January 10, 2024
by David Goodale
What Is 3DSecure?
(Slightly edited from video transcript for greater readability)
Hello, David here at Merchant-Accounts.ca. What is 3DSecure? That's the topic I'm going to tackle today and I'll start by telling you it's probably one of the most important tools that e-commerce merchants can ever hope to use to minimize fraud. Stay tuned, we'll dig in in one second.
What is 3DSecure?
There are two versions of 3DSecure. The original version opened a pop-up box during the checkout process for every customer. It caused a ton of customer frustration and click-offs, which made it unpopular with e-commerce merchants due to the friction it introduced in the checkout process. It was not considered to be very good and has now been discontinued.
A much better implementation, version two of 3DSecure is now available, and that's what we'll be talking about in this article. The main difference between version one and version two of 3DSecure is that version two is supposed to be frictionless. Your customers aren't even supposed to know that you're using it.
Reduced friction is great for the marketers out there who care about security causing cart abandonment. For financial folks, business owners, and merchants, the main benefit of using 3DSecure is if you get a 3DSecure authentication, you can't get a chargeback for that order.
Think about every frustrating loss your business has ever had to somebody who used a stolen credit card. That problem is completely solved with 3DSecure and that's the main reason to use it. There are other anti-fraud solutions out there, but this is the only one endorsed officially by Visa and MasterCard where you can't get chargebacks for fraud reasons.
How 3DSecure works
It works like this. Normally when you process an e-commerce transaction, your website talks to a payment gateway. Your website goes, hey, payment gateway, wake up, it's me t-shirts.com. Can you please run this credit card transaction for me? Here's the credit card number.
The shopping cart software talks to the gateway and the gateway do its thing with 3DSecure. There's an extra step that happens before your shopping cart communicates with the payment gateway. It talks to a 3DSecure provider. It says, hey, 3DSecure company, I have this guy here Dave, and he wants to process a $500 order on his credit card and I'd like you to 3DSecure authenticate this transaction. Behind the scenes what happens is that the 3DSecure provider talks to your customer's card issuing bank about the order you're asking the card issuing bank to give a 3DSecure approval.
Without getting too technical, in the step where your website talks to the 3DSecure provider, there's a lot of info being passed. The API's easy to use and programmatically it's not that hard to set up. There are over a hundred data elements. That's a lot of info that the card issuer's able to look at and evaluate and determine if this a legitimate transaction. What they're trying to do is verify if this is the cardholder, and in this example that is Dave trying to make a transaction.
In the original version of 3DSecure, they didn't pass all these data elements, they just forced the customer to type in a secret password you had verified by Visa or a MasterCard, which was an extra thing that people had to remember and it was very inconvenient. It was like a big intrusive overlay on the e-commerce website that came up. On every order with the original version of 3DSecure, the customer was always bothered and they had to do something. The magic of 3DSecure version two is that because so many data elements are passed in the transaction request, there's enough info there for the card issuer to determine usually whether to issue a 3DSecure approval or not.
3DSecure intervention rate
Roughly 80% of the time 3DSecure approval is supposed to automatically happen, which means roughly 20% of the time the cardholder may or may not be presented with a challenge. As the merchant, you don't need to do anything and the cardholder doesn't need to do anything for that 80%. Now, once you get that 3DSecure approval, the 3DSecure provider responds to your website, hey, you asked me to 3DSecure authenticate Dave. Well, we did, and here's your 3DSecure code. At that point, your website will talk to the payment gateway as normal just like it does now if you have an e-commerce website today. Your website's going to talk to the payment gateway as normal, but you're going to include one extra thing. You're going to include your 3DSecure authentication code and that's how your payment processor knows, this isn't a normal order, this is a 3DSecure authenticated order, and that gets passed into Visa, MasterCard.
The cardholder cannot claim fraud
If in the future that cardholder ever contacts their bank to try and claim fraud, they will lose the chargeback because this is now a 3DSecure authenticated order. What's important to point out is in everything I've described so far; your customer likely didn't even know it was a 3DSecure transaction because it was frictionless. They didn't have to type in a password or anything, but that doesn't always happen. Sometimes the card issuer gets it wrong, so let's assume that it's a legitimate customer, but the card issuer doesn't automatically issue a 3DSecure approval. Are you stuck? No, you can still get a 3DSecure approval. What happens is at that point, if it's not automatically approved, the card issuer can display a challenge step, kind of like the original version of 3DSecure but not as intrusive. The interface is a lot better.
