3D Secure for regulation compliance

Learn what you need to do to stay compliant with authentication regulations and to retain maximum conversion for your online card payment transactions.

What you need to know

Card schemes and regulatory agencies around the world are taking action to make payments safer and more secure for cardholders. For example, the European Commission issued the Revised Payment Services Directive (PSD2) governing electronic payments within Europe. PSD2 includes a mandate that requires banks to perform strong customer authentication (SCA) for online payments.

Most regulations apply to issuing banks and not to you as a merchant. However, you risk lower authorisation rates if an issuing bank evaluates a transaction as non-compliant and refuses it as a result.

What you need to do

To make sure that your transactions comply with regulations like PSD2 SCA, you need to implement 3D Secure, an authentication protocol developed by EMVCo and supported by major card schemes.

We recommend that you become familiar with guidance from regulatory agencies and card schemes, and with the EMVCo specifications. In addition, we as your payment service provider will provide further guidance to help ensure that while you are complying with regulations, you are also maintaining a good online payments experience for your shoppers. For example, we have a comprehensive PSD2 compliance and integration guide where we describe how PSD2 SCA may affect different business models.

The next sections describe the following topics on regulations and online payments authentication in general:

Overview of existing regulations

Here are examples of existing regulations that may apply either to you or to issuing banks if you are conducting business in the following regions:

See PSD2 SCA compliance and implementation guide for more information on actions that you need to take to comply with the EU directive.

  • Australia: AusPayNet regulations require merchants above fraud thresholds to apply 3D Secure 2 by Q2 2019. This applies to merchants with more than AUD 50,000 in fraud losses and a fraud-to-sales ratio of 0.2% and above for two consecutive quarters. If you exceed the fraud thresholds, you need to implement 3D Secure 2 by Q4 2019 at the earliest.
  • Brazil: In Brazil, all debit card transactions require authentication from the issuing bank.
  • Europe: The Revised Payment Services Directive (PSD2) requires European banks to use strong customer authentication (SCA) for online banking and online payment transactions within the EEA, excluding out-of-scope transactions and exemptions.
  • India: In India, banks are required to perform authentication on all domestic ecommerce transactions.
  • Malaysia: In Malaysia, issuing banks may require authentication on their BINs; otherwise, authorisation rates will be low.

This list is not complete as regulations change across the world. For full information on regulations for a region or specific country, contact your account manager.

Important dates

The following are dates from regulatory boards and card schemes, specifying when regulations will take effect and when card schemes will start supporting the new version of 3D Secure.

  • April 2019: Major card schemes start granting liability shift for 3D Secure 2 transactions. Early adopter issuing banks in Europe are expected to start supporting 3D Secure 2.
  • 12 April 2019: Visa applies 3D Secure 2 liability shift rules in Europe.
  • 15 August 2019: Visa applies liability shift rules in US, Canada, and Latin America.
  • 14 September 2019: PSD2 SCA becomes mandatory in EU. All issuing banks are expected to implement SCA, in the form of 3D Secure.
  • October 2019: Mastercard applies liability shift rules in APAC, LATAM, MEA, North America, and in countries with regulations (Nigeria, South Africa, India, Singapore, Bangladesh, and Malaysia).
  • 18 April 2020: Visa applies liability shift rules in APAC and CEMEA.
  • December 2020: This is currently the scheduled end-of-support date for 3D Secure 1 as communicated by card schemes.

For more information on liability shift rules once you have implemented 3D Secure 2, see 3D Secure 2 chargeback liability shift rules.

Use 3D Secure for compliance

3D Secure is an authentication protocol that provides an additional layer of verification for card-not-present (CNP) transactions. The protocol is compliant with authentication regulations, including the SCA mandate from PSD2.

3D Secure has two available versions:

  • 3D Secure 1: Before a payment is authenticated, shoppers are redirected to the card issuer's site to provide additional authentication data such as a password or an SMS verification code. The redirection introduced in 3D Secure 1 might lead to lower conversion rates due to technical errors during the redirection or due to shoppers dropping out of the authentication process.
  • 3D Secure 2: Unlike the previous version where shoppers are redirected to another site, in 3D Secure 2 the card issuer performs the authentication within your app or payment form. The shopper's identity may be verified using passive, biometric, and two-factor authentication approaches.

Guidance for implementing 3D Secure

We recommend that you implement both 3D Secure 1 and 3D Secure 2. If you are already using 3D Secure 1, implement 3D Secure 2 and keep your 3D Secure 1 integration working until the card schemes' end-of-support schedule for 3D Secure 1 between 2020 and 2021. We also recommend that you work with a provider like Adyen that provides a 3D Secure 1 fallback mechanism.

In Europe, the industry expectation is that some issuing banks will continue to use 3D Secure 1 as a compliant form of SCA, even after 14 September 2019 (when PSD2 SCA becomes mandatory). Some of these banks may refuse authorisations if you do not use 3D Secure 1. See PSD2 SCA compliance guide for more information.

3D Secure chargeback liability shift rules

When you implement 3D Secure 2 authentication, you can avoid the liability for chargebacks in case of fraud (for example, a chargeback claim due to a lost or stolen card). This is called a liability shift.

