What is 3-D Secure version 2?
What is 3-D Secure?
3-D Secure is a standard designed to reduce fraud and chargebacks during e-commerce transactions. It allows card issuers to provide an extra level of protection, by authenticating cardholders at the point of sale (e.g. with a secret password or biometrics) if the payment is deemed high risk. Exemptions apply for MOTO (Mail or Telephone Order) transactions and/or MIT (Merchant Initiated Transactions), for which 3-D Secure cannot be performed.
The Revised Directive on Payment Services (PSD2) mandates that a form of Strong Customer Authentication (SCA) is performed on all transactions initiated by the customer through their browser. You will need to utilise 3-D Secure to comply with PSD2.
Process overview
The following diagrams show standard e-commerce transactions using 3-D Secure:
When payment is deemed low-risk
Frictionless payment allows for a streamlined checkout experience
- The customer enters their card details on your checkout and clicks on the “Pay” button.
- Data regarding the payment session and customer’s device is shared with the card issuer. The customer is deemed low-risk, so no action is needed on their part to verify their identity.
- Following these checks the payment will be processed. The checkout will then display a success message to the customer.
If the authentication fails, your checkout will display an error message and provide the customer an opportunity to re-attempt payment or provide an alternative card.
When payment is deemed high-risk
Customer will be challenged prior to completing the purchase
- The customer enters their card details on your checkout and clicks on the “Pay” button.
- Data regarding the payment session and customer’s device is shared with the card issuer. The customer is deemed high-risk, so their browser may display an overlay prompting them to complete some basic actions to authenticate their identity.
- Following any authentication steps required by the customer’s card issuer, the overlay will close automatically, and the payment will be processed. The checkout will then display a success message to the customer.
If the authentication fails, your checkout will display an error message and provide the customer an opportunity to re-attempt payment or provide an alternative card.
Checks performed
The card issuer is able to utilise a rich data-set in order to determine the risk of fraud. Typical examples include:
Click here to learn more about checks performed by card issuers >>>
Methods of authentication
The following are methods that card issuers may use to verify the identity of customers performing transactions:
- For most legitimate transactions, the customer will not be prompted to perform any of these authentication methods, as the card issuer has already performed enough checks in the background to be satisfied the transaction poses minimal risk of fraud.
- The authentication methods is determined by the card issuer and cannot be affected by the merchant
Liability shift
Similar to 3-D Secure version 1, if the customer is authenticated as part of the 3-D Secure version 2 process and it is later determined that fraud has been committed, the card issuer will normally take financial responsibility for the chargeback.
Click here to view a table that outlines in which scenarios the card issuer would be liable
What is the difference between 3-D Secure version 1 and 2?
The original 3-D Secure standard was launched in 2010. It was an important step taken by the banking and e-commerce industry to protect businesses and their customers from fraud. While remaining a popular method of securing online checkouts, there have been many changes in the way customers make purchases online since 3-D Secure was first introduced. More than ever, consumers expect a secure and frictionless checkout experience, with which they can complete payments on their device of choice (be that a desktop computer or smartphone).
3-D Secure version 2 was introduced in late 2019 to address these new demands. It enables you to further strengthen the security of your checkout, allowing for intelligent authentication which is faster and easier for your customers than ever before. Read the table below to learn how:
| Version 1 | Version 2 |
 Both standards are compliant with PSD2. |
Both standards are compliant with PSD2. |
| In the event of a dispute with the transaction at a later date, the card issuer will take financial responsibility for the chargeback in most instances. |
In the event of a dispute with the transaction at a later date, the card issuer will take financial responsibility for the chargeback in most instances. |
 Allows for checking of a basic set of metadata and session data during the transaction, and is more likely to interrupt customers to perform authentication. |
Checks a richer set of metadata and session data during the transaction, allowing most payments to be processed without interruption. |
| Authentication using PIN or passwords that the customer may struggle to remember. |
Authentication can be performed with biometrics (fingerprint / facial recognition) or sending a code to a customer’s mobile device (two-factor authentication). |
| Minimal support for modern mobile devices. |
Comprehensive support for modern mobile devices. |
Which version of 3-D Secure is my system using?
