This article includes the following sections:
- What is 3D Secure?
- Three domains/stakeholders involved in 3D Secure
- What does 3D Secure look like?
- 3D Secure FAQ's
- 3D Secure and customer disputes
- 3D Secure 2.0
What is 3D Secure?
- 3D secure is a security protocol that adds a layer of authentication to the online card-not-present online payment experience by verifying a cardholders’ identity prior to authorisation. The purpose is to protect a customer’s card against unauthorised use when shopping online.*
- The first iteration of 3DS appeared in 1999. Card networks like Visa (Verified by Visa) and Mastercard (Mastercard Identity Check) implemented this feature in 2001. In the first iteration, customers needed to authenticate themselves using OTP or One Time Password.
- 3D Secure can also now include a Banking Mobile App verification step
- 3DS 1.0 promised to help prevent fraud by shifting the burden of authentication onto the issuers (Customer’s bank).
- This led to a huge loss in false declines as customers would choose to cancel a transaction when seeing a 3DS pop-up (or more likely a redirect) to avoid any potential fraud.
- To authenticate the customer is usually required to provide something they have (device), something you know (One Time Pin), or something you are (Biometrics - like a fingerprint)
*Please note that 3D Secure is Mandatory in South Africa as per PASA (Payments Association of South Africa) - more here
Three domains/stakeholders involved in 3D Secure:
- The Acquiring Bank (or the merchant’s bank)
- The Issuing Bank (or the cardholder’s bank)
- Payment Gateway/infrastructure supporting this protocol, such as Peach Payments.
What does 3DS look like?
- When you buy something online and a little pop up appears asking you to enter an OTP or approve your purchase in your banking app? Yes, that’s 3DSecure in action.
- 3 domain secure (3D Secure) is a messaging system that allows for a customer to receive a one-time password or pin (OTP), USSD or in-app prompt and enter it typically in a page from their issuing bank, on the website.
- The purpose is to authenticate an online or eCommerce debit or credit card payment, by proving that the customer is the cardholder, according to the bank that issued the card.
3D Secure FAQ's
Below are some frequently asked questions that help a customer to understand the 3D Secure process :
How does a card get setup for 3D Secure ?
- The customer's bank and the customer is responsible for enrolling the card for 3D Secure
- The customer can receive an OTP and/or a Security Verification through their Banking App when they enter their card details and would like to authenticate the transaction.
Who sends/handles the OTP and/or Banking App Security Verification ?
- The customer's bank (Issuing bank) sends a password prompt to the customer via Mobile Banking App, phone, email, or USSD.
- The customer is then prompted to enter this password on the website to complete the payment.
What can I do if I do not receive an OTP ?
- As a customer, should you not receive an OTP, you would need to:
- Check that the means of receiving this OTP from your bank is functional (Phone network is active, email working, etc)
- Call your bank online banking department to ensure that their 3D Secure process is functioning.
As a merchant, how do I know which transaction to apply 3D Secure to ?
- 3D Secure is mandatory for all eCommerce transactions.
- It is especially critical for initial and once-off transactions to go through 3D Secure.
- It is safe for a transaction that is done with a stored or previously saved card, to not be processed without 3D Secure, since the the initial transaction would have been stored with 3D Secure.
Please note however that liability shift for a merchant can only be applied on transactions that are processed with 3D Secure.
As a merchant, how do I apply 3D Secure ?
- Peach payments supplies necessary authentication credentials and endpoints that will route a transaction through 3D Secure.
- It is a merchant's responsibility to implement these credentials correctly to process a transaction through 3D Secure.
- If an API request from a merchant server does not give instructions to skip 3D Secure, then the transaction will be processed with 3D Secure
- Peach Payments together with the Acquiring Bank set up the Merchant Account to have 3DS applied mandatory and/or Peach instructs the Acquiring Bank to activate 3D Secure.
How can I see if a transaction has been 3D Secure authenticated ?
- A 3D Secure authenticated transaction would return an ECI (Electronic Commerce Indicator) value/number.
- Peach payments provides merchants with proof of 3D Secure in the event that a transaction has been disputed by the cardholder, with their bank.
- A customer will know their transaction went through 3D Secure, if they receive an OTP to authenticate their transaction with their bank.
3D Secure Version 2.0
Peach Payments is always looking to improve our product and customer experience. 3DS 2.0 is the next step in fraud prevention and a big leap in improving the customer online purchasing experience.
- Peach Payments has been supporting 3DS 2.0 by 31st October 2021 and will be expecting all Merchants to support 3DS 2.0 by 31st October 2022 as 3DS 1.0 will no longer be supported by our banks.
- 3DS 2.0 can increase conversion rates by almost 8%, reduce false declines and is overall a better checkout experience.
- More on 3D Secure 2.0 here
3D Secure and Customer Disputes:
- The benefit of 3D Secure is an added layer of security to make sure that you as the seller or merchant is accepting a card payment from the true card holder, according to the issuing bank.
- Helps Merchant with customer transaction disputes:
- When a transaction is processed with 3D Secure, in the event that the transaction is disputed by the customer, for whatever reason (see some reasons below) liability shift may apply (depending on the reason) from the merchant who sold the goods, to the issuer domain for resolution with the customer.
How does liability shift work ?
- A customer may go to their bank to dispute a transaction or report it as fraud, possibly because they do not recognise the charge or it was done without their authorisation (3D Secure authorisation).
- If the transaction was processed through 3D Secure, then there will be an ECI flag value reflecting this.
- Should this ECI flag value be showing for the transaction, the customer's bank would need to remedy the dispute with the customer.
- Please note that liability shifts to the Merchant in cases where transactions are processed through a non-3D Secure Channel/there is no record of the successful transaction successfully going through the 3D Secure process
What happens if a transaction is processed without 3D Secure?
- A transaction that is not passed through 3D Secure may be disputed by the cardholder through the chargeback process, with the issuing bank.
- In South Africa, 3D Secure is mandatory and a merchant will be held liable to pay a fee in addition to the value of the transaction, in the event that disputes arise from a transaction not being processed through 3DSecure.
- Chargeback disputes are also raised for other reasons such as non-delivery of goods, duplicate billing, defective goods etc
What should you as a merchant do if a chargeback dispute is received from your merchant acquiring bank ?
Should you receive a chargeback dispute from your Bank who holds your Merchant Account :
- Check the reason for the dispute
- You may opt to contact the customer to resolve any misunderstanding, which in turn may warrant the customer withdrawing the dispute at their bank.
- Check the merchant dashboard for the transaction, to find the ECI flag value.
- Download the proof of 3D Secure (showing the ECI flag value) and send that along with proof of delivery and other requested documents, to the dispute resolution department at the bank.