1. Introduction

3-D Secure (also referred to as 3D secure authentication or 3DS) is a fraud prevention protocol that makes it possible to identify the cardholder by requesting online authentication. Unfortunately, 3DS may not just complicate the payment process for your customers but may also prevent valid and honest transactions from a successful completing at checkout.

Thankfully, you can use Selective use of 3-D Secure to:

  • Combine with otherPostFinance anti-fraud modules.
  • Find the perfect balance between fraud protection and maintaining a smooth checkout experience for your customers.
  • Deactivate 3-D Secure for low amounts transactions.

You will need an active Fraud Expert Scoring or Fraud Expert Checklist subscription to use this service. If you do not have a subscription, get in touch with an PostFinance representative.

2. Before we begin

Selective use of 3-D Secure tool will need to be used in conjunction with one of the following Fraud Detection modules:

This guide will walk you through how to deactivate 3-D Secure (3DS) for transactions that are considered low risk by FDMAs or FDMAc.

To get started, make sure that your FDMAc or FDMAs subscription is activated. You can do this by going to Configuration > Account > Your options in your account. 

3. Manage 3DS settings

Once your fraud subscription is active, we can now configure your 3DS settings.

Configure 3DS settings

Go to Advanced > Fraud Detection. 3DS has to be configured individually for each payment method. Under 3-D Secure, select a payment method by clicking on EDIT. Any of these settings will overrule 3D-Secure preferences that you have configured with CAP1 or CAP2 (i.e. a Force Review rule will be ignored).

The table below provides you a guide on possible settings that you can configure.

Description of settings Explanation
Deactivate 3-D Secure for the following BIN Enter the first six digits of a credit card
Deactivate 3-D Secure when the transaction amount is less than X EUR If a transaction is below a specific amount 3DS will not be triggered
Deactivate 3-D Secure for the following Card country Available only for Visa / MasterCard / American Express / Diners
Deactivate 3-D Secure for the following IP country
Deactivate 3-D Secure when Global Fraud Score is Red Available only if you are using Checklist or Scoring and Fraud Expert
Deactivate 3-D Secure when Global Fraud Score is Green Available only if you are using Checklist or Scoring and Fraud Expert

Selective use of 3DS

Add items by entering a specific value in the input fields or select an item from the dropdown menu. Remove items by flagging Delete. Confirm any of your actions by clicking on SUBMIT.

Note: By using these settings, you might not benefit from the conditional payment guarantee in case of chargebacks. Please contact your acquirer for more information.

If you have configured more than one setting, 3DS will be deactivated even if only one condition is met.


From 1st January 2020 for Europe and from 14th September 2021 for UK, Strong Customer Authentication (SCA) rules will come into effect for all digital payments in Europe. Right now, banks, payment service providers and card networks are all working on technical solutions that will comply with the requirements for PSD2. To accept payments after January 1st you will have to make sure that these technical solutions will work with your online store.

Accepting payments from the world’s largest card networks, Visa, Mastercard and Amex, will require that you have implemented the security solution 3D Secure for your online store. 3D Secure has been used since 2001 to improve the security for online card transaction but now a new version has been developed that will facilitate the PSD2 Strong Customer Authentication requirements.

We recommend you to use 3-D Secure, since it helps prevent fraud and also protects you from liability in case of any fraud. From January 1st 2020 it will also be a requirement for accepting the payments from major cards.

The EU’s Second Payment Services Directive (2015/2366 PSD2) entered into force in January 2018, aiming to ensure consumer protection across all payment types, promoting an even more open, competitive payments landscape. Acting as a payment service provider, we pride ourselves on being confirmed PSD2 compliant since 29 May 2018.

One of the key requirements of PSD2 relates to Strong Customer Authentication (SCA) that will be required on all electronic transactions in the EU from 1st January 2021 for Europe and from 14th September 2021 for UK. SCA will require cardholders to authenticate themselves with at least TWO out of the following three methods:

  • Something they know (PIN, password, …)
  • Something they possess (card reader, mobile. …)
  • Something they are (voice recognition, fingerprint, …

This means your customers, in practice, will no longer be able to make a card payment online by using only the information on their cards. Instead they will have to, for example, verify their identity on a bank app that is connected to their phone and requires a password or fingerprint to approve the purchase.

