3D Secure Flow

What Does 3D Secure Mean?

3D Secure stands for Three Domain Security, because there are three "domains" involved in the process: the Issuer Domain, the Interoperability Domain and the Acquirer Domain.

  • The issuer domain is where the consumer and issuing bank act.
  • The acquirer domain is where the gateway and acquiring bank act.
  • The interoperability domain is where all the "connecting" services act (DS - Directory Server & ACS - Access Control Server).

How Does a Regular Card Payment Work?

In AceHub, in a regular card non 3D Secure authorization process there are four primary parties involved, as listed below:

  • Consumer: the person who is shopping online and has a credit card.
  • AceHub (& merchant): the payment gateway for the merchant where the consumer is making the purchase.
  • Acquiring bank: AceHub's acquiring bank through which we process the card payments.
  • Issuing bank: The bank that issued the consumer's card.

The figure below shows a card non 3D Secure payment process flow:

Regular Card Payment Flow - No 3D Secure

Regular Card Payment Flow - No 3D Secure

Steps

  1. The Consumer enters their card information (card number, expiry date, etc.) on the Merchant's website.
  2. AceHub submits the card information to the Acquiring bank on behalf of the merchant.
  3. The Acquiring bank authorizes the transaction (by communicating with the card network and issuing bank).
  4. The authorization response (either success or failure) is sent back to AceHub.
  5. The transaction response (either success or failure) is sent back to the Consumer via the Merchant's website.

How Does a 3D Secure Card Payment Work?

When using 3D Secure a number of additional steps are added to the card payment flow with the aim of authenticating the Consumer who performs the transaction.

3D Secure with Internal MPI

The figure below shows a simplified 3D Secure with Internal MPI flow in AceHub:

3D Secure Card Payment Flow with Internal MPI

3D Secure Card Payment Flow with Internal MPI

Steps

  1. The Consumer enters their card information (card number, expiry date, etc.) on the Merchant's website.
  2. The Merchant submits a request with the card information to AceHub.
  3. AceHub contacts the MPI. The Directory Server and the Access Control Server are called straightaway to check if the card is enrolled in the 3D Secure program or not.
  4. The MPI responds with the result of the check enrollment call.
  5. When the card is enrolled in the 3D Secure program, AceHub returns to the Merchant all the information required to redirect the Consumer to the issuing bank Access Control Server for authentication.
  6. The Merchant redirects the Consumer to the issuing bank Access Control Server for authentication. Once the authentication page loads, the Consumer authenticates, usually with a one time password sent to their mobile phone by the issuing bank, or a personal PIN.
  7. The Access Control Server posts the Payer Authentication Response back to AceHub through the consumer's browser.
  8. The Payer Authentication Response is sent to the MPI for validation.
  9. The MPI validates the Payer Authentication Response and returns the ECI (Electronic Commerce Indicator), AVV (Authentication Verification Value), and XID (Transaction Identifier).
  10. AceHub submits the card information and the ECI, AVV, and XID fields to the Acquiring bank.
  11. The Acquiring bank authorizes the transaction (by communicating with the card network and issuing bank).
  12. The authorization response (either success or failure) is sent back to AceHub.
  13. AceHub sent back the transaction identifier to the Merchant's website through the consumer's browser.
  14. The Merchant requests Acehub about the transaction result.
  15. The transaction result (either success or failure) is sent back to the Merchant.
  16. The transaction result (either success or failure) is sent back to the Consumer via the Merchant's website.

3D Secure with External MPI

The figure below shows a simplified 3D Secure with External MPI flow in AceHub:

3D Secure Card Payment Flow with External MPI

3D Secure Card Payment Flow with External MPI

Steps

  1. The Consumer enters their card information (card number, expiry date, etc.) on the Merchant's website.
  2. The Merchant directly calls the MPI to check if the card is enrolled in the 3D Secure program, redirects the Consumer to the issuing bank Access Control Server for authentication, and calls the MPI to validate the Payer Authentication Response.
  3. The MPI validates the Payer Authentication Response and returns the ECI (Electronic Commerce Indicator), AVV (Authentication Verification Value), and XID (Transaction Identifier).
  4. The Merchant submits a request to AceHub with the card information and the ECI, AVV, and XID fields.
  5. AceHub submits the card information and the ECI, AVV, and XID fields to the Acquiring bank.
  6. The Acquiring bank authorizes the transaction (by communicating with the card network and issuing bank).
  7. The authorization response (either success or failure) is sent back to AceHub.
  8. The transaction response (either success or failure) is sent back to the Consumer via the Merchant's website.

3D Secure Authentication Page Example

Below you can see the typical format of an authentication page shown to consumers.

3D Secure authentication page

3D Secure authentication page

Authorization vs Authentication

When discussing card transactions the terms authorization and authentication refer to different things.

Authorization is the verification by the issuing bank of the validity of the card details provided, and the consent to the charge based on internal rules (e.g. e-commerce allowed, acquiring country allowed, funds available, etc.).

Authentication refers to the consumer proving to the issuing bank that it is indeed him performing a transaction. The "authentication" occurs in a similar manner to when one logs into a website.

3D Secure Flow


Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.


Top