3-D Secure version 2

What is 3-D Secure?

3-D Secure is a standard designed to reduce fraud and chargebacks during e-commerce transactions. It allows card issuers to provide an extra level of protection, by authenticating cardholders at the point of sale (e.g. with a secret password or biometrics) if the payment is deemed high risk. Exemptions apply for MOTO (Mail or Telephone Order) transactions and/or MIT (Merchant Initiated Transactions), for which 3-D Secure cannot be performed.

Compliance with Revised Directive on Payment Services (PSD2)

The Revised Directive on Payment Services (PSD2) mandates that a form of Strong Customer Authentication (SCA) is performed on all transactions initiated by the customer through their browser. You will need to utilise 3-D Secure to comply with PSD2.

Process overview

The following diagrams show standard e-commerce transactions using 3-D Secure:

When payment is deemed low-risk

Frictionless payment allows for a streamlined checkout experience

The customer enters their card details on your checkout and clicks on the “Pay” button.
Data regarding the payment session and customer’s device is shared with the card issuer. The customer is deemed low-risk, so no action is needed on their part to verify their identity.
Following these checks the payment will be processed. The checkout will then display a success message to the customer.

If the authentication fails, your checkout will display an error message and provide the customer an opportunity to re-attempt payment or provide an alternative card.

When payment is deemed high-risk

Customer will be challenged prior to completing the purchase

The customer enters their card details on your checkout and clicks on the “Pay” button.
Data regarding the payment session and customer’s device is shared with the card issuer. The customer is deemed high-risk, so their browser may display an overlay prompting them to complete some basic actions to authenticate their identity.
Following any authentication steps required by the customer’s card issuer, the overlay will close automatically, and the payment will be processed. The checkout will then display a success message to the customer.

If the authentication fails, your checkout will display an error message and provide the customer an opportunity to re-attempt payment or provide an alternative card.

Checks performed

The card issuer is able to utilise a rich data-set in order to determine the risk of fraud. Typical examples include:

Click here to learn more about checks performed by card issuers >>>

Methods of authentication

The following are methods that card issuers may use to verify the identity of customers performing transactions:

Notes:

For most legitimate transactions, the customer will not be prompted to perform any of these authentication methods, as the card issuer has already performed enough checks in the background to be satisfied the transaction poses minimal risk of fraud.
The authentication methods is determined by the card issuer and cannot be affected by the merchant

Liability shift

Similar to 3-D Secure version 1, if the customer is authenticated as part of the 3-D Secure version 2 process and it is later determined that fraud has been committed, the card issuer will normally take financial responsibility for the chargeback.

Click here to view a table that outlines in which scenarios the card issuer would be liable

3-D Secure v2 exemptions

There are certain scenarios where you, as a merchant, may deem the risk of fraud for a given transaction to be sufficiently low that you would prefer to bypass 3-D Secure authentication. In these situations, where you want to ensure the customer can complete their payment without the possibility of being interrupted to perform authentication, certain acquiring banks support the ability to flag transactions as exempt.

Only supported by certain acquiring banks.

Please contact your acquiring bank and check you are permitted to apply exemptions before updating your requests to do so, and contact our Support Team to check which of these exemptions are supported.

This functionality is subject to the following conditions:

Any transaction that your system flags as exempt from authentication is reviewed by the relevant card issuer prior to authorisation to check their pre-determined criteria for exemption have been met. They reserve the right to reject your request, in which case the transaction will still be subject to 3-D Secure authentication. There are different types of exemptions that can be applied. It is your responsibility to assign the correct exemption and ensure the transaction meets the necessary criteria for said exemption.
If a transaction is successfully exempted from 3-D Secure authentication, it will typically forgo the liability shift, meaning that if fraud occurs on the exempted transactions, you will be financially liable for the subsequent chargeback. The exact terms will depend on the relevant card issuer.
There are also certain situations where the card issuer may apply an exemption automatically (even if you do not request one) if certain conditions are met, in order to streamline the purchasing experience for the customer. If this occurs, the liability shift will not be affected.

