of challenge flow the card issuer will provide a challenge screen that the customer must complete. This can be various things: one time password sent via text, secret password, etc.
 
=== Token payment with 3D Secure v2 ===


A token payment is a payment where the customer (the payer) is not redirected to the Barion Smart Gateway instead a previously created token is used to charge the customer. The second version of 3DS defines different scenarios for different token payments.  
<div>
To achieve the frictionless flow the merchant has to provide as much information as possible about the purchase and the customer. This must be provided during the [[Payment-Start-v2-3DS|v2/payment/start]] API call. The properties marked as {{3dsfield}} must be specified. However, there are scenarios where not all of this data is available. In these cases, there are ways to indicate the lack of information. If the merchant does not provide the necessary data, the payment typically falls into the challenge flow. Ideally, we should avoid this as it causes friction and may result in the customer leaving the payment.
</div>


* '''Merchant Initiated Transaction''' is when the merchant initiates the payment without the customer being present on the merchant's website. In this scenario no 3DS authentication is required.
Although providing this data enhances the possibility of frictionless flow, it does not make it certain. This decision is up to the card issuer, Barion does not influence it. In case of challenge flow the card issuer provides a challenge screen that the customer must complete. This can be various things: one-time passwords sent via text, secret passwords, biometric identification, and so on.
* '''One Click Payment''' is when the merchant makes is available for the customer to purchase goods without using the Barion Smart Gateway to input thpayment e information again. In this case the customer is present at the time of the purchase but does not get redirected to Barion the payment happens in the background. The main point here is that customer initiates the payment process. In this scenario the 3DS authentication is required.
* '''Recurring Payment''' is the scenario where the customer already authorized the merchant to charge it's funding source without being present. In this case the customer is not present during the payment process. This is used for subscription based scenarios where the customer is charged regularly with the same amount for the services. This type of token payment can be exempted from the <abbr title="Strong Customer Authenticatio">SCA</abbr>


In case of '''One Click Payment''' the merchant has to reference JavaScript file provided by Barion on the checkout page.  
== Known issues ==
* If the user is challenged, additional user interaction is required, which results in increased abandonment. We recommend the following to reduce the churn:
** Send all available fields marked with the {{3dsfield}} badge in the [[Payment-Start-v2|PaymentStart]] request.
** Request [[ChallengePreference|TRA]] exemption. <br /> '''Note''': If you apply for this option, you are held liable in case of fraud.


{{draft|text=TODO: Describe the One Click Payment process in detail }}
== Additional resources ==
*[[Token_payment_3D_Secure|3DSecure Token payment]]
*[[3DS_FAQ|3DSecure FAQ]]

Latest revision as of 13:45, 13 March 2024

3DSecure


3D Secure (Three-Domain Secure) is a messaging protocol developed by EMVCo that provides a more secure online card payment process. It enables consumers to authenticate themselves with their card issuer when making card-not-present (CNP) e-commerce purchases. If the card is enrolled into 3DS authentication, additional information is required to decide whether the purchase is fraudulent or not. This decision is made by the card issuer (the bank or other institution that issued the card), not by the Barion system.

There are two major versions of the protocol:

  • 3D Secure 1 is an HTTP redirect-based scenario where the customer almost always needs to provide some extra proof for the transaction. The verification is usually a password or SMS code. Card schemes decommissioned 3D Secure 1 in 2021/2022. Barion does not support this old protocol.
  • 3D Secure 2 is more sophisticated and uses additional information about the purchase, the shop, and the cardholder to make the decision. This requires more input data but provides better flow with less friction. The card issuer may verify the shopper's identity using passive, biometric, and two-factor authentication approaches. According to the Strong Customer Authentication (SCA) rules of PSD2 RTS every card issued in the EU has to be authenticated. 3D Secure 2 complies with the regulation.
IMPORTANT
If the shopper completes a 3DSecure authentication successfully, the liability shifts from the merchant to the card issuer in case of fraud.

Liability shift rules

If a merchant implements 3D Secure authentication, they can avoid liability for chargebacks in case of fraud (that is, chargeback claims because of lost or stolen cards). This is called a liability shift. In general, if a shopper completes a 3D Secure challenge authentication flow successfully, the liability for fraudulent chargebacks shifts from the merchant to the card issuer.

Transaction type Liability shift to card issuer?
3D Secure 2 transactions with challenge. Yes
3D Secure 2 transactions where card issuer applies a PSD2 exemption without the merchant requesting it. For example, issuer TRA. Yes
3D Secure 2 PSD2 SCA out-of-scope transactions: shopper's issuer is outside of the EEA, anonymous prepaid cards up to 150€ or merchant-initiated transactions. No
3D Secure 2 transactions where merchant or acquirer requests for a PSD2 exemption and the issuer grants an exemption. No

The payment process

The payment follows these steps:

  1. You check out your purchase from the merchant's website and select to pay via Barion.
  2. You are redirected to the Barion Smart Gateway.
  3. You input your card details and click Pay.
  4. Barion checks whether the card you used is a 3DSecure capable card and also the version the issuer supports. If the card is not 3DSecure capable, the card authorization (charge) goes along without any extra steps.
  5. If the card is 3D Secure capable with 3DSecure 2, the flow changes:
      1. Barion starts the 3DS authentication in the background and sends the relevant information about the purchase to the card issuer. From this information, the issuer decides whether the payment is secure or if you should be challenged in some form.
      2. If the result is that you should not be challenged (this is the frictionless flow) your card is charged and the payment flow continues.
      3. If the result is that the issuer needs more proof from you, a popup window is displayed. In this window, the issuer displays something for you. The content varies according to the issuer, and it allows you to provide proof (SMS, token, question).
      4. After you successfully complete the challenge, the card is authenticated and the payment flow continues with the authorization of the card. The card can still be declined after successful 3DS authentication.
  6. At the end of the payment you are redirected to the merchant's website.

3D Secure 2

The reason behind the second version was to provide a way to achieve the same level of security for authentication but with less friction. For this, a lot more information is required (or at least it is strongly recommended to provide them). This information comes from different sources:

  • merchant's data about the customer (purchase behavior, addresses, and so on)
  • customer's browser information (screen size, timezone, language, and so on)
  • customer provided data (card information, e-mail address)
  • Barion's data about the merchant, the purchase, and the customer (merchant's MCC code, name of the shop, and so on)

The card issuer receives this information package and calculates the risk of the transaction. The result of this calculation specifies the flow:

  • Frictionless flow: The customer is not presented with any challenge screen, no more information is needed, and authorization can take place.
  • Challenge flow: The information is not sufficient, an additional challenge is needed to make sure that the card is not stolen.
To achieve the frictionless flow the merchant has to provide as much information as possible about the purchase and the customer. This must be provided during the v2/payment/start API call. The properties marked as
3DS
must be specified. However, there are scenarios where not all of this data is available. In these cases, there are ways to indicate the lack of information. If the merchant does not provide the necessary data, the payment typically falls into the challenge flow. Ideally, we should avoid this as it causes friction and may result in the customer leaving the payment.

Although providing this data enhances the possibility of frictionless flow, it does not make it certain. This decision is up to the card issuer, Barion does not influence it. In case of challenge flow the card issuer provides a challenge screen that the customer must complete. This can be various things: one-time passwords sent via text, secret passwords, biometric identification, and so on.

Known issues

  • If the user is challenged, additional user interaction is required, which results in increased abandonment. We recommend the following to reduce the churn:
    • Send all available fields marked with the
      3DS
      badge in the PaymentStart request.
    • Request TRA exemption.
      Note: If you apply for this option, you are held liable in case of fraud.

Additional resources