Hello Pythagoras & rab
Thank you for your comments.
This discussion is about online transactions (e-commerce), which with 3DS2 require additional authentication via SMS/email code or an Issuer Access app. In connection with 3DS2, it is important to know that not every single online transaction automatically requires this.
Technically, the following exceptions do not usually initiate a 3DS2 challenge flow in the backend:
- Transactions of smaller amounts. Typically, a 3DS2 Challenge Flow is only technically requested when the amount is anywhere between USD 30.- and USD 200.-. However, this may vary depending on the merchant, PSP or issuer.
- When paying in-store (e.g. by card, NFC or smartphone), the transaction is carried out via the classic EMV chip card standard and not via 3DS. These payments are secured by holding the physical card and entering a PIN or signature (in the case of mobile wallets such as Apple Pay / Google Pay, also by biometric approval).
With your additional information that the card worked for merchants from EU member states, I took another deep dive into the technical world of 3D Secure and the regulation of PSD2 and would like to share these insights with you:
- Merchants from EU member states are legally protected for extended liability by PSD2 when they implement 3DS2 (financial responsibility for chargebacks passes from the merchant to the issuer). Thanks to PSD2, this merchant protection through extended liability shifting applies even if the issuer does not support 3DS2.
- As Switzerland is not an EU member state, Swiss merchants are not protected by the PSD2 regulation and they are subject to the ordinary shifting of liability according to the rules of the international card networks (Visa, Mastercard, AMEX, etc.), which means that shifting of liability is only possible after a successful 3DS2 challenge flow. A successful 3DS2 challenge flow requires that the issuer support 3DS2.
Conclusion:
- The fact that a credit card works with a merchant from an EU member state cannot be taken as an indicator that the issuer supports 3DS2.
- If customers never receive a code from the Issuer ACS via SMS, e-mail or Issuer Access app for an online transaction that requires 3DS2, it is obvious that the issuer does not support 3DS2 or that the card in the issuer customer profile is not (fully) set up for 3DS2. Only a (technical) clarification with the issuer can provide clarity.
The EMV 3-D Secure Standard is global
The EMV 3-D Secure (3DS2) standard is a technical protocol developed by EMVCo that defines the same data fields, the same communication flow and the same basic rules worldwide.
- Technical flow: The process is the same worldwide (merchant / PSP sends data > Visa Directory Server (or Mastercard, AMEX, etc.) forwards > card issuer evaluates > issuer sends reply).
Conclusion:
- If a problem really existed on the merchant / PSP side, all Visa cards worldwide would be affected (including Visa cards issued by European and Swiss banks).
- It is technically not possible that the problem exists on the merchant / PSP side, if the 3DS2 Challenge flow fails only with specific card issuers (banks) or only with individual users, because Merchant / PSP always sends the same data fields to the Visa Directory Server (or Mastercard, AMEX, etc.).
If the issuer-ACS does not reply correctly (e.g. incorrect or missing issuer implementation of 3DS2), the payment process on the merchant’s website is automatically aborted and the next flow (payment authorisation) can never be triggered technically. For this reason, statements such as “We don’t see a rejected payment” do not make sense from a technical point of view and in the context of 3DS2 (note: A rejected payment is only visible in the payment authorisation flow, but not if the transaction already dies in the previous 3DS2 flow).
- 3D Secure is not yet or not fully set up for the card in the Issuer customer profile (see also Comment No. 18 from Shuvievai22 in this discussion on Citi Visa > Note; this step is required for every new card, including a replacement card).
- If the Issuer ACS uses e-mail or SMS to communicate with the cardholder for the 3DS2 authentication, the Issuer customer profile may still contain outdated customer contact details if a different e-mail address / telephone number is now used.
- If the Issuer ACS uses its own Access app for 3DS2 authentication, it may be that the app has not yet been set up on the new smartphone or not fully set up on the new smartphone when changing smartphone (note: it may also be necessary to remove the old smartphone first and add the new smartphone in the Issuer customer profile).
- Some issuers offer the option of blocking/unblocking the card for individual countries/regions. Since Switzerland is located in Europe but is not an EU country, it may be necessary to activate the card explicitly for Switzerland in the issuer customer profile.
- temporary technical malfunctions in the issuer ACS or directory server of the affected card network (Visa, Mastercard, AMEX, etc.)
Pythagoras I even called my bank (Chase) and they have no clue why my international card keeps getting declined.
I can’t speak from personal experience, but based on the feedback here from the community, it seems to me that Chase’s 1st level phone support is unfamiliar with 3DS2. Did you tell customer support about EMV 3DS 2.x, ACS and Visa Directory Server (as recommended in comment No. 13) when you called?
According to feedback from Shuvievai22, this was checked with Chase and the answer was that Chase does not support 3DS:
Shuvievai22 Chase Visa was contacted and said they do not support 3DS.
Reddit discussions also mention that Chase doesn’t work with 3DS:
In this community we can’t support you any further than;
- share the information that the card must support 3DS according to the global EMC 3-D Secure standard.
- share technical background information so that you can argue with 1st Level Issuer Customer Support why your issues need to be forwarded to other issuer support teams (2nd Level, 3rd Level, etc.) who are familiar with the issue.
- or recommend using another card that supports the requirements.
rab And, for what it’s worth, I just tried 2 different Amex cards and those didn’t work either. Also tried with multiple different browsers. No contact from either Amex or Chase indicating a transaction needing to be confirmed or having been rejected. Never redirected to the 3DS confirmation pages. Something is pretty clearly messed up on Datatran’s side.
A general problem with AMEX is not known. The original questioner EricS from this discussion was also able to complete the transaction with AMEX. I suspect there is a problem with an individual AMEX user profile. Have you already checked whether your contact details on AMEX are still up to date? If yes, was AMEX contacted to clarify why both did not work?
If it is not due to the AMEX user profile and AMEX has not yet been contacted, the following information may help:
Kind regards,
Nicole
