If you’ve asked yourself this question, you are doing things right! It means you’ve been doing your homework trying to protect your online business against fraud. And now ChargebackHelp is here to explain: what 3D Secure is and whether you need it for your business or not.
Technically speaking, 3D Secure (3DS) is an authentication process where three “domains” (hence 3D) are involved in authorizing a transaction. Those domains are the issuing bank, the acquiring bank, and an “interoperability” domain that handles communications between merchant, issuer and acquirer. Here’s how it works:
When a cardholder initiates a purchase, their card information is sent via SSL to the “interoperability domain” to determine whether the card is registered for 3D Secure. If so, the user is directed to the issuing bank domain through a popup or iframe window to enter a password or other authentication with their issuer. Upon successful entry, the transaction information is sent back with the issuer’s confirmation and routed to the acquirer for its approval.
Normally, the merchant gateway verifies the card information with the issuer, and upon success, the transaction is processed. With 3DS transactions, the issuer has its own gateway that comes up in the process for an added verification step. This could be a preset password, a one-time password via SMS, or even biometric recognition. Your acquiring bank is also involved in the authorization as it needs the issuer’s confirmation to finalize a transaction.
Sounds complicated… because it is. Many merchants don’t understand the concept of 3DS and the vast majority of our merchants do not use it. Cardholders have their reservations as well. Merchants who are considering adopting 3DS need to take this into account, and provide some handholding for users through the process.
When the issuer window comes up, many cardholders don’t recognize it as their issuer (they’re expecting a merchant page). So it is absolutely essential to tell the user where they are being redirected. If you are adopting 3DS, it is also very important to provide a secure HTTPS connection between the domains, and to assure the user that these connections are secure.
But all drawbacks aside, issuing banks are moving to 100% enrollment of all cards in their respective 3DS programs. At some point, 3DS enrollment will be ubiquitous enough that, as with the EMV migration, users will get used to the process. Meanwhile, issuing banks need to do a better job of pre-registering cardholders in order to reduce gateway friction and transaction abandonment. The big question is: will they? We advise merchants to consult with their acquiring bank and follow its lead on whether to adopt 3DS.