3 Domain Secure (3DS) — The Triple Shield of the Transaction

Backspace Tech
6 min readDec 15, 2023

--

Ever heard of 3DS?

No?

Don’t worry, most haven’t. But this little superhero is your best friend when it comes to the secured transaction!

Think of it like the invisible shield deflecting the evil arrows of online fraud.

Grab your virtual shopping cart and get ready for a wild ride! 3DS awaits…

3DS?

3 Domain Secure aka 3DS, is a security protocol jointly developed by Visa and MasterCard to bolster the security of online transactions involving credit and debit cards. Its mandatory implementation in the European Union (EU) is dictated by the Payment Services Directive 2 (PSD2) to counteract card-not-present fraud. Referred to as payer authentication, this protocol is universally applicable across major card networks, including but not limited to MasterCard, Visa, and Diner’s.

Purpose of 3DS

The creation of 3DS was driven by the following objectives:

  • Empowering cardholders to authenticate their identity, thus thwarting payment fraud.
  • Impeding unauthorized transactions.
  • Reducing the frequency of chargebacks.

Elements of 3DS authentication:

The acronym 3DS signifies the involvement of three key parties involved in every 3D Secure transaction:

  • Issuer domain — the environment of the issuing bank whose card is used in the transaction.
  • Acquirer domain — the realm of the merchant’s bank accepting card payments.
  • Interoperability domain — the system facilitating the 3DS process by acting as a bridge between the Issuer and acquirer domain.

Now the 3DS process unfolds!

  • The cardholder inputs his/her credit or debit card details.
  • Following the entry of card data, the system verifies whether the card is registered with the 3DS authentication protocol. If registered, the process proceeds to the next step or else the transaction is likely to get declined.
  • Upon confirming the 3DS enrolment, the cardholder is directed to the 3DS page provided by the card provider/issuer.
  • Following this, the cardholder is prompted to provide their unique password or a one-time authentication code, either sent to their email address or confirmed phone number on the provider’s website.
  • Upon successful authentication, the cardholder is redirected back to the merchant’s website for payment confirmation.
  • The acquirer approves the transaction, and once the cardholder returns to the merchant’s site, a confirmation of a successful payment is received by the cardholder.

Advantages of 3DS 1.0

  • The primary benefit of 3DS resides in its ability to shield both the cardholder and the merchant from potential threats of payment fraud.
  • By doubling the number of checkpoints for each average transaction, 3DS significantly elevates the difficulty level for any attempts at transactional hacking.
  • The 3DS protocol ensures a precise shift in payment liability.
  • The heightened security features inherent in 3DS establish clear accountability. Specifically, in instances of fraudulent activities by the cardholder, the issuing party assumes liability, while responsibility is attributed to the acquiring entity if the merchant is found involved in malpractice.
  • With the reduction in fraud and hacking, coupled with the imposition of appropriate payment liability, the incidence of disputes and chargebacks diminishes. This decrease in disputes and chargebacks consequently results in proportional mitigation of fees associated with dispute resolution and chargeback processes.

We witnessed the benefits of 3DS 1.0! Yet certain loopholes paved the way for the evolution into 3DS 2.0.

Let us know the loopholes in 3DS 1.0!

Limited Visibility of Authentication Page:

Users faced issues with the inability to view the 3DS authentication page on their devices, leading to potential usability challenges.

Perceived as a Security Threat:

Users, unable to view the authentication page, tended to perceive it as a security threat, creating concerns about the legitimacy of the transaction process.

Compatibility Challenges on Mobile Browsers:

The authentication process encountered compatibility issues on mobile browsers, compromising the seamless execution of transactions for users on these platforms.

Negative User Perception of Extra Step:

Users expressed dissatisfaction with the perceived unnecessary nature of the extra authentication step, leading to irritation and an increased likelihood of abandoning the purchase.

Issues with Authorization Page Loading Speeds:

Slow loading speeds of the authorization page resulted in user frustration, impacting the efficiency and overall satisfaction of the online transaction process.

