Introduction to 3D Secure
3D Secure adds an additional security layer for online purchases by requiring cardholders who are enrolled in either the Verified by Visa or the Mastercard SecureCode program to authenticate themselves, typically by providing a password. With 3D Secure, merchants can mitigate fraud while at the same time cardholders enjoy additional security when using their cards online. Paysafe is compliant to 3DS version 1.0.2.
A transaction using Verified by Visa or Mastercard SecureCode will initiate a redirection to the website of the card issuing bank to authorize the transaction. Each issuing bank could use any kind of authentication method (the protocol does not cover this) but typically, a password-based method is used. So to effectively buy on the Internet means using a password linked to the card. The Verified by Visa protocol recommends the bank's verification page load in an iframe. In this way, the bank's systems can be held responsible for most security breaches.
Steps in 3D Secure Cardholder Authentication
Once you have set up a Paysafe merchant account, you can connect to the Paysafe Payments Platform with our simple-to-use API. See our Scenarios section for a quick overview of integration options when using the API. Here is a summary of the process:
3D Secure Process Flow
- The merchant submits an Enrollment Lookup request on the cardholder PAN (card number) to the enrollmentchecks endpoint.
Paysafe submits an enrollment lookup to the appropriate Visa or Mastercard directory server to identify whether the card is registered for 3D Secure.
If the call to the directory server does not return within 10 seconds, a call is made to the secondary directory server.
- The response from the directory server is returned to Paysafe.
Paysafe returns the enrollmentchecks response to the merchant. The response contains the threeDEnrollment flag. If this is "N" then the cardholder is not enrolled in the card issuer's 3D Secure scheme, so a normal payment authorization can be made using the Card Payments API. If this is "Y" then the acsURL and paReq fields are populated in the response and the customer must now be authenticated.
- The merchant redirects the customer's browser to the acsURL returned in step 4 above, using an HTTP form POST. The content of this POST request needs to contain the payment authentication request value (PaReq - note capitalization), the merchant response URL (TermUrl - note capitalization), and an optional merchant-defined variable (MD) that the 3D ACS server will return at the end of the cardholder authentication process.
- The 3D ACS server will post the MD (merchant data) and payment response (PaRes) parameter back to the TermUrl provided. At this stage, the customer has now been authenticated by the card issuer.
- The merchant posts an Authentication message containing the paRes parameter (note capitalization) returned from the ACS server and their merchantRefNum to the Paysafe authentication endpoint. The endpoint includes the enrollment_id that was returned in the original enrollment lookup request.
- Paysafe links the authentication to the customer's card and returns a response to the merchant, which contains the threeDResult, signatureStatus, eci, cavv, and xid parameters.
- The merchant uses the Card Payments API to submit a payment Authorization request, containing the above values along with the original card details.
- Assuming these details are passed to the Card Payments API correctly and the card is 3D Secure authorized, fraud liability is typically shifted from the merchant to the bank.
- Cardholder Authentication (3D Secure) is a recommended step which merchants should implement in regions where the 3D Secure scheme is prevalent, to reduce the risks of fraud and chargebacks.
- If a customers is not enrolled in the 3D Secure scheme (enrollment lookup returns "N") merchants can immediately request a purchase authorization using the Card API.
- If a customer is enrolled in 3D Secure (enrollment lookup returns "Y") merchants should redirect the customer to the card issuer's 3D Access Control Server (ACS), where the customer will be authenticated. In many cases (e.g. low transaction amounts or customers identified by the bank as low-risk ) the card issuer will return a successful authentication response without requiring the customer to enter a username and password, meaning a seamless process for the customer. Merchants will still benefit from liability shift and can then request a purchase authorization as described in steps 7-9 above.
- If the response to a 3D Secure authentication is unsuccessful, merchants should consider asking the customer to resubmit their payment or pay using a different payment method. For more information see 3D Secure Results and Liability Shift.
Example of a 3D Secure Page
The figure below shows an example of the 3D Secure page shown to customers. This page can be embedded in an iframe on your website.
3D Secure Page Example