What is 3-D Secure? How Can You Benefit From Domain Security Protocols?
What do platforms like Verified by Visa, Mastercard SecureCode, and American Express SafeKey all have in common? They’re all fraud protection tools based on a technology called 3-D Secure (often shortened to just 3DS).
Over the past two decades, 3-D Secure has been instrumental in combating criminal fraud. However, adoption has always been sluggish among merchants due to concerns about its impact on conversion and shopping cart abandonment rates.
So, let’s delve into the inner workings of 3-D Secure, its evolution since its inception, and its advantages and disadvantages. We’ll also address the question of whether its impact on conversion rates should genuinely concern you.
What is 3-D Secure?
3-D Secure [noun] /THrē • dē • sə • kur/
3-D Secure is a customer authentication protocol created for eCommerce. The system is used to validate buyers at checkout, creating an additional layer of security for online transactions. Card networks recommend that both issuing banks and merchant acquirers support the protocol.
The “3-D” in 3DS is short for “three domains.” It alludes to the trio of distinct domain servers essential for protocol execution: the merchant, issuer, and interoperability domains.
The first successful rollout of a 3-D Secure solution was Verified by Visa. After this, numerous other networks adopted their own versions of the technology rooted in 3DS protocols.
Merchants can enroll in 3DS programs through each card brand. However, many merchants find it easier to do this through their acquirer.
How Does 3-D Secure Work?
With the latest version of 3-D Secure, nearly 150 points of transaction data are sent to the issuing bank, automatically and in real time. This includes things like IP address, merchant category code, shipping address, and so on.
3-D Secure also adds an authentication step to the checkout process. Typically, the cardholder is asked to provide either a pre-established password, a one-time passcode sent to their mobile phone or email, or the answer to a unique security question.
Also, note that not all transactions will require 3-D Secure measures. Acquirers may deploy transaction risk analysis to identify “low-risk” transactions, such as payments below a certain limit or recurring payments. These will not require 3DS verification.
Breaking Down 3-D Secure by Card Brand
Although based on the same technology, 3-D Secure verification tools vary slightly depending on the card scheme. It also goes by different names, according to the brand.
Visa Secure
Visa Secure is an advanced security feature from Visa that helps authenticate purchasers as authorized cardholders. This extra layer of verification helps protect both cardholders and merchants during checkout.
Mastercard Identity Check
Identity Check is the Mastercard-branded deployment of 3-D Secure technology (replacing the earlier Mastercard SecureCode). It was developed to make online Mastercard transactions as safe, fast, and convenient as purchases made in a store. The program works by verifying a customer's identity at the checkout stage.
Discover ProtectBuy
ProtectBuy is a 3-D Secure service specific to Discover, which implements real-time authentication software to verify credit card users before a transaction. This data can be leveraged to detect stolen cards, identify unauthorized users, and thwart fraud attempts before a transaction is made.
American Express SafeKey
SafeKey is a 3-D Secure service specific to Amex. SafeKey data detects stolen cards, identifies unauthorized users, and thwarts fraud attempts before a transaction can be processed. This technology aims to help merchants improve their anti-fraud and chargeback prevention efforts.
JCB J/Secure
Like other 3DS deployments, J/Secure enables merchants and issuers to exchange detailed information, helping reduce fraud and minimizing the need for a one-time passcode. This improves the user experience and helps prevent shopping cart abandonment.
Benefits of 3-D Secure
The primary benefit of 3-D Secure technology is security and fraud prevention.
The 3DS2 protocol uses Risk-Based Authentication (RBA) to analyze data and assess the fraud risk of each transaction in real-time. Because the risk level is backed by so much information, the process provides a high level of security and lowers the risk of criminal fraud.
The technology offers multiple other benefits as well, though. Using the latest version of 3-D Secure can help regardless of whether you’re upgrading from the original protocol or deploying 3-D Secure payment verification for the first time:
What is 3-D Secure 2.0?
3-D Secure 2.0 is an updated version of the original 3-D Secure system. It improves upon its predecessor in several significant ways.
One of the main drawbacks of the original 3DS was that it added a step to the checkout process, which could disrupt the user experience and potentially deter customers from completing their purchases. This was particularly the case on mobile devices, where the additional authentication page was not always optimally displayed.
3DS 2.0 addresses these problems by introducing a more seamless, risk-based approach to customer authentication. It uses real-time data analysis to assess transaction risk levels. For low-risk transactions, it can authenticate the payment in the background without requiring additional input from the customer, thus maintaining a smooth checkout process. This is called 'frictionless' authentication.
3DS 2.0 is designed to meet Strong Customer Authentication (SCA) requirements. Overall, it maintains the protective advantages of its predecessor while addressing previous concerns about user experience, particularly on mobile devices.
What are ECI Indicators?
In essence, an Electronic Commerce Indicator (or “ECI”) code acts as a 3-D Secure response code. It provides direction on the next step in a 3DS transaction: whether to proceed, decline the purchase, or attempt again.
Let’s say a customer registered with 3-D Secure initiates a transaction. The system activates during checkout, requiring the cardholder to provide additional information for identity verification.
The ECI indicator, furnished by the Directory Server and the Access Control System (ACS), represents the outcome of the authentication request for 3DS transactions. It serves as an invaluable reference for merchants, guiding their decision on whether to proceed with the transaction.
The ECI indicator a merchant receives may instruct them to proceed with a purchase. Or, it may inform them that an unsuccessful attempt was made to authenticate the customer, or that the buyer is not the authorized cardholder.
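One way a merchant backend could act on the ECI described above, shown as an added example that is not code from this page or from any card scheme or gateway. The per-scheme ECI values and the EMV 3DS `transStatus` letters are assumptions taken from the schemes' public conventions rather than from this page, and `AuthResult`, `decide` and the sample values are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Scheme ECI conventions (assumed from the card schemes' public documentation,
# not from this page): (fully authenticated, attempted, not authenticated).
ECI_BY_SCHEME = {s: ("05", "06", "07") for s in ("visa", "amex", "discover", "jcb")}
ECI_BY_SCHEME["mastercard"] = ("02", "01", "00")

@dataclass
class AuthResult:
    """Hypothetical shape of the 3DS result a gateway hands to the merchant."""
    scheme: str
    eci: str
    trans_status: str           # EMV 3DS transStatus: Y, A, N, U, R or C
    auth_value: Optional[str]   # CAVV/AAV cryptogram, if one was issued

def decide(r: AuthResult) -> tuple:
    """Return (action, reason); anything unexpected fails closed."""
    codes = ECI_BY_SCHEME.get(r.scheme.lower())
    if codes is None:
        return ("decline", "unknown scheme")
    full, attempted, _not_authenticated = codes
    if r.trans_status == "C":
        return ("challenge", "issuer requires cardholder interaction")
    if r.trans_status in ("N", "R"):
        return ("decline", "issuer did not authenticate the cardholder")
    if r.trans_status == "U":
        return ("retry", "authentication could not be performed")
    # A success status is only trusted when the ECI matches the scheme's own
    # code for that outcome and a cryptogram is present to send in authorization.
    expected = {"Y": full, "A": attempted}.get(r.trans_status)
    if expected is None or r.eci != expected:
        return ("decline", "ECI inconsistent with status for this scheme")
    if not r.auth_value:
        return ("decline", "missing authentication value")
    return ("proceed", "authenticated" if r.trans_status == "Y" else "attempted")

# Constructed sample results (the cryptogram strings are placeholders).
SAMPLES = [
    AuthResult("visa", "05", "Y", "PLACEHOLDER_CAVV"),
    AuthResult("mastercard", "05", "Y", "PLACEHOLDER_AAV"),  # Visa's code on Mastercard
    AuthResult("visa", "05", "Y", None),
    AuthResult("mastercard", "01", "A", "PLACEHOLDER_AAV"),
    AuthResult("visa", "07", "U", None),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.scheme, s.eci, s.trans_status, "->", decide(s))
```

Checking the ECI against the scheme and requiring the cryptogram keeps a mislabelled or tampered result from being treated as an authenticated payment.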
Why Did a 3-D Secure Authentication Error Occur?
An “Authentication Failed” response typically indicates an error in the details entered by the customer. This could be related to card details, such as the wrong card number, expiration date, or an incorrect authentication passcode.
In this case, the customer's card provider will halt the payment and impede further transaction progress. This protective measure deters fraudsters.
The cardholder may retry the authentication process to correct the error. If the customer has verified their card details and fulfilled the correct 3DS security conditions, but still encounters a failure message, they should reach out to their card provider for assistance.
It's crucial to remember that certain browser extensions may disrupt the 3-D Secure page's functioning. For instance, pop-up blockers could hinder the 3DS page's performance. Deactivating browser extensions, or attempting the payment through a different browser, could then resolve the error message.
Where is 3-D Secure Authentication Currently Available?
3-D Secure is widely deployed across global eCommerce platforms, including regions like Europe, the US, Australia, China, India, and Singapore.
3-D Secure is not legally mandatory across all regions. That said, the EU's PSD2 regulation, enacted in 2018-2019, sought to bolster online card transaction security and curb fraud risks. One crucial component of PSD2 is the Strong Customer Authentication (SCA) requirement mentioned above, enforced since September 2021 in the European Economic Area and the UK. This rule makes 3DS compulsory for sites accepting credit and debit transactions.
According to SCA stipulations, banks must perform dual identity verification checks for online payments and bank transfers. This two-factor authentication mandates that a customer provide at least two elements of identity verification to complete an online transaction.
By integrating 3-D Secure, businesses can ensure they’re adhering to SCA requirements. The technology fulfills the two tiers of Strong Customer Authentication needed to validate the customer's identity.
How to Set up 3-D Secure Authentication
To implement 3-D Secure, merchants need to follow a few steps:
Step #1 | Consult With Acquirer or PSP
Merchants should start by speaking with their acquiring bank or payment service provider. This entity can provide detailed information about how to enable 3-D Secure and the costs.
Step #2 | Integration with 3-D Secure
Most payment gateways and platforms provide support for 3-D Secure. Merchants may need to integrate the protocol into their online payment systems. This could involve updating software or adding new plug-ins.
Step #3 | Enrollment in 3-D Secure Program
The merchant needs to enroll in a 3-D Secure program provided by the card networks they accept, such as Verified by Visa, Mastercard SecureCode, or American Express SafeKey.
Step #4 | Testing
After implementation, rigorous testing should be conducted to ensure the system works as expected without disrupting the customer experience. It is essential to verify both that low-risk transactions are handled smoothly and that high-risk ones trigger the appropriate additional authentication steps.
Step #5 | Customer Education
Finally, it's advisable for merchants to educate their customers about the new security feature. Clear communication can help alleviate customer concerns about additional authentication steps and positively influence the perception of enhanced security.
Implementation details may vary based on the specific platforms and tools used by the merchant. It's always a good idea to consult with experts or seek professional assistance to ensure a smooth implementation process.
Does 3DS Make a Transaction "Chargeback-Proof"?
Unfortunately not.
This is a common misconception. The 3DS2 protocol has proven to be a highly effective fraud deterrent. However, this only applies to chargebacks designated with a “Fraud” reason code.
With Visa transactions, for instance, 3DS would prevent chargebacks from being filed using reason code 10.4 — Other Fraud: Card-absent Environment / Condition. However, the transaction could still be subject to disputes filed using a “Processing Error” or “Customer Dispute” reason code.
3DS can be very effective at stopping third-party fraud. However, it does nothing to prevent first-party fraud, which makes up the bulk of the average merchant’s chargebacks. First-party fraud happens post-transaction; authenticating the customer prior to purchase doesn’t help if the fraud occurs after the fact.
3-D Secure is a great tool, but it works best as part of a multi-level fraud and chargeback management strategy. This calls for deploying multiple complementary tools, all backed by fraud scoring, which will allow merchants to automatically decline orders that present too much risk. This, coupled with optimized policies and best practices, will go a long way to help protect your business against fraud and chargebacks.
Interested in learning more about 3-D Secure? Or, have questions about any other aspect of chargeback management? Contact Chargebacks911® today.
We can show you how to take chargebacks completely off your plate and increase your ROI. Help is just a click away.
FAQs
What does 3-D Secure mean?
The “3-D” in 3-D Secure stands for “three domains,” referencing the trio of distinct domain servers essential for protocol execution: the merchant, issuer, and interoperability domains.
How do I activate 3-D Secure?
Consult with your acquirer or payment service provider (PSP) first, then enroll in the 3DS platform. Next, you’ll integrate your 3DS account with your payment gateway or POS. Lastly, you’ll want to test the integration to ensure all components are working.
Should I enable 3-D Secure?
Yes. While “lower risk” payments (for instance, payments below $30) might not require 3DS authentication, it’s a good idea for merchants to have that extra authentication step enabled whenever possible.
Does 3-D Secure prevent chargebacks?
No. The 3DS2 protocol has proven to be a highly effective fraud deterrent, but it doesn’t prevent or resolve non-fraud chargebacks at all. Aside from this, the protocol is also more prone to false positives. Customers can be confused by the pop-up window or annoyed at the extra step at checkout. Either situation can lead to cart abandonment.
Can 3-D Secure be bypassed?
Yes. This can be done legitimately using transaction risk analysis. That said, any anti-fraud protocol can be bypassed under the right circumstances. Merchants should take that into account when building their fraud prevention strategies.
Which banks use 3-D Secure?
3-D Secure is widely adopted across global eCommerce platforms, including regions like Europe, the US, Australia, China, India, and Singapore.
All banks and credit card processing networks in the U.S. require 3-D Secure, so most credit cards should be accepted and not require extra authentication.