The general rule is that if a shopper successfully completes a 3D Secure 2 challenge authentication flow, the liability for fraudulent chargebacks shifts from you to the card issuer. In a challenge flow, the issuer requires additional shopper interaction. In some regions, card schemes may grant liability shift after a successful frictionless flow, where the transaction is approved after a passive authentication.

The following tables show the liability shift rules for Visa and Mastercard. Note that the general rule applies to the transaction types, unless specified.

Visa liability shift rules

| Region/Countries | Period | Transaction type | Liability shift applies? |
|---|---|---|---|
| EU | From April 2019 onwards | 3D Secure 2 transaction. | Yes |
| EU | From April 2019 onwards | PSD2 SCA out-of-scope transactions. | No |
| EU | From April 2019 onwards | 3D Secure 2 transactions where merchant or acquirer requests a PSD2 exemption and the issuer grants an exemption. | No |
| EU | From September 2019 onwards | 3D Secure 2 transactions where issuing bank applies a PSD2 exemption without the merchant or acquirer requesting it. For example, issuer TRA. | Yes |
| Brazil | From 15 August 2019 | 3D Secure 2 transaction. | Yes |
| US, Canada, LATAM | Before 15 August 2019 | 3D Secure 2 transaction. | No |
| US, Canada, LATAM | After 15 August 2019 | 3D Secure 2 transaction successfully completed through either frictionless or challenge flow. | Yes |
| APAC, MEA | Before 18 April 2020 | 3D Secure 2 transaction. | No |
| APAC, MEA | After 18 April 2020 | 3D Secure 2 transaction successfully completed through either frictionless or challenge flow. | Yes |

For Visa transactions, the chargeback protection is valid for 90 days.

Mastercard liability shift rules

| Region/Countries | Period | Transaction type | Liability shift applies? |
|---|---|---|---|
| Brazil | From October 2018 onwards | 3D Secure 2 transaction. | Yes |
| EU | Between April to September 2019 | 3D Secure 2 transaction with an issuer that supports 3D Secure 2. | Yes |
| EU | Between April to September 2019 | 3D Secure 2 transaction with an issuer that does not support 3D Secure 2. | Yes, but only if the issuer is unable to respond to a 3D Secure 2 call due to technical reasons. |
| EU | From April 2019 onwards | PSD2 SCA out-of-scope transactions. | No |
| EU | From April 2019 onwards | 3D Secure 2 transactions where merchant or acquirer requests a PSD2 exemption and the issuer grants an exemption. | No |
| EU | From September 2019 onwards | 3D Secure 2 transaction. | Yes |
| EU | From September 2019 onwards | 3D Secure 2 transactions where issuing bank applies a PSD2 exemption without the merchant or acquirer requesting it. For example, issuer TRA. | Yes |
| Countries with existing regulations that require 3D Secure implementation: Nigeria, South Africa, India, Singapore, Bangladesh, Malaysia | Before October 2019 | 3D Secure 2 transaction. | No |
| Countries with existing regulations that require 3D Secure implementation: Nigeria, South Africa, India, Singapore, Bangladesh, Malaysia | After October 2019 | 3D Secure 2 transaction successfully completed through either frictionless or challenge flow. | Yes |
| Non-EU regions and countries not listed in the previous row: APAC, LATAM, MEA, North America | Before October 2019 | 3D Secure 2 transaction. | No |
| Non-EU regions and countries not listed in the previous row: APAC, LATAM, MEA, North America | After October 2019 | 3D Secure 2 transaction successfully completed through either frictionless or challenge flow. | Yes |

For Mastercard transactions, the chargeback protection is valid for 30 days. Starting from 2020, Mastercard will extend liability shift validity to 90 days.

Your options for implementing 3D Secure 2

Learn how you can support 3D Secure 2 depending on your existing integration with Adyen.

| Your Adyen integration | What you need to do to support 3D Secure 2 |
|---|---|
| Online payments API | Add 3D Secure 2 Components on your frontend or client and include 3D Secure 2 parameters in your existing API calls. |
| Quick integration Checkout SDKs | For mobile, make sure you are on the following versions: |
| Quick integration Checkout SDKs | For Web SDK, no action required. 3D Secure 2 will be supported in all existing versions through a redirect. |
| Plugins for Magento 1 and 2, SFCC, or SAP Commerce (Hybris) | 3D Secure 2 will be natively supported in new versions that will be released by June 2019. Check back on this page or watch for our releases on our GitHub pages for Magento 1, Magento 2, Salesforce Commerce Cloud, or SAP Commerce (Hybris). |
| Hosted Payment Pages (HPP) | 3D Secure 2 will be natively supported through a redirect. However, we strongly recommend that you move your implementation to our online payments API with the 3D Secure 2 Component for a better user experience. |
| Classic integration or CSE | Use our helper functions for web and the Classic integration 3D Secure 2 SDKs for mobile. |

If you are a new merchant, also check out our 3D Secure 1 implementation.

For guidelines on using 3D Secure 2 with your current business model, see PSD2 SCA compliance and implementation guide.
