3D Secure 2
3D Secure 2 enables merchants and banks to share rich contextual cardholder data to quickly authenticate transactions behind the scenes without the additional consumer verification steps that typically cause friction during checkout (e.g. authentication redirects, remembering and entering static passwords). Merchants can now pass in over 100 fields during the authentication request that banks can then use to determine the risk level of the transaction. Using this enriched data transfer, the majority of low-risk transactions are able to be authenticated without requiring additional input from the consumer, leading to a safe, efficient, and frictionless checkout experience.
When 3D Secure 2 is used in conjunction with an authorization request through the Card Payments API—requiring the customer to authenticate the card used in the transaction—a major advantage to the merchant is that with disputed payments the financial liability can shift from the merchant to the card issuer. This means that in the event of a dispute or chargeback for fraud reasons (e.g., customer claims they did not make the transaction), the cardholder or in some cases the card issuer will be responsible for the amount authorized on the original transaction. The merchant will still receive the funds from the transaction, greatly reducing the risk of chargebacks.
There is no liability shift for non-fraud-related chargeback reasons, such as goods not delivered or defective goods.
The 3D Secure 2 API is used together with the Card Payments API:
- Use the 3D Secure 2 API to request authentication.
- Process the authorization with the Card Payments API.
3D Secure 2 Payment Integration Process
The payment integration process with 3D Secure 2 is as follows:
- A merchant uses the 3D Secure 2 API to collect the device fingerprint ID and authenticate the cardholder.
- The card issuer determines whether to challenge the cardholder or (if they have received enough contextual data) to complete the authentication.
- Paysafe returns a response to the merchant. Depending on the result, the merchant either continues with the cardholder challenge or consults the Liability Shift matrix to determine whether to proceed with the Authorization request.
- After consulting the Liability Shift matrix, if the merchant decides to proceed, the merchant posts an authorization to Paysafe using the Card Payments API. The request contains the appropriate 3D Secure 2 Authentication results (eci, cavv, threeDResult, threeDSecureVersion ...).
- Once an authorization has been obtained from the card issuer, the merchant can process a settlement (capture a payment), using the Card Payments API.
For more information, see the 3D Secure 2 section, and to get the most out of your integration, see our 3D Secure 2 Best Practices and Acceptance Guidelines.
When payment returns a ‘Soft Decline’ reason code
If a merchant incorrectly uses or skips 3D Secure authentication for a payment that requires Strong Customer Authentication (SCA), Paysafe will automatically respond with a "Soft Decline" in accordance with industry standards. After receiving a "Soft Decline", the merchant is required to attempt the payment again with 3D Secure Authentication.
Why would you receive a Soft decline?
- You skipped 3DS2 before taking the payment.
- You tried to take the payment even though the customer failed to authenticate with their bank.
- The customer authentication is incomplete due to an integration or external issue.
- An exemption from 3DS2 Authentication was requested too many times for the same customer.
You will receive the following standard ‘Soft Decline’ code and message as described in the Authorization Errors guide.
Error Code 3060 - Your request has been declined because Strong Customer Authentication is required.
When receiving the 3060 Error Code you have two options:
- Option 1: Attempt the Authorization again, but this time with 3DS2 Authentication in place
- Option 2: Provide the appropriate 3DS exemption flag in the new Authorization
Merchants should not abandon the payment or notify the customer their card is declined when they receive a Soft Decline. It is mandatory to run the transaction again, this time with 3DS2 Authentication in place. Merchants will have a much greater likelihood of having their payment accepted if they run Authentication or request an exemption.
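The Option 1 flow described above, as an added example that is not Paysafe's own code: a 3060 response triggers 3DS2 authentication and exactly one retry, and the payment is never resubmitted when the cardholder fails to authenticate. The `authorize` and `authenticate` callables, the `{"error": {"code": ...}}` response shape, the `Outcome` type and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass

SOFT_DECLINE = "3060"  # code from this page: Strong Customer Authentication required

@dataclass
class Outcome:
    status: str    # "authorized" | "declined" | "authentication_failed"
    attempts: int  # authorization requests actually sent

def error_code(resp):
    # Assumed response shape: {"error": {"code": ..., "message": ...}} on failure.
    return str(resp.get("error", {}).get("code", "")) or None

def authorize_with_sca_retry(authorize, authenticate, payment):
    """authorize(payment, auth) and authenticate(payment) are hypothetical
    callables wrapping the Card Payments and 3D Secure 2 APIs."""
    code = error_code(authorize(payment, None))
    if code is None:
        return Outcome("authorized", 1)
    if code != SOFT_DECLINE:
        return Outcome("declined", 1)
    # Soft decline: do not tell the customer the card was declined. Run 3DS2 first.
    auth = authenticate(payment)
    if auth is None:
        # Cardholder failed or did not complete authentication. Sending the
        # authorization anyway is itself a soft-decline cause, so stop here.
        return Outcome("authentication_failed", 1)
    code = error_code(authorize(payment, auth))
    if code is None:
        return Outcome("authorized", 2)
    # Retry once only: a second decline of any kind ends the flow (no loop).
    return Outcome("declined", 2)

# Constructed stand-ins for the two APIs (sample values, not real data).
def fake_authorize(payment, auth):
    if auth is None:
        return {"error": {"code": "3060", "message": "Your request has been declined "
                          "because Strong Customer Authentication is required."}}
    return {"status": "COMPLETED", "threeDResult": auth["threeDResult"]}

def fake_authenticate(payment):
    return {"eci": 5, "cavv": "PLACEHOLDER_CAVV", "threeDResult": "Y",
            "threeDSecureVersion": "2.1.0"}

if __name__ == "__main__":
    print(authorize_with_sca_retry(fake_authorize, fake_authenticate, {"amount": 1000}))
```

Option 2 (the exemption flag) is not shown because the page does not name the flag.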