Enhancing Online Security: A Guide to 3D Secure and Liability Shift

Modified on Mon, 23 Jun at 2:24 PM


This article includes the following sections:

  • What is 3D Secure?
  • Three domains/stakeholders involved in 3D Secure
  • What does 3D Secure look like?
  • Recurring Transactions and MOTO
  • 3D Secure FAQs
  • 3D Secure and customer disputes
  • 3D Secure 2.0

What is 3D Secure?

  • 3D Secure is a security protocol that adds a layer of authentication to the card-not-present online payment experience by verifying a cardholder’s identity prior to authorisation. The purpose is to protect a customer’s card against unauthorised use when shopping online.*
  • The first iteration of 3DS appeared in 1999. Card networks like Visa (Verified by Visa) and Mastercard (Mastercard Identity Check) implemented this feature in 2001. In the first iteration, customers needed to authenticate themselves using an OTP (One Time Password). Now, 3D Secure involves a Banking Mobile App verification step.
  • To authenticate, the customer is usually required to provide something they have (a device), something they know (a One Time Pin), or something they are (biometrics, like a fingerprint).


*Please note that 3D Secure is Mandatory in South Africa as per PASA (Payments Association of South Africa) - more information here



Three domains/stakeholders involved in 3D Secure:

  1. The Acquiring Bank (or the merchant’s bank)
  2. The Issuing Bank (or the cardholder’s bank)
  3. Payment Gateway/infrastructure supporting this protocol, such as Peach Payments.



What does 3DS look like?

  • When you buy something online and a little pop-up appears asking you to enter an OTP or approve your purchase in your banking app, that’s 3D Secure in action!
  • 3 Domain Secure (3D Secure) is a messaging system that allows a customer to receive a one-time password or pin (OTP), USSD or in-app prompt and enter it, typically on a page from their issuing bank shown on the website.
  • The purpose is to authenticate an online or eCommerce debit or credit card payment, by proving that the customer is the cardholder, according to the bank that issued the card.

Recurring Transactions and Mail Order/Telephone Order (MOTO) Transactions:

The liability shift mechanism applies only when a transaction undergoes the 3D Secure authentication process. When a transaction is routed through the Recur channel, liability shifts to the merchant, who is then responsible in the event of a fraudulent chargeback. Merchants should be aware that while liability shift provides enhanced protection for transactions authenticated through 3D Secure, a different set of considerations applies to transactions processed via the Recur channel.


| Scenario | Liability Shift | Comments |
| --- | --- | --- |
| Transaction with 3D Secure authentication | Shifts to the Cardholder's Bank | The liability for fraudulent transactions is transferred to the bank that issued the card, providing added security for both merchants and cardholders. |
| Recurring Transactions | Shifts to the Merchant (No 3D Secure) | In cases where recurring transactions bypass 3D Secure, the liability typically falls on the merchant. |
| Mail Order/Telephone Order (MOTO) Transactions | Shifts to the Merchant (No 3D Secure) | Similar to recurring transactions, MOTO transactions without 3D Secure may hold the merchant liable in the event of a fraudulent chargeback. |
| Card Issuer Confirms Card is NOT Enrolled | Shifts to the Card Issuer | When the card issuer confirms that a specific card is NOT enrolled, liability shift has occurred, and the issuer will be liable for any fraudulent chargebacks. |

3D Secure FAQs


1. How does a card get setup for 3D Secure?

  • The customer's bank and the customer are responsible for enrolling the card for 3D Secure.
  • The customer can receive an OTP and/or a Security Verification through their Banking App when they enter their card details and would like to authenticate the transaction.


2. Who sends/handles the OTP and/or Banking App Security Verification?

  • The customer's bank (Issuing bank) sends a password prompt to the customer via their Mobile Banking App, phone, email, or USSD.
  • The customer is then prompted to enter this password on the website to complete the payment.


3. What can I do if I do not receive an OTP?

  • As a customer, should you not receive an OTP, you would need to:
    1. Check that the means of receiving this OTP from your bank is functional (Phone network is active, email working, etc.)
    2. Call your bank to ensure that their 3D Secure process is functioning.


4. As a merchant, how do I know which transaction to apply 3D Secure to?

  • 3D Secure is mandatory for all eCommerce transactions in South Africa, therefore it should be applied to all transactions.
  • It is especially critical for initial and once-off transactions to go through 3D Secure.
  • It is safe for a transaction made with a stored or previously saved card to be processed without 3D Secure, since the initial transaction would have been stored with 3D Secure.

*Please note that liability shift for a merchant can only be applied on transactions that are processed with 3D Secure.


5. As a merchant, how do I apply 3D Secure to my transactions?

  • Peach Payments supplies the necessary authentication credentials and endpoints that will route a transaction through 3D Secure.
  • It is the merchant's responsibility to implement these credentials correctly to process a transaction through 3D Secure.
  • If an API request from a merchant server does not give instructions to skip 3D Secure, then the transaction will be processed with 3D Secure.
  • Peach Payments, together with the Acquiring Bank, sets up the Merchant Account to have 3DS applied as mandatory, and/or Peach instructs the Acquiring Bank to activate 3D Secure.


6. How can I see if a transaction has been 3D Secure authenticated?

  • A 3D Secure authenticated transaction would return an ECI (Electronic Commerce Indicator) value/number.
  • Peach Payments provides merchants with proof of 3D Secure in the event that a transaction has been disputed by the cardholder with their bank. For more information on obtaining proof of 3D Secure, refer to our Documentation hub here.
  • A customer will know their transaction went through 3D Secure, if they receive an OTP to authenticate their transaction with their bank.

3D Secure Version 2.0

Peach Payments is always looking for ways to improve our products and customer experience. 3DS 2.0 is the next step in fraud prevention and a big leap in improving the customer online purchasing experience.

  • Peach Payments has been supporting 3DS 2.0 as of 31st October 2021.
  • 3D Secure 2.0 can increase conversion rates by almost 8%, reduce false declines and is overall a better checkout experience.
  • More on 3D Secure 2.0 here

3D Secure and Customer Disputes:

  • The benefit of 3D Secure is an added layer of security to make sure that you, as the seller or merchant, are accepting a card payment from the true cardholder, according to the issuing bank.


How does liability shift work?

  • A customer may go to their bank to dispute a transaction or report it as fraud, possibly because they do not recognise the charge or it was done without their authorisation (3D Secure authorisation).
  • If the transaction was processed through 3D Secure, then there will be an ECI flag value reflecting this.
    • Should this ECI flag value be showing for the transaction, the customer's bank would need to remedy the dispute with the customer.
  • Please note that liability shifts to the Merchant where transactions are processed through a non-3D Secure channel or there is no record of the transaction successfully going through the 3D Secure process.
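
As an added example (not Peach Payments' code), the liability rules above can be applied to a batch of transaction records to list the ones where the merchant carries the fraud risk. The record fields (id, brand, channel, eci) and the brand and channel labels are hypothetical; the ECI values are the card schemes' standard ones, and treating an "attempted" ECI as the card-not-enrolled case is an assumption.

```python
# Added example. Field names and brand/channel labels are hypothetical,
# not Peach Payments' API. ECI values are the schemes' standard ones.
ECI_MEANING = {
    "VISA":   {"05": "authenticated", "06": "attempted", "07": "none"},
    "MASTER": {"02": "authenticated", "01": "attempted", "00": "none"},
}
NON_3DS_CHANNELS = {"RECURRING", "MOTO"}


def liable_party(txn):
    """Return (party, reason) for a fraud chargeback on one transaction."""
    channel = (txn.get("channel") or "").upper()
    if channel in NON_3DS_CHANNELS:
        return "merchant", f"{channel} channel does not go through 3D Secure"
    eci = txn.get("eci")
    if eci is None or eci == "":
        return "merchant", "no ECI recorded, so no proof of 3D Secure"
    brand = (txn.get("brand") or "").upper()
    meaning = ECI_MEANING.get(brand, {}).get(str(eci).zfill(2))
    if meaning == "authenticated":
        return "issuer", "cardholder authenticated with 3D Secure"
    if meaning == "attempted":
        # Assumption: maps to the "card NOT enrolled" row of the table.
        return "issuer", "authentication attempted, card not enrolled"
    # Unknown or mismatched brand/ECI pairs fail closed: no liability shift.
    return "merchant", "ECI does not show 3D Secure authentication"


def merchant_exposure(transactions):
    """List (id, reason) for transactions where the merchant is liable."""
    exposed = []
    for txn in transactions:
        party, reason = liable_party(txn)
        if party == "merchant":
            exposed.append((txn["id"], reason))
    return exposed


# Constructed sample records, not real transaction data.
SAMPLE = [
    {"id": "t1", "brand": "VISA", "channel": "ECOMMERCE", "eci": "05"},
    {"id": "t2", "brand": "MASTER", "channel": "ECOMMERCE", "eci": "01"},
    {"id": "t3", "brand": "VISA", "channel": "RECURRING", "eci": None},
    {"id": "t4", "brand": "VISA", "channel": "MOTO", "eci": "07"},
    {"id": "t5", "brand": "MASTER", "channel": "ECOMMERCE", "eci": 2},
    {"id": "t6", "brand": "VISA", "channel": "ECOMMERCE", "eci": "02"},
]

if __name__ == "__main__":
    for txn_id, reason in merchant_exposure(SAMPLE):
        print(txn_id, reason)
```

Running this over settled transactions before a dispute arrives shows which payments would need separate evidence, since only the issuer-liable ones are covered by proof of 3D Secure.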


*For more information about 3D Secure and Liability Shift, click here
