3D Secure card payments

Reduce fraud on online payments by authenticating cardholders

This feature is in private beta

If you are interested in using 3D Secure, or want help with reducing fraud and chargebacks, please contact Rainforest Support.

What is 3D Secure?

3D Secure, also sometimes written "3DS" or "Three-D Secure", is an authentication protocol that can help you to prevent fraud and chargebacks. When using 3D Secure, your platform allows the bank to authenticate the cardholder before they make a credit card payment. As a result, you are protected from chargebacks claiming that the card was used fraudulently.

User experience

The user experience of the original 3D Secure was quite poor, but the most recent version is faster and smoother.

In the original 3DS, version 1, the cardholder was redirected away from the purchase page to their bank, where they would log in with their username and password, approve the transaction, and then be redirected back to the purchase page. This was slow, error-prone, and difficult to integrate into complex payment flows.

In the new version, 3DS2, the customer always stays on your webpage. In many cases, they can be authenticated behind the scenes without even being aware of it. In other cases, Rainforest will open a modal dialog over your page so that the customer can authenticate to their bank. Usually, the bank sends them a text message with a one-time passcode to enter into our modal.

Tradeoffs

While 3D Secure can be useful in preventing fraud and chargebacks, it also comes with several tradeoffs:

  • Each attempted 3DS transaction incurs a cost from the card network. You can pass these costs on to your merchants.
  • Some customers may be annoyed by the authentication process or not be able to complete it, which can hurt the conversion rate of your payment flows.
  • Not every bank and card supports 3DS, so if you want to get fraud protection on all of your transactions, you may have to turn away some customers. Our strategy is to attempt 3DS authentication, but then fall back to a normal card payment when it isn't available.

How to enable 3D Secure

If your platform can already take a payment on the web with Rainforest's Payment component, there are a few changes needed to enable 3D Secure.

In production, each merchant will need to be onboarded to 3D Secure. Contact your Customer Success Manager for more information on this process. (All sandbox merchants are automatically able to do simulated 3DS transactions.)

When you create a payin config and want to run 3DS, send a new property, threeds_mode, with the value ATTEMPT. This tells Rainforest to make a best-effort attempt to run 3D Secure, but also to continue to run unauthenticated card transactions if the merchant or card doesn't support 3DS.

Example payin config (an amount of 202 is $2.02):

{
    "amount": 202,
    "currency_code": "USD",
    "threeds_mode": "ATTEMPT"
}

Your payment page may need small tweaks to allow the Payment component to run 3DS on your behalf. You can test in Rainforest's Sandbox environment, where we will show a simulated 3DS modal dialog.

In Rainforest's Sandbox environment, we show a test 3D Secure UI where you can simulate a success or failure.

  • The Rainforest 3DS modal will need to be visible above any elements on your page. If you currently listen to the payment component's attempted event and show your own modal or shadow over the page, you may need to do additional work to allow the Rainforest 3DS modal to appear:
    • The payment component emits events for threeds-challenge-opened and threeds-challenge-closed. You can listen to these to know when to hide and then re-show your own modal experience.
  • If your webpage uses a Content Security Policy to control what code is allowed on the page, you may need to make changes to allow the bank's authentication to run inside of an iframe. Get in touch with your Customer Success Manager for more help with this change.
    • You will need to allow frames and form submits (via the frame-src and form-action directives) from: centinelapi.cardinalcommerce.com, api.rainforestpay.com, and static.rainforestpay.com.
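
One way to check an existing Content Security Policy against the requirement above, as an added example (not Rainforest's code): it parses a policy string and reports which of the three hosts are still blocked for frame-src and form-action. The function names and sample policy are hypothetical, and host matching is simplified to https origins on the default port.

```javascript
// Added example: the three hosts come from this page; all other names are hypothetical.
const REQUIRED_HOSTS = [
  "centinelapi.cardinalcommerce.com",
  "api.rainforestpay.com",
  "static.rainforestpay.com",
];

// Parse a CSP value into directive -> source list. Only the first occurrence of a directive counts.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Simplified host-source match: keywords ('self'), paths and non-443 ports never match.
function sourceAllowsHost(source, host) {
  const s = source.toLowerCase();
  if (s === "*" || s === "https:") return true;
  const m = /^(?:(https?):\/\/)?((?:\*\.)?[a-z0-9.-]+)(?::(443|\*))?\/?$/.exec(s);
  if (!m) return false;
  return m[2].startsWith("*.")
    ? host.endsWith(m[2].slice(1)) // "*.example.com" matches subdomains only
    : host === m[2];
}

// Returns the required hosts that each directive still blocks.
function missingThreeDsHosts(policy) {
  const d = parseCsp(policy);
  // frame-src falls back to child-src, then default-src; form-action has no fallback.
  const frame = d.get("frame-src") ?? d.get("child-src") ?? d.get("default-src");
  const form = d.get("form-action");
  const missing = (sources) =>
    sources === undefined // directive absent: nothing is restricted
      ? []
      : REQUIRED_HOSTS.filter((h) => !sources.some((s) => sourceAllowsHost(s, h)));
  return { "frame-src": missing(frame), "form-action": missing(form) };
}

// Constructed sample policy: relies on default-src and never lists the 3DS hosts.
const SAMPLE_POLICY = "default-src 'self'; form-action 'self'";
console.log(missingThreeDsHosts(SAMPLE_POLICY));
```

An empty list for both directives means the policy should not block the 3DS iframe or its form posts; any host listed needs to be added to that directive.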

There are two ways to find out if a transaction ran 3DS successfully:

  1. In Rainforest's Portal, you can see the 3DS success shown with other details in the payin detail screen:
Rainforest Portal showing the details for a Payin with 3DS: Successful

  2. In the API, Payins will have a threeds_attempt_id property with a value prefixed with tds_, which references the successful 3DS session that was used to make that payin.