Need Help? Chat icon | Call - 1 888 414 7111
Merchant Accounts.ca logo
Home > News and Blog

January 10, 2024
by David Goodale

What Is 3DSecure?

(Slightly edited from video transcript for greater readability)

Key Takeaways

1
What is 3DSecure?
3DSecure is a security tool that merchants can enable on e-commerce websites to fight fraud.
2
Prevents Chargebacks
Every 3DS approved transaction is protected against chargebacks for fraud. You will eliminate your fraud related financial losses by enabling it.
3
3DSecure aims to be frictionless
For most 3DS transactions the 3DS approval is automatic, the cardholder isn't bothered in any way and doesn't even realize they've gone through 3DS authentication.
Need help with this topic? Or a rate quote?
Whether its questions about this article, or you want to see how we can lower your costs. Don't hesitate to contact us.

Hello, David here at Merchant-Accounts.ca. What is 3DSecure? That's the topic I'm going to tackle today and I'll start by telling you it's probably one of the most important tools that e-commerce merchants can ever hope to use to minimize fraud. Stay tuned, we'll dig in in one second.

What is 3DSecure?

3DSecure is a security tool used on e-commerce websites to prevent fraud. Once a transaction is 3DSecure authenticated the cardholder cannot claim fraud via a chargeback.
3DSecure

3DSecure versions

There are two versions of 3DSecure. The original version opened a pop-up box during the checkout process for every customer. It caused a ton of customer frustration and click-offs, which made it unpopular with e-commerce merchants due to the friction it introduced in the checkout process. It was not considered to be very good and has now been discontinued.

A much better implementation, version two of 3DSecure is now available, and that's what we'll be talking about in this article. The main difference between version one and version two of 3DSecure is that version two is supposed to be frictionless. Your customers aren't even supposed to know that you're using it.

3DSecure benefits

3DSecure benefits

Reduced friction is great for the marketers out there who care about security causing cart abandonment. For financial folks, business owners, and merchants, the main benefit of using 3DSecure is if you get a 3DSecure authentication, you can't get a chargeback for that order.

Think about every frustrating loss your business has ever had to somebody who used a stolen credit card. That problem is completely solved with 3DSecure and that's the main reason to use it. There are other anti-fraud solutions out there, but this is the only one endorsed officially by Visa and MasterCard where you can't get chargebacks for fraud reasons.

How 3DSecure works

It works like this. Normally when you process an e-commerce transaction, your website talks to a payment gateway. Your website goes, hey, payment gateway, wake up, it's me t-shirts.com. Can you please run this credit card transaction for me? Here's the credit card number.

The shopping cart software talks to the gateway and the gateway do its thing with 3DSecure. There's an extra step that happens before your shopping cart communicates with the payment gateway. It talks to a 3DSecure provider. It says, hey, 3DSecure company, I have this guy here Dave, and he wants to process a $500 order on his credit card and I'd like you to 3DSecure authenticate this transaction. Behind the scenes what happens is that the 3DSecure provider talks to your customer's card issuing bank about the order you're asking the card issuing bank to give a 3DSecure approval.

Without getting too technical, in the step where your website talks to the 3DSecure provider, there's a lot of info being passed. The API's easy to use and programmatically it's not that hard to set up. There are over a hundred data elements. That's a lot of info that the card issuer's able to look at and evaluate and determine if this a legitimate transaction. What they're trying to do is verify if this is the cardholder, and in this example that is Dave trying to make a transaction.

In the original version of 3DSecure, they didn't pass all these data elements, they just forced the customer to type in a secret password you had verified by Visa or a MasterCard, which was an extra thing that people had to remember and it was very inconvenient. It was like a big intrusive overlay on the e-commerce website that came up. On every order with the original version of 3DSecure, the customer was always bothered and they had to do something. The magic of 3DSecure version two is that because so many data elements are passed in the transaction request, there's enough info there for the card issuer to determine usually whether to issue a 3DSecure approval or not.