More information about PSD2 can be found here: https://www.europeanpaymentscouncil.eu/sites/default/files/infographic/2018-04/EPC_Infographic_PSD2_April%202018.pdf

3DSv2 is inviting merchants to send additional information (mandatory / recommended ... ). All you need to know as a merchant can be found here:


COF in a nutshell: Customer initiates a first transaction with a merchant with a 3D-S (CIT). From this first transaction experience, the merchant has the possibility to do recurring transactions (subscription or with customer approval -> tokenization), flagged as MIT transactions.

MIT are one of the exemptions foreseen within the 3DSv2., if they fulfill the following cumulative conditions:

  • subsequent transactions of an initial CIT 
  • CIT was done with a mandatory authentication
  • A dynamic ID linking is made between initial CIT and the subsequent MITs

After initial authentication, exemptions/exclusions can apply:

  • Either because of legal recurring exemptions which apply to subscriptions with a fixed amount and periodicity (merchants are indeed advised to authenticate for full amount + provide details about number of agreed payments with card holders)
  • Either because other type of transactions are excluded from SCA scope... at merchant sole risk in case of chargeback (protection limited to authenticated amount) AND need for issuer to accept that risk to be taken:
    • Unscheduled COF: principle of subsequent transactions is agreed with card holder, but amount and/or periodicity is not fixed
    • Industry practices: incremental, no show, etc...

For the transitional period, schemes have defined default ID to be used for subsequent MITs created before introduction of 3DS v2.

As issuers have not provided us with reliable data yet, we don't have information on that. MasterCard is currently running surveys in Europe, but results may vary drastically depending on the country.  The status will continue to evolve until September. In January 2019, only 2/3 of issuers completed the EMVCo v2.1 certification and within this list of issuers, support of exemptions fluctuated from 80% (Recurring) to 50% (White Listing).

If you use our eCommerce page, PostFinance will take care of all mandatory fields.

If you are integrated in DirectLink, meaning that you have your own payment page, we have a Javascript example available on the support page to collect the mandatory data.

For the optional information collection, refer to our support page on how to integrate with PostFinance.

Unless the authentication is an obligatory step (i.e. in case of a card registration or an initial transaction of a series of recurring transactions), issuers can decide to pass on the authentication. In such a scenario the issuer will be liable in case of a charge back.
Add Card value refers to the case when a wallet provider uses 3DS protocol to add a card to their wallet. This will be implemented by the respective wallet provider.

Secure version 2 is an evolution of the existing 3-D Secure version 1 programs: Verified by Visa, Mastercard SecureCode, AmericanExpress SafeKey, Diners/Discover ProtectBuy and JCB J/Secure. It is based on a specification that has been drafted by EMVco. EMVCo exists to facilitate worldwide interoperability and acceptance of secure payment transactions. It is overseen by EMVCo’s six member organizations—American Express, Discover, JCB, Mastercard, UnionPay, and Visa—and supported by dozens of banks, merchants, processors, vendors and other industry stakeholders who participate as EMVCo Associates.

One of the core differences in version 2 is that the issuer can use a lot of data-points from the transaction to determine the risk of the transaction (risk-based analysis). For low-risk transactions, issuers will not challenge the transaction (e.g. not sending an SMS to the cardholder) although authenticating the transaction (frictionless). Inversely, for high risk transaction, issuers will require the cardholder to authenticate with an SMS or biometric means (challenge).

Separately the Strong Customer Authentication (SCA) required from 1st January 2021 for Europe and from 14th September 2021 for UK, 2019 as specified in PSD2 will result in a substantial increase in the number of transactions requiring the use of 3-D Secure authentication. The use of 3-D Secure version 2 should limit the potential negative impact on conversion as much as possible. In short 3-D Secure version 2 means:

  • You will need to implement 3-D Secure before January 1st, 2021 if your transactions fall within the EU PSD2 SCA guidelines (in case you don't already support 3-D Secure).
  • You are advised (and for some are required) to submit additional data points to support the risk assessment performed by the issuer in case of 3-D Secure version 2
  • You might need to update your privacy policy with regards to GDPR as you might be sharing additional data-points with 3rd parties
  • A much better user experience for your consumers

The expectation in the market is that a substantial percentage of transactions using 3-D Secure version 2 will follow the frictionless flow, which doesn't require anything additional from the cardholder compared to current non-3-D Secure checkout flows. This means that you benefit from the increased security and liability shift that is provided by the 3-D Secure programs, while the conversion in your checkout process shouldn't be negatively impacted.

