3-D Secure

The 3-D Secure (3DS) authentication API separates the cardholder authentication flow from the transaction authorization flow and gives granular control over the full authentication process. This is ideal for:

  • Authenticating use cases not supported by Orchestrated 3DS via the Online Payments API.
  • Authenticating cardholders for transactions to be submitted on J.P. Morgan platforms other than the Commerce platform.
Note

The card-branded 3DS solutions supported on the Commerce platform are as follows:

  • Visa Secure
  • Mastercard Identity Check
  • American Express SafeKey
  • Discover/Discover Diners Club International Protect Buy (North America only)

Availability

The 3DS API is available in the following regions:

  • Australia (coming soon)
  • Canada (coming soon)
  • Europe
  • United Kingdom
  • United States (coming soon)

Who should use 3DS authentication?

In general, use 3DS authentication if you have consumers in Europe (or another market where 3DS is required), or if you want to reduce your liability for card payment risk. We support the following 3DS options on our Commerce platform:

  • Orchestrated 3DS — J.P. Morgan handles the 3DS authentication flow for you as part of your card payment transaction process.
  • 3DS API — Manage the entire 3DS workflow yourself, separately from the card payment process.
  • Pass-through 3DS — Pass 3DS values obtained from an independent 3DS provider through to J.P. Morgan in your payment transactions.

How 3DS works

3-D Secure process flow
  1. Your consumer places an order on your website.
  2. If you determine that the purchase warrants authentication, initiate a 3DS authentication with your 3DS authentication provider. Reasons a transaction warrants authentication may include:
    1. The authentication is mandated by a regulation like PSD2 in Europe.
    2. The cardholder is a new consumer with whom you have no prior business relationship.
    3. The item being purchased is a common target for fraudulent purchases.
  3. Your 3DS provider passes the authentication request through to the card issuer.
  4. The card issuer processes the authentication in one of two ways:
    1. Frictionless — The issuer completes the authentication using only information from the authentication API call and device information from the browser.
    2. Challenge — The issuer prompts the cardholder to provide additional information to complete the authentication.
  5. The issuer returns the authentication results to you via your 3DS authentication provider.
  6. If you decide to process a transaction using the Online Payments API for your consumer's order based on a successful authentication response, include the authentication result details in your /payments or /verifications request.
Tip

Including the 3DS authentication results in your authorization transactions shifts the liability for fraud-related chargebacks to the issuer, which is a payment brand benefit.

Specific regions (such as EU, UK, India, and Australia) have regulations requiring e-commerce merchants to utilize authentication protocols, such as 3DS. Payment network mandates also provide guidance on how and when to utilize 3DS with their specific card products. You are ultimately responsible for knowing whether 3DS is applicable to you.

Frictionless authentications

A frictionless authentication occurs when the issuer uses the information submitted in the authentication, data from the cardholder’s browser, and past cardholder behavior to authenticate without challenging the cardholder. A frictionless authentication is completely transparent to the cardholder and adds no consumer interaction to the payment process. However, frictionless authentications do not meet European Payment Services Directive 2 (PSD2) Strong Customer Authentication (SCA) requirements for many use cases, such as storing a card to a customer profile. While a merchant can request a frictionless authentication, the issuer determines whether to use the frictionless or the challenge path.

Frictionless authentication flow

Challenge authentications

In a challenge authentication, the issuer returns a challenge URL that creates a connection between the cardholder’s browser and the issuer. During a challenge, the issuer can ask the cardholder to verify account information, enter a one-time passcode, or use some other means to verify the identity of the cardholder. A challenge authentication meets all European PSD2 SCA requirements, but it introduces friction into the transaction flow and can increase cart abandonment. The challenge flow also changes the steps a merchant must take to complete the authentication.

Challenge authentication flow