April 21, 2020

About 3D Secure

The Three-Domain Secure (3D Secure) security protocol, created and branded by Visa and Mastercard as Visa Secure and Mastercard SecureCode respectively, further protects online payments by enabling cardholders to authenticate their purchases.

The 3D name comes from the three domains involved in providing this added security:

  • The acquirer domain (e.g., merchant)

  • The issuer domain (e.g., Marqeta)

  • The interoperability domain (e.g., the card network)

The 3D Secure feature is currently in beta and subject to change. It also requires additional activation steps. To request it for your program, contact your Marqeta representative.

At the end of this guide, you should understand:

  • What 3D Secure is and why it’s used.

  • The 3D Secure process for authentication.

For more about using 3D Secure with Marqeta, contact your Marqeta representative.

3D Secure authentication

3D Secure adds a layer of security, prior to authorization, to help authenticate online transactions by requiring customers to complete an additional verification with the card issuer. For example, when the merchant initiates 3D Secure at checkout, the cardholder must then enter a one-time passcode received via email or SMS to continue with their purchase.

Ensure the cardholder has a valid SMS-enabled telephone number or email address on file. By default, one-time passcodes are sent to the cardholder via SMS; if a telephone number is not available, they are sent through email.

About 3D Secure 2

In 2019, banks began to phase in support for 3D Secure 2, which makes several improvements to 3D Secure 1. Although the original 3D Secure protocol, 3D Secure 1, provided improved security, 3D Secure 2 provides an improved cardholder experience and is updated for payments using smartphones.

This new version introduces frictionless authentication, reducing the inconveniences that cardholders may experience when making a card purchase, while also reducing fraud and providing added security to online transactions. 3D Secure 2 improves the authentication flow by embedding the challenge within the checkout flow without redirecting the cardholder to additional authentication pages.

3D Secure 2 is the primary method for meeting the new Strong Customer Authentication (SCA) regulation in Europe that requires increased security. The SCA regulation requires that transactions be secured using 3D Secure. To do business in Europe, you will need to apply more authentication to transactions. Using 3D Secure provides this additional security without negatively impacting the cardholder experience.

Liability shift

If an online payment is successfully authenticated utilizing 3D Secure, the merchant is not liable for subsequent fraud-related chargebacks on that transaction. If a transaction is disputed by the cardholder as fraudulent, liability shifts from the merchant to the card issuer.

However, if a cardholder disputes a transaction for a reason other than fraud, liability remains with the merchant. For these cases, you should plan how to avoid and manage disputes.

There are rare cases when transactions authenticated by 3D Secure do not shift liability to the issuer, such as if an account experiences excessive levels of fraud.

Transactions that have been authenticated using 3D Secure cannot be disputed as fraudulent; however, the issuer may investigate a transaction by requesting additional information.

About exemptions

An exemption allows a transaction to take place without conforming to the SCA two-factor authentication requirement. You can take advantage of exemptions that are allowed as part of the PSD2 directive and that automatically determine whether a transaction qualifies for an exemption, enabling frictionless transactions for cardholders while balancing that with fraud risk. These exemptions may be granted in cases such as low-value transactions, low-risk transactions, those involving secure corporate payments, or those with white-listed merchants. Be aware that exemptions present the following considerations:

  • You are responsible for any fraud-related chargebacks on exempt transactions.

  • You likely will not be able to dispute chargeback claims on exempt transactions.

The cardholder can likely claim full reimbursement from their payment service provider if there was no SCA measure in place and if the cardholder did not act fraudulently.

Authentication lifecycle

In the payments ecosystem, authorization occurs after the completion of 3D Secure authentication. The merchant uses the authentication data captured as part of the 3D Secure process to submit an authorization for approval. For more on authorization transactions, see About Transactions.

When a cardholder attempts to make an online payment to a merchant supporting 3D Secure, the following process occurs:

  1. The merchant initiates an authentication request by sending the request to the card network.

  2. The card network routes the authentication request to the Marqeta platform.

  3. The Marqeta platform prompts the cardholder, via an iFrame exposed in the merchant’s checkout experience, to enter a one-time passcode received via SMS or email.

  4. The Marqeta platform captures the authentication results.

  5. The Marqeta platform sends an authentication response to both the card network and the merchant; authentication is complete.

Authentication results

On the Marqeta platform, the cardholder_authentication_data object, which may be embedded in the transaction object, stores the authentication data from 3D Secure. If the transaction is funded through the Just-in-Time (JIT) Funding mechanism, cardholder_authentication_data is contained in the jit_funding object. For a full description of the transaction data contained in the cardholder_authentication_data object, see Transaction Data for JIT Funding Decisions.
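
The following is an added example, not Marqeta code: it looks for cardholder_authentication_data in both places named above and fails closed when the object is missing or when two copies disagree. The authentication_status field, its SUCCESSFUL value, and the gpa_order nesting are assumptions; confirm them against Transaction Data for JIT Funding Decisions. The payloads are constructed samples.

```python
# Added example (not Marqeta code). Payloads below are constructed samples.
KEY = "cardholder_authentication_data"

def find_auth_data(payload):
    """Return (data, location) for the 3D Secure object, or (None, None)."""
    gpa = payload.get("gpa_order") or {}
    candidates = [
        ("transaction", payload.get(KEY)),
        ("jit_funding", (payload.get("jit_funding") or {}).get(KEY)),
        # Assumption: a JIT Funding request nests jit_funding under gpa_order.
        ("gpa_order.jit_funding", (gpa.get("jit_funding") or {}).get(KEY)),
    ]
    found = [(loc, d) for loc, d in candidates if isinstance(d, dict) and d]
    if not found:
        return None, None
    location, first = found[0]
    # Copies that appear in more than one place must agree.
    if any(d != first for _, d in found[1:]):
        raise ValueError("conflicting copies of " + KEY)
    return first, location

def is_authenticated(payload):
    """Fail closed: True only if a 3D Secure result reports success."""
    try:
        data, _ = find_auth_data(payload)
    except ValueError:
        return False
    if data is None:
        return False
    # Assumed field name and value; check the field reference before relying on them.
    return data.get("authentication_status") == "SUCCESSFUL"

OK = {"authentication_status": "SUCCESSFUL"}
TXN = {"type": "authorization", KEY: OK}
JIT = {"type": "authorization", "gpa_order": {"jit_funding": {KEY: OK}}}
NO_3DS = {"type": "authorization", "gpa_order": {"jit_funding": {}}}
MIXED = {KEY: OK, "jit_funding": {KEY: {"authentication_status": "FAILED"}}}

if __name__ == "__main__":
    for name, p in [("TXN", TXN), ("JIT", JIT), ("NO_3DS", NO_3DS), ("MIXED", MIXED)]:
        print(name, is_authenticated(p))
```

A transaction with no 3D Secure object is treated as unauthenticated rather than rejected outright; what to do with it is a program decision.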
