As online shopping continues to grow, so does the need for robust payment data security programs. One such measure is 3D Secure (3DS) – a security protocol used for online card transactions to provide an additional layer of authentication. Also known as Payer authentication, 3D Secure verifies the identity of the cardholder by requiring them to enter a password or a one-time code sent via text message or email. This extra step helps prevent unauthorized transactions, reduces the risk of fraud and provides merchants an added peace of mind when conducting online transactions. It is widely used by banks and card issuers to protect their customers’ online transactions. Besides, the implementation of this messaging protocol is governed by regulatory requirements under PCI 3DS Core Security Standard. We often hear about 3DS in the form of “Verified by Visa” or “Mastercard SecureCode.” However different card networks have developed their own 3D Secure transaction products.
The term 3DS stands for 3 Domain Server because the 3DS transaction involves three parties to act as additional level of payment protection:
This refers to the organization that issued the card being used in the online transaction. Issuers are responsible for enrolling the card holders in the service through verifying their identity and authenticating cardholders during online purchase.
This domain pertains to merchant’s banks accepting card payments. Banks must ensure that the merchants operate under a merchant agreement with the acquirer and comply with 3DS requirements. The acquirer domain is also responsible for processing the authenticated transactions
This domain consists of payment systems that act as connectors between an Acquirer Domain and an Issuer Domains for secure exchange of transactions. This domain decides which network is required for the transaction.
The figure below explains the infrastructure setup in a 3DS enrolment and authentication process.
The 3D Secure authentication uses a combination of XML messages, TLS connections, Digital certificates, and client authentication to confirm the identities of the different domains involved in online transactions.
To understand it better, the 3D Secure process can be broken down into two steps:
For a customer to perform a 3D Secure transaction, the cardholder must register for the service. The cardholder performs the registration by visiting the issuer enrolment site and enters their unique credit/debit card data. A shared secret is established at this time. The issuer then verifies the cardholder identity and if successful, the shared secret information is stored for later use.
The second step involves the end-to-end transaction flow, illustrated in the figure below.
The 3D Secure protocol with enhanced security comes with a host of benefits for merchants, card issuers and customers alike. Besides improving the legitimacy of the firm and strengthening customer loyalty, the biggest benefit of 3D Secure is its ability to decrease fraud while still being simple to use.
A key benefit that 3D Secure confers on merchants is the Liability Shift rule. If a merchant has enrolled for 3D Secure, and a shopper denies they made or authorized a purchase (lost or stolen card), the liability for the fraudulent chargeback shifts from the merchant to the card issuer. It is noteworthy to mention that the 3D Secure liability shift doesn’t apply to recurring transactions. However, if a merchant does not perform the enablement of 3D Secure, the liability of any fraudulent online transaction is shifted to the merchant.
With additional layers of security authentication, it’s harder for scammers to commit fraud online. The newer version 3D Secure 2.0 has been vastly improved to provide enhanced fraud prevention features along with better customer experiences compared to its predecessor 3D Secure 1.0. Due to a significant reduction in checkout time and abandonment rates, the major payment brands have shown an agile move toward 3D Secure 2.0 and are almost set to stop support for 3D Secure 1.0. Hence it’s the right time for merchants to move to 3D Secure 2.0.
3D Secure 2.0 lets the merchant send 10 times more data to issuers with each transaction compared to 3D Secure 1.0. Issuers can use this data to make more informed risk assessments of transactions and determine whether the shopper is the legitimate cardholder.
3D Secure authorization requires confirmation of identity, code, OTP (one-time-password), etc. from the card issuer. The added layer of security means fraudulent transactions are less likely with 3D Secure, making online payments safer.
3D Secure 2.0 simplifies the payment process. The use of token-based and biometric authentication instead of static password (in 3D Secure 1.0) means less checkout hassle for customers, shorter waiting time, and most importantly, fewer steps when completing the purchase. The frictionless shopping in turn means lower cart abandonment rate resulting in higher trust and satisfaction.
In conclusion, payment data security is critical for any business that accepts online payments and therefore implementing 3D Secure becomes important. Getting started with 3D Secure first requires merchants, acquirers and payment gateways to understand the scope, applicability and technical specifications of the protocol. PCI 3DS training can help payment security professionals develop the skills and knowledge they need to assess and mitigate risks effectively. As a pioneer in payments security and as a leading global Payment Forensic Investigator (PFI), SISA conducts forensic-driven PCI 3DS and PCI DSS Compliance trainings and workshops to educate security professionals and practitioners on every aspect of payment security. The payment data security programs are available in onsite, online, and cohort-based models and can help organizations get started with 3D Secure journey. SISA also provides consulting services around 3D Secure implementation to enable organizations to meet compliance and audits.
To learn more about our training and certification programs, click here.
Customer Success Stories
SISA Radar – Data Discovery and Classification Tool
Fast | Accurate | Reliable
Get Daily Updates on our Latest Threat Advisories