Overview
3-D Secure 2.0 is an updated specification of 3-D Secure, EMVco's standard for securing e-commerce payments to comply with the Strong Customer Authentication (SCA) mandate in the European Union.
As of December, 31st 2020, international merchants who accept e-commerce or in-app payments must authenticate these payments in compliance with the 3-D Secure 2.0 specification. International merchants who do not use 3-D Secure to authenticate e-commerce payments are subject to declined authorizations and fines assessed by the card brands.
The changes described in this document are currently in development.
Understanding 3-D Secure 2.0
3-D Secure is a protocol developed by the card brands and EMVCo to provide additional cardholder security for e-commerce credit and debit card transactions. The 3-D Secure 2.0 specification was introduced in 2016 to comply with the Strong Customer Authentication (SCA) mandate in the European Union. This update also introduced an improved user experience, better support for mobile payments, and more dynamic authentication methods.
Using 3-D Secure to authenticate transactions reduces the risk of fraud and shifts liability for transaction disputes and chargebacks away from the merchant, to the issuer.
See https://3dsecure2.com/ for more information on 3-D Secure 2.0 as well as frequently asked questions.
The changes described in this document are currently in development for First Data/Fiserv Processing platforms.
As of January 23rd 2021, these updates are available on the First Data Rapid Connect platform for integrators using the CardPointe Gateway API and Oracle EBS integration to accept card-not-present payments.
To take advantage of this feature, you must integrate your application with a 3-D Secure provider service (for example, CardinalCommerce) to develop the challenge flow and user interface required to authenticate your cardholders and capture the required 3-D Secure data to pass to the CardPointe Gateway in your authorization requests. Note that this option may require your application to facilitate transmission of sensitive cardholder data to the service provider, which may increase your scope of PCI compliance. See Integrated Payment Application Changes, below for more information.
The CardPointe Gateway does not provide a mechanism for cardholder authentication.
While 3-D Secure is optional for merchants located in the United States, it is required for merchants located outside of the United States accepting e-commerce or mobile payments from international consumers.
Integrated Payment Application Changes
If you or your merchants use an application that integrates the CardPointe Gateway API to accept international e-commerce payments, you must update your application to become compliant with this mandate.
The changes required to comply with this mandate affect merchants who use an international merchant account (an account with domicility outside of the United States) to accept e-commerce or in-app payments.
New Authorization Request Parameters
Your application authenticates the payment with the 3-D Secure service provider (for example, CardinalCommerce). Your application must then parse the data returned by your 3-D Secure provider, and pass the following fields in the authorization request to the CardPointe Gateway.
In addition to the following 3DS-specific parameters, the authorization request must also include cvv2 parameter containing the CVV value for the card.
| Gateway Authorization Request Field | Cardinal Commerce | EMVco 3-D Secure Field Name | Length | Description |
|---|---|---|---|---|
| secureflag | ECIFlag | eci | 2 | Electronic Commerce Indicator (ECI) flag returned from your 3DS provider. One of the following values:
|
| securevalue | CAVV | authenticationValue | 28 for Visa 28-32 for Mastercard | A Base64-encoded Cardholder Authentication Verification Value returned from your 3DS provider. "securevalue":"=asju1ljfl86bAAAAAACm9zU6aqY=" |
| securedstid | DSTransactionId | dsTransID | 36 | Required for Mastercard Identity Check transactions. Unique transaction identifier assigned by the Directory Server (DS) to identify a single transaction. |
| secureexemption | N/A | N/A | 8 | Required for European web transactions if the transaction meets the criteria for exemption from the Strong Customer Authentication (SCA) mandate. One of the following values, if applicable:
|
Do not include secureexemption for other transactions that do not meet the above criteria; passing this field when not needed or applicable will cause declines. Contact your 3-D Secure provider and integration support for more information.