Start a conversation

How does 3D Secure work?

To explain how 3D Secure (aka Verified by Visa / MasterCard Secure Code / Amex SafeKey) works we will compare a regular, non 3D Secure credit card payment with a 3D Secure credit card payment.

Non 3D Secure Payment

There are 4 primary parties involved in a regular credit card transaction:

  • The cardholder - The person shopping online who has the credit card details
  • PayFast (& Merchant) - The "gateway" of the online merchant from whom the cardholder is purchasing
  • The acquiring bank - PayFast's acquiring bank through which we process credit card payments
  • The issuing bank - The bank who issued the cardholder with their credit card

In a regular credit card transaction without 3D Secure, the (simplified) process flow is as follows:

  1. The card holder enters their card information (16 digit card number, expiry date etc.) on PayFast
  2. PayFast submits the data to our acquiring bank
  3. Our acquiring bank authorises the transaction (by communicating with the credit card network and issuing bank)
  4. The response (success or failure) is passed back up the chain to the card holder

3D Secure Payment

With 3D Secure, a number of additional steps are added to the credit card process with the aim of authenticating the cardholder performing the transaction.

A (very simplified) 3D Secure process is as follows:

  1. The card holder enters their card information (16 digit card number, expiry date etc.) on PayFast
  2. PayFast contacts a directory server to see whether the card is enrolled in 3D Secure
  3. The directory server responds with a message indicating that the card is registered
  4. PayFast uses the message to redirect the cardholder to a "3D Secure" page served by the issuing bank
  5. The cardholder authenticates themselves to the issuing bank on the 3D Secure page by entering a OTP (One Time Pin) or known password etc.
  6. The result of this authentication is returned to PayFast
  7. PayFast submits the card information and the 3D Secure authentication result to our acquiring bank
  8. Our acquiring bank authorises the transaction (by communicating with the credit card network and issuing bank)
  9. The response (success or failure) is passed back up the chain to the card holder

Note:

When discussing credit card transactions, the terms authorisation and authentication are distinct.

Authorisation is the act of the issuer verifying the validity of the card details provided and consenting to the charge based on internal rules (eCommerce allowed, acquiring country allowed, funds available etc.)

Authentication refers to the cardholder providing confirmation to the issuing bank, that it is indeed them performing a transaction. They are "authenticating" themselves in a manner similar to providing a known password to login to a website.

Choose files or drag and drop files
Helpful?
Yes
No