August 1, 2024
October 18, 2024

What is 3D Secure authentication and how does it work?

In 2022, the South African Banking Risk Information Centre (SABRIC) reported that card-not-present (CNP) transactions made up just short of 77% and 65% of total credit and debit card fraud losses respectively. How are card schemes protecting online card payments?

Kganya Molefe, Content Writer

For any merchant or enterprise accepting card payments online, 3D Secure, or 3DS, is an essential part of your card acceptance process. The industry introduced the international authentication protocol 25 years ago and has made several upgrades since version 2.0 launched in 2016 to meet the needs of a new, more digital world.

While this functionality has played a key role in enabling more secure, authenticated transactions, it also adds an extra step or barrier to the payment process, which can lead to drop-off and failed transactions. That’s why we offer merchants a number of configuration options, including dynamic 3DS, enabling them to optimise for the best possible balance between security and conversion.

What is 3D Secure?

3 Domain Secure, also known as 3D Secure or 3DS, is a cardholder identity authentication protocol for card-not-present (CNP) transactions. The name comes from the three domains involved in certifying the cardholder’s identity: the merchant acquirer domain, the card issuer domain and the interoperability domain.

In 2013, the Payments Association of South Africa (PASA) mandated the protocol for all online transactions, so merchants would likely have it enabled on their payment gateway.

How does it work?

At a high level, the process looks like this:

  1. The customer enters their card details on the merchant checkout page to make a payment.
  2. The merchant’s payment gateway directs the transaction details to the card issuer and submits the request for 3DS authentication through the interoperability domain.
    The interoperability domain certifies that the card and issuing bank have 3DS enabled.
  3. If enabled, the issuing bank prompts the cardholder to verify their identity via a PIN, biometric or confirmation on their banking app.
  4. If the cardholder authenticates their identity successfully, the system confirms and completes the payment.

3D Secure 2.0 is an improvement to the previous version, with a few key enhancements. First, it introduces more ways to verify the cardholder’s identity, including more frictionless authentication, moving beyond the static PIN and OTP approach used previously.

The newer protocol provides merchants and issuers the flexibility to take a risk-based approach to initiate authentication. If the risk is low based on parameters such as amount, transaction history and behaviour, no OTP or biometric processes are required, and payments are completed in a much more seamless way. 

What are the benefits?

The purpose of 3D Secure is to reduce the risk of card fraud. In 2022, the South African Banking Risk Information Centre (SABRIC) reported that CNP transactions accounted for nearly 77% of total credit card fraud losses. Debit card CNP fraud accounted for nearly 65%. These losses can be absorbed by merchants through chargeback costs triggered by disputes initiated by the cardholder. With this protocol, merchants can evidence that the cardholder authenticated their identity when the purchase was made and have grounds to defend the online transaction. In addition, chargeback costs are reduced as fewer transactions are being disputed.

When it comes to customer experience, 3D Secure 2.0 provides merchants with an option to process transactions seamlessly in cases where the identity of the payer can be otherwise verified. As previously mentioned, they can use a risk-based approach to bypass the protocol, offering customers an uninterrupted checkout process that reduces cart abandonment rates. 

What options do merchants have when it comes to 3D Secure?

Stitch offers merchants configuration options to tailor their 3D Secure settings, enabling the merchant to determine their appetite for risk (no 3DS) vs a less seamless user experience which may impact conversion (requiring 3DS). Each configuration helps merchants keep online purchases safe while defending against failed payments and chargebacks: 

[Image: table of 3D Secure configuration options]

Lastly, if a merchant receives payments from international customers who are using cards that are not 3D Secure enabled, they have the option to reject or allow these transactions based on their goals.  

What happens when 3D Secure fails?

If the protocol fails to verify the cardholder’s identity, it terminates the instruction on the payment gateway domain and does not process the payment.

There are 2 ways a 3DS flow can fail. Firstly, this can happen if the user or user's bank rejects the payment. In this case, 3D Secure would not be retried, as the result is "final". Secondly, 3D Secure can fail if the payment network or bank is experiencing a technical issue.

Stitch handles the latter situation better by maintaining redundancies and automatically switching over to an alternative system if the primary one fails.
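The rule described above (a rejection is final, a technical failure may move to an alternative route) and the merchant's choice for cards that are not 3D Secure enabled, as an added Python example rather than Stitch's own code. All names are hypothetical, and declining when every route fails technically is an assumption of this sketch.

```python
from enum import Enum

class Outcome(Enum):
    AUTHENTICATED = "authenticated"
    REJECTED = "rejected"                # cardholder or issuing bank said no: final
    TECHNICAL_ERROR = "technical_error"  # payment network or bank outage
    NOT_ENROLLED = "not_enrolled"        # card is not 3D Secure enabled

def run_3ds(payment, providers, allow_non_3ds=False):
    """Try (name, callable) providers in order; return (decision, trail)."""
    trail = []  # per-route outcomes, kept as evidence for later disputes
    for name, attempt in providers:
        try:
            outcome = attempt(payment)
        except (TimeoutError, ConnectionError):
            outcome = Outcome.TECHNICAL_ERROR  # transport failure, not a verdict
        trail.append((name, outcome.value))
        if outcome is Outcome.AUTHENTICATED:
            return "proceed", trail
        if outcome is Outcome.REJECTED:
            return "decline", trail  # final result: never retried on another route
        if outcome is Outcome.NOT_ENROLLED:
            # Merchant-configured choice for cards without 3D Secure.
            return ("proceed" if allow_non_3ds else "decline"), trail
        # TECHNICAL_ERROR: fall through and try the next route.
    # Every route failed technically: decline rather than skip authentication
    # (assumption of this example, not a documented behaviour).
    return "decline", trail

# Constructed stand-ins for 3DS routes; a real integration would call a gateway.
def primary_down(payment):
    raise TimeoutError("primary 3DS route timed out")

def secondary_ok(payment):
    return Outcome.AUTHENTICATED

def issuer_rejects(payment):
    return Outcome.REJECTED

def not_enrolled(payment):
    return Outcome.NOT_ENROLLED

PAYMENT = {"amount_cents": 49900, "card_last4": "0000"}  # constructed sample

if __name__ == "__main__":
    print(run_3ds(PAYMENT, [("primary", primary_down), ("secondary", secondary_ok)]))
```

The point to carry into a real integration is that failover applies only to technical errors: an explicit rejection must stop the flow even when another route is available.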

Payment complete

South Africa’s enterprises and online merchants need 3DS-enabled payment gateways to compete in the local e-commerce space and protect their revenue from fraudulent transactions. At Stitch, we offer payment services that can take your checkout process to the next level. 
