3D Secure
3-D Secure (3DS) is a protocol designed to be an additional security layer for online transactions. During the checkout process, customers are required to complete an extra authentication step to verify the cardholder's identity, which reduces fraud and meets regulatory requirements.
How it works
3DS allows the merchant to challenge its customers by asking them to perform an action that only cardholders are able to complete. Based on different mechanisms, the challenge can have different formats:
- Fingerprint - The cardholder goes through a frictionless flow where Revolut sends information about the device being used. This might be enough for the issuing bank to approve the payment.
- One-time password (OTP) - The cardholder is asked to provide a one-time password sent to their phone, which is registered with their bank account. This is the usual format of the challenge.
- Bank application verification - The cardholder is asked to verify the transaction using their card issuer's banking application. This is a more modern and common format.
Benefits
Payments that are successfully authenticated using 3DS are covered by a liability shift, which means that, in case of fraud, liability for the payment lies with the issuing bank and not with you as a merchant.
In case of a chargeback for a payment where 3DS was used, by default the cardholder's bank is responsible and liable to refund this amount to the cardholder.
As a merchant, using 3DS for payment authentication does not mean that you are immune to any disputed payments.
Implementation with Revolut SDK
When a customer initiates a card payment, Revolut performs a 3D Secure (3DS) challenge if it's required.
On the client side, you don't need to implement additional changes to allow these challenges. The Revolut Merchant Web SDK takes care of every stage:
- Sends all the relevant information to the 3DS server.
- Handles the frictionless flow when possible.
- Renders the Access Control Server (ACS) URL in case a full challenge is requested.
- Handles the response from the 3DS server to complete the challenge and have an authenticated transaction.
PSD2 and Strong Customer Authentication
The Payment Services Directive (PSD2) regulations stipulate that merchants must be compliant with the Strong Customer Authentication (SCA) procedures from 1st January 2021. The Financial Conduct Authority (FCA) has extended the deadline for the UK to 14th September 2021.
To ensure your safety as a merchant and to protect cardholders from having their stolen cards used without their knowledge, Revolut performs a 3DS challenge when needed during a card payment. This also means that you don't have to worry about being compliant with PSD2: Revolut takes care of it for you.