3-D Secure

Overview

Terminology

What is 3-D Secure?

3-D Secure is an advanced authentication solution implemented to reduce eCommerce fraud by verifying a cardholder’s identity in real time. Each of the major card brands has a 3‑D Secure offering:

  • American Express Safekey®
  • Discover ProtectBuy®
  • Mastercard SecureCode®
  • Visa Secure®

This additional layer of security helps prevent unauthorized use of cards and protects eCommerce merchants and issuers from exposure to fraud.

What is 3-D Secure 2.0?

3-D Secure 2.0 (3DS 2.0) is the new global specification for card payment security developed by EMVCo. It is designed to deliver frictionless payment authentication across a range of devices, including mobile devices. Unlike previous versions of 3DS, it allows for more seamless integration with merchants’ e-commerce customer experiences. 3DS 2.0 is being deployed across Europe starting in September 2019.

The use of 3‑D Secure 2.0 satisfies the PSD2 requirement for SCA (Strong Customer Authentication). PSD2 is the Revised Directive on Payment Services (Directive (EU) 2015/2366): in October 2015, the European Parliament adopted the European Commission's proposal to create safer and more innovative European payments. For more information on the 3‑D Secure 2.0 specification, refer here.

For answers to specific questions related to BlueSnap and 3-D Secure 2.0, PSD2, and SCA, refer to our 3-D Secure 2.0 FAQs page.

3-D Secure 2.0 Fallback workflow

Chargeback liability shift

In addition to preventing unauthorized card use, 3DS can shift liability for fraud chargebacks from the merchant to the card issuer in these situations:

  • Situation 1: Shopper successfully verifies their identity by entering a password.
  • Situation 2: An issuer who perceives the transaction to be low risk authenticates without requiring identity verification from the shopper.

In Situation 2, the shopper never sees a popup window requesting a password during checkout, making the 3DS flow entirely transparent to them.

Chargebacks may still occur

You may still receive fraud chargebacks for transactions authenticated using 3DS. However, these chargebacks are considered invalid and are automatically disputed for merchants enrolled in one of BlueSnap’s chargeback management services.



Out-of-scope transactions and exemptions

The intent of PSD2 is to make SCA a requirement for all online transactions; however, there are some transactions that are considered out of scope and there are some exemptions.

Out-of-Scope Transactions

Anonymous transactions

Transactions through anonymous payment instruments, for example anonymous prepaid cards, are not subject to the SCA mandate.

Inter-regional Transactions

Inter‑regional transactions are usually exempt. An inter‑regional transaction is one in which the issuer, the merchant, or the acquirer of the card is not based in Europe. Therefore, accepting payments in Europe from non‑European shoppers is not in the scope of PSD2.

Merchant-Initiated Transaction (MIT)

Most subscription or recurring transactions with a fixed amount (same amount each time) are exempt after the initial transaction; only the initial transaction requires SCA.

Some subscriptions have a variable charge based on usage—these types of transactions are usually considered merchant‑initiated transactions. These are exempt from PSD2 and SCA requirements.

Payments made with saved cards when the customer is not present in the checkout flow may qualify as merchant‑initiated transactions. These payments fall outside the scope of SCA but ultimately the issuing bank must decide if authentication is needed for the transaction.

BlueSnap automatically applies this exemption for applicable transactions.

Mail Order and Telephone Orders (MOTO) transaction

MOTO transactions are exempt from SCA in all cases. MOTO transactions are not considered to be "electronic" payments, so are out of the scope of the regulation.

BlueSnap automatically applies this exemption for applicable transactions.

SCA Exemptions

Low Value Transactions

Transactions under 30 EUR are exempt from SCA. The issuing bank must track the amount of each payment made. If the total amount attempted on a single card without strong authentication in a 24‑hour period is greater than 100 EUR, or for every 5 transactions on a single card, SCA is required.

BlueSnap automatically applies this exemption for applicable transactions.

Transaction Risk Analysis (TRA)

The TRA exemption allows certain remote transactions to be exempted from SCA, provided a robust risk analysis is performed and the acquirer or PSP meets specific fraud thresholds.

Trusted Beneficiaries

Customers can assign merchants to a list of Trusted Beneficiaries that is maintained by their bank. These trusted merchants are exempt from SCA under PSD2. This allows customers who regularly shop with a business to shop without providing SCA after the business is added to the list.

Payee-Initiated

Payee-initiated transactions are exempt. A payee‑initiated transaction occurs when the payer’s consent for a direct debit transaction is given in the form of an electronic mandate with the involvement of its PSP. For example, SEPA is a payee‑initiated transaction.

Secure Corporate Payments

Payments made through dedicated corporate processes and protocols (e.g. lodge cards, central travel accounts and virtual cards), which are initiated by business entities, are not available to consumers, and already offer high levels of protection from fraud, may be exempted from SCA.





Integrations

3-D Secure in the Hosted Pages

BlueSnap's Hosted Pages provide out-of-the-box support for 3DS. To get started, contact Merchant Support to request that BlueSnap enable 3DS for your account. After it has been enabled, you can activate it in your BlueSnap Console by going to Settings > Fraud Settings and selecting Enable 3D Secure.

3-D Secure in the Payment API

BlueSnap's Payment API provides built-in support for 3DS. Complete implementation details are available in this API Guide.

3-D Secure for merchants managing their own subscriptions

If you handle your own subscriptions (that is, you are not using the BlueSnap Subscription Engine or our merchant-managed on-demand subscription feature), contact BlueSnap Merchant Support for personalized information and support to continue your existing subscriptions.





Sandbox testing of 3-D Secure

You may use the following cards, with any random 3-digit CVV code, to test various 3D Secure results.

Expiration Date

The expiration date is the current year plus 3 years. For example, in 2019, the Expiration Date value is 01/2022.

Visa              Mastercard        Authentication Result
4000000000001000  5200000000001005  Successful without challenge
4000000000001091  5200000000001096  Successful with challenge
4000000000001018  5200000000001013  Failed without challenge
4000000000001109  5200000000001104  Failed with challenge
4000000000001059  5200000000001054  Unavailable
