3-D Secure
Can I deactivate 3-D Secure?
No, it is not possible to deactivate 3-D Secure authentication. You would no longer be compliant with the PSD2 regulation, which imposes strong customer authentication, and you would expose yourself to authorisation refusals from the issuer for unauthenticated transactions (called “Soft Decline”, with the acquirerResponseCode field set to A1).
However, in order to improve the user experience of your customer during the payment process, you can request an exemption (see Strong authentication exemptions).
How can I check that 3-D Secure is working properly?
The holderAuthentStatus field gives the result of the 3-D Secure authentication. The main values are:
- SUCCESS: cardholder authentication successful
- FAILURE: cardholder authentication failed
- ERROR: technical problem during authentication
- CANCEL: the cardholder abandoned the authentication
- ATTEMPT: the cardholder did not have to authenticate
These fields are visible in the automatic response, in the transaction logs (from version TAB20_V3) and via the Sips Office Extranet.
When does 3-D Secure v1 stop?
14 October 2022 for Mastercard and 15 October for Visa.
What happens to duplicate transactions?
Duplicates are not subject to strong authentication because the cardholder is not present. However, to comply with PSD2 they must be chained to an “original” CIT using a chaining identifier (or grouping identifier) (see MIT/CIT chaining). If you do not chain them, the authorisation may be refused.
What happens if I don't chain a recurring transaction (MIT)?
You risk refusal of authorisation from the issuer.
If my recurring transaction (MIT) is chained, does it benefit from the payment guarantee?
No, recurring transactions, even when chained, do not benefit from the payment guarantee. The exception is a recurring transaction of the multiple payment on delivery type on the CB network that meets specific criteria (see Calculation of the transfer of responsibility for a MIT).
What do I need to do to apply for a TRA exemption?
If your risk analysis shows that the risk of fraud is low enough to request frictionless authentication, you should ask your acquirer for authorisation; the acquirer will tell you how to use this exemption (maximum amount, rules to be applied in the event of changes over time, etc.). You should also ask your usual contact to activate the “Acquirer’s TRA” option on your shop. In your payment request, set the fraudData.challengeMode3DS field to NO_CHALLENGE_TRA_ACQ.
How can I manage chaining if I don't have an STI?
If the first transaction (the CIT) does not have an STI, it must be duplicated without chaining (that is, without setting the initialSchemeTransactionIdentifier field). Then use the STI recovered from this duplication to chain the next MITs (see Unknown STI).
How should I set the authentAmount field?
The authentAmount field is the amount to be authenticated, which may be different from the amount to be authorised. It is used in two cases:
- multiple payment on delivery or payment in instalments, where it must be set to the total amount of the order (see Multiple payment on delivery or Payment in instalments);
- subscription payment via duplication or via Wallet, where it must be set to the average amount of the subscription (see Subscription payment via duplication or Subscription payment via wallet).
Can I disable 3-D Secure, for example by using the MOTO mode?
No. 3-D Secure exists in the so-called INTERNET mode, where the cardholder is present. The MOTO mode is a mode where the cardholder is not present and therefore 3-D Secure does not apply. It is not possible to switch from one mode to the other. You are either in MOTO mode without 3-D Secure or in INTERNET mode with 3-D Secure.
Lifetime of the chaining identifier
At present, the chaining identifier has no validity period. It ceases to be valid once the card's expiry date has passed. A new CIT must then be generated with the new card/validity date to obtain a new chaining identifier for future MIT transactions.
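The unknown-STI procedure and the expiry rule described above can be combined in one merchant-side helper. This is an added example, not Worldline's code: the ChainState class, the function names and the response field name schemeTransactionIdentifier are assumptions for illustration, and the sample values are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Request field named on this page.
REQUEST_CHAIN_FIELD = "initialSchemeTransactionIdentifier"
# Assumption: response field carrying the STI; check your connector's data dictionary.
RESPONSE_STI_FIELD = "schemeTransactionIdentifier"


class NewCitRequired(Exception):
    """The card has expired, so the chaining identifier is no longer valid."""


@dataclass
class ChainState:
    """Merchant-side record of one CIT and the MITs chained to it (hypothetical)."""
    expiry_year: int
    expiry_month: int
    sti: Optional[str] = None  # None when the original CIT returned no STI

    def card_expired(self, today: date) -> bool:
        # A card remains valid through the last day of its expiry month.
        return (today.year, today.month) > (self.expiry_year, self.expiry_month)


def mit_chaining_fields(state: ChainState, today: date) -> dict:
    """Return the chaining fields to add to the next MIT (duplication) request."""
    if state.card_expired(today):
        raise NewCitRequired("run a new CIT with the renewed card to obtain a new STI")
    if state.sti is None:
        # Unknown STI: duplicate without chaining, leaving the field unset.
        return {}
    return {REQUEST_CHAIN_FIELD: state.sti}


def record_response(state: ChainState, response: dict) -> None:
    """Keep the STI recovered from an unchained duplication for the next MITs."""
    if state.sti is None and response.get(RESPONSE_STI_FIELD):
        state.sti = response[RESPONSE_STI_FIELD]


if __name__ == "__main__":
    # Constructed sample: the CIT returned no STI, card valid until 06/2030.
    state = ChainState(2030, 6)
    print(mit_chaining_fields(state, date(2029, 1, 15)))
    record_response(state, {RESPONSE_STI_FIELD: "STI-CONSTRUCTED-001"})
    print(mit_chaining_fields(state, date(2029, 2, 15)))
```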
Implementation of chaining on MOTO transactions
As with INTERNET transactions, each MOTO transaction has a transaction identifier (STI), which must then be sent in the MIT to ensure chaining.