Risk-management icon

Dynamic 3D Secure

Set up rules to determine which card payments are routed through 3D Secure authentication.

When you support 3D Secure 2 in your website or mobile app, and send in a payment request, Adyen will determine whether the payment is routed through 3D Secure authentication.

To ensure that you stay compliant, we will always apply 3D Secure if this is required by authentication regulations such as PSD2 or other market specific regulations. To mitigate any effects on conversion, we will not trigger 3D Secure for out-of-scope transactions, or when the issuing bank does not enforce 3D Secure. For transactions within the scope of PSD2, we will also handle requesting exemptions.

You can set the default Dynamic 3D Secure rule setting to Prefer not or Always. When set to Prefer not, Adyen can still decide to send the payment through 3D Secure to ensure compliance with regulations, or to improve conversion. When set to Always, we will honor this setting.

On top of this, if you want to have more control over which transactions are processed with 3D Secure, for example if certain transactions are high-risk for your business, you can either:

Default 3D Secure rules

Choose from the following possible default 3D Secure rules that you can set up on your account. Depending on your configured rule, we will perform the following actions:

  • Always: Use 3D Secure whenever possible. With this rule, there will still be transactions that don't go through 3D Secure authentication, for example, when the issuer doesn't support 3D Secure yet, or when the card isn't enrolled.
  • Prefer not: Do not apply 3D Secure authentication, unless the issuing bank requires it to complete the authorisation. We recommended that you use this setting if your first priority is to prevent 3D Secure as much as possible.

When you create a new company account or merchant account, the default setting is Prefer not.

Configuring Dynamic 3D Secure rules

There are few things to keep in mind when configuring Dynamic 3D Secure:

  • Rules are maintained at the merchant level. They will only affect payments for a specific merchant.
  • Rules trigger in order, from first to last.
  • System-wide rules (for example, that all Maestro payments must use 3D Secure) will override the Dynamic 3D Secure rules.
  • Wherever possible, create several simple rules instead of combining many logic points into a single rule.
  • The sub-components of the rules must contain an AND statement. If you want to use an OR statement, create a new rule.
  • If no rules are triggered, and 3D Secure is available, the transaction will use 3D Secure.

To be able to change the Dynamic 3D Secure rules, you need to have the following roles:

  • Merchant change risk settings
  • Management Dynamic 3D Secure Rules

To configure the rules:

  1. Go to Customer Area > Risk > Dynamic 3D Secure.

  2. Select Create new rule to make a new rule or select the name of the rule if you want to modify an existing rule.

  3. Configure the criteria shown in the next table.

    You can combine criteria to create nested rules. For example, you may decide to use 3D Secure for every transaction where the issuing card is from Mexico, has a risk score greater than 70, and a transaction value above USD 100.

    Criteria

    Description

    Issuer country

    The country where the card was issued.

    Shopper country

    The country of the shopper, based on the IP address submitted with the payment.

    Payment method

    The card type (for example, American Express, Visa Platinum, etc. For more information, see PaymentMethodVariant).

    Device type

    The type of device that submitted the transaction. You can indicate mobile, desktop, or tablet devices.

    The transaction must have device data submitted with it for this feature to work.

    Amount

    The transaction value. When you configure this for a specific currency, the rule will automatically convert to other currencies. For example, a EUR 20 rule will automatically trigger for the equivalent amount in GBP.

    Risk score

    Allows the targeting of 3D Secure for only transactions that meet certain risk score thresholds.

    If a transaction's pre-authorisation fraud score is 100 or more, the transaction is refused with the refusal reason FRAUD and, thus, will not use 3D Secure.

    BIN and BIN Range

    The first six digits on a credit card. This identifies the Issuing bank of the card. For more information, read Bank Identification Number (BIN).You can target a set or range of BINs, to use 3D Secure only for transactions from certain issuing banks.

    Risk check

    Each risk rule that you select will trigger 3D Secure. Only select risk rules that trigger before authorization.
    By default, this only applies if the rule has a positive fraud score. If you also want rules with a negative fraud score to trigger 3D Secure, check the Trigger on TRUST risk result checkbox.

  4. For each condition met, assign actions to use or drop 3D Secure authentication:

    • Use 3DS: If the condition is met, choose to apply any of the default 3D Secure rules.
    • Drop 3DS: If the condition is met, choose to Never drop 3D Secure authentication or to drop 3D Secure depending on the transaction status:

      • If 3DS directory lookup response U: Drop 3D Secure when authentication is unavailable.
      • If 3DS authentication response N: Drop 3D Secure when authentication has been denied.
      • If 3DS authentication response U: Drop 3D Secure when the card issuer is unavailable.
  5. Once you have created your rule, add a name for the rule and select Save. If you have updated an existing rule, also select Save.

  6. 3D Secure rules use a priority logic to decide whether to action 3D Secure. Move your most important rule to the top of the order list and select Save.

To see how to configure Dynamic 3D Secure rules, you can also watch a video here:

Rule configuration examples

Scenario 1

You are making a zero-value auth request to obtain or store shopper details or when submitting a BIN or a card for verification.

Depending on the default 3D Secure rules, the following applies to your zero-value auth transaction:

  1. Always: 3D Secure is always used.
  2. Prefer not: 3D Secure is not used, unless other dynamic 3D Secure rules override the default rule.

You can create a custom rule to enforce not using 3D Secure for all zero-value auth transactions. To do so:

  1. Log in to your Customer Area.
  2. Go to Risk > Dynamic 3D Secure, and then select Create new rule.
  3. On the Add rule page, enter a name for your rule. For example, No 3DS for zero-value auth.
  4. In the Amount section, select Equal, enter 000 (minor units) in the next field, and then select the currency, if needed.
  5. In the Use 3DS section, select Prefer not, and then select Save.
  6. After the rule has been created, drag it to the top of the list to ensure that it is always triggered first.

Scenario 2

You are experiencing significant fraud in transactions above USD 200 in the US and EUR 250 in Germany. You decide to explicitly focus on applying authentication for high-risk transactions in these regions, and apply 3D Secure only for issuing banks that require it.

The rules you should set up are:

  1. Always use 3D Secure when transaction >= USD 200 AND risk score >50 AND issuing country = United States.
  2. Always use 3D Secure when transaction >= EUR 250 AND risk score >50 AND issuing country = Germany.
  3. Prefer not 3D Secure authentication for all other transactions (default rule).

The last rule ensures that transactions with less than the specified amounts will still trigger 3D Secure if the issuing bank requires 3DS. In this scenario, issuing banks in Germany are increasingly expected to require 3DS as part of PSD2 regulations.

Scenario 3

You are planning on expanding your business in the United States. You have previously used 3D Secure in the UK (where conversion rates are high), and you want to avoid using 3D Secure in the United States. All your traffic is from the UK and US.

Rules you should set up:

  1. Prefer not 3D authentication Secure when issuing country = United States
  2. Always use 3D Secure for all other transactions (default rule).

Only a Prefer not rule is needed since the default action is for transactions to use 3D Secure. With this setup, all UK transactions will use 3D Secure.

See also