This 3D Secure protocol helps confirm the identity of cardholders at the time of purchase.

These services are collectively referred to as 3D Secure (3DS).

Why Use It?

Fraud Reduction: Adds an additional layer of security to online credit card transactions.
Chargeback Mitigation: Shifts liability for certain types of fraud-related chargebacks away from the merchant to the issuer or cardholder.
Risk Assignment: Depending on the result of the 3D Secure flow, the risk may lie with the merchant, issuer, or cardholder (see flowchart below).

How Does It Work?

Customer initiates payment on the secure PayGate page.
If the card supports 3DS, PayGate redirects the customer to their issuing bank's authentication page.
The cardholder enters a password or code (e.g. an OTP or secret PIN).
The issuing bank responds with either:
- Authentication successful → PayGate proceeds to authorization.
- Authentication failed → PayGate declines the transaction.

Not all issuing banks require 3D Secure enrollment. In such cases, the transaction proceeds, but the authentication attempt is recorded, shifting the risk away from the merchant.

PayProtector & 3D Secure Flow

This diagram outlines the flow of a card transaction using PayGate’s fraud protection (PayProtector) combined with the 3D Secure authentication services (Verified by Visa / MasterCard SecureCode).

sequenceDiagram
    participant Client
    participant Merchant
    participant PayGate
    participant IssuerBank

    Client->>Merchant: Initiate purchase
    Merchant->>PayGate: Send transaction request
    PayGate->>PayProtector: Fraud check

    alt Card is OK
        PayGate-->>PayGate: Proceed with 3DS logic
    else Card is not OK
        PayGate-->>Client: Decline transaction
        Note over PayGate,Client: Transaction ends
    end

    alt Is MasterCard or Visa?
        PayGate->>IssuerBank: Check 3DS enrollment
        alt Enrolled in 3DS
            PayGate->>Client: Redirect to Issuer 3DS page
            Client->>IssuerBank: Enter authentication details
            IssuerBank-->>PayGate: Auth result
            alt Auth success
                PayGate->>Bank: Send for authorisation
                Bank-->>PayGate: Authorisation result
            else Auth failed
                PayGate-->>Client: Decline transaction
            end
        else Not enrolled
            Note over PayGate: Risk shifts to Issuer
            PayGate->>Bank: Send for authorisation
        end
    else Not MasterCard/Visa
        Note over PayGate: Risk remains with Merchant
        PayGate->>Bank: Send for authorisation
    end

What About Other Card Brands?

Currently, only Visa and MasterCard support 3D Secure via Verified by Visa and MasterCard SecureCode. Transactions using other card brands (e.g. AMEX, Diners, etc.) are not authenticated and the liability remains with the merchant.