3D Secure: must-know things for businesses and cardholders

If you're reading these words, chances are you know 3DS has nothing to do with expensive movies and printing. That's a good start, but why don't we learn more about this widely-used payment security measure?

This article consists of four parts. The first explains the basics of 3D Secure, like what it is and how it works. The second is a grasp of the 3DS history and the current version specificities. As for the last two parts, they cover the most asked questions about 3DS among the cardholders and businesses. Hop on!

3D Secure basics worth knowing

What is 3D Secure?

In simple words, it is a set of rules regulating the exchange of payment data between programs and devices and imposing additional stages of card verification.

What does 3DS mean?

You may wonder why this security protocol features 3D in its name. It stands for 3 domains and refers to the levels of security that this protocol covers. These 3 domains are:

• Issuer domain — the bank that issued the buyer's card;
• Acquirer domain — the merchant's bank, which is the recipient of the payment;
• Interoperability domain — the infrastructure that makes payment possible and supports the protocol.

How does 3D Secure work?

3DS helps to ensure that the shopper using a card to pay for goods on the merchant's website is the actual cardholder. This is achieved by prompting the cardholder to pass 3D Secure authentication.

What is 3D Secure authentication?

It means redirecting the buyer at checkout to their bank's 3D Secure authentication page. On there, they are requested to fill in the one-time password, or verification code, that the bank sends to them via SMS, an email, phone call, or to verify the transaction on their mobile banking app.

In case of successful verification, the transaction can be completed. Otherwise, the payment won't pass.

Is 3D Secure mandatory?

The European PSD2 SCA (Strong Customer Authentication) regulations require the use of 3D Secure when making online card payments. This protocol is not mandatory in other regions, but it is still widely used as it is an efficient tool to prevent fraud.

The brief history of 3DS & the current version

The origins of 3D Secure go back to the security protocol created for Visa in 1999. The technology known under the Verified by Visa brand proved to be effective, so other major card networks began to implement their own solutions based on the protocol: Mastercard SecureCode, ProtectBuy by Discover, J/Secure by JCB, and American Express SafeKey.

Later, EMVCo, a consortium of the world's largest card networks, introduced the revised protocol called EMV 3D Secure. Its second version was published in 2016 following new European regulations.

Learn about the specificities and benefits of 3DS2 by checking out one of our previous articles.

The three most common questions cardholders ask about 3DS

How do I know if my card is 3D Secure?

Everyone with Visa or Mastercard plastic uses the 3D Secure protocol since all these cards are currently being issued with three-domain protection. Only cards released before the mass introduction of the technology do not have it, but most likely, they've already expired. Anyhow, the owner can reissue their card and receive a new protected version.

If the card does not support the 3D Secure protocol, the cardholder can no longer use it in most online stores.

3D Secure verification failed: what to do?

A failure usually may occur in 3 cases: if the customer entered wrong 3DS details, their bank doesn't support the version of security protocol used by the merchant, or some technical glitch occurred.

The shopper can quickly fix the first and last issue by retrying the payment and passing the 3DS authentication again. But if the failure is caused by the protocol versions incompatibility between the issuer and merchant, the only thing you can do is try using another card to make a transaction. However, the frequency of such situations decreases as 3DS2 adoption gets wider.

Can I bypass 3D Secure?

The EMVCo developed the protocol to reduce fraud and protect all parties involved in a transaction. If you're a genuine cardholder, we believe verifying yourself in a few seconds won't be a big deal. It is requested for your good!

The only ones who are truly interested in bypassing 3D Secure are fraudsters. They do it with the help of social engineering techniques: impersonating bank representatives, calling the victim and tricking them into verifying a fraudulent payment, etc. Beware of all cases when someone tries to get card details, security codes, and other sensitive information from you, regardless of who they say they are.

Things businesses should know about 3D Secure

• It's vital to keep an eye on payment market developments and implement new security measures and protocols. Other than maintaining compliance and ensuring fraud protection, it may even help you increase approval rates. Thus, with 3DS2, Mastercard expects around 95% of transactions to be approved right away. Visa forecasts the shopping cart abandonment rate will drop by 66%, facilitated by reduced payment transaction time, absence of explicit redirect, and password-related risks mitigation.
• With 3DS2, the liability for fraudulent chargebacks shifts from the merchant to the issuer. However, there is no liability shift for recurring transactions.
• Payment platforms like Corefy empower merchants to find the desired balance between conversions and security by defining the rules when 3DS check should be enabled and disabled. However, be cautious when using this feature, as fraudsters know that many merchants choose to disable 3DS for small transactions. They test the limit and then make transactions within it.