3D Secure 2.0

Authentication

3D Secure 2.0 (3DS2) is an authentication protocol that card schemes use to verify cardholder identity for online credit and debit card payments. Under PSD2, MultiSafepay is required to apply it to all Europe-based card payments, and we enable it by default for non-EU payments as well.

3DS2 provides an extra layer of security and helps reduce fraud-related chargebacks. If a transaction is successfully authenticated using 3DS2, the issuer is responsible for fraud-related chargeback costs instead of you.

How it works

  1. The cardholder enters their payment details and is redirected to the card scheme to authenticate using their branded version of 3DS2:
    • American Express Safekey
    • Mastercard SecureCode
    • Verified by Visa
  2. MultiSafepay shares contextual information from the customer's device (fingerprint) with the issuer for a risk assessment, e.g.:
    • Transaction value
    • New or existing customer
    • Customer's location or transaction history
  3. The issuer decides whether to request additional authentication:
    • Frictionless flow: The transaction appears legitimate and is authorized without further user-side authentication. You are not liable for fraud-related chargebacks.
    • Challenge flow: The transaction appears risky, and the cardholder is asked to provide additional authentication, e.g. a password, SMS code, or fingerprint.

Direct card payments

When you collect cardholder data, you also need to collect other contextual information from the customer's device (fingerprint). This is only relevant for direct card orders and not for payment components or payment pages, where MultiSafepay collects the fingerprint on your behalf.

See also Cardholder data.

Exemptions

To help you optimize conversion and manage risk, MultiSafepay supports exemptions from 3DS2 and strong customer authentication (SCA).

⚠️ Warning: Exemptions remove an important layer of security and increase the risk of fraud. You are then liable for any fraud-related chargebacks.

Low value payments

We will soon support exemptions for low value payments (LVP) under 30 EUR.

Secure corporate payments

SCA is not required for corporate card payments made with commercial cards.

Transaction risk analysis

MultiSafepay can conduct a transaction risk analysis (TRA) for specific transactions for amounts up to EUR 500. The issuer may soft decline the exemption, in which case the customer is automatically redirected to authenticate.

Out of scope

Mail Order/Telephone Order (MOTO)

For MOTO payments, the customer gives you their card details by phone or email.
3DS2 authentication is not required.

Recurring payments

For recurring payments, 3DS2 or SCA authentication is required only for the initial payment transaction.

Solutions

Disabling 3DS2

MultiSafepay can disable 3DS2 for all your card payments.

Dynamic 3D

Dynamic 3D is a MultiSafepay solution that lets you set rules to disable 3DS2 per transaction, e.g. based on amount, or card/customer/IP country.

  • Scope: Non-EU cards only
  • Pricing: MultiSafepay applies a different fee to non-3DS2 transactions. We may also charge a fee to implement Dynamic 3D. To confirm pricing, email [email protected]
  • Activation: Provide the following required information by email to [email protected]
    • State why you want to use Dynamic 3D.
    • Provide evidence of significant volumes of non-EU card payments.
    • Specify which sites under your account this applies to.
    • Demonstrate excellent processing performance, especially for chargebacks.
    • Confirm that you understand the increased risk of chargebacks, and that you accept liability for non-payment after shipment and the pricing structure.

Flexible 3D

Flexible 3D is a MultiSafepay solution that lets you enable and disable 3DS2 per transaction via our API.

  • Scope: Non-EU cards only
  • Prerequisites: You must be certified to handle cardholder data.
  • Activation: Email [email protected]
  • Integration: See API reference – Create order > Card order. Set the type parameter to direct. Include the customer fingerprint data.


💬

Support

Email [email protected]
