Implementation

IMPORTANT
3DS2 will be rolled out progressively, and the rollout may last until 2021.

  • Fallback to 3DS1

    While waiting for the deployment of 3DS2 for all companies, the following procedure will be applied:
    1. The payment gateway initiates the process of 3D Secure v2 authentication.
    2. If the card is 3D Secure v2 enrolled, the 3D Secure v2 process continues.
    3. If the card is not enrolled in 3D Secure v2 or if an error prevents 3D Secure v2 authentication, then the payment gateway continues to authenticate the cardholder in 3D Secure v1 mode.
  • Merchant enrollment

    No impact on merchants who are already 3DS1-enrolled. The payment gateway is responsible for 3DS2 enrollments on different Directory Servers (DS).

    Companies that are not yet 3DS1-enrolled will be enrolled in both 3DS1 and 3DS2 by the payment gateway.

  • Impact of implementation on the merchant website

    Little impact. Without any modifications, your current implementation is compatible with 3DS2, even if you display the payment page in an iframe.

    When all operators are operational, it will be possible to transmit additional details to increase the chances of a frictionless authentication during payment (see the corresponding chapter, Increasing the chances of a frictionless payment).

  • Selective 3D Secure

    With 3DS2, it will no longer be possible to disable 3DS. However, the merchant can request an exemption in his or her payment request (this is referred to as “merchant preferences”).

    Merchants who use the vads_threeds_mpi field for disabling 3D Secure v1 will have to update their implementation in order to take into account the newly available options:

    IMPORTANT
    The new values will only become available after 3DS2 is enabled for your MID.

    As of September 2020, issuers can refuse the transaction if 3D Secure authentication has not been performed.

    This behavior is called “Soft Decline”.

    To reduce the number of rejected payments, the payment gateway automatically makes a new payment attempt with 3D Secure authentication, when possible.

    Value: missing, empty or 0
    Management of cardholder authentication is delegated to the payment gateway (domain configuration, provider, store).
    • 3DS1: Forced 3DS1 authentication.
    • 3DS2: The gateway sends the CHALLENGE REQUESTED value to the issuer.

    Value: 1
    Deprecated.

    Value: 2
    • 3DS1: Disabled 3DS1 authentication. Requires the “Selective 3DS1” option.

      By using this value, you expose yourself to “Soft decline” refusals.

    • 3DS2: Requests authentication without interaction (frictionless). Requires the “Frictionless 3DS2” option.
      • For payments made in euros, if the amount is lower than €30, a request for frictionless is transmitted to the DS. If the request for frictionless is accepted by the issuer, the merchant loses the payment guarantee.

      • For payments made in euros, if the amount is greater than €30, the value transmitted by the merchant is ignored and the management of cardholder authentication is delegated to the gateway.

      • For payments made in a currency other than euro, a request for frictionless is transmitted to the DS.

    If the store does not have the “Frictionless 3DS2” option, the value transmitted by the merchant is ignored and the management of cardholder authentication is delegated to the gateway.

    Value: 3
    • 3DS1: Forced 3DS1 authentication.
    • 3DS2: CHALLENGE REQUESTED: 3DS Requestor Preference. Requests strong authentication for the transaction.

    Value: 4
    • 3DS1: Forced 3DS1 authentication.
    • 3DS2: CHALLENGE REQUESTED: mandate. Indicates that, for regulatory reasons, strong authentication is required for the transaction.

    Value: 5
    • 3DS1: Forced 3DS1 authentication.
    • 3DS2: NO PREFERENCE. Indicates to the DS that the merchant does not have a preference. If the issuer decides to perform an authentication without interaction (frictionless), the payment will be guaranteed.

  • Management of transactions with amounts over €30 and a merchant preference

    If the merchant requests an authentication without interaction (frictionless) in their payment request, the gateway modifies this value and transmits the value CHALLENGE_REQUESTED to the DS.

  • Creation of a token

    A strong authentication will always be required during token creation, regardless of the merchant’s choice.

  • Installment and recurring payments

    A strong authentication will always be required for the first installment, regardless of the merchant’s choice.

  • IPN

    A field (vads_threeds_auth_type) has been added to the IPN to transmit the authentication type used (FRICTIONLESS or CHALLENGE) to the merchant.
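
The merchant-preference table and the rules on amounts over €30, token creation and first installments can be checked on the merchant side before a request is sent, to see which payments would lose the payment guarantee. The following is an added example, not gateway code: the function name, the `Outcome` type, the `FRICTIONLESS REQUEST` label, the amount-in-cents and ISO currency code parameters, and the treatment of exactly €30 are assumptions of this example.

```python
from dataclasses import dataclass

# Labels for the preference sent to the DS. The first four appear in the table
# above; FRICTIONLESS_REQUEST is a name made up for this example.
CHALLENGE = "CHALLENGE REQUESTED"
CHALLENGE_PREF = "CHALLENGE REQUESTED: 3DS Requestor Preference"
CHALLENGE_MANDATE = "CHALLENGE REQUESTED: mandate"
NO_PREFERENCE = "NO PREFERENCE"
FRICTIONLESS_REQUEST = "FRICTIONLESS REQUEST"
DIRECT = {"0": CHALLENGE, "3": CHALLENGE_PREF, "4": CHALLENGE_MANDATE, "5": NO_PREFERENCE}


@dataclass(frozen=True)
class Outcome:
    sent_to_ds: str          # preference the gateway transmits
    guarantee_at_risk: bool  # True if an accepted frictionless loses the payment guarantee
    reason: str


def resolve_3ds2_preference(mpi, amount_cents, currency, frictionless_option,
                            token_creation=False, first_installment=False):
    """Predict what the gateway does with a vads_threeds_mpi value under 3DS2."""
    mpi = "0" if mpi is None or str(mpi).strip() == "" else str(mpi).strip()
    if mpi in DIRECT:
        out = Outcome(DIRECT[mpi], False, "value applied as documented")
    elif mpi != "2":
        raise ValueError(f"vads_threeds_mpi={mpi!r} is deprecated or not in the table")
    elif not frictionless_option:
        out = Outcome(CHALLENGE, False, "no Frictionless 3DS2 option: value ignored")
    elif currency == "EUR" and amount_cents >= 3000:
        # Assumption: exactly EUR 30.00 is treated like "greater than", the safer reading.
        out = Outcome(CHALLENGE, False, "EUR amount not below 30: value ignored")
    else:
        out = Outcome(FRICTIONLESS_REQUEST, True, "frictionless requested from the DS")
    # Token creation and first installments always get strong authentication;
    # modelling that as CHALLENGE REQUESTED is this example's choice.
    if (token_creation or first_installment) and not out.sent_to_ds.startswith(CHALLENGE):
        out = Outcome(CHALLENGE, False, "strong authentication always required")
    return out


if __name__ == "__main__":
    # Constructed sample requests: (mpi, amount in cents, currency, option enabled)
    for req in [("2", 2500, "EUR", True), ("2", 4500, "EUR", True),
                ("2", 4500, "USD", True), ("2", 2500, "EUR", False), ("5", 900, "EUR", True)]:
        print(req, "->", resolve_3ds2_preference(*req))
```

Only the outcomes with `guarantee_at_risk` set to true correspond to the case where the merchant loses the payment guarantee if the issuer accepts the frictionless request.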