If you’re operating an eCommerce website, having a secure online payment gateway is fundamental to keeping business flowing.
That’s where 3D secure authentication comes in. As well as protecting your customers’ card data when they make a purchase, it can help to reduce the risk of online fraud and give potential shoppers the confidence they need to know your storefront is legitimate.
Whether you’re looking to implement 3D secure authentication on your website or you want to brush up on your knowledge, our guide reveals everything you need to know about what it is, how it works, and what to do when it fails.
3D secure authentication, or 3D secure (3DS), is a card-not-present fraud prevention measure launched in 2001 by Visa as Verified-by-Visa. It is one of the key security features when you take online payments through a payment gateway and works by requesting cardholder authentication during the check-out process. 3D secure provides an additional layer of security for online card transactions to help protect against card payment fraud.
The ‘3D’ is short for ‘three domains’, which refers to the three separate domain servers that are required to complete the protocol. These are:
Since the successful launch of Visa’s Verified-by-Visa 3D secure measures, several prominent credit and debit card providers have developed their own versions using 3DS protocols, such as Mastercard with SecureCode and American Express with SafeKey.
3D secure works by incorporating another step within the check-out process to authenticate the payment. Customers will usually be asked to provide:
Here’s how it works in more detail:
Customers won’t always be subject to 3D secure measures and may not be asked to provide any details at all. This could be the case for transactions that are seen as ‘low-risk’, like payments under a certain amount or regularly recurring payments. When a customer is asked, once they have entered the correct information and the card provider has approved the payment, they will automatically be sent back to the merchant website with an order confirmation message. It’s a quick and simple process.
The main benefit of 3D secure is that it gives an added level of security to help stop card details from being stolen and used online. For customers, it can help to limit online card fraud when they make a transaction. For merchants, it can reassure customers that their payment to your business is secure.
It also protects against any unauthorised transaction chargebacks. Once the transaction has passed the 3D secure authentication process, you, the merchant, are no longer liable for the purchase. The liability is passed to the card payment provider, who will be responsible for sorting any customer refunds. This means you can save time and money with fewer settlement disputes with your customers.
In summary, 3D secure authentication can help:
3D secure is implemented on eCommerce platforms all around the world, including in Europe, the US, Australia, China, India, and Singapore.
While 3D secure is not a legal requirement, the PSD2 legislation — a regulation for electronic payment services — was passed by the EU in 2018-2019 with the aim of increasing the safety of online card transactions and reducing the chances of fraud. As part of the PSD2, the Strong Customer Authentication (SCA) requirement was introduced and became mandatory on websites accepting credit and debit transactions. It came into effect in September 2021 for countries in the European Economic Area and the UK.
To comply with SCA regulations, banks must carry out two checks to confirm a customer’s identity for certain online payments and bank transfers. Also known as two-factor authentication, a customer must provide at least two elements of identity authentication to complete an online transaction.
Businesses can meet SCA requirements by implementing 3D secure, as it covers the two levels of Strong Customer Authentication required to confirm a customer’s identity.
There are a few ways that small businesses can set up 3D secure authentication:
To accept credit or debit card payments with 3D secure authentication, you will also need to set up a merchant account. This is separate from your business bank account. It’s like a holding area where your payment funds are checked and processed before being sent to your account for you to access. Find out how we can help you set up a merchant account here.
Once you’ve got 3D secure integrated and set up with your payment gateway, you’re all set. But what about your customers?
As 3D secure is an SCA protocol, it’s the responsibility of banks and businesses to build it into their check-out flow. This means that customers don’t need to worry about activating 3D secure with their card or provider.
It’s more than likely that their bank has already enrolled their credit or debit card into 3D secure when it was issued to them. This is generally the case with cards from top payment providers like Visa, Mastercard, and Amex.
A ‘3D secure authentication failed’ error during the 3DS process usually means that the customer has entered their details incorrectly. They may have mistyped their card details, like the long card number or expiry date, or the additional authentication passcode.
When this occurs, the customer's debit or credit card provider will reject the payment and prevent the transaction from going any further. This safety mechanism prevents scammers from using stolen card details, as they may not be able to get past the 3D secure authentication.
If a customer has checked their card details and entered the correct 3DS security requirements but still receives a failure message, they will need to contact their card provider for help.
It’s worth noting that some browser extensions can interfere with the 3D secure page, like pop-up blockers, which can prevent the 3DS page from working properly. Disabling browser extensions or trying the payment again from a different browser can sometimes fix the error message.
While the information required to verify 3DS adds more security to the transaction process, it increases the steps in the check-out flow and can make a shopper’s experience less seamless.
Payment providers can request exceptions to which transactions require 3DS, for example, for low-risk payments under a certain amount of money, but these requests are ultimately decided by the cardholder’s bank and are not always guaranteed.
To streamline the 3DS payment process, 3D secure 2.0 was introduced to provide a better overall experience for customers across mobile devices as well as on desktops. Just like its predecessor, it also meets the requirements of PSD2 and counts as a method of Strong Customer Authentication.
3DS2, or EMV 3D Secure, works by harvesting and sending more data to the customer’s issuing bank. This might include an IP address, browser language, and a merchant category code. As more information is collected, the banks can make informed decisions on whether to approve a cardholder’s transaction without needing to trigger 3D secure security requirements – eliminating the need for the cardholder to input data and creating a frictionless experience, without compromising on security.
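As an added example (not code from this page or from any payment provider), here is one way a merchant's server could route the result of a 3DS2 authentication, covering the frictionless approval, the challenge, and the failure case described above. The `transStatus` codes and field names follow the EMV 3-D Secure message format; the action names, the handling of `A` and `U`, and the sample data are assumptions.

```javascript
'use strict';

// Action names are assumptions for this sketch, not part of any specification.
const AUTHORISE = 'authorise', CHALLENGE = 'challenge';
const DECLINE = 'decline', REVIEW = 'review';

// msg:   parsed authentication result (ARes = first response, RReq = result
//        after a challenge), using EMV 3-D Secure field names.
// order: what the merchant stored when it started authentication.
function route3dsResult(msg, order) {
  const decline = (reason) => ({ action: DECLINE, flow: null, reason });

  if (!msg || typeof msg !== 'object' || !order) return decline('malformed message');
  if (msg.messageType !== 'ARes' && msg.messageType !== 'RReq') {
    return decline('unexpected message type');
  }
  // Bind the result to the checkout that requested it, so a result from
  // another session cannot be attached to this order.
  if (typeof msg.threeDSServerTransID !== 'string' ||
      msg.threeDSServerTransID !== order.threeDSServerTransID) {
    return decline('transaction ID mismatch');
  }

  const challenged = msg.messageType === 'RReq';
  const flow = challenged ? 'challenge' : 'frictionless';

  switch (msg.transStatus) {
    case 'Y': // authenticated: must carry the issuer's authentication value
      if (!msg.authenticationValue) return decline('missing authentication value');
      return { action: AUTHORISE, flow, reason: 'authenticated' };
    case 'C': // issuer wants the cardholder to complete a challenge
      if (challenged) return decline('challenge status after a challenge');
      return { action: CHALLENGE, flow: 'challenge', reason: 'challenge required' };
    case 'N': // not authenticated
    case 'R': // issuer rejected and asks that authorisation not be attempted
      return { action: DECLINE, flow, reason: 'authentication failed' };
    case 'A': // attempt recorded only
    case 'U': // authentication could not be performed
      return { action: REVIEW, flow, reason: 'no successful authentication' };
    default:  // unknown or unhandled codes fail closed
      return decline('unhandled transStatus');
  }
}

// Constructed sample data (not a real transaction ID or cryptogram).
const order = { threeDSServerTransID: '11111111-2222-4333-8444-555555555555' };
const frictionless = { messageType: 'ARes', transStatus: 'Y',
  threeDSServerTransID: order.threeDSServerTransID, authenticationValue: 'Q09OU1RSVUNURUQ=' };
console.log(route3dsResult(frictionless, order));
```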
Here’s a quick overview of how it works:
Although 3D secure authentication helps add another layer of security to online payments, you'll still need to make sure that you're meeting the PCI compliance security measures. This makes sure that you're storing, processing, and transmitting customer data in the correct way.
If you need help getting PCI compliant, our team of PCI specialists will guide you over the phone into getting your business fully compliant for a small one-off fee.
Ready to take online payments? Just fill in our quote form or give us a call today at 0808 274 2017.