5 minute read

December 2, 2019

About 3-D Secure

The Three-Domain Secure (3-D Secure) security protocol, created and branded by Visa and Mastercard as Visa Secure and Mastercard SecureCode respectively, further protects online payments by enabling cardholders to authenticate their purchases.

The 3-D name comes from the three domains involved in providing this added security:

  • The acquirer domain (e.g., merchant)

  • The issuer domain (e.g., Marqeta)

  • The interoperability domain (e.g., the card network)

The 3-D Secure feature is currently in beta and subject to change. It also requires additional activation steps. To request it for your program, contact your Marqeta representative.

At the end of this guide, you should understand:

  • What 3-D Secure is and why it’s used.

  • The 3-D Secure process for authentication.

3-D Secure authentication

3-D Secure adds a layer of security, prior to authorization, to help authenticate online transactions. For example, when the merchant initiates 3-D Secure at checkout, the cardholder must then enter a one-time passcode received via email or SMS to continue with their purchase.

Ensure the cardholder has a valid SMS-enabled telephone number or email address on file. By default, one-time passcodes are sent to the cardholder via SMS; if a telephone number is not available, it is sent through email.

Liability shift

If an online payment is successfully authenticated utilizing 3-D Secure, the merchant is not liable for subsequent fraud-related chargebacks on that transaction.

Authentication lifecycle

In the payments ecosystem, authorization occurs after the completion of 3-D Secure authentication. The merchant uses the authentication data captured as part of the 3-D Secure process to submit an authorization for approval. For more on authorization transactions, see About Transactions.

Authentication lifecycle

Is this helpful?

When a cardholder attempts to make an online payment to a merchant supporting 3-D Secure, the following process occurs:

  1. The merchant initiates an authentication request by sending the request to the card network.

  2. The card network routes the authentication request to the Marqeta platform.

  3. The Marqeta platform prompts the cardholder, via an iFrame exposed in the merchant’s checkout experience, to enter a one-time passcode received via SMS or email.

  4. The Marqeta platform captures the authentication results.

  5. The Marqeta platform sends an authentication response to both the card network and the merchant; authentication is complete.

Authentication results

On the Marqeta platform, the cardholder_authentication_data object, which may be embedded in the transaction object, stores the authentication data from 3-D Secure. If the transaction is funded through the Just-in-Time (JIT) Funding mechanism, cardholder_authentication_data is contained in the jit_funding object. For a full description of the transaction data contained in the cardholder_authentication_data object, see Transaction Data for JIT Funding Decisions.

Have any feedback on this page?

If you feel we can do anything better, please let our team know.

We strive for the best possible developer experience.