3D Secure

Reduce fraud and increase security for online transactions

3D Secure is an online payment security protocol designed to reduce fraud and provide an additional layer of authentication for online transactions. When a customer makes an online purchase, 3D Secure requires them to complete an additional verification step with the card issuer, typically through a password, biometric authentication, or a one-time passcode sent over SMS.

Pricing

3D Secure production usage is covered by the Platform plan.

You can use Sandbox apps to try it for free and test the full 3D Secure Authentication process without using live data. Once you're ready to transition to processing real authentications, please contact our support team at support@evervault.com.

The benefits of 3D Secure


Implementing 3D Secure for online payments provides several benefits for both merchants and customers, enhancing overall transaction security and achieving regulatory compliance.

  • Reduced fraud

    By requiring an additional authentication step, 3D Secure significantly decreases the risk of unauthorized transactions. This added security measure helps to ensure that the person using the card online is the legitimate cardholder.

  • Liability shift

    One of the key advantages for merchants using 3D Secure is the liability shift. If a transaction is authenticated using 3D Secure and later turns out to be fraudulent, the liability for the chargeback shifts from the merchant to the card issuer. This can result in substantial cost savings and reduced chargeback rates for merchants.

  • Regulatory compliance

    With the increasing emphasis on online transaction security and regulations such as PSD2/SCA in Europe, implementing 3D Secure helps merchants comply with these regulations and avoid potential fines and penalties.

How 3D Secure works


3D Secure consists of several steps involving merchants, card networks, and card issuers to allow customers to be authenticated during online purchases. At a high level, a standard challenge flow looks like this.

  1. Payment initiation

    When a customer initiates an online purchase and enters their card details on the merchant's website, the merchant recognizes that the card is enrolled in 3D Secure and triggers the authentication process.

  2. Issuer challenge

    The customer is redirected to a web page hosted by their card issuer where the customer is asked to authenticate themselves. This can be done through various methods, such as entering a static password, a one-time password (OTP) sent over SMS, or using biometric authentication (e.g., fingerprint or facial recognition).

  3. Process payment

    If the authentication is successful, the merchant processes the authenticated transaction and the customer is redirected back to the merchant's website with a confirmation of their purchase. If the authentication fails or isn't completed, the transaction is typically declined, and the customer is informed of the failure.

3DS supports frictionless authentications as well, which require no interaction from the customer. A frictionless flow is initiated when the issuer determines that a transaction is low-risk, eliminating the need for additional verification steps. Frictionless authentications aren't always possible, but they provide a much smoother customer experience because there's no challenge displayed to the customer, meaning there's no action for them to take.

3DS with Evervault


Although the 3DS protocol is known for being difficult to work with, we built our solution from scratch (and we run our own 3DS server). We did this to make our API straightforward to use. We don't wrap other solutions, and our API isn't just a one-to-one mapping of the 3DS protocol. We manage a lot of the complexity for you, and surface just the parts you need to configure and control 3DS the way you want to. Completing a 3DS authentication with Evervault takes three steps:

  1. Create the session
  2. Run the session on your frontend
  3. Retrieve and forward authentication credentials as needed

That last step is an important differentiator. Because our solution is standalone, you can use 3DS authentications with any downstream partner. This is especially important for integrating with multiple payment service providers (PSPs). You could integrate with each PSP and use their 3DS solutions, but there are some issues with that. You're limited on the configuration side to whatever the PSPs allow, and it makes for an inconsistent customer experience because each 3DS implementation is different. Evervault lets you configure your own 3DS flows, and then share the results with any PSP, and customers always see the same interface.

Get started with 3D Secure


To start, you need to create a Sandbox app. Sandbox apps allow you to test 3D Secure without affecting live data. When you're ready to go live, contact our support team to enable 3D Secure on your production app.

Configuring acquirers

Acquirer details aren't required when testing in Sandbox mode. However, you must configure acquirer details before moving to production.

1. Create a 3DS session


Use the create session endpoint by providing the card (in encrypted form using our card collection, as a network token, or in plaintext), merchant, and payment details. Do this from your backend and then pass the session ID to your client code.

3DS Requestor Initiated (3RI) transactions


Merchant-initiated transactions (MIT) are commonly used to charge customers for subscriptions, installment payments, etc. 3RIs are a form of MIT that include a 3DS authentication without the cardholder being present (flows are frictionless and either succeed or fail, there's no challenge involved). These 3RIs are often used instead of standard MITs because they can improve acceptance rates and may still result in liability shift (moving chargeback liability from you to the issuer).

To use 3RIs, you still complete initial 3DS sessions with customers. You keep track of the session ID, and then you use it later to create a 3RI which carries over the authentication. To create a 3RI transaction, set the:

2. Run the session on your frontend


After creating the session, use our client-side SDKs to complete the authentication flow on your frontend. If for some reason you can't use our SDKs, you can try using a redirect but Evervault doesn't generally recommend this (redirects add friction to the customer experience).

Install the SDK


Our JavaScript SDK is distributed from our CDN, and can be installed by placing this script tag in the head of your HTML file. The SDK must be loaded directly from our CDN and cannot be bundled with your application or self hosted.

Once the SDK is installed, initialize it using your Team ID and App ID. You can find these in the Evervault Dashboard.

You can also install Evervault via the @evervault/js package on npm. This package is a light wrapper which handles loading the SDK from our CDN and also provides TypeScript definitions.

Frequently Asked Questions

Start the authentication


The ThreeDSecure component can be initiated using the evervault.ui.threeDSecure method by passing the session ID obtained in the previous step. After you initialize the ThreeDSecure component, call the .mount() method to open the 3DS modal in the customer's browser to start the authentication process. The success event will be fired after the authentication process completes. The failure event will be fired if the authentication process fails (e.g., the customer failed to authenticate). These callbacks occur regardless of whether there was a challenge or if the flow was frictionless.

