About 3D Secure
The Three-Domain Secure (3D Secure) security protocol, created and branded by Visa and Mastercard as Visa Secure and Mastercard SecureCode respectively, further protects online payments by enabling cardholders to authenticate their purchases.
The 3D name comes from the three domains involved in providing this added security:
- The acquirer domain (e.g., the merchant)
- The issuer domain (e.g., Marqeta)
- The interoperability domain (e.g., the card network)
At the end of this guide, you should understand:
- What 3D Secure is and why it’s used.
- The 3D Secure process for authentication.
For more about using 3D Secure with Marqeta, contact your Marqeta representative.
For reference information, see the 3D Secure API reference.
3D Secure authentication
3D Secure adds a layer of security, prior to authorization, to help authenticate online transactions by requiring customers to complete an additional verification with the card issuer. For example, when the merchant initiates 3D Secure at checkout, the cardholder must then enter a one-time passcode received via email or SMS to continue with their purchase.
About 3D Secure 2
In 2019, banks began to phase in support for 3D Secure 2, which makes several improvements to the original 3D Secure protocol, 3D Secure 1. Although 3D Secure 1 provided improved security, 3D Secure 2 provides an improved cardholder experience and is updated for payments made using smartphones.
This new version introduces frictionless authentication, which minimizes the inconveniences cardholders might experience when making a card purchase, while also reducing fraud and providing added security to online transactions. 3D Secure 2 improves the authentication flow by embedding the challenge within the checkout flow without redirecting the cardholder to additional authentication pages.
3D Secure 2 is the primary method for meeting the strong customer authentication (SCA) regulation in Europe, which requires increased security for online payments. The SCA regulation requires that transactions be secured using 3D Secure. To do business in Europe, you will need to apply additional authentication to transactions. Using 3D Secure provides this additional security without negatively impacting the cardholder experience.
Not all merchants have fully transitioned from 3D Secure 1 to 3D Secure 2. Marqeta supports both 3D Secure 1 and 3D Secure 2 for Visa.
Liability shift
If an online payment is successfully authenticated via 3D Secure, the merchant is not liable for subsequent fraud-related chargebacks on that transaction. If a transaction is disputed by the cardholder as fraudulent, liability shifts from the merchant to the card issuer.
However, if a cardholder disputes a transaction for a reason other than fraud, liability remains with the merchant. For these cases, you should plan how to avoid and manage disputes.
There are rare cases when transactions authenticated by 3D Secure do not shift liability to the issuer, such as if an account experiences excessive levels of fraud.
Transactions that have been authenticated using 3D Secure cannot be disputed as fraudulent; however, the issuer may investigate a transaction by requesting additional information.
Exemptions
An exemption allows a transaction to take place without conforming to the SCA two-factor authentication requirement. You can take advantage of exemptions allowed under the Revised Payment Services Directive (PSD2). Transactions that qualify for an exemption enable a frictionless experience for cardholders while remaining vigilant for fraud risk. Exemptions may be granted in cases such as low-value transactions, low-risk transactions, those involving secure corporate payments, or those with merchants on the allow list. Be aware that exemptions present the following considerations:
- You are responsible for any fraud-related chargebacks on exempt transactions.
- You likely will not be able to dispute chargeback claims on exempt transactions.
The cardholder can likely claim full reimbursement from their payment service provider if there was no SCA measure in place and if the cardholder did not act fraudulently.
The key details of the SCA exemptions were defined in the Official Journal of the European Union on March 13, 2018 and in PSD2 Directive 2015/2366 of the European Parliament and of the Council of November 25, 2015.
3D Secure policies
The following 3D Secure policies are available:
- Challenge All
- Delegated Decisioning
- Automated Decisioning
Challenge All
You can choose to apply strong customer authentication (SCA), also known as a challenge, to every 3D Secure authentication request from a requestor or merchant. This is the most regulation-compliant and lowest-risk option, but also the most restrictive. This option is best suited if all 3DS authentication requests need to be challenged and neither Delegated Decisioning nor Automated Decisioning is used to make a decision.
Delegated Decisioning
If you want to fully control 3D Secure authentication decision-making as well as the related monitoring, reporting, and audit requirements, you can choose the Delegated Decisioning option. This option provides complete control over 3D Secure decisioning and delegates all 3D Secure decision-making to your systems. Delegated Decisioning allows you to exempt low-risk authentication requests using risk rules that are tailored to your system and regions of operation. This option requires you to implement the web interfaces that call Marqeta’s systems in order to delegate the 3D Secure authentication decision-making to you. You then integrate with Marqeta’s systems and set up the required configurations for your program.
Automated Decisioning
This is Marqeta’s solution that enables you to configure and implement a 3D Secure authentication decision-making policy without having to build or host your own. Based on the rules you set up using the Automated Decisioning service, the system decides whether to apply a challenge to an incoming transaction authentication request or to exempt it. Automated Decisioning allows you to take advantage of the various exemptions that are allowed as part of the Payments Services Directive 2 (PSD2), automatically determining whether a transaction qualifies for an exemption or not to maximize the frictionless experience for your customers while balancing that against the risk of fraud. Under this option, you also get access to an API for downloading authentication and transaction data that you can use to satisfy the necessary monitoring, reporting, and audit requirements (for details, refer to the regulation).
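The three policies above differ only in who makes the challenge-or-exempt decision and on what rules. The following is an added example, not Marqeta's code or API, of what a Delegated Decisioning rule set looks like when you host it yourself: it applies the exemption categories named in the Exemptions section (merchant allow list, secure corporate payment, low value, low risk), defaults to a challenge when nothing applies, and writes every decision to an audit record because the PSD2 monitoring and reporting obligation stays with you when an exemption is claimed. The field names, the `3000` minor-unit limit and the `0.2` risk threshold are assumptions for illustration; a "challenge_all" policy mode is included to show how Challenge All collapses the logic to a single branch.

```python
"""Added example (not Marqeta's code): a minimal 3D Secure decisioning policy.
Field names, limits and thresholds are assumptions, not Marqeta's API."""
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class AuthRequest:
    amount_minor: int        # amount in minor units (e.g., cents); assumed field name
    currency: str
    merchant_id: str
    risk_score: float        # 0.0 (clean) .. 1.0 (risky); assumed to come from your risk engine
    is_corporate: bool = False


@dataclass
class Decision:
    action: str              # "challenge" or "exempt"
    reason: str              # recorded for the monitoring / audit trail


@dataclass
class Policy:
    mode: str                                   # "challenge_all" or "decisioning"
    low_value_limit_minor: int = 3000           # assumed per-transaction limit; set per regulation
    low_risk_threshold: float = 0.2             # assumed score at or below which "low risk" applies
    merchant_allow_list: Set[str] = field(default_factory=set)


# Every decision is recorded: exemptions shift fraud liability to you and PSD2
# requires the exemption rate and fraud rate to be reportable at issuer level.
AUDIT_LOG: List[dict] = []


def decide(req: AuthRequest, policy: Policy) -> Decision:
    """Return challenge/exempt for one authentication request, most specific rule first."""
    if policy.mode == "challenge_all":
        return Decision("challenge", "policy_challenge_all")
    if req.merchant_id in policy.merchant_allow_list:
        return Decision("exempt", "merchant_allow_list")
    if req.is_corporate:
        return Decision("exempt", "secure_corporate_payment")
    if req.amount_minor <= policy.low_value_limit_minor:
        # The PSD2 low-value exemption also carries cumulative limits (amount and
        # count since the last challenge); those counters are omitted here.
        return Decision("exempt", "low_value")
    if req.risk_score <= policy.low_risk_threshold:
        return Decision("exempt", "low_risk")
    # Safe default: when no exemption applies, challenge the cardholder.
    return Decision("challenge", "no_exemption_applies")


def decide_and_record(req: AuthRequest, policy: Policy) -> Decision:
    """Decide and append an audit record; returns the decision for the caller."""
    decision = decide(req, policy)
    AUDIT_LOG.append({
        "merchant_id": req.merchant_id,
        "amount_minor": req.amount_minor,
        "currency": req.currency,
        "risk_score": req.risk_score,
        "action": decision.action,
        "reason": decision.reason,
    })
    return decision


if __name__ == "__main__":
    # Constructed sample requests.
    policy = Policy(mode="decisioning", merchant_allow_list={"merchant-allowed"})
    for r in (AuthRequest(2500, "EUR", "merchant-1", 0.9),
              AuthRequest(250000, "EUR", "merchant-1", 0.9),
              AuthRequest(250000, "EUR", "merchant-allowed", 0.9)):
        d = decide_and_record(r, policy)
        print(r.merchant_id, r.amount_minor, "->", d.action, d.reason)
```

The rule order matters: the allow list and corporate checks are evaluated before the low-value check so that the audit reason names the exemption you would actually claim, and the final branch is a challenge, so a request that matches nothing is never silently exempted.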
Authentication
There are two options available for authenticating your cardholders when it has been determined that an SCA (challenge) is required. Both options are available regardless of the 3D Secure policy that you choose; however, each option has different integration and configuration requirements:
- Advanced Authentication
- Marqeta’s default OTP
Advanced Authentication
Using this option, you can choose to implement your own customized method of cardholder authentication. This can be whatever method you choose and is managed by you. In-app and biometric authentication mechanisms to authenticate cardholders fall under this option. Advanced Authentication requires an integration with Marqeta’s access control server (ACS) so that the ACS can call your system to prompt you when you need to perform the authentication with your cardholder and a call-out from you to Marqeta with the authentication result.
Marqeta’s default OTP
This is the default authentication option if you do not want to use your own authentication mechanism. This option does not require an integration with Marqeta’s ACS, but does require some configuration. Marqeta’s default authentication option uses a One-Time Passcode (OTP) generated and delivered by Marqeta to the cardholder via an on-file phone number or email address.
Tip: Ensure the cardholder has a valid SMS-enabled telephone number or email address on file. By default, one-time passcodes are sent to the cardholder via SMS; if a telephone number is not available, it is sent through email.
Authentication lifecycle
In the payments ecosystem, authorization occurs after the completion of 3D Secure authentication. The merchant uses the authentication data captured as part of the 3D Secure process to submit an authorization for approval. For more on authorization transactions, see About Transactions.
OTP authentication lifecycle
When a cardholder attempts to make an online payment to a merchant supporting OTP authentication, the following process occurs:
- The merchant initiates an authentication request by sending the request to the card network.
- The card network routes the authentication request to the Marqeta platform.
- The Marqeta platform prompts the cardholder, via an iFrame exposed in the merchant’s checkout experience, to enter a one-time passcode that Marqeta sends via SMS or email.
- The Marqeta platform captures the authentication results.
- The Marqeta platform sends an authentication response to both the card network and the merchant; authentication is complete.
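The OTP step in this lifecycle is handled by Marqeta, so you do not implement it; the following added example (not Marqeta's code) only illustrates what a sound OTP challenge must enforce so that you can reason about the cardholder experience and the failure modes the Tip above refers to: a randomly generated code, a validity window, an attempt limit, single use, a constant-time comparison, and the SMS-first, email-fallback channel selection described earlier. The 6-digit length, the 300-second validity and the 3-attempt limit are assumptions, not Marqeta's configured values.

```python
"""Added example (not Marqeta's code): the checks a one-time passcode challenge
must enforce. Length, validity window and attempt limit are assumed values."""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

OTP_LENGTH = 6           # assumed
OTP_TTL_SECONDS = 300    # assumed validity window
MAX_ATTEMPTS = 3         # assumed attempt limit before the challenge is locked


@dataclass
class OtpChallenge:
    code: str
    expires_at: float
    attempts: int = 0
    consumed: bool = False


def choose_delivery_channel(phone: Optional[str], email: Optional[str]) -> str:
    """SMS by default; fall back to email when no telephone number is on file."""
    if phone:
        return "sms"
    if email:
        return "email"
    # No channel on file: the challenge cannot be delivered, so the request fails.
    raise ValueError("no SMS-enabled telephone number or email address on file")


def issue_otp(now: Optional[float] = None) -> OtpChallenge:
    """Generate a fresh code from a CSPRNG (never from random or from the timestamp)."""
    now = time.time() if now is None else now
    code = "".join(secrets.choice("0123456789") for _ in range(OTP_LENGTH))
    return OtpChallenge(code=code, expires_at=now + OTP_TTL_SECONDS)


def verify_otp(challenge: OtpChallenge, submitted: str, now: Optional[float] = None) -> str:
    """Return one of: authenticated, invalid, expired, locked, consumed.

    Every failure path is checked before the comparison so an attacker cannot
    keep guessing after the window closes or the attempt budget is spent.
    """
    now = time.time() if now is None else now
    if challenge.consumed:
        return "consumed"
    if now > challenge.expires_at:
        return "expired"
    if challenge.attempts >= MAX_ATTEMPTS:
        return "locked"
    challenge.attempts += 1
    # compare_digest runs in time independent of where the strings first differ.
    if hmac.compare_digest(challenge.code.encode(), submitted.encode()):
        challenge.consumed = True          # single use: a replayed code is rejected
        return "authenticated"
    if challenge.attempts >= MAX_ATTEMPTS:
        return "locked"
    return "invalid"


if __name__ == "__main__":
    # Constructed walk-through with a fixed clock.
    t0 = 1_700_000_000.0
    ch = issue_otp(now=t0)
    print(choose_delivery_channel(phone=None, email="cardholder@example.com"))  # email
    print(verify_otp(ch, "000000" if ch.code != "000000" else "111111", now=t0))  # invalid
    print(verify_otp(ch, ch.code, now=t0))                                        # authenticated
    print(verify_otp(ch, ch.code, now=t0))                                        # consumed
```

Note that the expiry check runs before the attempt counter is touched, so an expired challenge reports "expired" rather than consuming an attempt, and a locked challenge stays locked even if the correct code is submitted afterwards.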
Advanced Authentication lifecycle
When a cardholder attempts to make an online payment to a merchant supporting Advanced Authentication, the following process occurs:
- The merchant initiates an authentication request by sending the request to the card network.
- The card network routes the authentication request to the Marqeta platform.
- Depending on the 3D Secure configuration chosen, the Strong Customer Authentication (challenge) requirement is determined for the request.
- Depending on the 3D Secure configuration, Marqeta prompts the cardholder, via an iFrame exposed in the merchant’s checkout experience, and prompts you to perform authentication with the cardholder using your chosen method.
- Marqeta sends a request for you to authenticate the cardholder using your /three-ds/authentication endpoint. You respond with "ok" (200) to Marqeta’s request within three seconds, authenticate the cardholder, and then return the verification result to Marqeta using the following asynchronous endpoint within the time frame sent in the initial request: https://authentication-acs.marqeta.com/v3/three-ds/authentication-result. The Marqeta platform captures the authentication results.
- The Marqeta platform sends an authentication response to the card network; authentication is complete.
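The fifth step is the only one you implement, and its shape is easy to get wrong: the inbound call must be acknowledged with "ok" (200) within three seconds, so the actual cardholder authentication (in-app, biometric, whatever you run) cannot happen inside that request; it runs afterwards and the result is delivered by a separate call to the authentication-result endpoint before the deadline carried in the initial request. The following added example, not Marqeta's code, shows that split. The request and result field names (`authentication_id`, `timeout_seconds`, `result`) are assumptions; the only values taken from this page are the three-second acknowledgement and the result URL. The authentication step and the outbound HTTP call are injected as callables so the handler can be exercised offline.

```python
"""Added example (not Marqeta's code): acknowledge the ACS call-out quickly and
deliver the verification result asynchronously. Field names are assumptions."""
import json
import threading
import time
from typing import Callable, Dict, Tuple

ACK_DEADLINE_SECONDS = 3.0     # from the page: respond "ok" (200) within three seconds
RESULT_URL = "https://authentication-acs.marqeta.com/v3/three-ds/authentication-result"  # from the page

# Result values are assumed; use whatever the API reference specifies.
RESULT_AUTHENTICATED = "authenticated"
RESULT_FAILED = "failed"
RESULT_TIMEOUT = "timeout"


def build_result_message(auth_id: str, result: str) -> Dict[str, str]:
    """Body for the asynchronous authentication-result call (assumed field names)."""
    return {"authentication_id": auth_id, "result": result}


def handle_authentication_request(
    body: bytes,
    perform_auth: Callable[[dict], bool],
    send_result: Callable[[str, dict], None],
    run_in_background: bool = True,
) -> Tuple[int, str]:
    """Handler for your /three-ds/authentication endpoint.

    Returns (status, body) immediately; cardholder authentication and the result
    call-back happen in a worker so the 200 "ok" is never blocked by the user.
    """
    try:
        request = json.loads(body)
    except ValueError:
        return 400, "malformed request"
    auth_id = request.get("authentication_id")          # assumed field name
    timeout = float(request.get("timeout_seconds", 0))  # assumed: "time frame sent in initial request"
    if not auth_id or timeout <= 0:
        return 400, "missing authentication_id or timeout_seconds"

    started = time.monotonic()

    def worker() -> None:
        try:
            ok = perform_auth(request)      # your in-app / biometric flow; may take a while
        except Exception:
            ok = False                      # any internal error counts as not authenticated
        elapsed = time.monotonic() - started
        if elapsed > timeout:
            # Past the window Marqeta gave us: report a timeout, never a late success.
            result = RESULT_TIMEOUT
        else:
            result = RESULT_AUTHENTICATED if ok else RESULT_FAILED
        send_result(RESULT_URL, build_result_message(auth_id, result))

    if run_in_background:
        threading.Thread(target=worker, daemon=True).start()
    else:
        worker()                            # synchronous mode, used for testing
    return 200, "ok"


if __name__ == "__main__":
    # Constructed inbound request, as your endpoint might receive it.
    inbound = json.dumps({"authentication_id": "auth-demo-1", "timeout_seconds": 60}).encode()
    sent = []
    status, text = handle_authentication_request(
        inbound,
        perform_auth=lambda req: True,                    # stand-in for your real method
        send_result=lambda url, msg: sent.append((url, msg)),
        run_in_background=False,
    )
    print(status, text, sent)
```

In production the worker would also need a watchdog so that an authentication flow that never completes still produces a result before Marqeta's deadline, rather than leaving the request to time out on Marqeta's side.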
The following provides a detailed view of the Advanced Authentication process:
Authentication results
On the Marqeta platform, the cardholder_authentication_data object, which may be embedded in the transaction object, stores the authentication data from 3D Secure.
If the transaction is funded through the Just-in-Time (JIT) Funding mechanism, cardholder_authentication_data is contained in the jit_funding object.
For a full description of the transaction data contained in the cardholder_authentication_data object, see Transaction Data for JIT Funding Decisions.
Monitoring, reporting, and audit liability
In order to claim any of the allowed SCA exemptions, the PSD2 regulation mandates certain monitoring, reporting, and auditing requirements. Marqeta does not own any liability or responsibility in regard to satisfying the requirements of monitoring, reporting, or audits under PSD2 or when any SCA exemptions are claimed.
Marqeta is an issuer processor. For 3D Secure, the transaction authentication requests are limited to remote (i.e., card not present) e-commerce transactions only. The fraud rate and other reporting requirements, however, apply at the issuer level and across all payment transactions, i.e., both remote and non-remote.
Marqeta cannot provide a holistic view of fraud rates and other data for the issuer bank, who may have many programs for which they have issued cards. It is your responsibility—or the responsibility of your issuer bank—whether you are using your own systems to make 3D Secure SCA decisions or are using the Automated Decisioning self-serve solution to manage this (depending on whether you or the issuing bank are the BIN sponsor and on the agreement between you and your bank).