The 3-D Secure process provides enhanced security when performing an authenticated transaction as well as a shift of liability in the event of fraudulent transactions. Authentication should strengthen your existing anti-fraud strategy and help protect your business, but bear in mind that the coverage of authentication programs is currently limited to Internet transactions.
Restriction: This means that authentication programs do not cover fax, mail or phone orders (MO/TO), nor do they cover all card types. The additional security benefits and liability shift of authenticated transactions are currently only supported by Visa and MasterCard.
3-D Secure transaction workflow
Proceed as follows to carry out a transaction.
- The merchant calls the HiPay Enterprise API with an authentication_indicator value of 1 or 2 (or the Fraud Protection Service (FPS) asks for 3-D Secure). Please note that in case of an authentication_indicator value of 0, 3-D Secure is not triggered.
- To complete the purchase, the cardholder clicks on the Pay button after filling in payment card details on the payment page: this activates the Merchant Plug-In (MPI) and initiates a transaction.
- The MPI identifies the card number and sends it to the Directory Server to determine if the card is in a participating card range.
- If the issuer is participating for the card range, the Directory Server sends a Verify Enrollment Request message to the issuer’s Access Control Server (ACS) to determine if authentication is available for the account number.
- The ACS returns a Verify Enrollment Response to the Directory Server.
- If authentication is available for this card number, the response then provides the URL of the ACS where the cardholder can be authenticated. If the payment is on a hosted payment page, the redirection to the ACS will be done automatically.
- If authentication is not available, the HiPay server then receives a Cardholder Not Enrolled or Unable to Authenticate message and proceeds depending on the authentication_indicator value:
- 1: Proceeds with standard transaction processing (skip to step 13).
- 2: The transaction is refused.
- The Directory Server forwards the ACS response to the MPI.
- The MPI sends an Authentication Request message to the cardholder’s browser for routing to the ACS.
- The cardholder’s browser passes the Authentication Request to the ACS.
- The ACS authenticates the cardholder.
- The ACS creates, digitally signs and sends an Authentication Response to HiPay via the cardholder’s browser. The ACS also sends a transaction record to the Authentication History Server for storage.
- The browser routes the Authentication Response back to the MPI.
- The MPI validates the digital signature in the response, verifying that it is from a valid participating issuer.
- HiPay formats and sends its acquirer an Authorization Request message, which includes information from the issuer’s Authentication Response — including the CVV and the ECI. The acquirer passes the Authorization Request to the card network and the transaction completes through standard processing.
- HiPay sends a notification with the transaction status and 3-D Secure authentication result. Please refer to the Authentication Results section.
The following table lists the enrollment messages and statuses.
Is 3-D Secure available?
The card is enrolled in the 3-D Secure program and the payer is eligible for authentication processing.
Cardholder Not Enrolled
The card is not enrolled in the 3-D Secure program. Chargeback Liability Shift: If the cardholder later disputes the purchase, the issuer may not submit a chargeback to the merchant.
Unable to Authenticate
The card associations were unable to verify if the cardholder is enrolled in the 3-D Secure program. Merchants can choose to accept the card nonetheless and process the purchase as non-authenticated when submitting the authorization. Chargeback Liability Shift: The acquirer/merchant retains liability if the cardholder later disputes making the purchase.
Any error message here
An error occurred during the enrollment verification process. Chargeback Liability Shift: The card can be accepted for authorization processing, yet the merchant may not claim a liability shift on this transaction in case of a dispute with the cardholder.
The following table lists the authentication messages and statuses.
The cardholder was successfully authenticated. The issuer has authenticated the cardholder by verifying the identity information or password.
Authentication could not be performed but a proof of authentication attempt was provided.
Authentication Could Not Be Performed
The issuer is not able to complete the authentication request due to a technical error or another problem. Possible reasons include: invalid type of card such as a commercial card or any anonymous prepaid card. Unable to establish a TLS session with the cardholder’s browser.
The cardholder did not complete authentication and the card should not be accepted for payment. The following are reasons of failing an authentication: the cardholder fails to correctly enter the authentication information; the cardholder cancels the authentication process. An authentication failure may be a possible indication of a fraudulent user. The authorization request should not be submitted.
Any error message here
An error occurred during the authentication process. The authorization request should not be submitted.