Updated February 10th, 2021


3-D Secure 2.0 is an updated specification of 3-D Secure, EMVco's standard for securing e-commerce payments to comply with the Strong Customer Authentication (SCA) mandate in the European Union. 

As of December, 31st 2020, international merchants who accept e-commerce or in-app payments must authenticate these payments in compliance with the 3-D Secure 2.0 specification. International merchants who do not use 3-D Secure to authenticate e-commerce payments are subject to declined authorizations and fines assessed by the card brands.

The changes described in this document are currently in development.

Understanding 3-D Secure 2.0

3-D Secure is a protocol developed by the card brands and EMVCo to provide additional cardholder security for e-commerce credit and debit card transactions. The 3-D Secure 2.0 specification was introduced in 2016 to comply with the Strong Customer Authentication (SCA) mandate in the European Union. This update also introduced an improved user experience, better support for mobile payments, and more dynamic authentication methods. 

Using 3-D Secure to authenticate transactions reduces the risk of fraud and shifts liability for transaction disputes and chargebacks away from the merchant, to the issuer.

See https://3dsecure2.com/ for more information on 3-D Secure 2.0 as well as frequently asked questions.

The changes described in this document are currently in development for First Data/Fiserv Processing platforms.

As of January 23rd 2021, these updates are available on the First Data Rapid Connect platform for integrators using the CardPointe Gateway API and Oracle EBS integration to accept card-not-present payments.

To take advantage of this feature, you must integrate your application with a 3-D Secure provider service (for example, CardinalCommerce) to develop the challenge flow and user interface required to authenticate your cardholders and capture the required 3-D Secure data to pass to the CardPointe Gateway in your authorization requests. Note that this option may require your application to facilitate transmission of sensitive cardholder data to the service provider, which may increase your scope of PCI compliance. See Integrated Payment Application Changes, below for more information.

The CardPointe Gateway does not provide a mechanism for cardholder authentication.

While 3-D Secure is optional for merchants located in the United States, it is required for merchants located outside of the United States accepting e-commerce or mobile payments from international consumers. 

Integrated Payment Application Changes

If you or your merchants use an application that integrates the CardPointe Gateway API to accept international e-commerce payments, you must update your application to become compliant with this mandate.

The changes required to comply with this mandate affect merchants who use an international merchant account (an account with domicility outside of the United States) to accept e-commerce or in-app payments.

New Authorization Request Parameters

Your application authenticates the payment with the 3-D Secure service provider (for example, CardinalCommerce). Your application must then parse the data returned by your 3-D Secure provider, and pass the following fields in the authorization request to the CardPointe Gateway.

In addition to the following 3DS-specific parameters, the authorization request must also include cvv2 parameter containing the CVV value for the card. 

Request Field

Cardinal Commerce
Response Field

EMVco 3-D Secure
Field Name 


2Electronic Commerce Indicator (ECI) flag returned from your 3DS provider.

One of the following values:
  • 05 - Fully-authenticated transaction
  • 06 - Attempted authentication transaction
securevalueCAVVauthenticationValue28 for Visa

28-32 for Mastercard

A Base64-encoded Cardholder Authentication Verification Value returned from your 3DS provider.

For example:


Required for Mastercard Identity Check transactions.

Unique transaction identifier assigned by the Directory Server (DS) to identify a single transaction.

secureexemptionN/AN/A8Required for European web transactions if the transaction meets the criteria for exemption from the Strong Customer Authentication (SCA) mandate.

One of the following values, if applicable:

  • ivr - The transaction is authorized using a secure IVR system between the merchant and cardholder.
  • lowrisk - The transaction is considered low-risk. Requires an agreement between the merchant and issuer. 
  • lowvalue - The transaction amount is less than 30 euros (€30) .
  • trusted - For Visa only, if the merchant has a trusted agreement with the issuer.

Do not include secureexemption for other transactions that do not meet the above criteria; passing this field when not needed or applicable will cause declines. Contact your 3-D Secure provider and integration support for more information.


How do I know If I am required to use 3-D Secure?

If you have an international merchant account, based outside of the United States, and you accept e-commerce or in-app payments from international customers, you are required to use 3-D Secure to authenticate your cardholders, to comply with the EU's Strong Customer Authentication mandate.

What is 3-D Secure?

3-D Secure is an e-commerce payment authentication specification developed by EMVco LLC, a joint operation of the payment card brands, to satisfy the Strong Customer Authentication requirement imposed on businesses operating in the European Union.

3-D Secure requires merchants to authenticate a cardholder's identity before accepting a payment from the cardholder using an application or website.

You can read more about 3-D Secure at the following page: https://www.emvco.com/emv-technologies/3d-secure/.

If I already use 3-D Secure 1.0, do I need to update to 2.0?

Yes. Beginning in December 2020, affected merchants will be required to update their payments applications to comply with the 3-D Secure 2.0 specification. The 1.0 specification will be deprecated.

If you are already using 3-D Secure 1.0 with the CardPointe Gateway, you must include an additional field, dsTxnId, to comply with Mastercard's 3-D Secure 2.0 requirements.

Reach out to your 3-D Secure provider for information on upgrading your specific solution.

What will happen if I do not use 3-D Secure 2.0?

If your business case requires you to use 3-D Secure to comply with the EU's Strong Customer Authentication mandate, you must update your application to use 3-D Secure 2.0 by December 31st, 2020. Failure to do so will result in e-commerce transaction declines and penalties assessed by the card brands.