3-D Secure and SCA
Understand 3-D Secure and SCA
When making transactions online, protection from fraud is key – for both your customers and you.
To meet this need, the payments industry has established the 3-D Secure (Three Domain Secure) authentication protocol. For any card transaction, your customers must prove that they are the rightful card owner.
The current 3-D Secure standard requires your customers to pass authentication via Strong Customer Authentication (SCA). Thus, your customers have to authenticate themselves with at least TWO of the following three methods:
- Something they know (e.g. a PIN or password)
- Something they possess (e.g. a card reader or mobile device)
- Something they are (e.g. voice recognition or fingerprint)
Complying with SCA offers two major benefits for you and your customers:
- Fraud protection: If a transaction turns out to be fraudulent, neither you nor your customer is liable. Instead, the issuer compensates for the financial loss.
- Flexibility and enhanced customer experience: In some cases, the authentication process runs in the background and is imperceptible to your customers. Sometimes it is even possible to skip 3-D Secure altogether. Read our dedicated chapter to learn more.
Exemptions and exclusions
- Exclusions – The following use cases are considered out of scope:
  - Transactions through mail orders or telephone orders (MOTO).
  - Transactions for which your acquirer or your customer’s issuer is located outside the EEA.
  - Anonymous prepaid cards up to €150 (Article 63).
  Our platform detects these exclusions automatically, so you do not need to indicate them in your transaction requests.
- Exemptions – To enhance your customers’ payment experience, you can request skipping the authentication process if a transaction meets certain conditions. Read our dedicated chapter to learn more.
Understand 3-D Secure transaction flow
For card payments, your customers have to authenticate themselves as the rightful card owners at some point. A typical payment flow goes like this:
- Your customers finalise an order in your shop and select a card payment method.
- You send a CreateHostedCheckout/CreatePayment request to our platform, including a set of mandatory/recommended/optional 3-D Secure properties.
- Our platform sends you a response with instructions for the next steps of the flow. Depending on the integration mode, the next step differs:
a. Hosted Checkout Page: The response contains a redirectUrl to our secure payment page. Once you redirect your customer to this URL and they enter their card number, our platform automatically handles all 3-D Secure-related steps for you.
b. Hosted Tokenization Page/Server-to-server/Mobile/Client Integration: The response contains a merchantAction object instructing you to redirect your customers to a specific URL. This URL belongs to your customers' issuer.
- Your customers provide their credit card number and are redirected to their issuer for 3-D Secure authentication.
- Our system receives the 3-D Secure authentication result from the issuer.
- We process the transaction and receive the result from the acquirer.
- We redirect your customer to your returnUrl.
- You request the transaction result from our platform via GetPayment or receive the result via webhooks.
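The merchant side of this flow, as an added example that is not part of the platform's documentation or SDK: it decides the next step from a CreatePayment response (redirect to the issuer via merchantAction, or done when no challenge is needed) and, when the customer lands on returnUrl, takes the outcome only from GetPayment, never from the redirect's query string. The response field names beyond those on this page (payment.id, payment.status, redirectData.redirectURL) and the status values are assumptions, and the sample responses are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Assumed status values meaning the payment went through; not the platform's exact enum.
SETTLED = {"CAPTURED", "PENDING_CAPTURE"}

@dataclass
class MerchantSession:
    """What the shop stores per order between CreatePayment and the customer's return."""
    order_id: str
    payment_id: Optional[str] = None
    fulfilled: bool = False

def next_step(response: dict) -> Tuple[str, str]:
    """Step 3 of the flow: derive the merchant's next action from a CreatePayment response."""
    action = response.get("merchantAction")
    if action:
        # Issuer challenge required: redirect the customer to the issuer's 3-D Secure page.
        return "REDIRECT", action["redirectData"]["redirectURL"]
    status = response["payment"]["status"]
    if status in SETTLED:
        return "DONE", status  # frictionless or exempt: authentication ran in the background
    return "WAIT", status      # not final yet: rely on GetPayment/webhooks

def on_return(session: MerchantSession, return_query: dict,
              get_payment: Callable[[str], dict]) -> str:
    """Step 7: the customer arrives on returnUrl. The query string is under the customer's
    control, so it is only logged, never used; the verdict comes from GetPayment (step 8)."""
    claimed = return_query.get("status")  # untrusted; kept only for audit logging
    if session.payment_id is None:
        return "NO_PAYMENT"
    status = get_payment(session.payment_id)["payment"]["status"]
    if status not in SETTLED:
        return f"NOT_PAID:{status}:claimed={claimed}"
    if session.fulfilled:
        return "ALREADY_FULFILLED"  # a webhook for the same id may have fulfilled first
    session.fulfilled = True
    return "FULFILLED"

# Constructed sample responses standing in for the platform's JSON.
SAMPLE_CHALLENGE = {"payment": {"id": "pay_1", "status": "REDIRECTED"},
                    "merchantAction": {"redirectData": {"redirectURL": "https://issuer.example/acs"}}}
SAMPLE_FRICTIONLESS = {"payment": {"id": "pay_2", "status": "PENDING_CAPTURE"}}

def fake_get_payment_rejected(payment_id: str) -> dict:
    """Stand-in for GetPayment: the issuer declined the authentication."""
    return {"payment": {"id": payment_id, "status": "REJECTED"}}
```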