3D Secure (3DS) is an authentication protocol for online card payments developed by major card networks. It reduces the risk of fraud by ensuring the card is used by its true holder through multi-factor authentication.

This protocol involves the following actors:

  • The cardholder - The end user initiating the online payment by card.
  • The merchant - In the case of Mangopay, the through which the funds are transiting.
  • The issuer - The bank or PSP of the cardholder who determines whether or not to authorize the payment based on the information received.

Benefits

The 3DS2 protocol benefits all the actors of an online transaction. It contributes to:

  • A safer, smoother online payment experience for the cardholder, resulting in less checkout abandonment.
  • Reduced risk of fraud and instances of false decline which strengthens the end user’s confidence in the platform. When SCA is applied, the platform may also benefit from a liability shift to the card issuer in case of a fraudulent transaction.
  • A better process to determine the legitimacy of the transaction for the issuer, which means higher approval rates and fewer fraudulent transactions.

The second version (3DS2) facilitates strong customer authentication (SCA) to meet the regulatory technical standards of the European Union’s revised Payments Services Directive (PSD2).

Scope

SCA applies to online payments in Europe. The following conditions must be met:

  • - This means that the user is online when the payment is made (as opposed to an ).
  • Within Europe - The and are both in the , the UK, or Switzerland.

At Mangopay, this means with cards from major networks (CB, Visa, Mastercard, Maestro, AMEX, etc.) that meet these conditions, as well as card validations.

Endpoint

Direct card pay-in

Endpoint

Recurring pay-in (CIT)

Endpoint

Preauthorization

Endpoint

Deposit Preauthorization

Endpoint

Card validation

Out of scope

SCA doesn’t apply in some cases:

  • Merchant-initiated transactions (MIT), for example during recurring card payments
  • Anonymous transactions, for example with anonymous cards
  • Mail-order and telephone-order (MOTO) transactions

MOTO transactions

Platforms can process MOTO transactions with Mangopay by setting the PaymentCategory parameter to TelephoneOrder (otherwise ECommerce by default). The feature requires activation by Mangopay and is available on the following endpoints:

Caution - Liability with platform for MOTO transactions

Because SCA does not apply to MOTO transactions, they are inherently less secure and liability is always with the platform in case of chargeback.

How does it work?

When the platform’s app or website starts processing the payment, the following flows can be triggered:

Challenge flow

is required: the platform redirects the end user to the payment page for SCA. This step is mandatory for the payment to succeed.

Frictionless flow

Based on the data sent by the platform, the card issuer identifies the transaction as low risk and does not require SCA. Such cases are called exemptions.

SCA is triggered when:

  • The platform defines the SecureMode parameter of the pay-in to FORCE.
  • Mangopay automatically switches the SecureMode parameter to FORCE. This may be because the transaction amount exceeds the platform’s or due to Mangopay’s analysis of the fraud risk.
  • The issuer applies SCA, regardless of the SecureMode value or if the parameter is not present.

Caution - The issuer decides when SCA is applied

Regardless of the requested flow, the final decision to apply SCA or not rests with the . In other words, you can set the SecureMode parameter to FORCE and end up being exempted from SCA, or request for an exemption and still have SCA applied.

For more information about how to handle 3DS, see:

How to

Learn how to process a card payment

SCA exemptions

Acquirers may request exemptions to for some . These exemptions are based on the transactional data collected thanks to 3DS2. Issuers can then either:

  • Challenge the transaction and force SCA or,
  • Allow a frictionless flow for the end user.

Note - No exemption for recurring pay-ins (CIT)

Strong customer authentication is always applicable for CITs when making a recurring pay-in.

Exemptions:

  • Are not automatic, but requested and justified with sufficient information.
  • Are always requested by acquirers and issuers, not the platform.
  • Can only be requested once per transaction.

The following transaction types may be exempted from SCA if accepted by the issuer:

Low-amount transactions

Transactions under €30 may be exempted from SCA until they reach one of the following limits:

  • More than 5 consecutive transactions
  • More than €100 in cumulated transactions These limits have no timeframe and transactions with any payment service provider (PSP) count towards the limits.

Note: Amounts considered as low can vary depending on the bank, currency, and Mangopay’s internal rules to ensure a smooth and secure experience.

Low-risk transactions

Transaction risk analysis (TRA) tools of PSPs allow the regulatory technical standards to define reference fraud rates under which certain transaction amounts may be exempted. Are considered low risk:

  • Transactions < €100 with a PSP fraud rate ≤ 0.13%
  • Transactions €100-250 with a PSP fraud rate ≤ 0.06%
  • Transactions €250-500 with a PSP fraud rate ≤ 0.0.1%

Was this page helpful?

How toCard fingerprint