Enhancing Online Payment Security with 3DS (3D Secure) protocol 2.0


June 4, 2024, written by Andrii Minchekov


What Is the 3D Secure Service?

3D Secure (Three-Domain Secure) is a protocol designed to add a further security layer to online credit and debit card transactions. It involves three domains:

  1. Issuer Domain: The bank or entity that issued the card to the cardholder.
  2. Acquirer Domain: The merchant and the bank or entity that processes the merchant's payments.
  3. Interoperability Domain: The infrastructure provided by the card network (like Visa, Mastercard, etc.) that supports the 3D Secure protocol.

The 3D Secure service is an intermediary that facilitates the authentication of the cardholder by the issuer bank during an online transaction. It ensures that the transaction is legitimate and that the person making the transaction is the authorized cardholder.

Why Do We Need 3D Secure Service?

  1. Enhanced Security: Adds an additional layer of verification, reducing fraud and unauthorized transactions.
  2. Cardholder Authentication: Confirms the identity of the cardholder using methods such as OTP, passwords, or biometric verification.
  3. Liability Shift: Typically, when a transaction is authenticated via 3D Secure, the liability for chargebacks due to fraud shifts from the merchant to the card issuer.
  4. Customer Confidence: Boosts customer confidence in online transactions, leading to increased e-commerce activity.

Sequence Diagram for 3D Secure Payment Flow Architecture

[Figure: 3DS Payment Sequence Diagram]

This flow demonstrates how 3D Secure services provided by card networks and third-party providers work in conjunction with acquirer banks, issuer banks, and payment gateways to secure online transactions.
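To make the three-domain flow concrete, here is an added simulation (not code from the original post) of the EMV 3DS 2.x exchange: the merchant's 3DS Server in the acquirer domain sends an AReq, the card network's Directory Server routes it by BIN, and the issuer's ACS answers with an ARes whose transStatus is either frictionless (Y), challenge required (C), or unable to authenticate (U). The message names and transStatus codes follow the EMVCo 3DS 2.x specification; the risk threshold, card numbers, OTP values, and the shortcut of delivering the CReq straight from the 3DS Server to the ACS are assumptions made for this example.

```python
"""Constructed simulation of the EMV 3DS 2.x flow across the three domains.
AReq/ARes/CReq/CRes names and transStatus codes follow the EMVCo spec; the
risk rule, PANs and OTPs are invented for this example."""

# --- Issuer domain: Access Control Server (ACS) ---
class ACS:
    def __init__(self, enrolled, otp_secret):
        self.enrolled = enrolled        # PANs enrolled in 3DS (constructed)
        self.otp_secret = otp_secret    # constructed per-card OTP
        self.pending = {}               # threeDSServerTransID -> AReq awaiting challenge

    def handle_areq(self, areq):
        """Risk-based authentication: unenrolled cards cannot be authenticated (U),
        small amounts pass frictionless (Y), larger ones require a challenge (C)."""
        if areq["acctNumber"] not in self.enrolled:
            return {"transStatus": "U"}
        if areq["purchaseAmount"] <= 3000:  # minor units; threshold is an assumption
            return {"transStatus": "Y", "authenticationValue": "cavv-ok"}
        self.pending[areq["threeDSServerTransID"]] = areq
        return {"transStatus": "C"}

    def handle_creq(self, creq):
        """Challenge step: compare the cardholder's OTP with the issuer's secret."""
        pan = self.pending[creq["threeDSServerTransID"]]["acctNumber"]
        ok = creq["challengeData"] == self.otp_secret[pan]
        return {"transStatus": "Y" if ok else "N",
                "authenticationValue": "cavv-ok" if ok else None}

# --- Interoperability domain: Directory Server (DS) routes by BIN ---
class DirectoryServer:
    def __init__(self, routes):
        self.routes = routes            # six-digit BIN prefix -> issuer ACS

    def route(self, areq):
        acs = self.routes.get(areq["acctNumber"][:6])
        return acs.handle_areq(areq) if acs else {"transStatus": "U"}

# --- Acquirer domain: merchant's 3DS Server ---
def authenticate(ds, pan, amount_minor, otp_from_cardholder=None, tx_id="tx-1"):
    areq = {"threeDSServerTransID": tx_id, "acctNumber": pan, "purchaseAmount": amount_minor}
    ares = ds.route(areq)
    if ares["transStatus"] == "C":
        # Real flow: the browser/app sends CReq to the ACS and the result reaches the
        # 3DS Server as an RReq via the DS; collapsed here into one direct call.
        acs = ds.routes[pan[:6]]
        ares = acs.handle_creq({"threeDSServerTransID": tx_id,
                                "challengeData": otp_from_cardholder})
    # The liability shift only follows a successful (Y) or attempted (A) authentication.
    status = ares["transStatus"]
    return {"transStatus": status, "liability_shift": status in ("Y", "A")}
```

A failed challenge (N), an unenrolled card or an unroutable BIN (U) all leave the merchant without the liability shift, which is exactly the outcome a fraud rule engine should treat differently from a frictionless Y.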

Why Doesn't the Issuer Bank Provide 3D Secure Services Itself?

  1. Standardization and Interoperability: The 3D Secure service provided by card networks ensures standardization and interoperability across various issuers, acquirers, and merchants worldwide.
  2. Scalability: A centralized 3D Secure service can handle the volume and complexity of global transactions more efficiently.
  3. Focus on Core Functions: Issuer banks can focus on their core functions such as customer service, credit risk management, and compliance, while the 3D Secure service manages the authentication process.
  4. Regulatory Compliance: Card networks and specialized third-party providers are often better equipped to stay up-to-date with regulatory changes and ensure compliance across different jurisdictions.

3DS Providers

  1. Visa (Verified by Visa): Visa's 3D Secure service, Verified by Visa, helps ensure that payments are made by the rightful owner of the Visa account.
  2. Mastercard (Mastercard SecureCode): Mastercard SecureCode adds a layer of security by requiring a code to authenticate the cardholder before the transaction can be completed.
  3. American Express (SafeKey): SafeKey is American Express's version of 3D Secure, offering similar protections and authentication mechanisms.
  4. EMVCo: A consortium of major card networks (Visa, Mastercard, JCB, American Express, China UnionPay, and Discover) that manages the development and implementation of 3D Secure standards.