Know More About 3D-Secure Transaction

The most important thing a merchant needs to know about a 3D-Secure (3DS) transaction is the liability shift. To make this clearer, the following diagram shows that any party that does not have 3D-Secure in place will be liable and exposed to the risk of an unauthorized-transaction chargeback.

Merchant with 3D enabled | Cardholder with 3D enrolled | Authentication | Liability
Dispute Cardholder
Dispute Issuer
Dispute Issuer
Dispute Merchant
Dispute Merchant

Razer Merchant Services can process both 3DS and non-3DS transactions, depending on the merchant's requirements.

In most cases, we encourage merchants to opt for 3DS transactions only, especially those selling digital goods (games, virtual products, e-books, downloadable software, apps, instant top-up or reload services) that are dispensed immediately after payment is made.

ECI values summary

ECI Values | Description | Notes
02, 05 | 3D enrolled, Chargeback protection | All payments shall be processed without getting blocked
01, 06 | Non-3D enrolled, but still has Chargeback protection | We recommend processing these, as they have Chargeback protection
00, 07 | Non-3D enrolled, no Chargeback protection | There will be no Chargeback protection if the cardholder failed to authenticate or is not 3DS enrolled

ECI Values | Description
05 | Authentication Confirmation | Both cardholder and card issuing bank are 3D enabled. 3D card authentication is successful
06 | Attempted Authentication | Either cardholder or card issuing bank is not 3D enrolled. 3D card authentication is unsuccessful, in situations such as: 1. Cardholder not participating or enrolled in 3DS; 2. Card issuing bank is not 3D-Secure available (yet or just temporarily)
07 | Denial | Authentication is unsuccessful or not attempted. The credit card is either a non-3D card or the card issuing bank does not handle it as a 3D transaction.

Razer Merchant Services Payment Channels - Mastercard
ECI Values | Description
00 | Denial | Authentication is unsuccessful or not attempted. The credit card is either a non-3D card or the card issuing bank does not handle it as a 3D transaction
01 | Attempted Authentication | Either cardholder or card issuing bank is not 3D enrolled. 3D card authentication is unsuccessful, in situations such as: 1. 3D Cardholder not enrolled; 2. Card issuing bank is not 3D Secure ready
02 | Authentication Confirmation | Both cardholder and card issuing bank are 3D enabled. 3D card authentication is successful

Razer Merchant Services helps protect merchants' interests in both 3DS and non-3DS scenarios. As a preventive measure, Razer Merchant Services checks the card against a BIN database to determine whether the card is mandated for 3DS enrollment and/or whether it is allowed to transact online (for e-commerce transactions).

Razer Merchant Services then sends the card information to the acquiring bank for processing, and the 3D flag status that comes back is compared with the merchant's setting. Once a transaction is detected as non-3DS, Razer Merchant Services immediately voids it to safeguard the merchant from receiving any signal to issue or deliver their goods/services.

There are cases where a 3D-enrolled cardholder can actually perform a non-3DS transaction. The transaction requires the cardholder to enter an OTP from an SMS, but it ends up as a non-3DS transaction. This can happen when the issuing bank has a problem with its ACS or authorization module. This is a hidden risk for many online sellers, but not for Razer Merchant Services merchants.
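The comparison of the returned ECI with the merchant's setting, including the case where an OTP was prompted but the result is still non-3DS, can be sketched as follows. This is an added example, not Razer Merchant Services code; the function names, the dict keys, the `three_ds_only` setting, the `screen` action and the `visa` label for the 05/06/07 table are assumptions.

```python
# ECI groupings from the page's tables, split per card scheme.
# "visa" as the label for the 05/06/07 table is an assumption; the page
# names only Mastercard (00/01/02).
ECI_TABLE = {
    "visa":       {"05": "authenticated", "06": "attempted", "07": "none"},
    "mastercard": {"02": "authenticated", "01": "attempted", "00": "none"},
}
# Summary table: 02/05 and 01/06 carry chargeback protection, 00/07 do not.
PROTECTED = {"authenticated", "attempted"}


def normalize_eci(raw):
    """Return the ECI as a two-digit string, or None if it is unusable."""
    if raw is None:
        return None
    text = str(raw).strip()
    if not text.isdigit() or len(text) > 2:
        return None
    return text.zfill(2)


def decide(txn, three_ds_only):
    """Return (action, reason) for one authorisation result.

    txn is a dict with hypothetical keys: scheme, eci, otp_prompted.
    otp_prompted is deliberately ignored: only the ECI returned with the
    authorisation says whether liability shifted.
    """
    eci = normalize_eci(txn.get("eci"))
    outcome = ECI_TABLE.get(str(txn.get("scheme", "")).lower(), {}).get(eci)
    if outcome is None:
        return ("void", "unknown scheme/ECI combination, fail closed")
    if outcome in PROTECTED:
        return ("process", f"ECI {eci}: {outcome}, chargeback protection")
    if three_ds_only:
        return ("void", f"ECI {eci}: non-3DS, merchant is 3DS-only")
    return ("screen", f"ECI {eci}: non-3DS, no chargeback protection")


# Constructed sample results (not real transactions).
SAMPLES = [
    {"scheme": "visa", "eci": "05", "otp_prompted": True},
    {"scheme": "mastercard", "eci": 1, "otp_prompted": False},
    {"scheme": "visa", "eci": "07", "otp_prompted": True},   # OTP shown, still non-3DS
    {"scheme": "mastercard", "eci": "05", "otp_prompted": True},  # wrong scheme for 05
]

if __name__ == "__main__":
    for t in SAMPLES:
        print(t, "->", decide(t, three_ds_only=True))
```
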

For merchants that accept non-3DS transactions, Razer Merchant Services helps increase the acceptance rate up to 98% with instant big data analysis, compared with traditional rule-based filtering, and provides 100% chargeback-free coverage for merchants.

Leveraging the big data available on social media platforms, machine learning technology can process more than 80k data points within a few milliseconds. A very complex decision can therefore be made immediately after the buyer clicks the PAY button, and we know almost in real time whether to process or block the transaction.

As we have learnt, a 3DS transaction should be fraud-free and free of chargebacks for unauthorized-transaction reasons for acquiring parties, but that does not mean the issuing bank sees no fraudulent transactions.

Recently we detected a few fraudulent 3DS transactions from other countries, which our risk management team thinks may be due to inappropriate implementation of the 3DS authorization method at the issuing party. There are many ways of implementing 3DS authentication of a cardholder.

In Southeast Asia, the common practice is to send an OTP by SMS to the cardholder's registered mobile number. In other regions, there may be different approaches to 3DS authentication.

A fraudulent 3DS transaction can easily happen when the issuing party uses default cardholder identity-related data or a fixed password to authenticate 3DS transactions, or through interception of the SMS that contains the OTP, a MITM attack, or leaking of individual data. However, the acquiring party and merchant are still safe and protected when encountering a fraudulent 3DS transaction, due to the liability shift.
