Article summary

        Unfortunately, online fraud is still a problem and represents an important cost factor for some Merchants. That’s why MasterCard® SecureCode™, Verified by Visa and American Express SafeKey, collectively known as 3-D Secure (3DS), were designed specifically for online Merchants. They significantly reduce the risks involved with credit card payments for the selling party.

        MasterCard® SecureCode™, Verified by Visa and American Express SafeKey

        MasterCard SecureCode, Verified by Visa and American Express SafeKey are unique standards that provide what online credit card payments previously lacked: identification and authentication. In short, these systems enable the card issuing institution to check whether the buyer is indeed the rightful owner of the credit card.


        The verification of online Bancontact payments, during which card data are used as identification, is also guaranteed by a 3-D Secure action. After the card data have been entered, the user will be asked to share an additional code. This code can be generated by using the digipass or card reader which was provided for this card by the issuing bank.

        How does identification work?

        All participants, Merchants as well as consumers, are registered in central databases managed by MasterCard, Visa, American Express and Bancontact themselves. The participating consumers are registered with certain characteristics. The card issuing institution (issuer) takes care of this part of the registration process. The Merchant is also linked to a unique identification number. This is provided by the contracting party for credit card acceptance that has an agreement with the Merchant. Thus, all control data for both parties are available, although this does not necessarily lead to a conclusive check of the data. For the latter, special software has been developed: the Merchant Plug-in (MPI). This MPI is linked to the Merchant’s payment system. Thus, the characteristics of both the consumer and the Merchant can be compared to those in the database.

        Specifically for American Express SafeKey

        If you as a Merchant decide to register everything via SafeKey, the liability always lies with American Express. The consumer is offered 3 chances to register as well. If the consumer does not register the first two times, the transaction is processed successfully after all (without verification/registration), but the risk lies with American Express in case of fraud. If the consumer doesn’t register the third time either, the transaction is cancelled by American Express.


        Some cards are issued in countries that do not participate in the SafeKey program. For these cards, the liability (the risk) lies with the Merchant. The list of countries in which SafeKey is active is managed by American Express.

        Liability shift

        With MasterCard® SecureCode™, Verified by Visa, American Express SafeKey and Bancontact, evidence of the transaction is captured. When a card holder claims he hasn’t made the purchase, the card issuing institution and the card holder have to prove this if the transaction was made with 3-D Secure. The Merchant doesn’t have to do anything, unlike with non-3-D Secure transactions, because the Merchant doesn’t have the unique code issued by the card issuing institution. Thanks to 3-D Secure, a shift of responsibility has taken place. This is referred to as a ‘Liability shift’ (from the Merchant to the card issuing institution). What obviously doesn’t change is that a card holder can dispute a transaction if a product hasn’t been delivered, wasn’t delivered as agreed, or was defective when received. The card issuing institutions assume that the Merchant has taken on that responsibility in the delivery process.

        Advice: Avoid misunderstandings and make sure you have a clear complaint, guarantee and return policy.

        The figure and table below show whether there is a liability shift or not.

        • The first check is Enrollment: Is the card included in the 3-D Secure program or not?

        • The second check is Authentication: Has 3-D Secure been implemented properly?

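        | Card type   | Enrolled | Status | Liability   |
        |-------------|----------|--------|-------------|
        | Visa & Amex | U        | -      | [Cancelled] |
        | Visa & Amex | N        | -      | Card Issuer |
        | Visa & Amex | Y        | Y      | Card Issuer |
        | Visa & Amex | Y        | N      | [Cancelled] |
        | Visa & Amex | Y        | A      | Card Issuer |
        | Visa & Amex | Y        | U      | [Cancelled] |
        | MasterCard  | Y        | Y      | Card Issuer |
        | MasterCard  | Y        | A      | Card Issuer |
        | Maestro     | N        | -      | Card Issuer |
        | Maestro     | Y        | Y      | Card Issuer |
        | Maestro     | Y        | A      | Card Issuer |
        | Bancontact  | Y        | Y      | Card Issuer |
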
        #### Explanation with regard to tables above
        • Enrollment = answer to the question: is the card enrolled in the 3-D Secure system?
        • The enrollment check for a 3-D Secure transaction can have the following outcomes: U = Unknown; N = No; Y = Yes
        • After a transaction has been enrolled, one of the following authentication statuses can apply: Y = Yes; N = No; U = Unknown; A = Attempt


        For Worldline Collecting, the option Dynamic 3-D Secure (3DS) has been added, based on the order amount. This means that a Merchant can set an amount/limit in the Plaza. If the transaction amount remains below this limit, 3-D Secure authentication is skipped. This amount/limit can be set per currency. The reason to use this option is that a Merchant can estimate that a lower order amount comes with a lower risk of fraud. In those cases, the Merchant could decide not to confront the consumer with the extra 3DS authentication step. The Merchant then knowingly takes the risk of fraud on his own account.


        After the introduction of SCA via 3DS 2.x, this option can no longer be used.
