When you are paying in a shop with a credit or debit card, you will be asked to insert your card into the terminal and enter your PIN. This PIN is stored on the chip on your card and the terminal will compare the PIN entered with the PIN stored. This way it proves that it is the cardholder who is making the payment and not someone who has ‘found’ the card. This is why it is so important that you NEVER share your PIN with anyone.
If you are buying online, you obviously cannot insert your card into a terminal. Instead, a system called 3D Secure was developed. It was started by Visa as ‘Verified by Visa’ but was adopted by most other schemes: Mastercard (‘SecureCode’), Discover (‘ProtectBuy’), JCB International (‘J/Secure’), and American Express (‘SafeKey’).
How it works
When you enter your card number, in the background a message is sent by the gateway* to a server hosted by the relevant scheme. This server keeps a database of all issuers who participate in 3D Secure and the website they host to support it. If the issuer is not participating, the server will respond with an ‘Authentication Attempted’ message (see below). If the issuer is participating, the server will return the website address.
The gateway* will now redirect the cardholder from the merchant website to the website address provided. This is the website that the issuer has nominated for the 3DS process. In many cases, the issuer has outsourced this to a third party. This is why you often see a name you don’t recognise, for example, Arcot.
When the cardholder is redirected, information is also posted to the website in the background, which allows the website to recognise the cardholder and to know the amount of the payment and who it is to. Because the issuer knows the cardholder’s phone number (it is their customer after all) it will send a PIN to this number. The cardholder enters this number on the website. This allows the issuer to compare the two and know that it is their cardholder who is looking to make a payment.
The result of this comparison is sent back to the requesting gateway*.
The merchant can now decide if they want to proceed to authorisation or not.
*Depending on the integration method chosen by the merchant, this can be a message sent by the merchant via the gateway, or the process can be fully handled by the gateway. Merchants cannot send a message directly.
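The flow in the steps above, as an added simulation written for this article (not code from the original post or from any card scheme or gateway): the directory lookup, the redirect to the issuer's nominated site, the one-time PIN challenge, and the result relayed back to the gateway. The BIN prefix, ACS address and phone number are constructed values, and the outcome labels "authenticated", "attempted" and "failed" are assumed names, not scheme-defined codes.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed directory: BIN prefixes of participating issuers and the site
# each has nominated for 3DS. Hypothetical values, not real issuer data.
DIRECTORY = {"411111": "https://acs.example-issuer.test/3ds"}


@dataclass
class IssuerACS:
    """Issuer-side site: sends a one-time PIN to the cardholder and checks the reply."""
    phone_by_pan: dict                      # the issuer already knows its customer's number
    max_attempts: int = 3
    sent_sms: list = field(default_factory=list)
    _challenges: dict = field(default_factory=dict)

    def start_challenge(self, pan, amount, merchant):
        otp = f"{secrets.randbelow(10**6):06d}"          # fresh 6-digit PIN per attempt
        self._challenges[pan] = {"otp": otp, "attempts": 0}
        # Amount and payee are shown so the cardholder can see what they approve.
        self.sent_sms.append((self.phone_by_pan[pan], f"{merchant} {amount}: {otp}"))

    def verify(self, pan, entered):
        ch = self._challenges.get(pan)
        if ch is None or ch["attempts"] >= self.max_attempts:
            return "failed"                               # no live challenge, or guesses exhausted
        ch["attempts"] += 1
        if hmac.compare_digest(ch["otp"], entered):       # constant-time comparison
            del self._challenges[pan]                     # one-time: a used PIN cannot be replayed
            return "authenticated"
        return "failed"


def directory_lookup(pan):
    """Scheme directory server: the issuer's 3DS site if it participates, else None."""
    return DIRECTORY.get(pan[:6])


def gateway_authenticate(pan, amount, merchant, acs, cardholder):
    """Gateway side: look up the issuer, redirect the cardholder, relay the result."""
    url = directory_lookup(pan)
    if url is None:
        return "attempted"          # issuer not participating: 'Authentication Attempted'
    acs.start_challenge(pan, amount, merchant)
    # Redirect: the cardholder lands on `url`, reads the SMS and types the PIN in.
    entered = cardholder(acs.sent_sms[-1][1])
    return acs.verify(pan, entered)
```

The `cardholder` callable stands in for the person reading the text message; a genuine cardholder returns the PIN from it, while someone who only holds the card number cannot.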
To Proceed or Not to Proceed
Depending on the outcome, the merchant either is or is not liable for a fraudulent chargeback.
The table below gives an overview of the possible outcomes, what each means for you, and the recommended action.