How to Implement 3-D Secure for a Checkout Engine

December 29, 2022

3-D Secure (3DS) is an extra security step for online transactions. After customers enter their payment details (e.g. card number, expiration date, and CVC), their bank requests confirmation of the transaction. The transfer of funds to the merchant's bank account is only completed after confirmation.

The 3-D Secure (3DS) system is designed to protect customers' money from unverified transactions. Additionally, it shifts the liability for any fraud or illegal use of customers' payment information to their issuer bank. This means that the bank, not the service processing the payment information, will be responsible for compensating any damages.

In this article, we'll provide an in-depth description of the 3-D Secure system and guide you through the steps needed to implement it.

3-D Secure 2.0 and conversion rate

Considering security and conversion rate separately, it's understandable to worry about the latter. 3-D Secure is an extra step before purchase, and customers may abandon the checkout process, resulting in a lower conversion rate. To address this, 3-D Secure 2.0 was released in 2016.

3DS 2.0 is less intrusive than its predecessor, only requiring an additional confirmation step when the transaction risk level is high. Otherwise, the transaction will be approved without any extra steps.

The customer's issuer bank verifies and assesses the transaction's risk, so your system doesn't need to do it manually. In cases of high risk, the card issuer decides how to request confirmation, such as a one-time password sent via SMS or email, or a push notification in the bank's mobile application. In addition to transaction details, some issuers can use device fingerprinting for improved risk-level verification.

You don't need to be concerned about a lower conversion rate. With 3-D Secure 2.0, the issuer will only request confirmation when the transaction's risk is high. In this case, this confirmation is the safest and most cost-effective way to verify the transaction.

3-D Secure provider

3DS is a complex system with multiple components and legal and security requirements. As a business, you want to build a product quickly and easily. It may be reasonable to choose an existing 3DS solution instead of implementing the 3DS functionality from scratch. For example, if you're selling online with a popular platform like Shopify or Magento, you can easily enable 3DS in the checkout settings.

If you're developing a custom software-as-a-service (SaaS) application, several 3DS solutions are available. For instance, you can integrate 3DS with just a few lines of code using Stripe Checkout or Checkout.com.

If you're creating a custom checkout system, you'll need a more granular solution than an all-in-one like Stripe or Checkout.com. In this case, there are various solutions you can integrate into your system, such as PAAY. Pick the one that best meets your needs.

Integrating 3-D Secure

Suppose you've chosen the 3DS provider, and your team is ready to implement it. But how does it work? Firstly, you may find it helpful to familiarize yourself with our guide for creating a custom checkout system, which describes all the required components in detail, including the 3DS provider: How to build a custom checkout system from scratch.

For now, it's enough to understand the following components:

  • Your API: the system created by your development team, where all the checkout logic is implemented, including processing the payment information.
  • Payment gateway: the component that works with transactions.
  • Card issuer: the bank that issued the customer's card.
  • 3-D Secure provider: the hero of our article.

The 3-D Secure logic consists of two steps:

  1. Requesting a 3DS validation. Your API sends the customer's payment information to the 3DS provider, which then forwards it to the card issuer. The card issuer may request an additional transaction confirmation (in case of a high-risk transaction) and sends the validation data back to the 3DS provider.
  2. Processing a transaction. Your API requests the 3DS validation result from the 3DS provider and then sends that information, along with the payment info, to the payment gateway for processing.

In this way, your checkout system delegates the handling of 3DS operations to the 3DS provider of your choice.
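The two steps above, sketched as an added example (not code from this article's author or from any real provider's SDK): the API reads the validation result server-side, declines anything that is not authenticated, and checks that the result belongs to the order being charged. `Stub3DSProvider`, `StubGateway`, the field names, and the status strings are all hypothetical stand-ins.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Order:
    order_id: str
    amount_minor: int  # amount in minor units, e.g. cents
    currency: str

class Stub3DSProvider:
    """Hypothetical in-memory stand-in for a 3DS provider (not a real SDK)."""
    def __init__(self, issuer_decision):
        self.issuer_decision = issuer_decision  # constructed: "authenticated" or "failed"
        self.results = {}

    def request_validation(self, order, card_token):
        # Step 1: the provider forwards the request to the card issuer and
        # keeps the issuer's answer, bound to the order it was made for.
        validation_id = "val-" + order.order_id
        self.results[validation_id] = {
            "status": self.issuer_decision, "order_id": order.order_id,
            "amount_minor": order.amount_minor, "currency": order.currency,
            "auth_value": "CONSTRUCTED-AUTH-VALUE"}
        return validation_id

    def get_result(self, validation_id):
        return self.results.get(validation_id)

class StubGateway:
    """Hypothetical payment gateway that records what it was asked to charge."""
    def __init__(self):
        self.charges = []

    def charge(self, order, card_token, three_ds_result):
        self.charges.append((order.order_id, order.amount_minor))
        return "approved"

def process_payment(provider, gateway, order, card_token, validation_id):
    # Step 2: read the result from the provider server-side; never accept a
    # status supplied by the browser.
    result = provider.get_result(validation_id)
    if result is None:
        return "declined: unknown validation"
    if result["status"] != "authenticated":
        return "declined: not authenticated"  # fail closed
    bound = (result["order_id"], result["amount_minor"], result["currency"])
    if bound != (order.order_id, order.amount_minor, order.currency):
        return "declined: validation does not match order"
    return gateway.charge(order, card_token, result)
```

The binding check is what stops a validation obtained for one amount from being reused to authorize a different charge.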

Conclusion

You can see that 3-D Secure is a powerful tool that allows you to increase the security of your checkout system and shift the responsibility for transactions to the customer's card issuer. Although it may appear simple, integrating 3DS into your system may present many challenges. If you have any questions or need consultation, please contact us at hi@softcery.com.

Elijah Atamas

CEO, Softcery