Difficulty in Authenticity Verification:

Users faced challenges in identifying the authenticity of popup windows associated with the authentication process, fostering suspicion, and contributing to transaction abandonment.

3DS 2.0

With the advanced 3D Secure 2.0 protocol, the age-old dilemma between boosting conversions and minimizing fraud risks finds a resolution. The core objective of 3D Secure 2.0 lies in fostering superior information exchange among the transaction stakeholders. Departing from the static passwords of version 1.0, 3D Secure 2.0 employs token-based and biometric authentication methods like facial or voice recognition, streamlining the payment process.

Cardholders benefit from a smoother checkout experience with 3D Secure 2.0, featuring reduced waiting times, fewer password requirements, and a more streamlined purchase completion process.

Notably, 3D Secure 2.0 goes beyond its predecessor by accommodating non-browser-based payment methods, including wearables, in-app purchases, mobile payments, and digital wallets.

A key enhancement lies in the improved risk assessment capability of 3DS 2.0. In a transaction approval or decline scenario, over 100 data points are transmitted to issuing banks, a substantial increase compared to the previous protocol. This heightened data analysis significantly augments fraud prevention capabilities, making 3D Secure 2.0 a formidable technology for securing online transactions.

The Transmission

We saw that 3DS adds an additional step to the cardholder’s checkout process, requiring identification through unique passwords, or authentication codes sent via email or SMS.

But, do you know how these elements are transmitted?

This transmission process is done through,

  • Access control server (ACS) — exists within the issuing bank’s domain.
  • Merchant plug-in (MPI) — exists within the acquiring bank’s domain.
  • Directory Server — exists in the interoperability domain, which is deployed by card schemes, and acts as a glue between the acquiring and issuing domains.

Let us know the functionalities of these transmitters!

ACS

Issuing banks utilize the ACS to fulfill their cardholder authentication needs.

  • During the 3DS process, redirection of cardholders ensures that they are directed to the issuing bank, a measure taken to preserve the security and confidentiality of their identifying details.
  • Subsequently, customers undertake identity verification by furnishing information, such as their account password or a code sent to their email or phone, to the ACS.
  • The ACS, in turn, compares this provided information with the data accessible to the issuing bank, allowing it to indicate whether the customer has successfully confirmed their identity or not.

Directory server

  • Deployed by card networks, this server holds the key to connect the merchants with the correct issuing bank for user authentication.
  • When a merchant attempts to authenticate a card, they send a message to the Directory Server.
  • This server, armed with a directory of all BIN (Bank Identification Number) ranges and their corresponding issuing banks identifies the relevant bank based on the card number.
  • It then seamlessly forwards the message to the correct issuing bank, which then proceeds with the user authentication process.

MPI

MPI houses merchants, payment gateways, and acquiring banks. To initiate the authentication process, these entities must deploy the MPI. It identifies the cardholder's card details and contacts the right bank to verify its participation in 3D Secure. If the cardholder is enrolled, the MPI connects the cardholder directly to their bank’s secure verification page for identity confirmation.

Global Landscape:

Beyond the European Union, specific banks, payment, and financial institutions in nations such as India, Australia, Canada, and several countries across the Middle East, Africa, North America, and Latin America also follow the 3DS protocol.

Conclusion:

Over the past few weeks, we explored all about the European Payment’s regulation [Payment Services Directive (PSD)], the crucial mandate [Strong Customer Authentication (SCA)], and now, the security protocol (3DS).

However, our exploration is not confined to Europe alone! We will be exploring global payment regulations, landscape, and much more in the coming future!

Until then, happy reading!

To know more about the payment ecosystem, chargeback, and dispute nuances through delightful bytes of information, follow us on LinkedIn, Twitter, Facebook, and Threads.

--

--

Backspace Tech

Backspace Tech offers Fintech-as-a-Service to automate,simplify, and disrupt the payment industry by handling chargeback requests through a plug-and-play model.