Applying exemptions

To apply an exemption, you must either:

(For those using Payment Pages) include the scaexemptionindicator field in the POST to Trust Payments.
Click here to view full field specification for the POST >>>

(For those using our JavaScript Library or Mobile SDKs) include the scaexemptionindicator field in the JWT payload.
Click here for JavaScript Library documentation
Click here for Android SDK documentation
Click here for iOS SDK documentation

Field

Format

Description

scaexemptionindicator

Numeric (1)

Submit one of the following values:

1 – Low value
2 – Transaction Risk Analysis
3 – Trusted Merchant
4 – Secure Corporate payment
5 – Delegated authentication

Card issuers may enforce additional requirements for certain exemptions to be applied. They reserve the right to reject the request for an exemption. If this occurs, standard 3-D Secure authentication will be applied.

Checking if an exemption has been applied

To see if an exemption has been applied to a 3-D Secure transaction you can either:

View transaction details in MyST – Click the “3-D Secure” header and if an exemption has been applied, the field SCA Exemption Indicator is displayed with a numerical value.
Click here for documentation on viewing transactions in MyST >>>

(For those using Payment Pages) Check the URL notification – You can configure URL notifications posted to your servers to include the additional field scaexemptionindicator. This is returned in the notification with a numerical value when an exemption has been applied.
Click here to learn how to add fields to URL notifications >>>

(For those using our JavaScript Library or Mobile SDKs) Check the response JWT – If an exemption has been applied, the additional field scaexemptionindicator is returned in the response JWT with a numerical value.
Click here for JavaScript Library documentation
Click here for Android SDK documentation
Click here for iOS SDK documentation

What is the difference between 3-D Secure version 1 and 2?

The original 3-D Secure standard was launched in 2010. It was an important step taken by the banking and e-commerce industry to protect businesses and their customers from fraud. While remaining a popular method of securing online checkouts, there have been many changes in the way customers make purchases online since 3-D Secure was first introduced. More than ever, consumers expect a secure and frictionless checkout experience, with which they can complete payments on their device of choice (be that a desktop computer or smartphone).

3-D Secure version 2 was introduced in late 2019 to address these new demands. It enables you to further strengthen the security of your checkout, allowing for intelligent authentication which is faster and easier for your customers than ever before. Read the table below to learn how:

Version 1	Version 2
Both standards are compliant with PSD2.	Both standards are compliant with PSD2.
In the event of a dispute with the transaction at a later date, the card issuer will take financial responsibility for the chargeback in most instances.	In the event of a dispute with the transaction at a later date, the card issuer will take financial responsibility for the chargeback in most instances.
Allows for checking of a basic set of metadata and session data during the transaction, and is more likely to interrupt customers to perform authentication.	Checks a richer set of metadata and session data during the transaction, allowing most payments to be processed without interruption.
Authentication using PIN or passwords that the customer may struggle to remember.	Authentication can be performed with biometrics (fingerprint / facial recognition) or sending a code to a customer’s mobile device (two-factor authentication).
Minimal support for modern mobile devices.	Comprehensive support for modern mobile devices.

Which version of 3-D Secure is my system using?

For those using our API, check the response

If you are using version 3 of our JavaScript Library or our Mobile SDK, all transactions will attempt 3-D Secure version 2, providing you specify the “THREEDQUERY” request in your JWT payload. Check the value of the threedversion field returned in the JWT response to determine the 3-D Secure version.
(See below to learn about situations where transactions may be downgraded to 3-D Secure version 1)
If you are using version 2 of our JavaScript Library, all transactions will attempt 3-D Secure version 2. Check the value of the threedversion field returned in the JWT response to determine the 3-D Secure version.
(See below to learn about situations where transactions may be downgraded to 3-D Secure version 1)
If you are using version 1 of our JavaScript Library or using our Webservices API, transactions will attempt 3-D Secure version 1 if you have configured your solution to do so (this involves submitting a THREEDQUERY request to check enrolment, and then manually redirecting the customer’s browser to the card issuer’s ACS server for authentication).

Check our records by performing a transaction query

You can submit a TRANSACTIONQUERY request to Trust Payments using our Webservices API, passing through the transactionreference of the relevant AUTH. Check the value of the threedversion field returned in the record to determine the 3-D Secure version.

Check our records by signing into MyST

Sign in to MyST and view the details of transactions you have been processing. The 3-D Secure version should be displayed under the “3-D Secure” tab.

