  • February 05, 2025

How to Implement & Optimize 3D-Secure: Webinar Q&A

Shane Curran

Founder, CEO


During our How to Implement & Optimize 3D-Secure webinar, we received a lot of insightful questions from the audience (watch it here). To make sure everyone benefits from the discussion, we’ve compiled the top questions along with our answers below. Also, if you’re looking for a deeper understanding of 3D-Secure and how to make the most of it, check out our in-depth guide on implementation and optimization.

Does each bank have its own directory server?

Each card network, such as Visa and Mastercard, has a directory server. As part of the 3DS flow, the card network’s directory server communicates with the issuing bank through the bank’s Access Control Server (ACS).

Does the 3DS flow require a payment, or is it just for card data authentication? We’re about to use Evervault Relay, where you encrypt the PAN, and we later use it for recurring and/or single payments as a saved card. Is 3DS something we must run at the time of encryption, or for every payment?

You can leverage Non-payment Authentications (NPA) when adding cards without needing to take a payment. Every payment authorization needs a 3DS ECI and UCAF/cryptogram to take advantage of the liability shift, and these recurring payments can be performed using 3DS Requestor-Initiated (3RI) authentications.

You mentioned that 3DS is possible for recurring payments. Does that mean it’s handled via API?

Recurring payments can be authenticated using Merchant-Initiated Transactions (MIT). In this case, the merchant can initiate a 3DS authentication on the backend without customer involvement. Typically, the customer completes 3DS authentication for the first payment, and the merchant can reference this initial authentication for subsequent MITs.

How does liability shift work with Merchant-Initiated Transactions (MIT) if they are processed on the backend?

Merchants can generate the necessary authentication data without customer involvement. Alternatively, they can reference a previous authentication where the customer completed 3DS.

In the event of a server failure, is there a central 3DS server to keep things running, or is each business responsible for maintaining its own 3DS infrastructure?

Businesses that accept payments and use 3DS typically rely on a 3DS Server vendor rather than managing their own infrastructure. In case of a server failure, the impact depends on how the service handles it. This could result in downtime where payments cannot be processed, or the system could fall back to direct authorization without 3DS.

If the 3DS servers go down, would Mastercard and Visa step in to process transactions for issuers?

Mastercard and Visa do not step in if a 3DS server goes down. However, they may provide a fallback in cases where the ACS cannot authenticate the transaction.

Does Evervault offer 3DS via backend API integration, or does it have to be implemented on the front end of an eCommerce website via JavaScript?

For Customer-Initiated Transactions (CIT), Evervault requires both backend and frontend integration. The frontend component is necessary to collect browser details and display the authentication frame when additional verification is required. However, for Merchant-Initiated Transactions (MIT), 3DS can be completed entirely on the backend, as frontend interaction is not required.

How does 3DS handle transaction approvals when a cardholder uses a dynamic CVV for an online transaction?

The CVV is not necessarily required in the 3DS process. Authentication can still be performed using the card number and expiration date. For example, CVV is not a required field for Evervault’s 3DS solution. A dynamic CVV can serve as an additional fraud prevention layer alongside 3DS.

Does 3RI stand for something?

3RI stands for 3DS Requestor-Initiated, where the requestor (typically the merchant) initiates the 3DS authentication instead of the cardholder.

Are issuers responsible for initiating the 3DS process?

The merchant typically initiates the 3DS process. In most cases, this occurs when a cardholder makes a transaction on the merchant’s website. For 3RI transactions, the merchant initiates authentication for recurring payments, where the cardholder is not directly involved.

What happens when a 3RI request is denied?

The transaction can proceed to authorization, but liability shift will not apply.
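
An added example (not Evervault's code or API) of the decision the answers above describe for a recurring, merchant-initiated charge: what goes to authorization after a 3RI attempt succeeds, is denied, or cannot run because the 3DS Server is down. The class names, field names and the `on_outage` policy are assumptions, and the sketch treats only `transStatus` `Y` as authenticated.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ThreeRIResult:
    """Constructed stand-in for a 3DS Server's answer to a 3RI request."""
    trans_status: str                  # EMV 3DS transStatus, e.g. "Y" or "N"
    eci: Optional[str] = None
    cryptogram: Optional[str] = None   # authentication value (CAVV / UCAF)


@dataclass
class AuthorizationPlan:
    proceed: bool           # send the charge to authorization at all?
    liability_shift: bool   # may the merchant expect the liability shift?
    reason: str
    fields: dict = field(default_factory=dict)  # 3DS data attached to the authorization


def plan_recurring_charge(result: Optional[ThreeRIResult],
                          on_outage: str = "block") -> AuthorizationPlan:
    """Decide how a merchant-initiated charge goes to authorization.

    result is None when the 3DS Server could not be reached.
    on_outage is a merchant policy (assumption): "block" or "fallback".
    """
    if on_outage not in ("block", "fallback"):
        raise ValueError("on_outage must be 'block' or 'fallback'")
    if result is None:
        if on_outage == "block":
            # Downtime: the payment is not processed.
            return AuthorizationPlan(False, False, "3ds_unavailable_blocked")
        # Fall back to direct authorization without 3DS data.
        return AuthorizationPlan(True, False, "3ds_unavailable_direct_authorization")
    if result.trans_status != "Y":
        # Denied 3RI: authorization can still be attempted, without liability shift.
        return AuthorizationPlan(True, False, "3ri_not_authenticated")
    if not (result.eci and result.cryptogram):
        # Authenticated but incomplete: the authorization needs both values,
        # so do not record a liability shift that cannot be evidenced.
        return AuthorizationPlan(True, False, "missing_eci_or_cryptogram")
    return AuthorizationPlan(True, True, "3ri_authenticated",
                             {"eci": result.eci, "cryptogram": result.cryptogram})
```

Recording `reason` and `liability_shift` with each charge lets finance and fraud teams see afterwards which payments went through unprotected during an outage or after a denial.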

How is fingerprint authentication gathered if the cardholder is not present?

In the case of 3RI, the fingerprinting step is not performed.

Why do some acquirers in Africa generally not accept external authentications?

This is typically due to technical limitations in their integration. However, payment service providers (PSPs) like Stitch, which integrate with acquirers, can enable external authentication.


Hope we were able to give some more clarity on 3D-Secure. If you’d like to learn how to integrate 3D-Secure into your product, check out our page below!

Flexible and universal 3D-Secure

Evervault's standalone 3D-Secure Server lets merchants and payment service providers authenticate payments, shift liability and comply with regulations like Strong Customer Authentication.
