In this article, we will answer the question of “What is 3D Secure,” and share the details of 3D Secure (“3DS”), which falls within the gray area for end-users and merchants. While discussing the concept of “security,” which requires highly sensitive communication, it’s important to remember that the online world is significantly more secure than the offline world.

What is 3D Secure?

To examine the basic principles of 3D-Secure, we should answer this question: What is 3D Secure? This method is a system developed by Visa under the name “Verified by Visa”, and later joined by MasterCard with “SecureCode”, collectively referred to as 3D-Secure.

The 3D-Secure system is a platform that furthers security for online payments, regulating the responsibilities among merchants, banks, and cardholders. Unlike the regular payment process that we are familiar with (where the user enters their card details, and the payment is processed), in the case of 3D-Secure method, after entering the card information, the user is directed to their bank’s screen during the payment (via browser redirection). After that, the user is prompted to enter a one-time SMS password and/or CVC2 information received on their registered mobile phone. Since the user is asked for an SMS password and/or CVC2 information, the cardholder’s identity can be verified, and this also helps prevent unauthorized usage of the card by individuals other than the rightful owner.

Advantages and Disadvantages of 3D-Secure Method

While 3D-Secure introduces additional security measures from the end-user perspective, contrary to common belief, it primarily safeguards the merchant rather than the end-user.

Additionally, when end users make purchases with the 3D-Secure method, especially on websites they do not fully trust, they feel secure because they can see the 3DS screens from the bank, where they enter the SMS password and/or CVC2 code. 

From the perspective of merchants, the 3D-Secure system prevents the use of stolen cards online and guarantees that the person conducting the transaction is the actual cardholder. As a result, merchants are exempt from potential chargeback notifications.

As for the disadvantages for both end-users and merchants: longer transaction processing time and extra steps, banks or users not being registered for 3DS, incorrect entry of the user’s 3DS password or CVC2 code, delayed receipt of SMS passwords, users abandoning the process, browser redirection issues, and more can result in revenue loss for merchants. Therefore, the success rate of regular payments (successful payment count / total incoming payment count) generally ranges around 80-85%, whereas for 3DS transactions this rate is at the level of 65-75%.

Should I Offer a 3D-Secure Option to My Customers? Should I Use a 3D-Secure System?

As an online platform that receives payments online, it’s essential to offer the 3DS option to customers to overcome the psychological barrier of end-users and gain their trust. Furthermore, if you intend to accept payments with debit cards and prepaid cards, the 3DS option becomes essential because regular and installment payments can only be made with debit and prepaid cards with 3DS. Therefore, in order to recognize these cards and enforce the 3DS option, you need to transmit them to the bank as single payments.

Moreover, if you are dealing with high-risk scenarios such as accessible cash-out opportunities, products/services enabling fraud activities, or high-cost item categories (online products, prepaid credits, gold, phones, electronics, airplane tickets, etc.), it’s imperative to mandate the use of 3DS.

What are the 3D-Secure Models, and Which One Should I Choose?

As an online platform that receives payments online, when integrating 3D-Secure, you will generally encounter three alternative models. For reasons we explain later in the article, we want to emphasize that you must use the 3D Model among these alternatives.

Craftgate offers a triple handshake (triple verification: merchant – Craftgate – bank), and it works only with the 3D model. This way, you will avoid problems such as pending orders, orders with money withdrawn, or duplicate money withdrawals. For more information, you can see our Create 3D Secure Payment page.

3D Model

Once the user enters their card information on the merchant’s platform and selects the 3DS option, the payment request is sent to 3DGate and forwarded to ACS (Access Control Server) through the browser. The user is presented with a screen at the top, where they can enter an SMS password and/or CVC2 number. From this point onward, when the user enters the SMS password and proceeds, the transaction status information (mdstatus value) is communicated to the merchant’s success or fail URL through browser redirection, without any funds being withdrawn. 

If the transaction arrives at the success URL and the status information indicates that the user’s details are correct (mdstatus==1), you can proceed to the final checks (e.g., session timeout, product availability, price changes, stock availability, etc.) for the transaction to withdraw funds. Once these checks are completed, you can finalize the payment process through API calls at the millisecond level without browser redirection, ensuring the completion of the payment. 

Up until this point, the processes work asynchronously. In other words, there will be a considerable time gap from when the user leaves the merchant’s website until they return after seeing the bank’s ACS URL in their browser. Consequently, during this time, the user’s session might expire or the product’s stock could be depleted. The most significant advantage of this model is that it transitions from the asynchronous phase to the synchronous phase, allowing you to perform necessary checks before withdrawing funds. In other words, it provides a handshake mechanism.

3D-PAY Model 

Everything remains the same until the SMS password is entered on the bank’s ACS screen. The only difference from the other model is that, in this case, as soon as the user enters this information, the funds are immediately withdrawn. Then a browser redirection is performed to the merchant’s success URL. 

While it might be easier to execute, this approach has potential challenges. Issues such as the loss of internet connectivity after the funds have been withdrawn, the product being out of stock at the merchant, or changes in the product price can prevent the order from being created.

In such a scenario, even though the user has been charged, the lack of corresponding service could lead to dissatisfaction among users, your customer service team, and your technical and accounting departments. They would also have to undertake manual tasks to rectify the situation.

3D-PAY-OOS (3D-PAY-HOSTING) Model

This model is more suitable for smaller companies without an extensive software team. In this model, the entire payment page is hosted by the bank. As a result, there is no need for a card payment page application at the merchant’s platform end, and it operates similarly to the 3D-PAY Model. 

What is 3D-Secure Full Authentication, and Should I Prefer It?

Full authentication is an indication that everything complies with the rules. It occurs when the user correctly enters the SMS password received on their mobile phone into the 3DS screen and is redirected to the merchant’s success URL with an mdstatus value of 1. In this manner, 3D-Secure payments are completed through full authentication. For instance, if you use the 3D Model and prefer full authentication – which is the ideal combination – you will have successfully received FULL-3DS payments. This enables you to reject potential chargeback requests from banks.

After the user enters their card information on the merchant’s payment page and selects the 3DS option, sometimes the transaction can be directly redirected to the merchant’s fail url or success URL by ACS without showing the screen where the SMS password is asked. In both cases, you cannot perform full authentication since mdstatus will have a value other than 1. If the mdstatus value that lands on your success URL is 2, 3, or 4, you can proceed with the transaction as if it were a 3DS transaction and collect the payment. This way, you will have conducted a half-authentication. For example, if you use the 3D Model and opt for half-authentication, you will successfully receive HALF-3DS payments. In this case, you will be in the gray area for any chargeback request. 

According to your agreement with the bank, you can also utilize half-authentication if necessary.

All mdstatus values are as follows: 

  • [SUCCESS_URL] [FULL] mdStatus = 1: Full authentication
  • [SUCCESS_URL] [HALF] mdStatus = 2: Cardholder or card issuer not registered in the system
  • [SUCCESS_URL] [HALF] mdStatus = 3: Card issuer not registered in the system
  • [SUCCESS_URL] [HALF] mdStatus = 4: Verification attempt, the cardholder has chosen to enroll in the system later
  • [FAIL_URL] – mdStatus = 5: Authentication cannot be performed
  • [FAIL_URL] – mdStatus = 6: 3D Secure error
  • [FAIL_URL] – mdStatus = 7: System error
  • [FAIL_URL] – mdStatus = 8: Unknown card number
  • [FAIL_URL] – mdStatus = 0: 3D Secure signature is invalid, authentication cannot be performed, the SMS password is incorrect, or the user has clicked the cancel button.
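
The 3D Model callback step and the mdStatus list above can be combined into one server-side decision made before any funds are withdrawn. The following Python is an added example, not Craftgate's code or API; the function names, the Order fields and the allow_half flag are assumptions made for illustration.

```python
# Added example: all names here are hypothetical, not part of any real SDK.
from dataclasses import dataclass
import time

FULL = {1}            # full authentication
HALF = {2, 3, 4}      # half authentication (gray area for chargebacks)

@dataclass
class Order:
    price_at_checkout: int     # minor units shown to the user before the redirect
    current_price: int         # price now, after the user has returned
    in_stock: bool
    session_expires_at: float  # epoch seconds

def classify_md_status(raw):
    """Map the raw mdStatus callback value to FULL / HALF / FAIL."""
    try:
        value = int(str(raw).strip())
    except (TypeError, ValueError):
        return "FAIL"          # missing or non-numeric value: treat as failed
    if value in FULL:
        return "FULL"
    if value in HALF:
        return "HALF"
    return "FAIL"              # 0, 5-8 and any value not in the list

def decide_3d_callback(raw_md_status, landed_on, order, allow_half=False, now=None):
    """Return (action, reason); action is 'CAPTURE' or 'REJECT'."""
    now = time.time() if now is None else now
    level = classify_md_status(raw_md_status)
    # A success-range mdStatus arriving on the fail URL is still rejected.
    if landed_on != "success" or level == "FAIL":
        return ("REJECT", "authentication failed")
    if level == "HALF" and not allow_half:
        return ("REJECT", "half authentication not accepted")
    # Final checks, run synchronously before funds are withdrawn.
    if now > order.session_expires_at:
        return ("REJECT", "session timeout")
    if not order.in_stock:
        return ("REJECT", "out of stock")
    if order.current_price != order.price_at_checkout:
        return ("REJECT", "price changed")
    # The caller now finalizes the payment with the server-to-server API call.
    return ("CAPTURE", level)
```

Because the value arrives through a browser redirection, unlisted or malformed mdStatus values are classified as failures, so a truncated or altered parameter never reaches the capture step.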