This situation is only possible if you are integrated via DirectLink only (Merchant own page / FlexCheckOut), as in PostFinance hosted payment page page, PostFinance is collecting the mandatory data.

First of all, PostFinance will identifiy the flow to be directed to v1 or v2 based on the card numbers.

If the card is enrolled V2, there are the following possible scenarios:

Mandatory data:

  • If the wrong data is passed, transaction is blocked
  • If some data is missing, PostFinance will direct your transaction to v1 flow
  • If no data is passed, transaction is NOT blocked but diverted to flow v1

Recommended or optional data:

  • if no data is passed, transaction is NOT blocked, but cannot benefit from exemption. 

As this is defined by the acquirers' readiness, the availability of 3DSv2 depends on the individual acquirer. 

Most of the French acquirers will support Strong Customer Authentication by September 14th 2019, but not exemptions. The introduction of exemptions will be made available by the individual acquirers between October 2019 and March 2020.

To make things easier for both merchants and consumers, PSD2 allows for some exemptions from strong customer authentication. What’s important to note is that all transactions that qualify for an exemption won’t be automatically exempted. In the case of card transactions, for example, it’s the card issuing bank that decides if an exemption is approved or not. So, even if a transaction qualifies for an exemption the customer might still have to make a strong customer authentication, if the card issuing bank chooses to demand it.

Our test platform is ready for you to start testing. A simulator will support all different scenarios.

Testing cards have been provided and can be found on the support site, as well as in the TEST environment (Configuration > Technical Information > Test info).

Please contact us should you wish to start using 3-D Secure version 2 (3DSv2) in production. 

Your PCI certificate is valid for a year and is compliant for any acquirer.

We are in a process of certification for v2.2 and it will be in production in Q4 2020.

Along with the platform release in July we have enhanced our transaction overview details. Individual transactions accessible now contain detailed information on which flow (legacy 3DS v1  or 3Dsv2) was applied. More information can be found in our notes for Release 04.133 in the Backoffice via Support > Platform Releases > Release 04.133

In addition to that we have added the new parameter VERSION_3DS to our electronic reporting tool.

The possible values for VERSION_3DS are

V1  (for 3DS v1)
V2C (for 3DS v2 challenge flow)
V2F (for 3DS v2 frictionless flow) 

To add this parameter to your transaction file downloads, follow the instructions as shown in this video:

Exclusions are transactions that are OUT of scope for PSD2 SCA regulations:

  • Mail order/telephone order
  • One leg journey - Payee's PSP (aka Merchant's acquirer) or Payer's PSP (aka Buyer's payment method issuer) is outside of EEA zone
  • Anonymous prepaid cards up to 150€ (article 63)
  • MIT - merchant initiated transactions

Exemptions are transactions that are IN the scope of PSD2 SCA regulations:

  • Low value transactions
  • Subscriptions
  • Risk analysis
  • Whitelisting

In a case like this, PostFinance will automatically manage a fallback to 3-D Secure v1.

The EBA (European Banking Authority) and national banks in each affected country agreed on a grace period (until at least March 2020). This will give every player in the eCommerce business the opportunity to clarify all details related to this new regulation. However, we still strongly recommend to activate 3DS in your account(s) as soon as possible.

Since our TEST environment is ready, we advise you to start testing your integration as soon as possible.

Click here if you’re using eCommerce. If you’re using your own page, click here.

If the issuer is applying new PSD2 ruleset and 3DS is not active in the merchant's account, the transaction will be rejected with a new error code - soft decline. Therefore, please make sure to have 3DS active for each brand in your account(s). If you are integrated with DirectLink (Server to Server), you will need to implement the soft decline mechanism.

As 3DSv2 introduces frictionless authentication, the time for processing a transaction may be reduced. Conversely, if Strong Customer Authentication is requested, the processing time may be longer.