How does 3D Secure work?
Posted by Jonathan S on 18 Sep 2015 12:50

This article covers how 3D Secure (also known as Verified by Visa / MasterCard SecureCode / Amex SafeKey) works by contrasting a regular (non-3D Secure) credit card payment with a 3D Secure credit card payment, and provides detail on how international buyers are affected by 3D Secure for payments to PayFast merchants.


How a regular credit card payment works

In a regular (non-3D Secure) credit card authorisation process on PayFast, there are 4 primary parties involved:

  • The cardholder
    • The person shopping online who has the credit card details
  • PayFast (& Merchant)
    • The "gateway" of the online merchant from whom the cardholder is purchasing
  • The acquiring bank
    • PayFast's acquiring bank through which we process credit card payments
  • The issuing bank
    • The bank who issued the cardholder with their credit card

In a regular credit card transaction without 3D Secure, the (simplified) process flow is as follows:

Non 3D Secure payment flow

  1. The cardholder enters their card information (16 digit card number, expiry date etc.) on the PayFast engine
  2. PayFast submits the data to our acquiring bank
  3. Our acquiring bank authorises the transaction (by communicating with the credit card network and the issuing bank)
  4. The response (success or failure) is passed back up the chain to the cardholder

Notably, when comparing this process with 3D Secure, there is no communication between the issuing bank and the cardholder. As part of the acquiring bank's authorisation process, the issuing bank looks purely at the card account and authorises or declines the transaction based on "regular" account parameters (card active, funds available, card not expired etc.).


How a 3D Secure transaction works

With 3D Secure, a number of additional steps are added to the credit card process with the aim of authenticating the cardholder performing the transaction.

A (very simplified) 3D Secure process is as follows:

PayFast 3D Secure Process

  1. The cardholder enters their card information (16 digit card number, expiry date etc.) on the PayFast engine
  2. PayFast contacts a directory server to ascertain whether the card is enrolled in 3D Secure
  3. The directory server responds with a message indicating whether the card is enrolled
  4. If it is, PayFast uses the message to redirect the cardholder to a "3D Secure" page served by the issuing bank
  5. The cardholder authenticates themselves to the issuing bank on the 3D Secure page (One Time PIN, known password etc.)
  6. The result of this authentication is returned to PayFast
  7. PayFast submits the card information and the 3D Secure authentication result to our acquiring bank
  8. Our acquiring bank authorises the transaction (by communicating with the credit card network and the issuing bank)
  9. The response (success or failure) is passed back up the chain to the cardholder

What does 3D Secure mean?

The term 3D Secure comes from Three Domain Security, because there are 3 "domains" involved in the 3D Secure process: the Issuer Domain, the Interoperability Domain and the Acquirer Domain.

  • The issuer domain is where the cardholder and issuing bank act.
  • The acquirer domain is where the gateway and acquiring bank act.
  • The interoperability domain is where all the "connecting" services act (Directory Server & ACS).

Authorisation vs Authentication

When discussing credit card transactions, the terms authorisation and authentication are distinct.

Authorisation is the act of the issuer verifying the validity of the card details provided and consenting to the charge based on its internal rules (eCommerce allowed, acquiring country allowed, funds available etc.).

Authentication refers to the cardholder providing confirmation to the issuing bank that it is indeed them performing the transaction. They are "authenticating" themselves in a manner similar to providing a known password to log in to a website.
