The 3D Secure System Explained

The 3D Secure system is a scheme implemented by the card schemes (primarily Visa, who call it Verified by Visa or VbV, and MasterCard, who call it MasterCard SecureCode).

The basic concept of the system is to tie the financial authorisation process to an online authentication of the cardholder. This authentication is based on a three-domain model (the "3D" in the name). The three domains are the Acquirer Domain (the merchant and its acquiring bank), the Issuer Domain (the bank that issued the card) and finally the Interoperability Domain (the card scheme infrastructure that links the other two).

The transaction is effectively broken into two messages. During the initial message the card number is checked to see whether it is enrolled in the card-issuing organisation’s (usually a bank’s) 3D Secure scheme. If the card is enrolled in the scheme, the transaction is “paused” & the message ends, informing the merchant’s website (and so the customer) that they must authenticate their card. This happens by redirecting the customer to their card-issuing organisation’s website, where they validate their card directly with the issuer. They are then redirected back to the merchant’s website, which passes the authentication payment response generated by the card-issuer’s website during the authentication process back to the payment gateway in the second message of the transaction. The gateway then verifies the authentication payment response with the card-issuer directly &, depending on the result, the transaction is resumed or rejected.

Listed below are the steps that a 3D Secure transaction takes (the original post also illustrated them with a diagram):

1) The cardholder navigates to the merchant’s website & enters their credit card details in the merchant’s payment form (this form may reside on the merchant’s servers or on the payment processing servers).

2) The credit card information is submitted to the payment gateway by the merchant’s payment form (using a CardDetailsTransaction message).

3) The payment gateway contacts the Directory Server to query whether this credit card is enrolled (or needs to be enrolled) in the 3D Secure scheme.

4) The Directory Server passes the enrolment status back to the payment gateway, which in turn either continues processing the transaction as normal (if the card is not enrolled), or passes the URL of the cardholder’s bank’s Access Control Server (ACSURL), together with the additional data from which a Payment Request string (PaREQ) is built, back to the merchant’s payment form. This is done using the CardDetailsTransactionResponse message.

5) The customer is then redirected by the payment form to their bank’s Access Control Server, where they are greeted with the last 4 digits of their credit card & the identification text they specified when registering their card for 3D Secure. The customer validates their card using their 3D Secure password, which is checked by their bank’s Access Control Server.

6) The Access Control Server then initiates a redirect of the customer’s browser back to a secure processing page on the merchant’s website (TermUrl), which forwards the payment response string (PaRES) from the Access Control Server to the payment gateway using a ThreeDSecureAuthentication message.

7) Depending on the contents of the payment response (PaRES), the transaction is either declined immediately (following a 3D Secure authentication failure) or submitted to the bank for authorisation. The result of the transaction is then passed back to the merchant’s system in a ThreeDSecureAuthenticationResponse message, and the merchant’s system displays the payment result to the customer.
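The two-message flow described in steps 2 to 7, as an added model that is not part of the original post or of any gateway’s code. It is a constructed simulation: the Directory Server, ACS, enrolled card, ACSURL, password and the HMAC "signature" on the PaRes are all assumptions standing in for the real signed XML messages, and the point it demonstrates is the defensive one from the text: the gateway never trusts the PaRes forwarded through the customer’s browser, but verifies it with the issuer and checks that it belongs to the paused transaction before resuming.

```python
import hmac, hashlib, json, base64

# Constructed model of the 3D Secure two-message flow. Real PaReq/PaRes are XML
# documents signed by the issuer's ACS; here the ACS signature is modelled as an
# HMAC over the PaRes body with a key known to the ACS and the verifying party.
ISSUER_KEY = b"constructed-demo-key"            # assumption: shared ACS/verifier key
ENROLLED = {"4111111111111111"}                 # constructed: cards enrolled in 3DS

def _sign(body):
    """ACS-side signature over a canonical serialisation of the PaRes body."""
    canonical = json.dumps(body, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, canonical, hashlib.sha256).hexdigest()

def directory_server(pan):
    """Step 3/4: gateway asks the Directory Server whether the card is enrolled."""
    if pan in ENROLLED:
        return {"enrolled": True, "ACSURL": "https://acs.example/auth"}  # assumed URL
    return {"enrolled": False}

def card_details_transaction(pan, amount, tx_id):
    """Message 1 (CardDetailsTransaction): continue as normal, or pause with ACSURL + PaReq."""
    ds = directory_server(pan)
    if not ds["enrolled"]:
        return {"status": "CONTINUE", "tx_id": tx_id}
    pareq = {"tx_id": tx_id, "pan_last4": pan[-4:], "amount": amount}
    return {"status": "3DS_REQUIRED", "ACSURL": ds["ACSURL"],
            "PaReq": base64.b64encode(json.dumps(pareq).encode()).decode()}

def access_control_server(pareq, password):
    """Step 5: cardholder authenticates with the issuer; ACS returns a signed PaRes (Y or N)."""
    req = json.loads(base64.b64decode(pareq))
    body = {"tx_id": req["tx_id"], "amount": req["amount"],
            "status": "Y" if password == "correct-horse" else "N"}  # constructed password
    return base64.b64encode(json.dumps({"body": body, "mac": _sign(body)}).encode()).decode()

def three_d_secure_authentication(pares, tx_id, amount):
    """Message 2 (ThreeDSecureAuthentication): verify the PaRes before resuming the transaction."""
    try:
        res = json.loads(base64.b64decode(pares))
        body, mac = res["body"], res["mac"]
    except (ValueError, KeyError, TypeError):
        return "DECLINED"                       # not a PaRes at all
    if not hmac.compare_digest(mac, _sign(body)):
        return "DECLINED"                       # forged or altered on its way through the browser
    if body["tx_id"] != tx_id or body["amount"] != amount:
        return "DECLINED"                       # genuine PaRes, but for a different transaction
    return "RESUMED" if body["status"] == "Y" else "DECLINED"
```

A "RESUMED" result is where step 7 hands the transaction to the bank for authorisation; everything else is the immediate decline the text describes.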
