3D Secure for regulation compliance

Learn what you need to do to stay compliant with authentication regulations and to retain maximum conversion for your online card payment transactions.

What you need to know

Card schemes and regulatory agencies around the world are taking action to make payments safer and more secure for cardholders. For example, the European Commission issued the Revised Payment Services Directive (PSD2) governing electronic payments within Europe. PSD2 includes a mandate that requires banks to perform strong customer authentication (SCA) for online payments.

Most regulations apply to issuing banks and not to you as a merchant. However, you risk lower authorisation rates if an issuing bank evaluates a transaction as non-compliant and refuses it as a result.

What you need to do

To make sure that your transactions comply with regulations like PSD2 SCA, you need to implement 3D Secure, an authentication protocol developed by EMVCo and supported by major card schemes.

We recommend that you become familiar with guidance from regulatory agencies and card schemes, and with EMVCo specifications. In addition, we as your payment service provider will provide further guidance to help ensure that while you are complying with regulations, you are also maintaining a good online payments experience for your shoppers. For example, we have a comprehensive PSD2 compliance and integration guide where we describe how PSD2 SCA may affect different business models.

The next sections describe the following topics on regulations and online payments authentication in general:

Overview of existing regulations

Here are examples of existing regulations that may apply either to you or to issuing banks if you are conducting business in the following regions:

See PSD2 SCA compliance and implementation guide for more information on actions that you need to take to comply with the EU directive.

  • Australia: AusPayNet regulations require merchants above fraud thresholds to apply SCA by Q4 2019. This applies to merchants with more than AUD 50,000 in fraud losses and a fraud-to-sales ratio of 0.2% or above for two consecutive quarters. If you exceed the fraud thresholds, you need to implement 3D Secure 2 by Q4 2019 at the earliest.
  • Brazil: In Brazil, all debit card transactions require authentication from the issuing bank.
  • Europe: The Revised Payment Services Directive (PSD2) requires European banks to use strong customer authentication (SCA) for online banking and online payments transactions within EEA, excluding out-of-scope transactions and exemptions.
  • India: In India, banks are required to perform authentication on all domestic ecommerce transactions.
  • Malaysia: In Malaysia, issuing banks may require authentication on their BINs; otherwise, authorisation rates will be low.

Important dates

The following are dates from regulatory boards and card schemes, specifying when regulations will take effect and when card schemes will stop supporting 3D Secure 1.

2024

  • June 30, 2024: Bancontact (BCMC) stops supporting 3D Secure 1. Transactions will perform authentication with 3D Secure 2 (EMV 3DS).

2023

  • October 13, 2023: American Express and Diners stop supporting 3D Secure 1 in India. Transactions will perform authentication with 3D Secure 2 (EMV 3DS).
  • November 16, 2023: Mastercard stops supporting 3D Secure 1 in India and Bangladesh. Transactions will perform authentication with 3D Secure 2 (EMV 3DS). Mastercard's previous deadline for deprecation was October 3, 2023.
  • November 16, 2023: Visa stops supporting 3D Secure 1 for domestic transactions in India, Bangladesh, Nepal, Bhutan, Maldives, and Sri Lanka. Transactions will perform authentication with 3D Secure 2 (EMV 3DS). Visa's previous deadline for deprecation was October 12, 2023; this has now been updated.

2022

  • October 14, 2022: American Express stops supporting SafeKey 1.0 worldwide, except for India. Transactions will perform authentication via 3D Secure 2 (EMV 3DS).
  • October 14, 2022: Diners and Discover stop supporting ProtectBuy 1.0.2 worldwide. Transactions will perform authentication via ProtectBuy 2.0.
  • October 15, 2022: Visa stops supporting 3D Secure 1, except domestic transactions in India, Maldives, Bangladesh, Bhutan, Nepal, and Sri Lanka.
  • October 18, 2022: JCB stops supporting JSecure 1.0 (3D Secure 1). Transactions will perform authentication via 3D Secure 2 (EMV 3DS).
  • October 18, 2022: Mastercard stops supporting 3D Secure 1 except India and Bangladesh. Transactions will perform authentication via 3D Secure 2 (EMV 3DS).

2021

  • July 1, 2021: Mastercard has increased the price of 3DS1 authentication in the APAC region including Australia, Hong Kong, Malaysia, New Zealand, and Singapore. This is part of Mastercard's program to encourage 3DS2 adoption, which will be offered at no cost for APAC.
  • October 1, 2021: Mastercard no longer generates Attempts transactions from the Mastercard 3DS1 network when the issuer (ACS) is unable to respond to the authentication request. Issuers that still want to support Attempts must generate them from their own ACS solution. For additional information, check Mastercard's 3DS1 deprecation roadmap article.
  • October 16, 2021: Visa continues to support 3DS1 transaction processing, including the 3DS1 Directory Server (DS). However, they no longer support the 3DS1 'Attempts Server', a service which provides an authentication value in the event that the issuer does not participate in 3DS1. For additional information, check Visa's 3DS1 deprecation roadmap article.

2020

  • March 14, 2020: PSD2 SCA becomes mandatory in the EU. All issuing banks are expected to implement SCA, in the form of 3D Secure.
  • April 18, 2020: Visa applies liability shift for 3D Secure 2 transactions in APAC and CEMEA, regardless of whether the issuer supports 3D Secure 2.
  • August 31, 2020: Visa applies liability shift for 3D Secure 2 transactions in the US, regardless of whether the issuer supports 3D Secure 2.
  • December 29, 2020: Mastercard doubles 3D Secure 1 scheme fees for most European countries. Also read the News update in your Customer Area.

For more information on liability shift rules once you have implemented 3D Secure 2, see 3D Secure 2 chargeback liability shift rules.

Use 3D Secure for compliance

3D Secure is an authentication protocol that provides an additional layer of verification for card-not-present (CNP) transactions. The protocol is compliant with authentication regulations, including the SCA mandate from PSD2.

3D Secure has two available versions:

  • 3D Secure 1: Card schemes and issuers will stop supporting this version in 2022 and 2023. Shoppers are redirected to the card issuer's site to provide additional authentication data, for example a password or an SMS verification code. The redirection might lead to lower conversion rates due to technical errors during the redirection, or shoppers dropping out of the authentication process.

  • 3D Secure 2: The card issuer performs the authentication within your website or mobile app using passive, biometric, and two-factor authentication approaches. For more information, refer to 3D Secure 2 authentication flows.

3D Secure chargeback liability shift rules

When you implement 3D Secure 2 authentication, you can avoid the liability for chargebacks in case of fraud (for example, a chargeback claim due to a lost or stolen card). This is called a liability shift.

The general rule is that if a shopper successfully completes a 3D Secure 2 challenge authentication flow, the liability for fraudulent chargebacks shifts from you to the card issuer. In a challenge flow, the issuer requires additional shopper interaction. In some regions, card schemes may grant liability shift after a successful frictionless flow, where the transaction is approved after a passive authentication.

The following tables show the liability shift rules for Visa and Mastercard. Note that the general rule applies to the transaction types, unless specified.

Visa liability shift rules

| Region/Countries | Period | Transaction type | Liability shift applies? |
| --- | --- | --- | --- |
| EU | Before 14 March 2020 | 3D Secure 2 transaction with an issuer that supports 3D Secure 2. | Yes |
| EU | After 14 March 2020 | 3D Secure 2 transaction regardless of whether the issuer supports 3D Secure 2. | Yes |
| Brazil | From 15 August 2019 | 3D Secure 2 transaction. | Yes |
| Canada, LATAM | Before 15 August 2019 | 3D Secure 2 transaction. | No |
| Canada, LATAM | After 15 August 2019 | 3D Secure 2 transaction successfully completed through either frictionless or challenge flow. | Yes |
| APAC, MEA | Before 18 April 2020 | 3D Secure 2 transaction with an issuer that supports 3D Secure 2. | Yes |
| APAC, MEA | After 18 April 2020 | 3D Secure 2 transaction regardless of whether the issuer supports 3D Secure 2. | Yes |
| US | Before 31 August 2020 | 3D Secure 2 transaction with an issuer that supports 3D Secure 2. | Yes |
| US | After 31 August 2020 | 3D Secure 2 transaction regardless of whether the issuer supports 3D Secure 2. | Yes |
| Global | Before 17 October 2021 | 3D Secure 1 transaction | Yes |
| Global | After 17 October 2021 | 3D Secure 1 transaction | No |

For Visa transactions, the chargeback protection is valid for 90 days.

For US domestic Visa transactions, there are rare cases when the issuer might fail to validate the Cardholder Authentication Verification Value (CAVV), meaning that the transaction does not qualify for a liability shift even though the Electronic Commerce Indicator (ECI) value 05 (3DS authentication was successful) was provided.

CAVV reuse exceptions for Visa

Travel booking agents usually have multiple merchants related to the same booking. Merchants who split the shipment of a shopper order into multiple authorizations require a Cardholder Authentication Verification Value (CAVV) for each transaction if they want to maintain fraud liability protection or to process the transaction without further authentication.

In these scenarios, Visa rules in Europe allow for a CAVV to be reused up to five times. This rule, which was due to expire on September 1, 2020, is now extended to September 1, 2022. If more than 90 days have passed between the original authentication date and the authorization, the CAVV will not provide liability protection. To avoid performing SCA again, a new CAVV can be obtained via 3DS Requestor Initiated (3RI) authentication to refresh the liability protection, if needed.

To support scenarios like multi-shipments or multi-party travel bookings until there is wide support of 3RI authentication in Europe, exceptions allowing a CAVV to be reused up to five times are permitted under the following conditions:

  • Territory: European Economic Area (EEA) transactions only
  • 3D Secure Version and Time:
    • 3D Secure 1.0.2 transactions from September 2, 2019 to September 1, 2022
    • 3D Secure 2.1 transactions from September 2, 2019 to September 1, 2022
    • 3D Secure 2.2 transactions effective immediately to September 1, 2022
  • Transaction Type and Usage:
    • A CAVV obtained via a booking agent can be reused in up to five authorizations by different merchants when related to the same booking.
    • Merchants may use the same CAVV up to five times to enable authorizations for split shipments associated with the same purchase. Because the transaction has been authenticated, each shipment can have fraud liability protection, but for this the CAVV must be present in each authorization. For fraud liability protection, the merchant has the option to populate the CAVV.
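
The reuse conditions above can be enforced on the merchant side before each authorization is sent. The following is an added example, not Adyen or Visa code: the record type, function names and booking identifiers are hypothetical, and it assumes that "up to five times" means five authorizations in total per CAVV, that the date window is checked against the authorization date, and that "effective immediately" for 3D Secure 2.2 means no start date.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum

# Dates and limits as listed on this page for the Visa Europe exception.
WINDOW_END = date(2022, 9, 1)
WINDOW_START = {            # 3DS version -> first day of the exception
    "1.0.2": date(2019, 9, 2),
    "2.1": date(2019, 9, 2),
    "2.2": date.min,        # "effective immediately": assumed no lower bound
}
MAX_AUTHORIZATIONS = 5      # assumption: five authorizations in total per CAVV
LIABILITY_DAYS = 90


class Decision(Enum):
    REUSE_PROTECTED = "reuse CAVV, liability protection applies"
    REFRESH_VIA_3RI = "CAVV older than 90 days, obtain a new one via 3RI"
    NOT_ELIGIBLE = "reuse exception does not apply"


@dataclass
class CavvRecord:           # hypothetical merchant-side record of one CAVV
    booking_id: str
    threeds_version: str
    eea_transaction: bool
    authenticated_on: date
    authorizations: int = 0


def decide(rec: CavvRecord, booking_id: str, auth_date: date) -> Decision:
    """Check territory, booking, version window and reuse count, then age."""
    start = WINDOW_START.get(rec.threeds_version)
    if (not rec.eea_transaction or booking_id != rec.booking_id or start is None
            or not start <= auth_date <= WINDOW_END
            or rec.authorizations >= MAX_AUTHORIZATIONS):
        return Decision.NOT_ELIGIBLE
    if auth_date - rec.authenticated_on > timedelta(days=LIABILITY_DAYS):
        return Decision.REFRESH_VIA_3RI
    return Decision.REUSE_PROTECTED


def authorize(rec: CavvRecord, booking_id: str, auth_date: date) -> Decision:
    """Count one authorization against the CAVV only when reuse is allowed."""
    decision = decide(rec, booking_id, auth_date)
    if decision is Decision.REUSE_PROTECTED:
        rec.authorizations += 1
    return decision
```
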

Mastercard liability shift rules

| Region/Countries | Period | Transaction type | Liability shift applies? |
| --- | --- | --- | --- |
| Brazil | From October 2018 onwards | 3D Secure 2 transaction. | Yes |
| EU | Between April to September 2019 | 3D Secure 2 transaction with an issuer that supports 3D Secure 2. | Yes |
| EU | Between April to September 2019 | 3D Secure 2 transaction with an issuer that does not support 3D Secure 2. | Yes, but only if the issuer is unable to respond to a 3D Secure 2 call due to technical reasons. |
| EU | From April 2019 onwards | PSD2 SCA out-of-scope transactions that were not authenticated with 3D Secure 2. | No |
| EU | From April 2019 onwards | 3D Secure 2 transactions where merchant or acquirer requests for a PSD2 exemption and the issuer grants an exemption. | No |
| EU | From September 2019 onwards | 3D Secure 2 transaction. | Yes |
| EU | From September 2019 onwards | 3D Secure 2 transactions where issuing bank applies a PSD2 exemption without the merchant or acquirer requesting for it. For example, issuer TRA. | Yes |
| Countries with existing regulations that require 3D Secure implementation: Nigeria, South Africa, India, Singapore, Bangladesh, Malaysia | Before October 2019 | 3D Secure 2 transaction. | No |
| Countries with existing regulations that require 3D Secure implementation: Nigeria, South Africa, India, Singapore, Bangladesh, Malaysia | After October 2019 | 3D Secure 2 transaction successfully completed through either frictionless or challenge flow. | Yes |
| Non-EU regions and countries not listed in the previous row: APAC, LATAM, MEA, North America | Before October 2019 | 3D Secure 2 transaction. | No |
| Non-EU regions and countries not listed in the previous row: APAC, LATAM, MEA, North America | After October 2019 | 3D Secure 2 transaction successfully completed through either frictionless or challenge flow. | Yes |

On October 1, 2021, Mastercard will no longer generate Attempts transactions from the Mastercard 3DS 1.0 network when the issuer (ACS) is unable to respond to the authentication request. In that sense, Liability Protection will no longer apply on Attempted authentications where the issuer does not participate. Liability Protection on authenticated transactions (ECI 05) will end on October 14th 2022 because Mastercard will no longer process any 3DS 1.0 transactions as part of the 3DS1 sunset roadmap.

For Mastercard transactions, the chargeback protection is valid for 30 days. Starting from 2020, Mastercard will extend liability shift validity to 90 days.

Implementing 3D Secure 2 with your existing Adyen integration

If you are using our Checkout SDKs, HPP, Plugins, or API with 3D Secure 1 integration, you don't have to change anything. You can already support 3D Secure 2 authentication through the same redirect page.

If you have an existing integration with us with a 3D Secure 1 implementation, you can already support 3D Secure 2. Similar to a 3D Secure 1 flow, you will need to redirect the shopper to the URL returned in the API response. If a transaction requires 3D Secure 2 authentication, we will provide a redirect URL which will take your shopper to our hosted page to complete the 3D Secure 2 authentication flow.

In the table below we discuss in detail how we will handle 3D Secure 2 across different integrations, and what you can do to improve the shopper experience should you choose to implement native 3D Secure 2 authentication.

| Your existing Adyen integration | What you need to do to support 3D Secure 2 |
| --- | --- |
| Online payments API, with existing 3D Secure 1 integration. | Do nothing. 3D Secure 2 will be supported through a redirect. However, if you want a better shopper experience, add 3D Secure 2 Components or use Drop-in on your client-side implementation. |
| Quick integration Checkout SDKs | Do nothing. 3D Secure 2 will be supported in Web, iOS, and Android SDKs through a redirect. However, if you want a better shopper experience with native 3D Secure 2 authentication, switch to our Web, iOS, and Android Drop-in solution available from versions 3.0.0 and later. If you want to continue using the mobile SDKs, you can upgrade to the following versions which support 3D Secure 2: |
| Plugins for Magento 1 and 2, PrestaShop, SFCC, or SAP Commerce (Hybris) | Upgrade to the following plugin versions to support native 3D Secure 2 authentication: If you choose to continue using an older version of our plugins, we will support 3D Secure 2 through a redirect. |
| Hosted Payment Pages (HPP) | Do nothing. 3D Secure 2 will be supported through a redirect. However, we strongly recommend moving your implementation to our online payments API with the 3D Secure 2 Component for a better user experience. |
| Classic integration or CSE, with existing 3D Secure 1 integration. | Do nothing. 3D Secure 2 will be supported through a redirect. However, if you want a better shopper experience with native 3D Secure 2 authentication, use our helper functions for web and the Classic integration 3D Secure 2 SDKs for mobile. |
| Online payments API, without a 3D Secure 1 integration. | Integrate 3D Secure redirect authentication to support both versions of 3D Secure or a combination of 3D Secure 2 native authentication and a 3D Secure 1 fallback. |
| Classic integration or CSE, without a 3D Secure 1 integration. | Integrate 3D Secure classic API redirect authentication to support both versions of 3D Secure or a combination of 3D Secure 2 native authentication and a 3D Secure 1 fallback. |

For guidelines on using 3D Secure with your current business model, see PSD2 SCA compliance and implementation guide.
