3D Secure deep dive—How it works for CNP transactions
How 3DS works
In a 3DS flow, cardholders need to verify their identity with the card issuer during card-not-present payments for ecommerce transactions. The card issuer may require the customer to enter a password linked to the card or a one-time passcode (OTP) received on their mobile device, or complete the payment through a frictionless flow. The method of 3DS authentication depends on the card issuer. Additionally, with 3DS, liability shifts from the merchant to the issuer when the issuing bank successfully authenticates a transaction.
3DS authentication services are available for merchant self-hosted checkout, integrating with Clover iframe and Ecommerce APIs, Clover hosted checkout, Clover Online Ordering (OLO), and Clover retail merchants.
Regional compliance
3DS helps secure electronic payments as per the PSD2 Strong Customer Authentication (SCA) regulatory requirement in Europe. 3DS authentication is optional in North America, but Clover strongly recommends enabling this service to reduce chargebacks.
3DS pricing
3D Secure is priced for merchants at 4¢ in the local currency (USD or CAD) per transaction. The fee is included in the monthly billing for the Clover App Market sent by Clover Billing.
3DS payments transaction flow
3DS payment transaction flow includes the following steps:
- The cardholder makes a purchase and enters card details for payment.
- The merchant's 3D secure service provider sends the transaction data and an authentication request to the card issuer.
- The card issuer's financial institution determines the transaction flow, whether it is a challenge authentication flow or a frictionless flow.
- The card issuer sends the authentication result to the merchant.
- The merchant then submits the transaction for authorization, including the authentication result.
3DS payment flow
3DS results and liability shift
The 3D Secure (3DS) liability shift is a rule that protects merchants from fraudulent transactions. When the 3DS liability shift applies, the liability for fraudulent chargebacks shifts from the business to the card issuer, such as a financial institution (FI) or bank.
When a Clover merchant with 3DS services enabled initiates a transaction, the cardholder's issuing FI or bank authenticates the cardholder. If the authentication is successful, the liability shifts from the merchant to the issuer. The merchant proceeds with authorizing the payment, and the card issuer becomes liable for any fraudulent-type disputes that the customer may file. This implies that in cases of disputes or chargebacks related to fraud, such as a customer denying their involvement or authorization of the transaction, the merchant is generally not held accountable.
IMPORTANT
- Liability shift protection does not cover all 3DS authenticated transactions. The responsibility of issuing a liability shift lies with the card issuer and network.
- Liability shift protection applies only to chargebacks related to fraud and friendly fraud and does not cover non-fraudulent customer claims.
The fraud checks are applied even with the liability shift for 3DS authenticated transactions. The merchant should always take additional steps to check the customer's identity and reduce the fraud risks by applying risk rules, such as velocity checks, IP restrictions, safelists, CVV/CV2 matching, and the address verification service (AVS). For more information, see how to use fraud prevention tools.
3DS terminology
| Term | Description |
|---|---|
| Card-not-present fraud | Card-not-present (CNP) fraud occurs when the customer manually enters credit card information without physically presenting the card to the merchant during a transaction. This type of fraud usually occurs in online or ecommerce transactions, where the cardholder's information, for example, their three-digit security code, is used without the cardholder's knowledge or consent. |
| Chargeback | Chargeback is a process that lets customers dispute a transaction made using their credit or debit card and request a refund from their card issuer. In chargeback, the card issuer reverses the transaction, that is, withdraws the funds that were previously deposited into the merchant's bank account and returns them to the customer's account. Merchants need to manage chargebacks effectively to prevent administrative and financial costs and maintain customer satisfaction. Note: 3DS shifts the liability of any chargebacks due to fraud or disputes from the merchant to the issuer. |
| Clover 3DS | When Clover sends 3DS data in an Ecommerce API charge request, and the 3DS authentication is done by a Fiserv 3DS authentication services provider, the source of the 3DS authentication in the charge request is CLOVER. See Add 3-D Secure authentication when creating a charge. |
| Non-Clover 3DS | When Clover sends 3DS data in an Ecommerce API charge request, and the 3DS authentication is sent to an external authentication services provider, the source of the 3DS authentication in the charge request is NON_CLOVER. |
| Challenge flow | For card-not-present (CNP) payments, challenge flow indicates that the financial institution (FI) or issuer requires more evidence to verify the legitimacy of the transaction. In the challenge flow, the customer must provide extra information to authenticate the payment, such as a password or a one-time code that the card issuer sends to their mobile device. |
| Frictionless flow | For card-not-present (CNP) payments, frictionless flow refers to a seamless process where the financial institution (FI) or issuer can verify the legitimacy of a transaction without requiring additional input from the cardholder. This behind-the-scenes verification lets customers complete their purchases without any noticeable interruptions or authentication steps. |
| Liability shift | Liability shift indicates the transfer of responsibility for chargeback losses from the merchant to the financial institution (FI). As issuers are responsible for authenticating transactions, 3DS enables the transfer of liability for any chargebacks resulting from fraud or disputes from the merchant to the issuer. However, if a transaction is not authenticated, the liability stays with the merchant. This shift in liability is beneficial for merchants as it helps reduce the costs associated with chargebacks. Important: Liability shift protection applies only to chargebacks related to fraud and does not cover non-fraudulent customer claims. For more information, see 3DS results and liability shift. |
3DS as offered by card issuers
All major card issuers offer 3D Secure by a different brand name. Merchants and cardholders can recognize the offering as follows:
| Card issuer | 3DS |
|---|---|
| American Express® | SafeKey™ |
| Discover® | ProtectBuy® |
| Diners Club® | ProtectBuy® |
| Mastercard® | SecureCode™ |
| Visa® | Verified by Visa™ |
Click to learn about the minimum data requirements for Visa Secure authentication requests🚧 IMPORTANT: As per article ID: AI13666, effective August 12, 2024, Visa requires information from three data fields for all tokenized Visa Secure EMV® 3-D Secure (3DS) payment transactions. The three required data fields in authentication request messages are: - Browser Internet Protocol (IP) address or the device IP address for in-app transactions - Cardholder name - Cardholder email address or phone number, or both |
Related topics
Updated 17 days ago