How does 3D Secure work?

To explain how 3D Secure (also known as Visa Secure / MasterCard Secure Code / Amex SafeKey) works, we will compare a regular, non-3D Secure credit card payment with a 3D Secure credit card payment.

Non-3D Secure Payment

There are 4 primary parties involved in a regular credit card transaction:

  • The cardholder - The person shopping online who has the credit card details
  • PayFast (& Merchant) - The "gateway" of the online merchant from whom the cardholder is purchasing
  • The acquiring bank - PayFast's acquiring bank through which we process credit card payments
  • The issuing bank - The bank that issued the cardholder with their credit card

In a regular credit card transaction without 3D Secure, the (simplified) process flow is as follows:

  1. The cardholder enters their card information (16-digit card number, expiry date etc.) on PayFast
  2. PayFast submits the data to our acquiring bank
  3. Our acquiring bank authorises the transaction (by communicating with the credit card network and issuing bank)
  4. The response (success or failure) is passed back up the chain to the cardholder

3D Secure Payment

With 3D Secure, a number of additional steps are added to the credit card process with the aim of authenticating the cardholder performing the transaction.

A (very simplified) 3D Secure process is as follows:

  1. The cardholder enters their card information (16-digit card number, expiry date etc.) on PayFast
  2. PayFast contacts a directory server to see whether the card is enrolled in 3D Secure
  3. The directory server responds with a message indicating that the card is registered
  4. PayFast uses the message to redirect the cardholder to a "3D Secure" page served by the issuing bank
  5. The cardholder authenticates themselves to the issuing bank on the 3D Secure page by entering an OTP (One Time Pin) or known password etc.
  6. The result of this authentication is returned to PayFast
  7. PayFast submits the card information and the 3D Secure authentication result to our acquiring bank
  8. Our acquiring bank authorises the transaction (by communicating with the credit card network and issuing bank)
  9. The response (success or failure) is passed back up the chain to the cardholder

Note:

When discussing credit card transactions, the terms authorisation and authentication are distinct.

Authorisation is the act of the issuer verifying the validity of the card details provided and consenting to the charge based on internal rules (eCommerce allowed, acquiring country allowed, funds available etc.).

Authentication refers to the cardholder confirming to the issuing bank that it is indeed them performing the transaction. They are "authenticating" themselves in a manner similar to providing a known password to log in to a website.
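
The nine-step flow and the authorisation/authentication distinction above, modelled as an added Python example that is not PayFast's code. The HMAC-based authentication result, the issuer key, the status strings and the sample card number are assumptions made for illustration, since the page does not specify the message formats.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: a test card number and the issuer's records for it.
PAN = "4111111111111111"
ISSUER_KEY = secrets.token_bytes(32)  # assumption: secret held only by the issuing bank
CARDS = {PAN: {"enrolled": True, "funds": 50_000}}  # funds in cents
PENDING_OTP = {}

def _auth_result(pan, amount):
    # Assumed format: a MAC over card and amount, so the result fits one payment only.
    return hmac.new(ISSUER_KEY, f"{pan}|{amount}".encode(), hashlib.sha256).hexdigest()

def directory_lookup(pan):
    """Steps 2-3: the directory server reports whether the card is enrolled."""
    return CARDS.get(pan, {}).get("enrolled", False)

def issuer_authenticate(pan, amount, enter_otp):
    """Steps 4-6: the issuer sends an OTP and checks what the cardholder types."""
    PENDING_OTP[pan] = f"{secrets.randbelow(10**6):06d}"
    typed = enter_otp(PENDING_OTP[pan])   # cardholder's side of the 3D Secure page
    sent = PENDING_OTP.pop(pan)           # one-time: consumed by this attempt
    return _auth_result(pan, amount) if hmac.compare_digest(sent, typed) else None

def issuer_authorise(pan, amount, auth_result):
    """Steps 7-8: authorisation checks the authentication result, then issuer rules."""
    if auth_result is None or not hmac.compare_digest(_auth_result(pan, amount), auth_result):
        return "DECLINED_NOT_AUTHENTICATED"
    if CARDS[pan]["funds"] < amount:
        return "DECLINED_INSUFFICIENT_FUNDS"
    return "APPROVED"

def pay(pan, amount, enter_otp):
    """Gateway view of steps 1-9; returns the response passed back to the cardholder."""
    if not directory_lookup(pan):
        return "NOT_ENROLLED"  # the page does not say what happens next; left to policy
    return issuer_authorise(pan, amount, issuer_authenticate(pan, amount, enter_otp))

if __name__ == "__main__":
    print(pay(PAN, 10_000, lambda sent: sent))     # cardholder receives and enters the OTP
    print(pay(PAN, 10_000, lambda sent: "wrong"))  # card details only, no access to the OTP
    print(pay(PAN, 90_000, lambda sent: sent))     # authenticated, but authorisation fails
```

The third call is the case the note describes: the cardholder is authenticated, yet the charge is still declined at authorisation because of the issuer's own rules.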
