3D Secure
3-D Secure adds another level of protection for merchants and cardholders. With the service enabled, the chances of fraud are reduced significantly, because each transaction is authenticated with a second factor provided by the card-issuing bank (OTP or SMS token).
3-D Secure is mandatory for certain business types. Our fraud analysts will determine whether enabling the service on your account is necessary based on your business’s risk profile.
3-D Secure is advantageous for merchants offering the following services:
- Travel websites
- Game money, digital money, prepaid cards
- Digital goods such as music, movies and software
- Rental services or sales of high-priced products
- Any online content where fraud and chargebacks occur frequently
When to consider enabling 3-D Secure?
- The business has lost many chargebacks and is unable to provide proof of delivery
- The business has experienced many cases of fraud
- The business does not require recurring payments and would like more protection against fraud
The only disadvantage of enabling 3-D Secure is that cardholders will be redirected to a bank page for every purchase. Thus, merchants will not be able to process automatic/recurring payments. However, the Customer API can be used so that cardholders do not have to re-enter their card details every time. They only need to authenticate with 3-D Secure whenever a payment is made.
Learn more on how to implement 3-D Secure.
You can easily identify charges blocked by our fraud system on the dashboard; the status will be marked "failed fraud check".
3D Secure 2
3D Secure 2 (3DS2) is the updated version of 3D Secure 1 (3DS1). 3DS1 was obsoleted in Oct 2022, and you (the merchant) must use 3DS2 for card transactions.
What are the features of 3DS2?
3D Secure 2 (3DS2) features frictionless authentication (see "How does 3DS2 work?" for an explanation) and mobile in-app flows to authenticate transactions using innovative enhancements such as fingerprints and facial recognition.
How does 3DS2 work?
3DS2 analyzes many data points and is an advanced layer of fraud protection. The cardholder enters their card details at checkout. At this point, your 3DS service provider sends an authentication request with the data to the cardholder’s bank. This data includes cardholder and device information such as device ID, MAC address, geo-location, and previous transactions.
The bank’s 3DS service provider assesses the transaction risk, and the transaction then proceeds in one of two ways:
If the data is enough for the bank to trust that the genuine cardholder is making the purchase, the transaction goes through the frictionless flow, and the authentication is completed without any additional input from the cardholder. In this case, the cardholder will not receive any OTP to authorize the transaction.
Note: With frictionless flow, you still benefit from exactly the same liability shift as for transactions that pass through the challenge flow. The bank accepts liability in case of payment disputes.
If the bank needs further proof, the system challenges the cardholder to verify their identity using an OTP, facial recognition, or a fingerprint to authenticate payment.
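The two paths described above, written as the check an integration would run before sending a charge on for card authorization. This is an added example, not code from this page or its provider: `resolve`, `Outcome` and the sample data are hypothetical, the status codes `Y`, `C`, `N`, `R` and `U` are the transStatus values of the EMV 3-D Secure specification, and denying every other status is an assumed policy.

```python
from dataclasses import dataclass

# transStatus codes from the EMV 3-D Secure specification (not named on this page).
AUTHENTICATED = "Y"
CHALLENGE_REQUIRED = "C"

@dataclass(frozen=True)
class Outcome:
    flow: str              # "frictionless", "challenge" or "none"
    authorize: bool        # may the charge go on to card authorization?
    liability_shift: bool  # per the page, the same shift applies to both flows

DENY = Outcome("none", False, False)

def resolve(first_status, challenge_status=None):
    """Map the bank's 3DS2 results to a decision (hypothetical helper).

    first_status: transStatus in the bank's first response.
    challenge_status: transStatus reported after a challenge, or None
    when no challenge has been completed.
    """
    if first_status == AUTHENTICATED:
        # Frictionless: no challenge ran, so a challenge result here
        # means the two messages do not belong together.
        if challenge_status is not None:
            return DENY
        return Outcome("frictionless", True, True)
    if first_status == CHALLENGE_REQUIRED:
        if challenge_status == AUTHENTICATED:
            return Outcome("challenge", True, True)
        # Pending, failed or abandoned challenge: do not authorize.
        return Outcome("challenge", False, False)
    # "N", "R", "U" and anything unrecognized: fail closed (assumed policy).
    return DENY

# Constructed sample results: (first response, challenge result).
SAMPLES = [("Y", None), ("C", "Y"), ("C", None), ("C", "N"),
           ("N", None), ("Y", "Y"), ("?", None)]

def summarize(samples):
    """Return the (flow, authorize) pair for each sample."""
    return [(o.flow, o.authorize)
            for o in (resolve(first, chal) for first, chal in samples)]

if __name__ == "__main__":
    for sample, result in zip(SAMPLES, summarize(SAMPLES)):
        print(sample, "->", result)
```
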
The following diagram illustrates the 3DS2 flow: