Merchant/Acquirer Implementation

Quick Reference for 3-D Secure 2.0

What
Visa’s 3-D Secure (3DS) 2.0 Program is a global solution designed to make e-commerce transactions more secure by helping to
ensure the transaction is initiated by the rightful owner of the Visa account. Authentication happens during the online checkout
process before authorization, and is enabled by a separate platform and separate set of messages.
The 3DS process is initiated by a Merchant using its 3-D Secure Server to submit a 3DS authentication request. Visa’s Directory
Server receives the request and routes the request to the issuer. The Issuer’s Access Control Server(ACS) reviews the information
in the authentication request, authenticates the cardholder using their form of authentication, and responses back to the
merchant.

Pre-Implementation
The Merchant/Acquirer must have a 3DS Server and 3DS SDK that can connect to Visa’s 3DS 2.0 Directory Server.
3DS SERVER AND 3DS SDK1
 Decide: Build, Buy, or use Hosted Solution
 If building in-house solution merchant/acquirer must:
- EMVCo’s 3DS requirements. This first step is done by completing EMVCo’s 3DS Testing. EMVCo issues an EMVCo
Reference Number and a Letter of Approval on successful completion of EMVCo 3DS Testing
- Visa’s 3DS requirements. This is done by completing Visa’s 3DS Compliance Test. Visa issues an 3DS Approval
Letter and lists the 3DS product on Visa 3DS Approved Products List
- Digital Certificates: Obtain and install Digital Certificates for the 3DS Server to connect to Visa’s Directory Server
 If using or buying an already built product, merchant/acquirer must:
- Visa’s 3DS requirement: Obtain EMVCo Letter of Approval & Reference # from purchsee and complete Visa’s 3DS
Compliance Test. Visa issues an 3DS Approval Letter
- Digital Certificates: Obtain and install Digital Certificates for the 3DS Server to connect to Visa’s Directory Server
 If using a hosted solution or buying an already built product, merchant/acquirer must:
- Choose a Compliant 3DS Server and/or 3DS SDKProduct: Choose a 3DS Server/3DS SDK that has completed EMVCo
3DS testing and Visa testing using the Visa Approved 3DS 2.0 Product list.
- Register 3DS Server with Visa through the 3rd party agent program (hosted solution only): Merchant/acquirer must
ensure its 3DS Server and/or 3DS SDK provider is registered in Visa’s Third Party Agent Program and obtains a Visa
Business ID (see website www.visa.com/third-party-agent)
- Digital Certificates: Obtain and install Digital Certificates for the 3DS Server to connect to Visa’s Directory Server

1
Using a hosted solution dramatically lowers implementation and maintenance requirements. Most of the steps in this document
will be performed by the service provider if a hosted solution is chosen. See page 2 for link to list of service providers
3DS Server and 3DS SDK Implementation
 Review relevant Visa guides and specifications: Implementation Guide
 3DS Server Integration and Requirements: integrate with 3DS Server with Merchant Application
 3DS SDK Integration and Requirements: integrate the 3DS SDK with the Merchant Application
 Review all 3DS 2.0 Data Elements: make sure to collect and provided all required, conditional, and optional data

Visa Implementation
 Obtain Visa Required Merchant Identifier’s
 Ensure Payment Gateway/ Acquirer Host Supports 3DS Fields in VisaNet
 Test 3DS Server, 3DS SDK, and Payment Gate/ Acquirer Host
PAYMENT PROCESS SETUP
 Obtain Visa Required Merchant Identifier: Obtain 3DS requestor ID
 Ensure Merchant/Acquirer payment processing system processes 3DS Authentication and related Authorization Data
Fields: CAVV Results Code (F44.13), Electronic Commerce Indicator (ECI)(F60.8), Cardholder Authentication Verification
Value (CAVV) Data (F126.9), 3DS Indicator (F126.20) (optional)
 Ensure Additional Processing Requirements are Supported: ACI and ECI Value Alignment (U.S. domestic only)
 Obtain Fraud Data (TC40): Request frequent fraud data reports from acquirer
TESTING
 Test Authentication: Merchant, 3DS server, 3DS SDK, and merchant application (if applicable)
 Test Authorization is also required if Merchant/Acquirer payment processing does not support the following fields:
Visa Authentication Data fields (CAVV Results Code (F44.13), ECI (F60.8), CAVV Data (F126.9)), Visa Authentication Data
field (3DS Indicator (F126.20))

Program Launch
 Finalize “go live” date: Communicate date to all stakeholders, Develop training materials for all parties, ensure all
internal teams are trained on Visa’s 3DS 2.0 program
 Launch 3DS 2.0 program: Set a coordinated “go live” date between 3DS Server, Acquirer and Merchant
 Manage the program: 3DS Server/3DS SDK Monitoring (system availability, authentication processing,
authorization processing), Reporting (transaction reports, statistical reports, disputed transactions reports),
Dispute Resolution (review and respond to disputes)
 Maintain Updated 3DS Program/System: 3DS server or SDK changes and updates

Additional 3DS 2.0 Issues, Decision Points, & Resources

Topic Considerations Resources
Hosted Solutions • Greatly streamlines implementations using the latest 3DS specifications • Approved provider list
and capabilities

Acquirer/Payment • Some acquirers / payment processors have a 3DS Server Software • Reach out to your acquirer or
Processor integrated into their payment platforms payment processor to ask if they
support participation in 3DS 2.0 and
have a 3DS Server

Fraud Data • 3DS provides merchants with liability protection on 3DS transactions • VOL for VisaVue
• Merchants no longer receive disputes related to 3DS fraud, and therefore • Reach out to acquirer
lose insight into fraudulent transactions
• Merchants should request fraud data (TC40) from acquirer
• Visa has a solution for Acquirers to easily obtain fraud data through a paid
for service called VisaVue Online

© 2017 Visa. All Rights Reserved.