3DSecure frictionless

3DSecure intervention rate

Roughly 80% of the time 3DSecure approval is supposed to automatically happen, which means roughly 20% of the time the cardholder may or may not be presented with a challenge. As the merchant, you don't need to do anything and the cardholder doesn't need to do anything for that 80%. Now, once you get that 3DSecure approval, the 3DSecure provider responds to your website, hey, you asked me to 3DSecure authenticate Dave. Well, we did, and here's your 3DSecure code. At that point, your website will talk to the payment gateway as normal just like it does now if you have an e-commerce website today. Your website's going to talk to the payment gateway as normal, but you're going to include one extra thing. You're going to include your 3DSecure authentication code and that's how your payment processor knows, this isn't a normal order, this is a 3DSecure authenticated order, and that gets passed into Visa, MasterCard.

The cardholder cannot claim fraud

If in the future that cardholder ever contacts their bank to try and claim fraud, they will lose the chargeback because this is now a 3DSecure authenticated order. What's important to point out is in everything I've described so far; your customer likely didn't even know it was a 3DSecure transaction because it was frictionless. They didn't have to type in a password or anything, but that doesn't always happen. Sometimes the card issuer gets it wrong, so let's assume that it's a legitimate customer, but the card issuer doesn't automatically issue a 3DSecure approval. Are you stuck? No, you can still get a 3DSecure approval. What happens is at that point, if it's not automatically approved, the card issuer can display a challenge step, kind of like the original version of 3DSecure but not as intrusive. The interface is a lot better.

How does the 3DSecure version two challenge work?

Most typically the card issuer will send a text to the cardholder's phone. This all happens automatically behind the scenes, it's all taken care of for you by the 3DSecure provider. What will happen is the customer will get either a text message or maybe a phone call, or often, especially for European card holders, a message in their mobile banking app. Then what will happen, for example, most Canadian banks issue a text to the cardholder and it will say, we see you trying to do this $500 transaction on your Visa card. If this is a legitimate transaction, please text back one and we will approve it. If so, the customer texts back one to that text message from their issuing bank, and again, the issuing bank approves, and they now 3DSecure the transaction because it passed the second factor of authentication.

3DSecure challenge

The challenge step is optional

What I just described was a 3DSecure transaction where the automatic approval failed but then the customer completed the challenge step. Here's the important bit. You don't have to issue that challenge step. Some merchants are worried about friction. They don't want the customer to have to do anything. They like the advantage of 3DSecure, they like the fraud protection, but they don't want the customer jumping through any hoops. I'm describing a merchant that's more worried about conversions. They want every sale they can get rather than a merchant that's worried about fraud. In that case, the challenge step that I described is optional. You send the request to the 3DSecure provider and this 3DSecure provider in this example does not automatically issue the 3DSecure approval.

You don't have to proceed with the challenge step, you don't have to hassle the customer. You can then just go back; it'll go back to your website and then you just send the transaction as normal to the payment gateway. The transaction won't include a 3DSecure authentication code because you didn't get one and it's just normal e-commerce.

If you omit the challenge then you won't be protected from fraud chargebacks

Unfortunately, though, you won't be protected from chargebacks because you did not successfully get the 3DSecure authentication. I'm not trying to confuse my audience here, what I'm saying is that 3DSecure version two is flexible. You can always seek automatic approval, but where you don't get it, you can then either choose to allow the customer to go through the challenge step or you don't have to, you can proceed with a normal transaction without 3DSecure. That's something that a lot of people don't understand and why I want it to be very clear in this part of the video. If you do decide to proceed with orders that failed 3DSecure authentication, those are suspect orders, you need to be doing something.

My recommendation would be to manually follow up with the orders that failed 3DSecure. That way if you're worried about cart abandonment or friction, you can still let the orders through, but you have to spot and stop the fraudulent ones. In reality, though, this depends on your business, how expensive your items are, how many orders you do per day, and whether is it even humanly possible to scrub through that many orders manually. This is something for you to consider about your business.

How do I implement 3DSecure?

