What is 3-D Secure version 2?

 

What is 3-D Secure?

3-D Secure is a standard designed to reduce fraud and chargebacks during e-commerce transactions. It allows card issuers to provide an extra level of protection, by authenticating cardholders at the point of sale (e.g. with a secret password or biometrics) if the payment is deemed high risk. Exemptions apply for MOTO (Mail or Telephone Order) transactions and/or MIT (Merchant Initiated Transactions), for which 3-D Secure cannot be performed.

 

Compliance with Revised Directive on Payment Services (PSD2)

The Revised Directive on Payment Services (PSD2) mandates that a form of Strong Customer Authentication (SCA) is performed on all transactions initiated by the customer through their browser. You will need to utilise 3-D Secure to comply with PSD2.

 

Process overview

The following diagrams show standard e-commerce transactions using 3-D Secure:

When payment is deemed low-risk

Frictionless payment allows for a streamlined checkout experience

 

 

  1. The customer enters their card details on your checkout and clicks on the “Pay” button.
  2. Data regarding the payment session and customer’s device is shared with the card issuer. The customer is deemed low-risk, so no action is needed on their part to verify their identity.
  3. Following these checks the payment will be processed. The checkout will then display a success message to the customer.

If the authentication fails, your checkout will display an error message and provide the customer an opportunity to re-attempt payment or provide an alternative card.

 

When payment is deemed high-risk

Customer will be challenged prior to completing the purchase

 

 

  1. The customer enters their card details on your checkout and clicks on the “Pay” button.
  2. Data regarding the payment session and customer’s device is shared with the card issuer. The customer is deemed high-risk, so their browser may display an overlay prompting them to complete some basic actions to authenticate their identity.
  3. Following any authentication steps required by the customer’s card issuer, the overlay will close automatically, and the payment will be processed. The checkout will then display a success message to the customer.

If the authentication fails, your checkout will display an error message and provide the customer an opportunity to re-attempt payment or provide an alternative card.

 


 

Checks performed

The card issuer is able to utilise a rich data-set in order to determine the risk of fraud. Typical examples include:

 


 


 

Methods of authentication

The following are methods that card issuers may use to verify the identity of customers performing transactions:

 

 

 

Notes:

  • For most legitimate transactions, the customer will not be prompted to perform any of these authentication methods, as the card issuer has already performed enough checks in the background to be satisfied the transaction poses minimal risk of fraud.
  • The authentication method is determined by the card issuer and cannot be affected by the merchant.

 


 

Liability shift

Similar to 3-D Secure version 1, if the customer is authenticated as part of the 3-D Secure version 2 process and it is later determined that fraud has been committed, the card issuer will normally take financial responsibility for the chargeback.


 


 

What is the difference between 3-D Secure version 1 and 2?

The original 3-D Secure standard was launched in 2010. It was an important step taken by the banking and e-commerce industry to protect businesses and their customers from fraud. While remaining a popular method of securing online checkouts, there have been many changes in the way customers make purchases online since 3-D Secure was first introduced. More than ever, consumers expect a secure and frictionless checkout experience, with which they can complete payments on their device of choice (be that a desktop computer or smartphone).

3-D Secure version 2 was introduced in late 2019 to address these new demands. It enables you to further strengthen the security of your checkout, allowing for intelligent authentication which is faster and easier for your customers than ever before. Read the table below to learn how:

 

| Version 1 | Version 2 |
| --- | --- |
| Both standards are compliant with PSD2. | Both standards are compliant with PSD2. |
| In the event of a dispute with the transaction at a later date, the card issuer will take financial responsibility for the chargeback in most instances. | In the event of a dispute with the transaction at a later date, the card issuer will take financial responsibility for the chargeback in most instances. |
| Allows for checking of a basic set of metadata and session data during the transaction, and is more likely to interrupt customers to perform authentication. | Checks a richer set of metadata and session data during the transaction, allowing most payments to be processed without interruption. |
| Authentication using PIN or passwords that the customer may struggle to remember. | Authentication can be performed with biometrics (fingerprint / facial recognition) or sending a code to a customer’s mobile device (two-factor authentication). |
| Minimal support for modern mobile devices. | Comprehensive support for modern mobile devices. |

 


 

Which version of 3-D Secure is my system using?

 

For those using our API, check the response

 

Check our records by performing a transaction query

You can submit a TRANSACTIONQUERY request to Trust Payments using our Webservices API, passing through the transactionreference of the relevant AUTH. Check the value of the threedversion field returned in the record to determine the 3-D Secure version.

 

Check our records by signing into MyST

Sign in to MyST and view the details of transactions you have been processing. The 3-D Secure version should be displayed under the “3-D Secure” tab.

 

About downgrades to 3-D Secure version 1

If the customer’s card is not enrolled in a 3-D Secure version 2 scheme, the card will instead be checked for enrolment in a 3-D Secure version 1 scheme. If it is enrolled, the 3-D Secure version 1 standard is used instead, to ensure the customer is authenticated. For this reason, even if your site reference(s) is configured to use 3-D Secure version 2, some payments in your records may still be shown as processed using 3-D Secure version 1.
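The transaction query check and the downgrade behaviour described above can be combined into a simple audit. The following is an added example, not Trust Payments code: it groups queried records by their threedversion value and lists the payments that fell back to version 1. The record shape (a flat mapping of field names to strings), the dotted version format and all sample values are assumptions; only the transactionreference and threedversion field names come from this page.

```python
from collections import Counter

# Constructed sample records (not real transactions). Assumed shape: each
# record returned by a TRANSACTIONQUERY is a flat mapping of field names to
# strings; only transactionreference and threedversion come from this page.
SAMPLE_RECORDS = [
    {"transactionreference": "EXAMPLE-0001", "threedversion": "2.2.0"},
    {"transactionreference": "EXAMPLE-0002", "threedversion": "1.0.2"},
    {"transactionreference": "EXAMPLE-0003", "threedversion": "2.1.0"},
    {"transactionreference": "EXAMPLE-0004"},                    # field absent
    {"transactionreference": "EXAMPLE-0005", "threedversion": ""},
]


def threeds_major(record):
    """Return 1 or 2 for the record's 3-D Secure major version, else None."""
    raw = str(record.get("threedversion") or "").strip()
    head = raw.split(".", 1)[0]          # assumed dotted form, e.g. "2.1.0"
    if head in ("1", "2"):
        return int(head)
    return None                          # absent, empty or unrecognised


def audit_versions(records):
    """Group records by 3-D Secure version for a site configured for v2."""
    counts = Counter()
    report = {"downgraded": [], "no_version": []}
    for rec in records:
        ref = rec.get("transactionreference", "<missing reference>")
        major = threeds_major(rec)
        if major == 2:
            counts["v2"] += 1
        elif major == 1:
            counts["v1"] += 1
            report["downgraded"].append(ref)   # fell back to version 1
        else:
            counts["none"] += 1
            report["no_version"].append(ref)   # review these individually
    report["counts"] = dict(counts)
    total = len(records)
    report["downgrade_rate"] = counts["v1"] / total if total else 0.0
    return report


if __name__ == "__main__":
    for key, value in audit_versions(SAMPLE_RECORDS).items():
        print(f"{key}: {value}")
```

Records that carry no threedversion value are reported separately rather than counted as version 1, so they can be checked by hand in MyST.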

 


 

Enabling 3-D Secure version 2 on your site reference(s)

 

Payment Pages

Contact our Support Team to discuss configuring your site reference(s) to support 3-D Secure version 2.

 

JavaScript Library

 


 

Glossary of 3-D Secure version 2 terminology

Frictionless payment

One of the advantages of version 2 is the enhanced nature of checks performed in real time during the checkout process, allowing the card issuer to determine with greater certainty whether or not a given transaction poses a risk of fraud. Because of this, most legitimate transactions are correctly determined to be safe to proceed without prompting the customer to verify their identity. For this reason, scenarios in which the customer can complete payment without interruption from 3-D Secure processes are often referred to as “frictionless”.

 

Step-up authentication

When 3-D Secure checks raise doubts over the customer’s intentions during a payment session, they may be asked to perform additional steps to verify their identity. This may involve the customer entering a pre-assigned PIN or password, using biometric security (i.e. fingerprint or facial recognition) or performing two-factor authentication (prompting the customer to enter a code sent to another device they own). The term “step-up” is used to highlight how security measures are heightened in situations where the card issuer suspects the customer’s account presents a higher risk of fraud.