Learn more about the JavaScript SDK.

Frequently Asked Questions

3. Retrieve and forward authentication credentials


After completing the authentication, you can retrieve information about the session as needed. To process the transaction and ensure liability is shifted, pass the raw Electronic Commerce Indicator (ECI) and 3DS cryptogram to your payment gateway or PSP.

In some cases, downstream partners might also require one or more of these IDs:

These values are specific to the 3DS protocol, and not Evervault. They're sometimes requested in addition to the ECI and cryptogram, but not every provider requires them.

Configuring acquirer details


Acquirer details aren't required in Sandbox mode but you do need them to use 3DS in production. Evervault automatically passes this information in when 3DS sessions are created, although you can pass values in manually yourself.

You can configure acquirers in the dashboard or with the API, and you can set up default acquirers for each card network (Visa, Mastercard, etc.). When creating a 3DS session, Evervault uses the appropriate acquirer configuration based on the card network. Configurations are specific to each app, so you need to configure these for your staging and production apps separately.

Acquirer info request template


If you need to obtain acquirer information from one of your partners (e.g., PSPs), you can use the template message below to request it. It covers everything you need to configure acquirers within Evervault.

Provide acquirer details per request


Alternatively, you can provide acquirer details when creating each 3DS session by including the acquirer object in your API request. This approach is useful if you work with multiple acquirers or need to specify different acquirer details for different transactions. However, supplying acquirer details per request adds complexity to your integration. You'll likely need to perform a BIN lookup to identify the card network, so that you can then decide which acquirer BIN or MID values to provide for each transaction.

How Evervault resolves acquirer details


When you create a 3DS session, Evervault follows this process to determine which acquirer configuration to use:

  1. If your request includes an acquirer object, those details are used.
  2. If your request includes an ID of an acquirer configuration in the acquirer field, that configuration is used.
  3. If no acquirer details are provided in the request, Evervault uses the default acquirer configuration for the card's network, if available.
  4. If no acquirer details can be resolved, session creation fails.

Testing your implementation


Provided you are using a Sandbox app, you can use specific test cards to simulate various real-life scenarios. These cards can be used in conjunction with any valid expiry date or CVC.

NumberBrand

3D Secure challenge flow

The following test cards will result in a 3D Secure challenge being shown.

4242 4242 4242 4242

Visa

5555 5555 5555 4444

Mastercard

3714 4963 5398 431

American Express

6011 1111 1111 1117

Discover

3622 720627 1667

Diners Club

Successful frictionless flow

The following test cards will result in a successful frictionless authentication, with no challenge shown.

4111 1101 1663 8870

Visa

5555 5501 3065 9057

Mastercard

3782 8224 6310 005

American Express

6011 0009 3838 5477

Discover

3622 720638 3827

Diners Club

Failed frictionless flow

The payment will fail frictionless authentication and a challenge will not be shown.

4111 1117 3897 3695

Visa

5555 5504 8784 7545

Mastercard

3782 8224 6310 013

American Express

6011 0009 3838 3100

Discover

3622 720638 3835

Diners Club

Attempted authentication

In some rare occasions a 3DS transaction cannot be authenticated by the ACS. In these scenarios, the Card Network stands in and accepts the liability shift (without a challenge being shown).

4111 1101 4848 6405

Visa

5555 5588 2481 5604

Mastercard

3782 8224 6310 021

American Express

6011 0009 3838 7572

Discover

3622 720638 3850

Diners Club

Alternative configurations


These alternative configurations mostly relate to using redirects and the failOnChallenge flag. Both have somewhat niche use cases but can be useful in the right situations.

Using failOnChallenge


3DS supports frictionless and challenge flows. Frictionless authentication requires no interaction from the customer (and maintains liability shift). The frictionless flow automatically occurs when the issuer determines that a transaction is low-risk, eliminating the need for additional verification steps. This is a much smoother customer experience.

In challenge flows, customers are required to complete an authentication step to verify their identity. This is higher friction and usually requires a password, biometric authentication, etc.

The issuer decides on the flow, but Evervault provides an additional flag that can reduce friction when a challenge is requested. When you create 3DS sessions, you can set failOnChallenge to true. If a challenge is requested, Evervault automatically fails the 3DS session which prevents the challenge from ever being shown to the customer. This isn't technically a frictionless flow in terms of 3DS, but it does allow you to skip the challenge.

EU transactions

The challenge flow is required for EU transactions and as a result frictionless-only 3D Secure isn't supported by banks in the EU.

Using a page redirect


The 3D Secure challenge can also be loaded directly—either through a full page redirect or served within an <iframe> or mobile web view. In this scenario, fingerprinting and challenge windows are presented directly in the user's browser. Once the 3D Secure authentication has been finalized (with either a success, a failure, or an error) the page is redirected back to a callback URL of your choice.

Once the 3D Secure session has been finalized, the page will redirect back to the URL provided in the redirect parameter with status and session appended to the URL parameters. More details about the 3D Secure Session can be retrieved from our API.

URL Parameters
  • team

    The Team ID found in the Evervault Dashboard.

  • app

    The App ID found in the Evervault Dashboard.

  • session

    The 3D Secure session ID.

  • redirect

    The URL to redirect to once the 3D Secure session has been completed. Additional URL parameters will be appended to this URL. Deep links are also supported for mobile implementations.

    For example, if you provided 'https://3ds-redirect.testmerchant.com' as the redirect, the user's browser would redirect to 'https://3ds-redirect.testmerchant.com/?status=success&session=tds_abc123'. Status can be success, failure, or error