How does the 3DSecure version two challenge work?
Most typically the card issuer will send a text to the cardholder's phone. This all happens automatically behind the scenes, it's all taken care of for you by the 3DSecure provider. What will happen is the customer will get either a text message or maybe a phone call, or often, especially for European card holders, a message in their mobile banking app. Then what will happen, for example, most Canadian banks issue a text to the cardholder and it will say, we see you trying to do this $500 transaction on your Visa card. If this is a legitimate transaction, please text back one and we will approve it. If so, the customer texts back one to that text message from their issuing bank, and again, the issuing bank approves, and they now 3DSecure the transaction because it passed the second factor of authentication.
The challenge step is optional
What I just described was a 3DSecure transaction where the automatic approval failed but then the customer completed the challenge step. Here's the important bit. You don't have to issue that challenge step. Some merchants are worried about friction. They don't want the customer to have to do anything. They like the advantage of 3DSecure, they like the fraud protection, but they don't want the customer jumping through any hoops. I'm describing a merchant that's more worried about conversions. They want every sale they can get rather than a merchant that's worried about fraud. In that case, the challenge step that I described is optional. You send the request to the 3DSecure provider and this 3DSecure provider in this example does not automatically issue the 3DSecure approval.
You don't have to proceed with the challenge step, you don't have to hassle the customer. You can then just go back; it'll go back to your website and then you just send the transaction as normal to the payment gateway. The transaction won't include a 3DSecure authentication code because you didn't get one and it's just normal e-commerce.
If you omit the challenge then you won't be protected from fraud chargebacks
Unfortunately, though, you won't be protected from chargebacks because you did not successfully get the 3DSecure authentication. I'm not trying to confuse my audience here, what I'm saying is that 3DSecure version two is flexible. You can always seek automatic approval, but where you don't get it, you can then either choose to allow the customer to go through the challenge step or you don't have to, you can proceed with a normal transaction without 3DSecure. That's something that a lot of people don't understand and why I want it to be very clear in this part of the video. If you do decide to proceed with orders that failed 3DSecure authentication, those are suspect orders, you need to be doing something.
My recommendation would be to manually follow up with the orders that failed 3DSecure. That way if you're worried about cart abandonment or friction, you can still let the orders through, but you have to spot and stop the fraudulent ones. In reality, though, this depends on your business, how expensive your items are, how many orders you do per day, and whether is it even humanly possible to scrub through that many orders manually. This is something for you to consider about your business.
How do I implement 3DSecure?
You might be wondering also; do I need to go and find a company to do this? Does my credit card processor support 3DSecure? Most credit card processors have a 3DSecure partner that they work with by default. 3DSecure is a global standard, so you can use any provider on Earth. It doesn't matter which 3DSecure provider you choose to use. They will work just fine with your payment processor, but your payment processor probably already has a 3DSecure service that they work with. You should just ask them about it.
If you're curious about using is, Merchant-Accounts.ca we've partnered with a company called Paay and we did a podcast with them describing in more detail the ins and outs of 3DSecure. Please check that out. If you want to learn more, there'll be a link in the description of the video.
In summary, 3DSecure has only two real limitations. First, it's only available for e-commerce merchants. If you have customers on the phone and you're keying the orders manually into your virtual terminal, that won't work. It has to be the cardholder entering the data themselves on an e-commerce website. The second limitation is it only protects against chargebacks for fraud or no cardholder authentication. It won't stop chargebacks for things like, the item wasn't as described or I never got my item in the first place.
If you do want to implement 3DSecure for your business, why not consider reaching out to us at Merchant-Accounts.ca? We can give you a price for 3DSecure and your credit card processing and answer any questions you have. If you are having problems with online stores with fraud, you really should seriously consider 3DSecure version two. I hope this video was helpful. Thanks for watching. Have a nice day there. Bye now.
Need professional guidance?
Contact us for a free one hour consultation.
Can I Help Lower Your Processing Fees?
If you found this content helpful, will you give me the opportunity to quote on your business?