
EMV 3D Secure

The EMV 3D Secure protocol allows the buyer to authenticate themselves with the card issuer during an online payment.

Authentication can be carried out:

  • Without cardholder interaction ("frictionless" authentication), where the cardholder is not explicitly asked to authenticate themselves during the payment.
  • With cardholder interaction (strong authentication or "challenge").

In the case of strong authentication, different authentication methods are implemented depending on the bank, such as:

  • Authentication by mobile application. The buyer receives a notification on their smartphone and authenticates via their bank's mobile application by entering a secret code or using their biometric data. They confirm the payment from the application, then return to the merchant site.
  • Authentication by security code. The buyer receives a single-use code sent by SMS and enters it on the authentication page to authenticate.

The protocol also allows the buyer to be authenticated using data about the device used for the payment.

To this end, a script is executed during the authentication phase to obtain the fingerprint of the device (the "fingerprint" or "3DS method" step).

Schematic diagram of authentication

Operating principle of the PCI/Charge/Authenticate service

The general principle applies to EMV 3D Secure authentication.

Notes

  • The received instruction can be of "CHALLENGE" or "FINGERPRINT" type.
  • The authentication page can be displayed in a visible or invisible iFrame.
  • An authorization request can be sent to the acquirer if the authentication status is "SUCCESS", "ATTEMPT" or "NOT_ENROLLED". Any other case should result in a rejected payment.
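
The gate described in the notes above, written as a fail-closed decision on the merchant server. This is an added example, not code from the original documentation or the payment gateway. The response keys `kind`, `type` and `status`, the `MAX_INSTRUCTIONS` cap and the sample flow are assumptions made for illustration and do not reproduce the gateway's response schema.

```python
# Added example: fail-closed handling of authentication responses.
# Assumption: each response is a dict with hypothetical keys "kind"
# ("instruction" or "result"), "type" and "status" (not the real schema).
from collections import namedtuple

Decision = namedtuple("Decision", "action reason")

INSTRUCTION_TYPES = frozenset({"CHALLENGE", "FINGERPRINT"})
AUTHORIZABLE = frozenset({"SUCCESS", "ATTEMPT", "NOT_ENROLLED"})
MAX_INSTRUCTIONS = 5  # assumed cap so a flow cannot loop forever

def next_step(response, instructions_seen=0):
    """Map one response to RUN_INSTRUCTION, AUTHORIZE or REJECT."""
    if not isinstance(response, dict):
        return Decision("REJECT", "malformed response")
    kind = response.get("kind")
    if kind == "instruction":
        itype = response.get("type")
        if not isinstance(itype, str) or itype not in INSTRUCTION_TYPES:
            return Decision("REJECT", "unknown instruction type")
        if instructions_seen >= MAX_INSTRUCTIONS:
            return Decision("REJECT", "too many instructions")
        return Decision("RUN_INSTRUCTION", itype)
    if kind == "result":
        status = response.get("status")
        # Exact, case-sensitive allowlist: anything else is rejected.
        if isinstance(status, str) and status in AUTHORIZABLE:
            return Decision("AUTHORIZE", status)
        return Decision("REJECT", "status not authorizable")
    return Decision("REJECT", "unknown response kind")

def run_flow(responses):
    """Walk a sequence of responses until a final decision is reached."""
    seen = 0
    for response in responses:
        decision = next_step(response, seen)
        if decision.action != "RUN_INSTRUCTION":
            return decision
        seen += 1
    # No final status was ever received: do not authorize.
    return Decision("REJECT", "flow ended without a result")

# Constructed sample flow: fingerprint, then challenge, then a result.
SAMPLE_FLOW = [
    {"kind": "instruction", "type": "FINGERPRINT"},
    {"kind": "instruction", "type": "CHALLENGE"},
    {"kind": "result", "status": "SUCCESS"},
]
```

A missing, misspelled or differently cased status, an unknown instruction type, or a flow that stops before a final result all end in `REJECT`, so no authorization request is sent unless one of the three listed statuses is received exactly.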