Glossary

Learn 3D Secure industry terms

3 A B C D E F L N O P R S T
3

3-D Secure 1.0

Generally known as 3DS1, 3-D Secure 1.0 is a Visa-designed XML protocol that adds an additional layer of security to online credit card transactions, where customers receive the service as Verified by Visa. Mastercard, JCB, American Express, and Diners Club International have also utilised this protocol with their SecureCode, J/Secure, SafeKey, and ProtectBuy services.

3-D Secure 2.0

The system facilitates the transmission of extensive information during transactions, enabling risk-based decisions. In comparison to 3-D Secure 1.0, the consumer experience will be improved through the exclusion of the initial enrolment process and the requirement for cardholders to memorise static passwords. Additionally, this version of the protocol will support non-payment authentication and native mobile devices.

Often abbreviated as 3DS2, this protocol enables the site owner to personalise the page and provide authentication methods such as biometrics, SMS messages, and passwords. 3DS2 is developed with mobile devices in mind and is more customer-focused than the 3DS1. 

3DS Requestor

A 3Ds requestor is the party that initiates the 3-D Secure 2.0 authentication request to confirm that an account is still available or to verify a cardholder. For instance, the requestor could be a retailer or a digital wallet requesting authentication during the purchase flow.

3DS SDK / Mobile SDK

Embedded software within a merchant's mobile app that facilitates cardholder authentication. When a cardholder initiates an in-app (mobile) transaction, the 3DS SDK notifies the 3DS Core Components to verify the cardholder.

3DS Server

A 3Ds server provides the functional link between the DS and 3DS Requestor Environment flows. It  is accountable for collecting the required data elements for 3-D Secure messages, authenticating the DS, validating the DS, the 3DS SDK, and the 3DS Requestor, as well as protecting the message contents.

A

Access Control Server

The issuer domain (banks) of 3-D Secure protocols includes the Access Control Server (ACS). Each card issuer is required to maintain an ACS utilised for supporting cardholder authentication. A customer can authenticate to the ACS by providing their username and password; the ACS then signs the result as either valid or invalid. This signature is transmitted to the Merchant Plug-in via the customer's browser (MPI). The MPI verifies the ACS signature and decides whether the transaction should proceed.

Due to the need to maintain the confidentiality of the transaction, the cardholder is diverted to the website of the issuing bank during the 3-D Secure process. When the information is given to the bank, the MPI returns the verification to continue rejecting or accepting the user's authenticity. The MPI connects card servers and merchant servers for verification purposes.

Learn more about ACS through 3DS1 and 3DS2.

B

Biometric Authentication

Verification of an individual's identity based on their unique biological characteristics, including facial recognition or voice identification. Biometric authentication systems compare captured biometric data with confirmed authentic database data. For authentication to be validated, both biometric data samples must match.

C

Card-Not-Present Fraud

When a customer manually enters credit card information during a transaction without physically presenting the card to the merchant, it is considered card-not-present (CNP) fraud. This type of fraud typically occurs online when the fraudulent party obtains the cardholder's information without their consent, such as their three-digit security code. Commonly, CNP fraud is committed via phishing.

Card Scheme

Card schemes are payment networks that establish regulations and provide infrastructure to issue cards and process card-based transactions, such as debit and credit card transactions. Issuers (bank or financial institution) and acquirers (merchant or customer) must be part of the same network as the card in order for a payment to be processed.

Chargeback

Chargeback refers to the return of funds used to make a purchase, initiated by the bank or financial institution that issued the funds. It was one of the advantages of 3-D Secure 1.0 in regards to the fact that it reduced the likelihood of chargebacks. If a chargeback occurs, the cardholder's bank will be held responsible.

D

Directory Server

A central repository for storing and operating data, including identity profiles. Directory Server can be used to authenticate and authorise users to ensure safe access to an organisation, internet services, and applications. Directory Server is expandable as it can be integrated within existing systems, and permits the integration of employee, customer, supplier, and associates data.