For those using our API, check the response
- If you are using version 3 of our JavaScript Library or our Mobile SDK, all transactions will attempt 3-D Secure version 2, providing you specify the “THREEDQUERY” request in your JWT payload. Check the value of the threedversion field returned in the JWT response to determine the 3-D Secure version.
(See below to learn about situations where transactions may be downgraded to 3-D Secure version 1) - If you are using version 2 of our JavaScript Library, all transactions will attempt 3-D Secure version 2. Check the value of the threedversion field returned in the JWT response to determine the 3-D Secure version.
(See below to learn about situations where transactions may be downgraded to 3-D Secure version 1) - If you are using version 1 of our JavaScript Library or using our Webservices API, transactions will attempt 3-D Secure version 1 if you have configured your solution to do so (this involves submitting a THREEDQUERY request to check enrolment, and then manually redirecting the customer’s browser to the card issuer’s ACS server for authentication).
Check our records by performing a transaction query
You can submit a TRANSACTIONQUERY request to Trust Payments using our Webservices API, passing through the transactionreference of the relevant AUTH. Check the value of the threedversion field returned in the record to determine the 3-D Secure version.
Check our records by signing into MyST
Sign in to MyST and view the details of transactions you have been processing. The 3-D Secure version should be displayed under the “3-D Secure” tab.
About downgrades to 3-D Secure version 1
If the customer’s card is not enrolled in a 3-D Secure version 2 scheme, the card will instead be checked for enrolment in a 3-D Secure version 1 scheme. If this is the case, 3-D Secure version 1 standard is used instead, to ensure the customer is authenticated. For this reason, even if your site reference(s) is configured to use 3-D Secure version 2, some payments in your records may still be shown as processed using 3-D Secure version 1.
Enabling 3-D Secure version 2 on your site reference(s)
Payment Pages
Contact our Support Team to discuss configuring your site reference(s) to support 3-D Secure version 2.
JavaScript Library
- If you are using version 3 of our JavaScript Library, your site reference(s) is already configured to use 3-D Secure version 2. You will need to ensure that the “THREEDQUERY” request is submitted in the JWT payload, in order for 3-D Secure version 2 to be performed on a given transaction.
- If you are using version 2 of our JavaScript Library, your site reference(s) is already configured to use 3-D Secure version 2, which will be attempted for every transaction providing your acquiring bank supports this (no additional steps are needed).
- If you are using version 1 of our JavaScript Library, you will need to contact our Support Team to enable 3-D Secure version 2, and then migrate to JavaScript Library version 3.
Mobile SDK
- If you are using our Mobile SDK, your site reference(s) is already configured to use 3-D Secure version 2. You will need to ensure that the “THREEDQUERY” request is submitted in the JWT payload, in order for 3-D Secure version 2 to be performed on a given transaction.
Glossary of 3-D Secure version 2 terminology
Frictionless payment
One of the advantages of version 2 is the enhanced nature of checks performed in real time during the checkout process, allowing the card issuer to determine with greater certainty whether not a given transaction poses a risk of fraud. Because of this, most legitimate transactions are correctly determined to be safe to proceed without prompting the customer to verify their identity. For this reason, scenarios in which the customer can complete payment without interruption from 3-D Secure processes are often referred to as “frictionless”.
Step-up authentication
When 3-D Secure checks raise doubts over the customer’s intentions during a payment session, they may be asked to perform additional steps to verify their identity. This may involve the customer entering a pre-assigned PIN or password, using biometric security (i.e. fingerprint or facial recognition) or performing two-factor authentication (prompting the customer to enter a code sent to another device they own). The term “step-up” is used to highlight how security measures are heightened in situations where the card issuer suspects the customer’s account presents a higher risk of fraud.