What is 3D Secure ?

3 Domain Secure (3D Secure) is a messaging system that allows a customer to receive a one-time password or PIN (OTP), USSD or in-app prompt and enter it on the website, typically in a page from their issuing bank.

The purpose is to authenticate an online or eCommerce debit or credit card payment, by proving that the customer is the cardholder, according to the bank that issued the card.


Some common 3D Secure questions

These are some frequently asked questions that help a customer to understand the 3D Secure process :

How does a card get set up for 3D Secure ?

The customer's bank is responsible for enrolling the card for 3D Secure, so that the customer can receive an OTP when they enter their card details and would like to authenticate the transaction.

Who sends the OTP ?

The customer's bank (the issuing bank) sends a password prompt to the customer via phone, email, app or USSD. The customer then enters this password on the website to complete the payment.

What can I do if I do not receive an OTP ?

As a customer, should you not receive an OTP, you would need to :

1. Check that the means of receiving this OTP from your bank is functional (phone network is active, email is working, etc.)
2. Call your bank's online banking department to ensure that their 3D Secure process is functioning.

These are some key points and questions around 3D Secure processing from the merchant and customer perspectives.

As a merchant, how do I know which transaction to apply 3D Secure to ?

3D Secure is mandatory for all eCommerce transactions.
It is especially critical for initial and once-off transactions to go through 3D Secure.
It is safe for a transaction that is done with a stored or previously saved card to be processed without 3D Secure, since the initial transaction would have been stored with 3D Secure.

Please note however that liability shift for a merchant can only be applied on transactions that are processed with 3D Secure.

As a merchant, how do I apply 3D Secure ?

Peach Payments supplies the necessary authentication credentials and endpoints that will route a transaction through 3D Secure.

It is a merchant's responsibility to implement these credentials correctly to process a transaction through 3D Secure. If an API request from a merchant server does not give instructions to skip 3D Secure, then the transaction will be processed with 3D Secure.

The merchant would need to be enrolled for 3D Secure by the acquirer. This is the responsibility of the acquiring bank which supplies the merchant account to the merchant.


Some questions to help merchants with 3D Secure process :

How can I see if a transaction has been 3D Secure authenticated ?

A 3D Secure authenticated transaction would return an Electronic Commerce Indicator (ECI). Peach Payments provides merchants with proof of 3D Secure in the event that a transaction has been disputed by the cardholder with their bank.

A customer will know their transaction went through 3D Secure, if they receive an OTP to authenticate their transaction with their bank.

How does liability shift work ?

A customer may go to their bank to dispute a transaction or report it as fraud, possibly because they do not recognise the charge or it was done without their authorisation (3D Secure authorisation).

If the transaction was processed through 3D Secure, then there will be an ECI flag value reflecting this. Should this ECI flag value be showing for the transaction, the customer's bank would need to remedy the dispute with the customer.
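
As an added illustration (not Peach Payments' code or API), the Python example below audits an exported transaction list for proof of 3D Secure using the ECI flag. The record fields (id, scheme, eci, stored_card) and the sample rows are constructed for this example; the ECI values are the ones the Visa and Mastercard schemes publish, and they differ per scheme.

```python
# Added example: hypothetical record fields, constructed sample data.
# ECI codes are scheme-specific: the same outcome has a different value per scheme.
ECI_MEANING = {
    "VISA":       {"05": "authenticated", "06": "attempted", "07": "not_authenticated"},
    "MASTERCARD": {"02": "authenticated", "01": "attempted", "00": "not_authenticated"},
}

def classify_eci(scheme, eci):
    """Map a scheme-specific ECI to a 3D Secure outcome."""
    if eci is None or str(eci).strip() == "":
        return "not_authenticated"    # no ECI returned: no evidence of 3D Secure
    code = str(eci).strip().zfill(2)  # exports often drop the leading zero ("5" -> "05")
    return ECI_MEANING.get(scheme.upper(), {}).get(code, "unknown")

def audit(transactions):
    """Return (id, finding) for every transaction a merchant should look at."""
    findings = []
    for tx in transactions:
        outcome = classify_eci(tx["scheme"], tx.get("eci"))
        if outcome == "authenticated":
            continue  # proof of 3D Secure exists if the payment is disputed
        if outcome == "unknown":
            findings.append((tx["id"], "unrecognised ECI, review manually"))
        elif outcome == "attempted":
            findings.append((tx["id"], "3D Secure attempted, cardholder not authenticated"))
        elif tx["stored_card"]:
            findings.append((tx["id"], "stored card without 3D Secure: no liability shift"))
        else:
            findings.append((tx["id"], "initial transaction without 3D Secure"))
    return findings

# Constructed sample export (not real transactions).
SAMPLE = [
    {"id": "t1", "scheme": "VISA", "eci": "05", "stored_card": False},
    {"id": "t2", "scheme": "Mastercard", "eci": 2, "stored_card": False},
    {"id": "t3", "scheme": "VISA", "eci": "07", "stored_card": True},
    {"id": "t4", "scheme": "Mastercard", "eci": "00", "stored_card": False},
    {"id": "t5", "scheme": "VISA", "eci": None, "stored_card": False},
    {"id": "t6", "scheme": "VISA", "eci": "06", "stored_card": False},
    {"id": "t7", "scheme": "VISA", "eci": "02", "stored_card": False},
]

if __name__ == "__main__":
    for tx_id, finding in audit(SAMPLE):
        print(tx_id, "->", finding)
```

Note that t7 carries a value that means "authenticated" on Mastercard but is not a valid Visa outcome, which is why the lookup is keyed by scheme first.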


Some more technical information on 3D Secure :

In the 3D Secure protocol, there are 3 domains :

  • Acquirer domain - The merchant account provider (e.g. Nedbank, FNB, ABSA)

  • Issuer domain - Your customer's bank that issues the debit or credit card

  • Interoperability domain - The infrastructure provided by the card scheme (credit, debit, prepaid or other types of payment card) to support the 3D Secure protocol. It includes the Internet, merchant plug-in, access control server and other software providers



Why is 3D Secure useful ?

The benefit of 3D Secure is an added layer of security to make sure that you, as the seller or merchant, are accepting a card payment from the true cardholder, according to the issuing bank.

When a transaction is processed with 3D Secure, in the event that the transaction is disputed by the customer, for whatever reason (see some reasons below) liability shift may apply (depending on the reason) from the merchant who sold the goods, to the issuer domain for resolution with the customer.


What happens if a transaction is processed without 3D Secure ?

A transaction that is not passed through 3D Secure may be disputed by the cardholder through the chargeback process, with the issuing bank.

In South Africa, 3D Secure is mandatory and a merchant will be held liable to pay a fee in addition to the value of the transaction, in the event that disputes arise from a transaction not being processed through 3D Secure.

Chargeback disputes are also raised for other reasons such as non-delivery of goods, duplicate billing, defective goods, etc.

What should you as a merchant do if a chargeback dispute is received from your merchant acquiring bank ?

Should you receive a chargeback dispute :

1. Check the reason for the dispute.

2. You may opt to contact the customer to resolve any misunderstanding, which in turn may warrant the customer withdrawing the dispute at their bank.

3. Check the merchant dashboard for the transaction, to find the ECI flag value.

4. Download the proof of 3D Secure (showing the ECI flag value) and send that along with proof of delivery and other requested documents, to the dispute resolution department at the bank.