3D Secure¶
3D Secure 1.x¶
3D Secure is an option to enhance security and prevent fraud. This is done by checking 3D Secure enrolment status of card holders and performing 3D Secure authentication of enrolled cards. Merchants must decide on whether they want this option activated, or in some cases this is also required by the acquiring bank. If 3D Secure is used, the merchant must decide on a configuration profile that specifies how restrictive the liability shift rules are applied. Currently there are two profiles available:
Profile "Accept all cards"¶
This means that Worldline will process all cards. If the card is enrolled in 3D Secure, 3D Secure verification will be performed. If not, the card will be processed in any case.
Basic flow: Worldline checks if 3DS authentication is required for the card. If it is, Worldline redirects the consumer to the ACS (Access Control Server). Else, the payment continues directly with card processing.
In case the consumer is redirected to the ACS, Worldline awaits the response and depending on the response it performs the following actions:
- If authentication is successful it will continue with 3DS processing.
- If authentication is not required it will continue without 3DS.
- If the authentication was not successful, the merchant informs the CardHolder that the purchase was declined.
Profile "Only accept cards that are enrolled in 3D Secure"¶
This means that when a consumer enters a card number, Worldline will check if the card is enrolled in 3D Secure. If it is, the consumer will be redirected to the issuing bank and the transaction will proceed as normal. If the consumer is not enrolled in 3D Secure, Worldline will decline the transaction.
Basic flow: Worldline checks if 3DS authentication is required for the card. If it is, Worldline redirects the consumer to the ACS (Access Control Server). Else, the transaction is declined.
In case the consumer is redirected to the ACS, Worldline awaits the response and depending on the response it performs the following actions:
- If authentication is successful it will continue with 3DS processing.
- If the authentication was not successful, the merchant informs the CardHolder that the purchase was declined.
Please note that the configuration for these profiles is done by Worldline on behalf of the merchant.
3D Secure 2.x¶
The 3D-Secure authentication protocol is based on a three-domain model where the Acquirer Domain and Issuer Domain are connected by the Interoperability Domain for the purpose of authenticating a Cardholder during an electronic commerce (e-commerce) transaction or to provide identity verification and account confirmation. EMVCo specifies protocol and core functions of 3-D Secure 2.0. EMVCo is an organization overseen by American Express, Discover, JCB, MasterCard, UnionPay, and Visa. Worldline clients who implement 3-D Secure benefit by reducing the chargeback risk of transactions and in most cases also shifts the liability for chargeback's from themselves to the issuing banks.
Please refer section Request Parameters specific to 3D Secure for parameters to facilitate 3DS processing.
PaymentPage templates to support 3DS 2.x¶
In order to support 3DS 2.x, add the below two templates in the PaymentPageTemplate zip file (please refer Example_templates.zip/Templates/template folder in the PaymentPage Start Kit).
- continue_auth.template
- complete_auth.template
Authentication Statuses¶
Below are the statuses shown in case of PaymentPage:
| Authentication Statuses | Description |
|---|---|
| SUCCESSFUL | Status indicates that the authentication is successful |
| ATTEMPTED | Status indicates that the authentication is attempted. Partially successful |
| TRY_AGAIN | Status indicates that the authentication is not successful |
Strong Customer Authentication¶
If Merchant is enabled for 3DSecure and Strong Customer Authentication is also required, then it will be redirected to 3DSecure Authentication.
Merchant is enabled for 3DSecure and Strong Customer Authentication is not required, then depending on the value for request parameter 'SCA' (It specifies whether Strong Customer Authentication is required or not).
-
When parameter SCA is set to 'enforced', then the transaction will continue with the 3DSecure Authentication.
-
When parameter SCA is either set to 'optional' or not set to any value, then the transaction will continue with the normal payment flow. If Worldline gets an answer code indicating that Strong Customer Authentication is required in the response, then the transaction will automatically get redirected to 3DSecure Authentication.
Additional PaymentPage Configurations¶
On unsuccessful authentication like -Attempt ,Unavailable and Not authenticated, PaymentPage provides some additional configuration to continues payment.
Based on the Merchant configurations/request parameters, following actions can be performed:
Property name: PaymentAuthenticationLevel
Please refer below table for detail configuration for payment flow.
| Values | Y | A | N | U | R |
|---|---|---|---|---|---|
| Proceed when SCA Successful | - | No Payment | No Payment | No Payment | No Payment |
| Proceed when SCA Attempted | - | Payment | No Payment | No Payment | No Payment |
| Proceed without SCA (Not recommended) | - | Payment | No Payment | Payment (Send Auth Result in Payment Request) | No Payment |
Please note that the configurations for these profiles is done by Worldline on behalf of the merchant.