[rbag]

In France we have 3D Secure, when you make the paiement you are redirected to a page that belongs to the bank, you receive a SMS with a one time code to validate the paiement and are redirected to the merchant with the validation.

Quite efficient, but I think there's fees for the merchant in this case.

[phlo]

3D Secure is used to authorize credit card payments, while Sofort and iDEAL send wire transfers. Big difference.

With 3D Secure, you provide the normal card data (i.e. card number, expiration, name, CVV/CVC) to the merchant and are then redirected to an authentication form from your card issuer. There, you'll be asked to either provide a password or, as you described, input a confirmation code from a text.

With Sofort, you're entering your login data to your e-banking account on a login page served by Sofort. They, in turn, use it to log in to your e-banking using a simulated browser and send a wire transfer. You lose control, however, of what else they do: once they are logged in to your e-banking, they can check your previous transactions, send other transfers or they might change your mailing address...

[dx034]

As far as I know, 3D secure also works for debit cards. In many countries debit and credit cards use the same system (Visa/Mastercard). Have seen 3D secured payments several times for my UK debit Mastercard.

[makmanalp]

I've seen some horrific UI on some 3D secure implementations. Also, I've seen some websites refresh to a "loading 3D secure ..." page, only to somehow skip it and go further. If the merchant can just skip it and charge your card like a regular credit card, then what's even the point of having it?

[phlo]

As another comment already pointed out, you are probably seeing your card issuer's risk-based 3D Secure system in action. If your system (IP address, location, user-agent) and/or the transaction (merchant, sector, amount) look familiar enough, some issuers let you skip the password/TAN entry. If they are doing it right, that's a good thing.

[captn3m0]

The worst I've ever experienced is the RuPay card network's (India) Second Factor. You pick an image out of collection of thirty odd images that you must select again at the time of every transaction. It also forces you to type your PIN via a shuffled numeric clickpad on the browser.

[Elhana]

I believe that if buyer supports 3dsecure and merchant skips it, then he'll be the looser in case of a fraud.

[vladvasiliu]

The merchant can choose wether and when to use 3dsecure (at least in France). I work for a company that uses Paybox for online payments. We can set an amount above which 3dsecure is used, e.g 20 EUR. I'm guessing the bank has to support 3dsecure, but they can't or at least don't impose it.

[mack73]

I work with fraud detection at an online travel agency. If you use 3D Secure and there is a fraud, your insurance will cover the cost of that transaction. As a merchant you may bypass (not use) that security feature at your discression. 3D Secure is a Mastercard feature, no?

[vladvasiliu]

3dsecure works with Visa too. I don't know about AmEx, although I do know that for Point Of Sale payments we have to have a special bank contract (one for Visa / Mastercard and one for AmEx).

I suppose the merchant decides wether to use this or not by trying to find a balance between user experience and fraud risk.

In our case I think the limit is set right above the usual purchase amount (we sell movie tickets). It's low enough that a fraud wouldn't hurt us too badly and there's not much incentive for it either. Also, most of the clients don't have to fiddle with 3dsecure (in my case I would have to cary a fob around, which I never do), so it's a better experience for them.

If someone tries to buy a lot of tickets at once, they are more likely to be doing something fishy so we use 3dsecure.

[Flimm]

I'm guessing that the page gets skipped when you're on a familiar IP address with a familiar cookie, or there are other factors where the bank decides more authentication is unnecessary.

[mack73]

10 years ago I got a Mastercard that for the first time required me to answer a 3D Secure questing each time I did an online purchase. It's been at least seven years since I had to answer that question though. How 3DS figures my card carries no fraud risk I have no idea. Is my card less likely to get stolen? Perhaps they have geography as a metric?

[greggman]

That would suck if anytime I wanted to deal with things back home while travelling I had to remove my local sim and put back in my home sim just so I could receive SMS messages from my bank.

Do they offer any non SMS options?

[briandear]

In France they do not have a non SMS option. Also if you change your number you have to wait days while your bank mails a new activation code to your postal address. Actually snail mail. (At least with BNP.)

An incredible pain. I hate it. ApplePay for the web is far superior.

[just_had_tea]

Data point of one here, but my experience is different. I used Crédit Coopératif, and they issued me with a password generator fob (like a small calculator in which you stick your Visa chip-card) which the 3D Secure page would ask for a response from.

I suspect it depends on your bank. Back when i used Crédit Agricole, i was indeed forced to do SMS auth, which is inferior.

[shripadk]

3D Secure (at least in India) offers both SMS OTP and Password validation. So you can use your 3D Secure Password (which is different from bank credentials) or use SMS OTP to confirm the transaction.

[eknkc]

Have 3d Secure here in Turkey too. Most merchants provide a checkbox to enable 3D secure, if you do so, they redirect to the bank's page and you need to enter a code.

Most of the time, non 3d secure purchases take a little more time to go through and if the amount is higher than your regular spendings or the charge happened to be in the middle of the night, banks ask for confirmation via SMS anyway. If you go with 3D secure, it just works instantly.

All banks provide virtual credit card numbers with predefined limits too though.

[blowski]

Usually there are no fees, and it also protects you from chargebacks. But it's harder to implement, and it does tend to increase abandon rates a bit.

[cm2187]

And some implementations rely on 3rd party cookies!