Last updated

3D Secure (3DS)

3DS is a security protocol that helps prevent fraud in online credit and debit card transactions. 3D stands for the three domains that interact using the protocol: the merchant or acquirer domain, the issuer domain, and the interoperability domain.

How 3DS works

When a customer makes a purchase online, the merchant's website sends a request to the cardholder's bank to authenticate the transaction. The bank then sends a request to the cardholder to verify their identity. The cardholder can verify their identity by entering a password, a one-time code, or using biometric authentication.

If the cardholder successfully authenticates the transaction, the bank sends a response back to the merchant, and the transaction is completed. If the cardholder fails to authenticate the transaction, the transaction is declined.

Benefits of 3DS

3DS provides the following benefits for merchants and cardholders:

  • Reduce fraud: Prevent unauthorized transactions and reduce the risk of fraud.
  • Chargeback protection and liability: Shift liability for chargebacks from the merchant to the cardholder's bank, reducing the financial risk for merchants.
  • Increase approval rates: Increase approval rates for transactions by providing an additional layer of security.
  • Enhance customer trust: Help build trust with customers by providing an extra layer of security for online transactions, and provides peace of mind when making online purchases.
  • Regulatory compliance: Comply with regulations and industry standards for online transactions, reducing the risk of fines and penalties.
  • Global acceptance: 3DS is widely accepted by banks and card networks around the world.
  • Reduced fraud-related costs: Reduce fraud-related costs for merchants by preventing unauthorized transactions.

Configure 3D Secure

To use the Rebilly 3DS provider (, you must obtain the following merchant information from your acquirer:

  • Acquirer Merchant Identification Number (MID) for both Visa and Mastercard.
  • Acquirer Bank Identification Number (BIN) for Visa (automatic enrollment).
  • Acquirer BIN for Mastercard (manual enrollment).
  • Merchant name.
  • Merchant country.
  • Merchant URL.

Mastercard enrollment must be initiated by the acquirer, and the acquirer must enroll the specific acquirerBIN and acquirerMerchantID into their system. Enrollment is completed by the acquirer using the Mastercard Connect ISSM tool. If required, Rebilly can provide all PCI DSS and PCI 3DS certification documentation. For assistance, contact Rebilly support.

To configure 3D Secure on a payment gateway, see Configure 3D Secure (3DS).

3DS flow

This process describes the flow of a 3DS transaction between a merchant, a cardholder, and the cardholder's bank:

  1. Authentication request: The merchant sends an authentication request to the cardholder's bank.
  2. Cardholder authentication: The cardholder authenticates the transaction using a password, one-time code, or biometric authentication.
  3. Transaction response: The bank sends a response back to the merchant, indicating whether the transaction was authenticated or declined.
  4. Transaction completion: If the transaction is authenticated, the transaction is completed. If the transaction is declined, the cardholder is prompted to try again or use a different payment method.

3DS internal flow

This process describes the internal flow between a payment gateway that is using 3DS and Rebilly.

  1. A transaction is created and 3DS is enabled on the selected payment gateway. Rebilly returns the approvalUrl and the transaction with a status of waiting-approval and a result of unknown.
  2. Rebilly detects when the customer is redirected to the approvalUrl. When this occurs, the transaction status is set to offsite and the result is set to unknown. Rebilly does not redirect the customer to theapprovalUrl, that must be completed by whomever is calling the API.
  3. After a successful 3DS flow that triggers the call to the payment gateway, the customer is redirected back to Rebilly.
  4. Rebilly receives the response from the payment gateway. The transaction status is set to completed and result is set to approved, or declined.
  5. The customer is redirected back to the redirectUrl.

To view all transaction result and status values, status and result.

Test 3DS

To verify your 3DS configuration is working correctly, see Test a 3DS challenge flow and Test a generic 3DS flow.