000027228 - What is Verified By Visa, MasterCard SecureCode, 3DSecure and Securesuite

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 5

Article Content

Article Number: 000027228
Applies To

Verified By Visa, MasterCard SecureCode, 3DSecure and Securesuite are all names for the same service.

This service protects Credit and Debit cardholders from fraud in the eCommerce channel, by asking the cardholder to authenticate using personal information.

RSA provides this service to many card issuers in the world and has a few more services that provide stronger protection, like Transaction Monitoring for eCommerce, Adaptive Authentication for eCommerce and the use of One Time Passwords as a stronger authentication method.



Detailed description:

The protocol is called 3DSecure since it requires 3 dimensions:

  1. The merchant needs to be 3DSecure enabled
  2. The card schemes need to be 3DSecure enabled (only Visa and MasterCard)
  3. The issuer needs to be 3DSecure enabled.


In this process, cardholders need to authenticate as genuine users by submitting personal information (set by the issuer). Upon successful authentication, users are requested to select a password which will be used in all future transactions and is known only to them.


  1. The cardholder checks out of a 3D Secure online merchant, enters the credit card number and presses "Order".
  2. The merchant checks if the card is enrolled with the Issuer's Access Control Server (ACS), via the Directory Server (DS).
    The ACS returns a positive answer through the DS that the card is enrolled in 3DSecure.
  3. The merchant redirects the cardholder's browser to the ACS.
  4. The ACS presents the details of the transaction as a receipt in the user's browser and asks for the password.
  5. The cardholder "signs" the receipt by submitting the correct password and is authenticated by the system as the genuine cardholder.
  6. The ACS digitally signs the receipt and returns an answer to the merchant.
  7. The merchant saves the receipt and performs the regular authorization process.


The 3DSecure process begins before the authorization process and is an independent stage.

The cardholder may pass authentication (3DSecure), but the transaction may still be rejected because the card doesn't have sufficient funds or has been reported stolen or lost.

Therefore, a successful 3DSecure transaction does not mean that the transaction was approved by the issuer.

However, if the 3DSecure transaction failed (authentication failed), then the authorization process will not take place at all.
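
The merchant-side handling of steps 6 and 7 and of the rules above, as an added example that is not RSA's code or part of the original article. The function names, the order fields, the check that the receipt matches the order and the HMAC stand-in for the ACS digital signature are assumptions made so that it runs with the Python standard library.

```python
import hashlib
import hmac
import json

# Stand-in for the ACS digital signature: a real ACS signs with a private key
# and the merchant verifies against its certificate. HMAC with a constructed
# demo key is used here only so the example runs with the standard library.
DEMO_KEY = b"constructed-demo-key"


def sign(receipt: dict) -> str:
    body = json.dumps(receipt, sort_keys=True).encode()
    return hmac.new(DEMO_KEY, body, hashlib.sha256).hexdigest()


def acs_answer(order: dict, password_ok: bool) -> dict:
    """Steps 4-6: ACS shows the receipt, checks the password, signs the result."""
    receipt = {"card": order["card"], "amount": order["amount"],
               "authenticated": password_ok}
    return {"receipt": receipt, "signature": sign(receipt)}


def issuer_authorize(order: dict, funds: int, blocked: bool) -> bool:
    """Regular authorization, independent of 3DSecure (funds, stolen/lost)."""
    return not blocked and funds >= order["amount"]


def merchant_checkout(order, answer, funds, blocked=False) -> str:
    """Step 7 from the merchant side: check the answer, then authorize."""
    receipt = answer["receipt"]
    if not hmac.compare_digest(sign(receipt), answer["signature"]):
        return "rejected: receipt signature invalid"
    # The signed receipt must describe this order, not some other transaction.
    if (receipt["card"], receipt["amount"]) != (order["card"], order["amount"]):
        return "rejected: receipt does not match order"
    if not receipt["authenticated"]:
        return "rejected: authentication failed, authorization not attempted"
    if not issuer_authorize(order, funds, blocked):
        return "declined: authenticated, but issuer refused authorization"
    return "approved"


# Constructed sample order (well-known test card number, amount in cents).
ORDER = {"card": "4111111111111111", "amount": 5000}
```
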

Legacy Article ID: a43698