3DS Operation
3DS is an online payment fraud prevention protocol designed to make credit and debit card transactions safer. It requires cardholders to complete an extra verification step with their bank (e.g., a biometric scan, one-time passcode, or mobile app prompt) when checking out. It helps prevent chargeback fraud and moves financial responsibility for fraudulent transactions from the merchant to the card-issuing bank.
Overview
- 3D Secure is an authentication method employed to reduce fraud and increase security for card-not-present transactions.
- Customers are required to complete an additional step of verification to confirm their identity. Typically, after providing their card details, the customer is redirected to an authentication page hosted by their bank, where they enter a password or a code that is sent to their phone, or authenticate via their mobile banking app.
- 3D Secure is also referred to by its branded name for each card network:
  - Visa Secure
  - Mastercard Identity Check
  - American Express SafeKey
3DS1 vs. 3DS2
| 3DS1 | 3DS2 |
|---|---|
| Original 3D Secure authentication method introduced in 2001 by Visa and later adopted by Mastercard. | Introduced in October 2016 to improve the user experience by creating “frictionless” authentication. |
| Requires customers to authenticate using a code or password. Some banks required a static password to be created, which led to increased purchase abandonment. | 3DS2 allows businesses and their payment provider to send additional transaction data elements to the cardholder’s bank. |
| The added authentication steps add “friction” to the payment flow and can lead to abandoned purchases. | The additional data, such as shipping address, device ID, or previous transaction history, is used by the bank to determine whether the transaction can go through a frictionless flow, where the authentication occurs without additional input from the cardholder. |
| | Despite the additional data, the bank can still require the cardholder to authenticate if it assesses the risk to be higher. In this case, the transaction is sent through the “challenge” flow. |
| | 3DS2 also allowed banks to offer authentication services via mobile devices on their banking apps instead of passwords or text messages. |
Strong Customer Authentication & PSD2
- Strong Customer Authentication (SCA) is a requirement in Europe for authenticating online payments that was introduced in September 2019.
- The goal of SCA is to reduce fraud and increase security when processing transactions online.
- Strong Customer Authentication requires that any online transaction use at least two (2) methods of verification to confirm the identity of the cardholder:

- SCA is required for “customer-initiated” transactions processed online or using contactless offline payments, such as with digital payment methods like Apple Pay and Google Pay.
- Merchant-initiated transactions are exempt from SCA provided that they include the proper indicators to signify prior authorization.
- Currently, SCA is required in Europe, but it is expected to be enforced in other regions as well.
3D Secure & Aria
- Aria supports 3DS1 and 3DS2 with the following payment processors:
  - Chase Paymentech
  - Worldpay International
  - Adyen
  - Worldline (Ingenico)
  - Cybersource
  - Braintree
- The API sequences to execute 3DS1 and 3DS2 vary. The number of steps for each API sequence is:
  - 3DS1 – 3 Step Process
  - 3DS2 – 5 Step Process
3DS1 Aria API Sequence - 3-Step Process