E

EMVCo

Originally known as EMV, this international standard for credit and debit card payments is based on chip card technology. It was named after the card schemes that founded it, namely Europay, MasterCard, and Visa. EMVCo, a collaboration of financial institutions including Visa, Mastercard, American Express, China Union Pay, JCB, Discover/Diners Club International, and Rupay, now regulates the standard. Additionally, they are the creators of EMV Three-Domain Secure (3DS). The mission of EMVCo is to promote global interoperability and ensure the safety of all online payment transactions.

F

Frictionless Flow

Instated through risk-based authentication performed in the ACS, this feature enables issuers to approve a payment without interacting with the cardholder. As the customer confirms an online purchase, all of their shopping details, including device data, item purchased, and value, are sent to the ACS in order to verify the cardholder's identity using risk-based elements. Since this procedure occurs invisibly, it is considered frictionless.  Customers are guided to the order confirmation page without being informed that their transaction has been screened.

L

Liability Shift

When the liability for chargeback loss is transferred back to the bank from the merchant. This typically occurs during eCommerce transactions in which the cardholder denies making a purchase, as well as fraudulent transactions.

N

Non-Payment User authentication

A category of 3DS messages that can be used to verify identity outside of the payment ecosystem, allowing wallet providers and issuers to streamline the provisioning and activation of cardholders in a secure manner. Discover more about 3DS2 non-payment authentication.

O

One Time Passwords

One-time passwords is a system that provides a mechanism for logging on to a network or service with a password that is unique and valid for only one login session or transaction. This protects online bank accounts, enterprise networks, and other systems that contain sensitive information, from certain types of identity fraud by making sure that a stored username and password cannot be used more than once.

Out Of Band Authentication

Out of band (OOB) authentication is the protection authentication mechanism that requires two distinct signals from two distinct separate channels or networks. In a business environment, an OOB satisfies security requirements by generating a request for secondary verification.

P

Payment Gateway

An online service that authorises the transfer of funds between sellers and buyers in an online marketplace. It encourages transactions by transferring data between payment portals, such as a website and a bank.

Payment Service Directive 2 (PSD2)

A type of payment service directive. Since banks are no longer the only entity with access to their customers' data. PSD2 permits bank customers to grant third parties access to their account information and the authority to manage their finances. For instance, Facebook could be used to make payments directly from customers' bank accounts.

R

Risk-Based Authentication

An authentication and authorisation technology that uses a variety of user-provided factors. This includes evaluating the user's behaviour, devices, and other variables to determine if they pose a threat. If the user fails to meet a set standard, they will be urged to provide additional verification information. This could be the answer to a security question or a biometric element. Explore the topic of risk-based authentication.

S

Strong Customer Authentication (SCA)

Using biometrics to validate card-not-present digital transactions is a new European legal mandate designed to make online payments more secure. With the PSD2 (Revised Payment Service Directive) regulations, the user will be required to provide more information than just the card number and CVC verification code at the time of payment. SCA uses three distinct types of information to confirm user identities:

   1. Information the user knows, such as a password or PIN
   2. Something the user owns, such as a card or mobile phone
   3. Something the user is, such as fingerprints or facial recognition

T

Transaction/Cart Abandonment

The act of a potential eCommerce customer abandoning their purchases/shopping cart during the payment phase of the checkout process. This typically occurs when a customer forgets the additional 3-D Secure verification requirement or when the page does not display correctly on a mobile device.

Two Factor Authentication (2FA)

A type of multi-factor authentication that verifies the claimed identities of users. The method authenticates the transaction using two of the three factors:

   1. Information the user knows, such as a password or PIN
   2. Something the user owns, such as a card or mobile phone
   3. Something the user is, such as fingerprints or facial recognition

Copyright © 2021 GPayments Pty Ltd. All rights reserved.
Privacy Policy / Cookies
/ Company Policy