
Enabling Secure Online Payments with 3D Secure and Payment HSM

Many people turn to e-commerce for its speed, global accessibility, and the convenience of shopping at their own pace. Central to this seamless experience are secure and efficient online payment systems, enabling customers to make purchases digitally with confidence and privacy. 

As e-commerce continues to grow, so does the need for robust systems that ensure payment security. One such system is 3D Secure, a widely adopted security protocol that provides an additional layer of protection for both cardholders and merchants.

What is 3D Secure?

3D Secure (Three-Domain Secure) was developed by Visa to add an extra layer of security to online payment transactions by requiring cardholder authentication when needed. The protocol was created primarily for two key scenarios:

  1. In the first scenario, it enhances the security of online payment transactions by authenticating the cardholder during the transaction.
  2. In the second scenario, it verifies or validates the cardholder's data during information updates or enrollment.

In this blog, we will focus primarily on the first scenario: the payment authentication aspect of 3D Secure.

The name 3D Secure reflects the protocol’s operation across three domains, which collectively manage the payment authentication process:

  • Acquirer domain: the merchant, or the bank acquiring the payment from the cardholder on the merchant's behalf.
  • Issuer domain: the cardholder's bank.
  • Interoperability domain: the payment network and infrastructure facilitating communication between the acquirer and the issuer.

3D Secure adds an additional layer of authentication, requiring the cardholder to complete an extra verification step during checkout, whether they purchase through a browser or an app. For example, if they choose a payment method such as PayPal on the merchant's site or app, they receive a notification to authenticate in the PayPal app. This helps prevent unauthorized use of payment data, reducing fraud and chargebacks for merchants.

In addition to security during payment transactions, 3D Secure helps to fulfill compliance requirements like PSD2, which mandates Strong Customer Authentication (SCA). Under PSD2, all electronic payments in Europe must have SCA, requiring two-factor authentication during online payment transactions. 3D Secure meets the SCA requirements by prompting cardholders to verify their identity using two-factor authentication.

How does Payment Authentication with 3D Secure work?

When using 3D Secure, the payment authentication process varies depending on whether the cardholder must undergo additional verification (a Challenged Transaction) or can complete the purchase without it (a Frictionless Transaction). The steps involved are:

  • Customer Initiates Purchase: A cardholder attempts to complete a purchase on a merchant's website or app.
  • 3D Secure Protocol is Triggered: The merchant sends a request to the payment gateway, which forwards the transaction details to the card-issuing bank.
  • Authentication: The cardholder's bank (the issuing bank) determines whether further authentication is needed based on the assessed risk of fraud.
  • Response: The cardholder either completes the authentication, if required (a Challenged Transaction), or proceeds to complete the purchase without it (a Frictionless Transaction). Both transaction types are described below.
  • Transaction Completion: The transaction is either approved or denied based on the authentication result.

3D Secure authentication supports two types of transactions, depending on whether additional authentication is required.

Challenged Transaction

A Challenged Transaction occurs when there is a higher risk of fraudulent activity. To ensure security, the cardholder is prompted to authenticate through an additional step, such as entering a password, responding to a one-time password (OTP), or completing biometric verification.

Frictionless Transaction

A Frictionless Transaction occurs when the issuing bank is confident that the transaction is low risk, for example a small-value purchase, or one where the cardholder's details are already saved and authenticated. In this scenario, the cardholder is considered authentic and no additional step is needed. While the transaction is smooth and improves the user experience by eliminating additional authentication steps, it does not provide the same level of security, and the risk of fraud is higher.

The Transactional Security is Based on the Authentication Value

During payment transactions involving 3D Secure, the additional security is based on an authentication value, a unique cryptographic value generated during the transaction process. This value is used to verify that the cardholder has been successfully authenticated. It acts as a digital signature, confirming that the issuing bank has validated the cardholder's identity.

The authentication value ensures the integrity of the transaction and provides proof in the event of disputes.  

One of the market-leading Payment Hardware Security Modules (HSMs) is the Atalla AT1000 Payment HSM, which generates authentication values to protect sensitive cardholder data. It is a preferred choice in the market because it supports Visa's authentication value method, using specific cryptographic algorithms to generate authentication values as part of the Visa Secure program. This capability enhances transaction security and helps prevent fraud in online payments.
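To make the flow above concrete, here is an added, constructed example that is not Utimaco's, Visa's or the Atalla AT1000's code: an issuer-side risk decision (challenge vs. frictionless), followed by generation and later verification of an authentication value as an HMAC over the transaction fields and the authentication result, with an in-memory placeholder key standing in for one held inside the payment HSM. The Visa Secure algorithm and field layout are not described on this page and are not reproduced here; the function names, the bound field set and the key are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed placeholder key. In a real deployment the authentication-value
# key lives inside the issuer's payment HSM and never leaves it.
ISSUER_AV_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


@dataclass(frozen=True)
class Transaction:
    """Fields the issuer binds into the authentication value (assumed set)."""
    pan_last4: str
    amount_minor: int   # amount in minor units, e.g. cents
    currency: str
    merchant_id: str
    tx_id: str


def issuer_decision(tx: Transaction, card_on_file: bool, low_value_limit: int = 3000) -> str:
    """Simplified issuer risk rule: low value or card on file -> frictionless."""
    if card_on_file or tx.amount_minor <= low_value_limit:
        return "frictionless"
    return "challenge"


def _message(tx: Transaction, auth_result: str, nonce: str) -> bytes:
    # Every field that must not change between authentication and clearing
    fields = [tx.pan_last4, str(tx.amount_minor), tx.currency,
              tx.merchant_id, tx.tx_id, auth_result, nonce]
    return "|".join(fields).encode()


def generate_auth_value(tx: Transaction, auth_result: str,
                        key: bytes = ISSUER_AV_KEY) -> str:
    """Issuer side: MAC over transaction + result; the nonce makes each value unique."""
    nonce = secrets.token_hex(8)
    tag = hmac.new(key, _message(tx, auth_result, nonce), hashlib.sha256).hexdigest()[:32]
    return f"{auth_result}:{nonce}:{tag}"


def verify_auth_value(tx: Transaction, auth_value: str,
                      key: bytes = ISSUER_AV_KEY) -> bool:
    """Issuer side at authorization or dispute: accept only a 'Y' result with a valid MAC."""
    try:
        auth_result, nonce, tag = auth_value.split(":")
    except ValueError:
        return False
    expected = hmac.new(key, _message(tx, auth_result, nonce), hashlib.sha256).hexdigest()[:32]
    return auth_result == "Y" and hmac.compare_digest(tag, expected)
```

Changing any bound field after the value was issued (for instance the amount), or presenting a value whose recorded result is not "Y", fails verification, which is what allows the value to serve as evidence in a dispute.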

Download the Atalla AT1000 Simulator now!

Tushar Bhanage
Product Marketing Manager