About downgrades to 3-D Secure version 1

If the customer’s card is not enrolled in a 3-D Secure version 2 scheme, the card will instead be checked for enrolment in a 3-D Secure version 1 scheme. If this is the case, 3-D Secure version 1 standard is used instead, to ensure the customer is authenticated. For this reason, even if your site reference(s) is configured to use 3-D Secure version 2, some payments in your records may still be shown as processed using 3-D Secure version 1.

Enabling 3-D Secure version 2 on your site reference(s)

Payment Pages

Contact our Support Team to discuss configuring your site reference(s) to support 3-D Secure version 2.

JavaScript Library

If you are using version 3 of our JavaScript Library, your site reference(s) is already configured to use 3-D Secure version 2. You will need to ensure that the “THREEDQUERY” request is submitted in the JWT payload, in order for 3-D Secure version 2 to be performed on a given transaction.
If you are using version 2 of our JavaScript Library, your site reference(s) is already configured to use 3-D Secure version 2, which will be attempted for every transaction providing your acquiring bank supports this (no additional steps are needed).
If you are using version 1 of our JavaScript Library, you will need to contact our Support Team to enable 3-D Secure version 2, and then migrate to JavaScript Library version 3.

Mobile SDK

If you are using our Mobile SDK, your site reference(s) is already configured to use 3-D Secure version 2. You will need to ensure that the “THREEDQUERY” request is submitted in the JWT payload, in order for 3-D Secure version 2 to be performed on a given transaction.
- Android SDK documentation
- iOS SDK documentation

Glossary of 3-D Secure version 2 terminology

Frictionless payment

One of the advantages of version 2 is the enhanced nature of checks performed in real time during the checkout process, allowing the card issuer to determine with greater certainty whether not a given transaction poses a risk of fraud. Because of this, most legitimate transactions are correctly determined to be safe to proceed without prompting the customer to verify their identity. For this reason, scenarios in which the customer can complete payment without interruption from 3-D Secure processes are often referred to as “frictionless”.

Step-up authentication

When 3-D Secure checks raise doubts over the customer’s intentions during a payment session, they may be asked to perform additional steps to verify their identity. This may involve the customer entering a pre-assigned PIN or password, using biometric security (i.e. fingerprint or facial recognition) or performing two-factor authentication (prompting the customer to enter a code sent to another device they own). The term “step-up” is used to highlight how security measures are heightened in situations where the card issuer suspects the customer’s account presents a higher risk of fraud.

Summary of 3-D Secure version 2 fields

Field	Description
CAVV	The unique Cardholder Authentication Verification Value (CAVV) associated with the transaction.
ECI	The ECI (E-Commerce Indicator) security level associated with the transaction. The following values can be returned: 00 – 3-D Secure authentication either failed or could not be attempted. 01 – 3-D Secure authentication was attempted but not completed. 02 – 3-D Secure authentication was successful. Transaction is secured by 3-D Secure. 04 – Data only transaction that can be sent to Mastercard. 05 – 3-D Secure authentication was successful. Transaction is secured by 3-D Secure. 06 – 3-D Secure authentication was attempted but not completed. 07 – Returned in two cases: When 3-D Secure authentication either failed or could not be attempted. For successfully-authenticated recurring transactions using Mastercard-branded cards.
Enrolled	Indicates whether or not the customer’s card is enrolled in a 3-D Secure scheme. The following values can be returned: Y – The customer’s card is enrolled. N – The customer’s card is not enrolled. U – Unable to determine if card is enrolled. B – Merchant authentication rule is triggered to bypass authentication in this use case.
Status	Indicates whether or not the customer was authenticated on the card issuer’s ACS. The following values can be returned: Y – The customer was successfully authenticated. A – Authentication attempted but not completed. U – Authentication couldn’t be performed. C – Challenge required for authentication. N – The customer was not authenticated. The payment will not be processed. R – Authentication was rejected. The payment will not be processed. Important: We strongly recommend against attempting further payments with cards flagged with status N or R, as the customer failed authentication, indicating an elevated risk of fraud. Instead, we recommend displaying an error message to the customer, stating the payment was not completed, and offer alternative methods of payment.
Version	Version of 3-D Secure used to authenticate the payment. (e.g. “2.1.0”).
XID	The unique identifier for the transaction, assigned by your MPI (Merchant Plug-In).