You might be wondering also; do I need to go and find a company to do this? Does my credit card processor support 3DSecure? Most credit card processors have a 3DSecure partner that they work with by default. 3DSecure is a global standard, so you can use any provider on Earth. It doesn't matter which 3DSecure provider you choose to use. They will work just fine with your payment processor, but your payment processor probably already has a 3DSecure service that they work with. You should just ask them about it.

In terms of cost, 3DSecure is usually around 15 cents per transaction depending on which provider that you choose.

If you're curious about using is, Merchant-Accounts.ca we've partnered with a company called Paay and we did a podcast with them describing in more detail the ins and outs of 3DSecure. Please check that out. If you want to learn more, there'll be a link in the description of the video.

Conclusion

In summary, 3DSecure has only two real limitations. First, it's only available for e-commerce merchants. If you have customers on the phone and you're keying the orders manually into your virtual terminal, that won't work. It has to be the cardholder entering the data themselves on an e-commerce website. The second limitation is it only protects against chargebacks for fraud or no cardholder authentication. It won't stop chargebacks for things like, the item wasn't as described or I never got my item in the first place.

If you do want to implement 3DSecure for your business, why not consider reaching out to us at Merchant-Accounts.ca? We can give you a price for 3DSecure and your credit card processing and answer any questions you have. If you are having problems with online stores with fraud, you really should seriously consider 3DSecure version two. I hope this video was helpful. Thanks for watching. Have a nice day there. Bye now.

Related Topics
April 19, 2022
A chargeback is a dispute between a customer and the business. In this video we explore what a chargeback is, and some of the reasons that chargebacks occur.
April 07, 2022
If you get too many chargebacks your merchant account can be shut down. In this video we explore what you should do to keep your account in good standing if you've been targeted by fraudsters and suddenly start receiving a lot of chargebacks.
February 07, 2023
Card testing is an increasing problem for #ecommerce merchants. Fraudsters are constantly looking for ways to test cards. It's even a problem for payment processors, Visa and Mastercard. In this video David explains what card testing is, why fraudsters do it, and how to stop it, in addition to advice on how to get some of the fees reversed when it occurs.
January 20, 2022
Hello, David here at Merchant-Accounts.ca. Today I'm going to tackle a very frustrating topic. Sometimes it's infuriating. What do you do when you get a chargeback and you lose it and it's completely unfair? What's left? Stay tuned, I'm going to do my best to help in one second.
May 14, 2021
In the past the best way to manually screen suspicious orders was to call the customer on the phone and ask them questions. Now, with modern web based video technologies it's possible to validate customers in a way that was never previously possible.
March 16, 2018
Visa is addressing some of the most common chargeback related complaints from merchants. Going forward, chargebacks are a thing of the past and will now be known as disputes.
March 22, 2023
A positive AVS result is an indicator of a legitimate transaction. In this short explainer video David explains what AVS is, how it works, and things to be aware of when relying on an AVS security result for any particular order.
March 25, 2023
It can be difficult to win a chargeback dispute. David explores different ways to shift the odds into your favour.
March 29, 2023
David explains what two factor authentication is, how it works, and how it shifts chargeback risk for fraud onto the card issuer and away from the merchant.
July 21, 2023
How does Visa and MasterCard chargeback arbitration work? When a merchant has fought a chargeback and lost there is still one more chance to turn it around by taking it to the card brands for arbitration.
July 28, 2023
Merchants with businesses that are prone to disputes need to be careful to stay below the Visa and MasterCard thresholds.

Need professional guidance?
Contact us for a free one hour consultation.


Can I Help Lower Your Processing Fees?


If you found this content helpful, will you give me the opportunity to quote on your business?

View Rates
David Goodale About the Author

My name is David Goodale, CEO at Merchant Accounts.ca. I launched our business in 2001 and have over 20 years of expertise in the field of online payments. If you have a payments related question or project, and especially if it relates to multi-currency or international e-commerce don't hesitate to contact me. I'm always happy to help with an honest opinion, and enjoy chatting with folks from interesting businesses.

Toll free: 888-414-7111 ext. 5
Direct: (905) 901-2254
david.goodale@merchant-accounts.ca