GS Logo
The Green Sheet, Inc

Please Log in

A Thing
View Archives

View PDF of this issue

Care to Share?

Table of Contents

Lead Story

Winning the high-stakes holiday shuffle


Industry Update

New ROAM CEO focusing company

Happy complicated first birthday, Durbin

Visa, MasterCard settlement has support

A window into Global Payments

Trade Association News


What you need to know before launching a new product

Marc Beauchamp
Performance Training Systems Inc.

A rewards app that 'burns'

Selling Prepaid

Prepaid in brief

MasterCard reloads with Western Union

How to drive a positive customer experience – and silence critics


Is there a kiosk in your pocket?

Patti Murphy
ProScribes Inc.


Street SmartsSM:
Formal sales training or OJT?

Jeff Fortney
Clearent LLC

Fraud alert: Threat level rises

Nicholas Cucci
Network Merchants Inc.

Shifting to insight-selling

Dale S. Laszig
Castles Technology Co. Ltd.

Tighten merchant inventory control, boost the bottom line

Rick Berry
ABC Mobile Pay Inc.

Implementing 3-D Secure

Chandan Mukherjee
PayCube Inc.

Company Profile

Washington Bancard Merchant Services LLC

New Products

Next-gen POS doubles as fundraiser

V8 by Dejavoo Systems
Unified Payments LLC

E2EE protection for EMV, too

SAFE-T Suite
Elavon Inc.


Strategic honesty



Resource Guide


A Bigger Thing

The Green Sheet Online Edition

October 22, 2012  •  Issue 12:10:02

previous next

Implementing 3-D Secure

By Chandan Mukherjee

To address the growing security concerns associated with online transactions, Visa Inc. introduced 3-D Secure, which allows issuers to validate cardholders during purchase transactions on e-commerce sites. Today, 3-D Secure is available for Visa, MasterCard Worldwide, American Express Co. and JCB International Co. Ltd. transactions. Each card brand has given it a different name; hence, you see names like Verified by Visa, MasterCard SecureCode, J/Secure or SafeKey.

3-D Secure basics

The basic concept of 3-D Secure is to authenticate a cardholder performing a transaction at an e-commerce site before an authorization transaction is sent. An authentication process is different than an authorization process. Authentication focuses on establishing the identity of the cardholder doing the transaction. This step precedes the authorization process that validates the payment transaction.

The authentication is driven by the activities done in tandem by the acquirer, issuer and interoperability domains. Issuer domain

The issuer domain consists of the card issuers, cardholders and the access control server (ACS) providers. ACS providers can be issuers, too. An issuer must establish an ACS that will respond to any 3-D Secure authentication request. This server must allow for validation of the bank identification number ranges that are eligible for 3-D Secure authentication.

Furthermore, cardholders must be enrolled in the 3-D Secure program and establish a secret code or password with the issuer to ensure proper authentication. This password will be required to authenticate the cardholder during purchase transactions. A cardholder need enroll only once. A cardholder may enroll at the issuer's website or during the initial checkout process.

Acquirer domain

The acquirer domain consists of merchants, gateways and acquiring processors. In this domain, merchants, gateways and acquirers all have to participate in the 3-D Secure program to allow for added cardholder authentication.

The merchant is responsible for the e-commerce website and its checkout flow. The merchant also operates the merchant-side software component that will allow for control of the 3-D Secure transaction flow. This software is generally called a merchant plug-in (MPI).

If a gateway is in the transaction flow or hosting the shopping cart functionality for a merchant's website, the gateway must establish the MPI for the merchant.

Acquirers are responsible for signing up merchants for the 3-D Secure program and for allowing transactions to pass through. Generally, card networks require authorization transactions to carry a response code from the authentication transaction under 3-D Secure message exchange.

Interoperability domain

The interoperability domain is responsible for connecting the acquiring domain to the issuer domain. Typically, this is provided by the card company networks, which also publish the specifications for connectivity and message exchange between the acquirer and the issuer domain.

A basic message exchange consists of the following:

Basic flow for authentication under 3-D Secure

Following is a description of the 3-D Secure authentication process, which is also illustrated in a chart accompanying this article. First, the MPI is required to obtain card ranges from the interoperability domain's directory and must be able to cache this information. The cache is generally refreshed at least once every day, more often if needed. This allows for checking that the card range is a 3-D Secure service participant without having to call the interoperability domain every time.

The merchant provides the website for e-commerce transactions, accepts the card number information from the customer and initiates the 3-D Secure process. If a gateway is providing the MPI, the gateway obtains the card number and other customer details. At this time, the MPI initiates a verify enrollment process with the interoperability domain to verify whether the cardholder is enrolled in the 3-D Secure service. The interoperability domain initiates a request with the appropriate issuer ACS for validation of the cardholder information.

If the cardholder is indeed enrolled at the issuer ACS, the ACS returns a positive response to the interoperability domain, and the same is then returned to the MPI, including the ACS URL for the MPI to continue transacting. Then the MPI initiates a payer authentication request to the issuer ACS using the URL obtained in the previous step.

The ACS now responds with an HTML page for the gateway or merchant to display that will accept the password from the cardholder. If the cardholder password is accepted, the control of the website is returned to MPI. Furthermore, the ACS now sends a payer authentication transaction message to record in the transaction history for the cardholder. The MPI notifies the merchant's or gateway's payment subsystems of the results. If the authentication has been confirmed, the payment subsystems proceed with the authorization request.

If the card range is not enrolled in 3-D Secure or if the cardholder is not enrolled in the 3-D Secure program, the payment subsystem may still proceed with the regular authorization request outside the 3-D Secure authentication process. But if the authentication fails for a cardholder who is enrolled in 3-D Secure, the payment authorization request must not be sent.

The case for 3-D Secure

Implementing 3-D Secure reduces the scope of fraud drastically. And the networks provide incentives for implementing such technologies, including favorable interchange rates and liability protection.

The technology has existed for a long time and has stabilized in the marketplace. Cardholders are also quite aware of the risks of using credit cards online. Since most of the gateways cater to e-commerce clients, they should strongly consider implementing 3-D Secure technology as part of their offering.

3D secure implementation flow

Chandan Mukherjee is the co-founder of PayCube Inc., a San Francisco Bay Area-based payment consulting and IT services company providing custom software solutions and custom gateways for acquirers, ISOs, retailers and varied organizations in the world of payments and consumer transactions, including prepaid and gift card program, loyalty and promotion, payment start-up, POS solution, mobile payment and e-commerce players. PayCube uses a blend of on-site and offshore delivery capabilities, with a staff of retail and payments-focused software engineers, systems architects, project managers, tech leads and systems analysts. For more information, email, call 510-545-6854 or visit

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

previous next

Spotlight Innovators:

North American Bancard | Simpay | USAePay | Impact Paysystems | Board Studios