What is 3D Secure 2?
3D Secure 2, also referred to as "3DS" or "Payer Authentication", is a security protocol that adds a layer of authentication to the online card-not-present authorisation process to verify a cardholder's identity.
The purpose of 3DS is to protect a merchant and cardholder against fraud and unauthorised use when the cardholder is not physically present. This is done by requesting additional parameters when collecting the credit card details, including a device fingerprint, and sending these to the card issuer for analysis. The card issuer can then decide, based on the risk, either to approve the transaction or to require that an OTP (one-time password) be sent to the cardholder to verify that they, and not a bad actor, initiated the transaction.
You may have already seen this system in action where your card issuer sent you a one-time password to your phone or email and required you to enter this password before approving a transaction.
How is 3D Secure being implemented?
Beginning November 2021 we require certain cardholders to utilise the new process of payer authentication when storing a card in our platform. This new security feature is automatic, and merchants are not required to do anything to receive the benefits.
Payments processed through hosted pages, which includes Payment Requests, Payment Portal, and Xero Invoice Pay Now, will be assessed for their risk, and payer authentication prompted where required.
This new technology also allows us to perform non-payment authentication when storing cards for future use, such as with recurring direct debit transactions. When a cardholder first enters their card into our system, we can perform the payer authentication immediately and then safely store the card for future processing. This is only required once; after the successful payer authentication takes place, subsequent scheduled debits will take place without requiring any additional cardholder intervention.
How will I know if a card payment used 3D Secure 2?
If a card payment is approved with 3D Secure 2, you will see the new 3DS symbol in the payment's receipt. Seeing this symbol gives you confidence that we used payer authentication to verify the cardholder. When a transaction is processed using this system, the merchant will generally receive a liability shift in their favour, thus reducing chargebacks related to fraud.
Changes to Virtual Terminal
3D Secure 2 cannot be utilised in Virtual Terminal as it is required to run directly on the cardholder's device. As such, we encourage merchants to utilise Payment Requests to receive the benefits of this new security feature. Payment Requests send a customer a link via SMS/email requesting them to enter their card information. As this occurs on the cardholder's device, we can safely authenticate the cardholder and process the payment instantly, greatly reducing the risk of fraud-related chargebacks and minimising delays in settlements.
You will still be able to use Virtual Terminal for circumstances where Payment Requests are not suitable. The amount you can process without requiring a payment request/payer authentication is based on several factors including the amount of the payment, your history with us and whether you have processed an amount on a card which has been previously authenticated.
If you intend to store a card for future charges, we encourage you to send your customer a $1.00 payment request, which allows us to safely and securely store the card and verify the cardholder. Once complete, you will have the advantage of knowing the cardholder is legitimate, and we allow higher amounts to be processed against these types of cards.
Changes to API & iFrame
We are progressively rolling out the new 3D Secure 2 protections to every aspect of our platform, including API tokenisation and our secure card collection and tokenisation iFrame.
If you are interested in implementing 3D Secure 2 in your application, please contact support to organise a meeting with an implementation specialist.
For more information visit 3dsecure2.com