Learn about strong customer authentication (SCA) and 3D Secure (3DS) to verify buyers for online and in-app payments.

3D Secure Overview

Use 3D Secure (Strong Customer Authentication in the EEA) in Square Online and In-App Payments APIs to verify the buyer and reduce the chance of fraudulent transactions.

What is 3D Secure?

3D Secure (3DS) is a standard protocol developed by a collaboration of several payment card issuers. It defines a multi-factor authentication mechanism that can be used to satisfy the requirements of Strong Customer Authentication (SCA) wherever SCA is required.

Note

SCA is a new European requirement to make online and in-app payments more secure in the European Economic Area (EEA).

3DS can also be used to authenticate buyers in countries where SCA is not a requirement. In those countries, Square provides the 3DS mechanism for those sellers who opt to use it.

The 3DS protocol creates the same buyer experience regardless of whether it is initiated from an SCA-required country.

SCA requirements

Currently, when paying online, customers must enter their card number, expiration date, CVV, and postal code to make a payment. Under SCA, buyers are required to complete two of the three factors of authentication when initiating a payment: something they know, something they own, and something they are. For online card payments, the SCA requirements are met by implementing 3DS. For in-store payments, SCA requirements are met through the use of chip and PIN or mobile wallets. Payments without this additional authentication are declined by the cardholder's bank. Payments initiated by sellers, such as recurring transactions or mail-order/telephone order (MOTO), do not require SCA.

A graphic showing the three elements of a multi-factor authentication, which are something you know, something you have, and something you are.

Do I need to support SCA?

Square advises all Square developers and partners operating in the European Economic Area (EEA), including the UK, to take appropriate steps to be ready for SCA enforcement starting January 1, 2021, to avoid an increase in declined payments for European cardholders.

In the UK, banks started asking their cardholders to complete SCA, with full enforcement of the SCA requirements by March 14, 2022. Across the rest of the EEA, banks are ramping up SCA enforcement starting January 1, 2021, with a staggered ramp-up through 2021.

Square provides SCA features for the Web Payments SDK and In-App Payments SDK within Europe, where the business taking the payment and the cardholder's bank are both in the EEA.

Note

SCA is not required for in-person payment solutions such as the Square Point of Sale API or Reader SDK applications.

How is Square helping me prepare for SCA?

Sellers using Square products, such as Square Online and Invoices, do not need to make any changes because the products have been updated to meet SCA requirements. For example, Square invokes 3D Secure for online card payments or flags transactions as exempt (such as seller initiated). No additional updates are required for in-person payment solutions such as the Square Point of Sale API or Reader SDK.

Developers and partners that use Square developer products (such as the Web Payments SDK, In-App Payments SDK, and Square APIs) must ensure that their applications are SCA-compliant to minimize the impact of declined payments.

Using two of the three authentication elements (something the buyer knows, owns, or is) together, instead of the traditional approach of using only passwords, helps reduce online fraud. Square also incorporates other low-friction authentication mechanisms like fingerprint and facial recognition to help increase your conversion rates.

Important

  • 3D Secure should be invoked through the verifyBuyer() function only when the buyer is present and has initiated the transaction.

  • In the EU, transactions that require authentication but are submitted without it are declined with a CARD_DECLINED_VERIFICATION_REQUIRED error. This error means that the seller did not implement verifyBuyer on the customer-initiated payments. For more information, see VerifyBuyerError.
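
The two points above, as an added example that is not Square's code: a check over logged payment attempts that flags buyer-initiated payments declined with CARD_DECLINED_VERIFICATION_REQUIRED because no verification token was obtained. The record fields (buyerPresent, initiatedBy, verificationToken, locationId) and the sample data are assumptions made for illustration.

```javascript
// Added example: verifyBuyer and CARD_DECLINED_VERIFICATION_REQUIRED come from
// the page; all other names and the sample records are assumptions.
const VERIFICATION_REQUIRED = 'CARD_DECLINED_VERIFICATION_REQUIRED';

// 3DS applies only when the buyer is present and started the payment;
// seller-initiated payments (recurring, MOTO) do not go through verifyBuyer.
function shouldVerifyBuyer(payment) {
  return payment.buyerPresent === true && payment.initiatedBy === 'BUYER';
}

// Collect error codes from a payment response body; tolerate a missing list.
function errorCodes(response) {
  const errors = response && Array.isArray(response.errors) ? response.errors : [];
  return errors.map((e) => e.code);
}

// Return one finding per attempt declined for missing authentication.
function findMissingVerification(attempts) {
  const findings = [];
  for (const { payment, response } of attempts) {
    if (!errorCodes(response).includes(VERIFICATION_REQUIRED)) continue;
    const gap = shouldVerifyBuyer(payment) && !payment.verificationToken;
    findings.push({
      paymentId: payment.id,
      locationId: payment.locationId,
      action: gap ? 'call verifyBuyer before charging' : 'review manually',
    });
  }
  return findings;
}

// Constructed sample attempts (not real Square responses).
const SAMPLE_ATTEMPTS = [
  { payment: { id: 'p1', locationId: 'LOC_ONLINE', buyerPresent: true,
      initiatedBy: 'BUYER', verificationToken: null },
    response: { errors: [{ code: VERIFICATION_REQUIRED }] } },
  { payment: { id: 'p2', locationId: 'LOC_ONLINE', buyerPresent: true,
      initiatedBy: 'BUYER', verificationToken: 'vtok_constructed' },
    response: { payment: { status: 'COMPLETED' } } },
  { payment: { id: 'p3', locationId: 'LOC_ONLINE', buyerPresent: false,
      initiatedBy: 'SELLER', verificationToken: null },
    response: { payment: { status: 'COMPLETED' } } },
  { payment: { id: 'p4', locationId: 'LOC_ONLINE', buyerPresent: true,
      initiatedBy: 'BUYER', verificationToken: null },
    response: {} },
];

console.log(findMissingVerification(SAMPLE_ATTEMPTS));
```

Grouping the findings by locationId shows which locations take buyer-initiated payments without verification.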

3DS in non-mandated markets

The 3DS flow is started for a buyer if their payment card meets any of the conditions listed in the Square Risk Manager Glossary. For sellers outside of regions that require SCA, Square provides a mechanism in Risk Manager to let them opt in for 3DS on a location basis. For example, a seller might have an in-person location, an in-person and online location, and an online-only location. Online payments are card-not-present payments and benefit from the added security of 3DS. In this case, a seller might opt in for 3DS in the locations that take online payments.

A payment card might trigger the 3DS authentication flow and verify the identity of the buyer without generating a payment alert. A payment alert is only created in Risk Manager if the payment appears to be suspicious or fraudulent. Sellers in the European Union can use Risk Manager to manage potential fraud even though 3DS is enabled for them by default.

Enable 3DS

To enable 3DS, a non-EU seller uses an application integrated with a Square payments SDK to take a payment with a debit or credit card. If the application called the verifyBuyer function when getting a payment token, the seller can enable 3DS in Risk Manager for the location that called the function. When enabled, 3DS is active until the seller disables it. 3DS cannot be enabled until verifyBuyer has been called by the application at least once.

How it works

Learn how SCA works by choosing Next and walking through the steps in the following example:

Walkthrough Image

Next steps

Implement 3DS in your application to start the 3D Secure flow by reading Verify the Buyer When Using a Payment Token.

If you need more assistance, contact Developer Support or ask for help in the Developer Forums.