Many people turn to e-commerce for its speed, global accessibility, and the convenience of shopping at their own pace. Central to this seamless experience are secure and efficient online payment systems, enabling customers to make purchases digitally with confidence and privacy.
As e-commerce continues to grow, so does the need for robust systems that keep payments secure. One such system is 3D Secure, a widely adopted authentication protocol that provides an additional layer of protection for both cardholders and merchants.
What is 3D Secure?
3D Secure (Three-Domain Secure) was developed by Visa to add an extra layer of security to online card payments by requiring cardholder authentication when the issuer deems it necessary. The protocol was created for two key scenarios.
- In the first scenario, it enhances the security of online payment transactions by authenticating the cardholder’s details during transactions.
- In the second scenario, the protocol is used to verify or validate the cardholder’s data during information updates or enrollment.
In this blog, we will focus primarily on the first scenario: the payment authentication aspect of 3D Secure.
The name 3D Secure reflects the protocol’s operation across three domains, which collectively manage the payment authentication process:
- Acquirer domain is the merchant and the acquiring bank that receives the payment on the merchant's behalf
- Issuer domain is the cardholder’s bank
- Interoperability domain is the payment network and infrastructure facilitating communication between the acquirer and the issuer.
3D Secure adds an extra authentication step during checkout, whether the purchase is made in a browser or in an app. For example, the cardholder may receive a push notification in their issuing bank's app or a one-time passcode by SMS, and the purchase proceeds only once they approve it. This prevents stolen card details from being used on their own, reducing fraud and chargebacks for merchants; for transactions the issuer has fully authenticated, the card schemes also shift liability for fraud chargebacks from the merchant to the issuer.
Beyond reducing fraud, 3D Secure is the mechanism card payments use to meet the Strong Customer Authentication (SCA) requirement of the EU's PSD2. PSD2 requires SCA for most electronic payments in the European Economic Area, meaning the payer is authenticated with at least two of three independent elements: something they know (a password or PIN), something they possess (a phone or card) and something they are (a biometric). 3D Secure 2 meets this by letting the issuer challenge the cardholder with such factors; PSD2 also defines exemptions, for example low-value and low-risk transactions, under which the issuer may approve without a challenge.
How does Payment Authentication with 3D Secure work?
When using 3D Secure, the payment authentication process varies depending on whether the cardholder must undergo additional verification (a Challenged Transaction) or can complete the purchase without it (a Frictionless Transaction). The steps involved are:
- Customer Initiates Purchase: A cardholder attempts to complete a purchase on a merchant's website or in its app.
- 3D Secure Protocol is Triggered: The merchant's 3DS Server sends an authentication request (AReq) carrying card, transaction and device data through the card network's Directory Server to the issuer's Access Control Server (ACS).
- Authentication: The issuer's ACS scores the fraud risk of the transaction and decides whether further authentication is needed.
- Response: If a challenge is required, the cardholder completes it (a Challenge Transaction); otherwise the purchase proceeds with no extra step (a Frictionless Transaction). Both types are described below.
- Transaction Completion: The authentication result, including an authentication value when the cardholder was authenticated, is returned to the merchant, who submits it with the authorization request; the issuer then approves or declines the payment.
3D Secure authentication supports two types of transactions, depending on whether a challenge is necessary.
Challenged Transaction
Challenged transactions occur when the issuer judges the risk of fraud to be higher. To ensure security, the cardholder is prompted to authenticate through an additional step, such as entering a password, entering a one-time passcode (OTP) sent to their phone, or completing biometric verification in the bank's app.
Frictionless Transaction
Frictionless transactions occur when the issuing bank is confident that the transaction is low risk, for example a small-value purchase, or a card and device the issuer has already seen authenticated. The issuer authenticates the cardholder on the passive data in the request (device fingerprint, transaction history, merchant) and no additional step is needed. This gives the smoothest user experience, but the assurance rests entirely on the issuer's risk model rather than on a second factor supplied by the cardholder, so fraud that looks normal to the model can pass: the risk is higher than for a challenged transaction.
The Transactional Security is Based on the Authentication Value
During a 3D Secure transaction, the additional security is carried by an authentication value (in Visa's scheme the CAVV, Cardholder Authentication Verification Value), a unique cryptographic value the issuer's Access Control Server generates for each authenticated transaction. It is a keyed message authentication code, computed under a key the issuer shares with the card network, over data that identifies the transaction. It plays the role of a signature, confirming that the issuing bank validated the cardholder's identity, although it is a symmetric MAC rather than an asymmetric digital signature: the network re-derives it with the same key when the merchant presents it in the authorization request.
Because the value is bound to the transaction data, it cannot be transplanted onto a different payment, which both protects the integrity of the transaction and provides the evidence used in disputes and for the liability shift.
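The following simulation ties together the authentication flow described above (AReq, risk decision, challenge) and the authentication value: the issuer's ACS decides between a frictionless and a challenged path, issues an authentication value as an HMAC bound to the transaction, and the network re-derives it at authorization time, rejecting a tampered amount. This is an added example, not code from the original page or from any card scheme or HSM vendor; the message names follow EMV 3DS, but the field set, the risk rule, the demo key, the OTP and the MAC construction are simplified assumptions and not the actual Visa CAVV algorithm.

```python
import hmac
import hashlib
import secrets

# Constructed demo values: not a real key, PAN, threshold or OTP.
ISSUER_AV_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # would live in the issuer's payment HSM
LOW_VALUE_LIMIT = 30.00   # demo rule modelled on the PSD2 low-value exemption
DEMO_OTP = "482913"       # the OTP the issuer "sends" to the cardholder during a challenge

ECI_AUTHENTICATED = "05"      # Visa ECI value: cardholder fully authenticated
ECI_NOT_AUTHENTICATED = "07"  # Visa ECI value: authentication failed or not performed


def compute_auth_value(key, pan, amount, currency, threeds_txn_id, eci):
    """Authentication value as a MAC that binds the issuer's decision to this exact transaction.
    Illustrative construction: real CAVV/AAV formats and algorithms are scheme-specific."""
    msg = "|".join([pan, f"{amount:.2f}", currency, threeds_txn_id, eci]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:40]


class IssuerACS:
    """Issuer domain: the Access Control Server owns the risk decision and the challenge."""

    def __init__(self, key):
        self.key = key
        self.pending = {}  # threeDSServerTransID -> AReq awaiting a challenge result

    def handle_areq(self, areq):
        low_risk = areq["amount"] <= LOW_VALUE_LIMIT and areq["deviceKnown"]
        if low_risk:
            # Frictionless: authenticate on passive data alone, no cardholder interaction
            return self._result(areq, "Y")
        self.pending[areq["threeDSServerTransID"]] = areq
        return {"threeDSServerTransID": areq["threeDSServerTransID"],
                "transStatus": "C", "challengeMethod": "OTP"}

    def handle_creq(self, creq):
        areq = self.pending.pop(creq["threeDSServerTransID"])
        status = "Y" if hmac.compare_digest(creq["otp"], DEMO_OTP) else "N"
        # In the spec the final result reaches the 3DS Server in an RReq; returned directly here
        return self._result(areq, status)

    def _result(self, areq, status):
        eci = ECI_AUTHENTICATED if status == "Y" else ECI_NOT_AUTHENTICATED
        res = {"threeDSServerTransID": areq["threeDSServerTransID"], "transStatus": status, "eci": eci}
        if status == "Y":
            res["authenticationValue"] = compute_auth_value(
                self.key, areq["pan"], areq["amount"], areq["currency"],
                areq["threeDSServerTransID"], eci)
        return res


class Network:
    """Interoperability domain: at authorization, re-derive the authentication value with the
    issuer's key and reject anything that does not match the transaction being authorized."""

    def __init__(self, key):
        self.key = key

    def verify_auth_value(self, auth):
        expected = compute_auth_value(self.key, auth["pan"], auth["amount"], auth["currency"],
                                      auth["threeDSServerTransID"], auth["eci"])
        return hmac.compare_digest(expected, auth["authenticationValue"])


def run_flow(amount, device_known, otp_entered=None, tampered_amount=None):
    """Acquirer domain: the merchant's 3DS Server drives the exchange, then submits authorization."""
    acs, network = IssuerACS(ISSUER_AV_KEY), Network(ISSUER_AV_KEY)
    txn_id = secrets.token_hex(8)
    areq = {"threeDSServerTransID": txn_id, "pan": "4111111111111111",  # constructed test PAN
            "amount": amount, "currency": "978", "deviceKnown": device_known}
    res = acs.handle_areq(areq)
    flow = "frictionless"
    if res["transStatus"] == "C":
        flow = "challenge"
        res = acs.handle_creq({"threeDSServerTransID": txn_id, "otp": otp_entered or ""})
    if res["transStatus"] != "Y":
        return {"flow": flow, "transStatus": res["transStatus"], "authorized": False}
    auth = {**areq, "eci": res["eci"], "authenticationValue": res["authenticationValue"]}
    if tampered_amount is not None:
        auth["amount"] = tampered_amount  # simulate an authorization request altered after authentication
    return {"flow": flow, "transStatus": "Y", "authorized": network.verify_auth_value(auth)}


if __name__ == "__main__":
    print(run_flow(12.50, device_known=True))                          # frictionless, authorized
    print(run_flow(250.00, device_known=True, otp_entered=DEMO_OTP))   # challenge passed, authorized
    print(run_flow(250.00, device_known=True, otp_entered="000000"))   # challenge failed, declined
    print(run_flow(12.50, device_known=True, tampered_amount=1250.0))  # authentication value does not verify
```

The point to take from the last call is that the authentication value is only useful because it is bound to the transaction data: an attacker who replays a valid value onto a different amount, card or transaction ID fails verification at the network, which is what makes the value usable as evidence in a dispute.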
One payment Hardware Security Module (HSM) built for this role is the Atalla AT1000 Payment HSM, which generates authentication values inside the HSM so that the issuer's keys never leave tamper-resistant hardware. It supports Visa's authentication value method, using the cryptographic algorithms Visa specifies for the Visa Secure program to generate the values, which strengthens transaction security and helps prevent fraud in online payments.