3-D Secure 2.0 is an updated specification of 3-D Secure, EMVco's standard for securing e-commerce payments to comply with the Strong Customer Authentication (SCA) mandate in the European Union.
As of December, 31st 2020, international merchants who accept e-commerce or in-app payments must authenticate these payments in compliance with the 3-D Secure 2.0 specification. International merchants who do not use 3-D Secure to authenticate e-commerce payments are subject to declined authorizations and fines assessed by the card brands.
The changes described in this document are currently in development.
Understanding 3-D Secure 2.0
3-D Secure is a protocol developed by the card brands and EMVCo to provide additional cardholder security for e-commerce credit and debit card transactions. The 3-D Secure 2.0 specification was introduced in 2016 to comply with the Strong Customer Authentication (SCA) mandate in the European Union. This update also introduced an improved user experience, better support for mobile payments, and more dynamic authentication methods.
Using 3-D Secure to authenticate transactions reduces the risk of fraud and shifts liability for transaction disputes and chargebacks away from the merchant, to the issuer.
We are currently in the process of certifying the CardPointe Gateway for compliance with the 3-D Secure 2.0 specification. Initially, this feature will only be available for merchants processing on the First Data Rapid Connect platform.
There are two options for integrating 3-D Secure authentication with your application:
Integrate your application directly with the CardPointe Gateway API and a 3-D Secure provider service (for example, CardinalCommerce) to authenticate your cardholders, and pass the required data in your authorization requests. Note that this option may require your application to facilitate transmission of sensitive cardholder data to the service provider, which may increase your scope of PCI compliance. See Integrated Payment Application Changes, below for more information.
Integrate the CardPointe Hosted Payment Page with your application to embed a secure, PCI-compliant checkout page to authenticate your cardholders and accept payments without directly integrating a 3-D Secure service provider. This option may reduce your scope of PCI compliance, as all sensitive cardholder data is handled by the HPP outside of your application. See CardPointe Payment Application Changes for more information.
While 3-D Secure is optional for merchants located in the United States, it is required for merchants located outside of the United States accepting e-commerce or mobile payments from international consumers.
Integrated Payment Application Changes
If you or your merchants use an application that integrates the CardPointe Gateway API to accept international e-commerce payments, you must update your application to become compliant with this mandate.
The changes required to comply with this mandate affect merchants who use an international merchant account (an account with domicility outside of the United States) to accept e-commerce or in-app payments.
New Authorization Request Parameters
To support the requirements to provide the 3-D Secure authentication data for applicable transactions, the CardPointe Gateway API includes the following new parameters.
Your application authenticates the payment with the 3-D Secure service provider (for example, CardinalCommerce). Your application must then parse the following data from the authentication response returned by the provider, and pass these fields in the authorization request to the CardPointe Gateway.
Gateway Authorization Request Field
Cardinal Commerce Authentication Response Field
EMVco 3-D Secure Field Name
Electronic Commerce Indicator (ECI) flag returned from your 3DS provider.
One of the following values:
05 - Fully-authenticated transaction
06 - Attempted authentication transaction
28 for Visa
28-32 for Mastercard
A Base64-encoded Cardholder Authentication Verification Value returned from your 3DS provider.
Required for Mastercard Identity Check transactions.
Unique transaction identifier assigned by the Directory Server (DS) to identify a single transaction.
Required for European web transactions if the transaction meets the criteria for exemption from the Strong Customer Authentication (SCA) mandate.
One of the following values, if applicable:
ivr - The transaction is authorized using a secure IVR system between the merchant and cardholder.
lowrisk - The transaction is considered low-risk. Requires an agreement between the merchant and issuer.
lowvalue - The transaction amount is less than 30 euros (€30) .
trusted - For Visa only, if the merchant has a trusted agreement with the issuer.
Note: Do not include secureexemption for other transactions that do not meet the above criteria; passing this field when not needed or applicable will cause declines. Contact your 3-D Secure provider and integration support for more information.
CardPointe Payment Application Changes
Enhancements to the CardPointe Hosted Payment Page (HPP) are in development to integrate support for 3-D Secure 2.0. The HPP offers merchants the flexibility to redirect cardholders to a secure, PCI-compliant checkout page, or to embed a secure checkout experience within the application, with minimal development work.
Additionally, integrating the HPP can lower your scope of PCI compliance because the sensitive cardholder data required to authenticate your customers is never exposed to your application. Additional details will be available in a future update.
How do I know If I am required to use 3-D Secure?
If you have an international merchant account, based outside of the United States, and you accept e-commerce or in-app payments from international customers, you are required to use 3-D Secure to authenticate your cardholders, to comply with the EU's Strong Customer Authentication mandate.
What is 3-D Secure?
3-D Secure is an e-commerce payment authentication specification developed by EMVco LLC, a joint operation of the payment card brands, to satisfy the Strong Customer Authentication requirement imposed on businesses operating in the European Union.
3-D Secure requires merchants to authenticate a cardholder's identity before accepting a payment from the cardholder using an application or website.
If I already use 3-D Secure 1.0, do I need to update to 2.0?
Yes. Beginning in December 2020, affected merchants will be required to update their payments applications to comply with the 3-D Secure 2.0 specification. The 1.0 specification will be deprecated.
If you are already using 3-D Secure 1.0 with the CardPointe Gateway, you must include an additional field, dsTxnId, to comply with Mastercard's 3-D Secure 2.0 requirements.
Reach out to your 3-D Secure provider for information on upgrading your specific solution.
What will happen if I do not use 3-D Secure 2.0?
If your business case requires you to use 3-D Secure to comply with the EU's Strong Customer Authentication mandate, you must update your application to use 3-D Secure 2.0 by December 31st, 2020. Failure to do so will result in e-commerce transaction declines and penalties assessed by the card brands.