3-D Secure credit card payments - wha???

Disclaimer: I'm Danish and live in Denmark/Europe

Yes - this has been around for quite a while. It is supposed to prevent anyone who has stolen (or bought) you credit card numbers (which can be done without you noticing) from using it, because it is very hard to also steal your mobile phone without you noticing.

I understand your frustration, but once it is set up and you get used to it, I feel much more secure.

Of course the merchant should have warned you on the initial page that he would not accept US cards, but sometime they forget.

Yes, I see it often here in France with French retailers and service providers. Of course, my French debit card is set up for this, so it's not a problem for me. That's pretty bad if they are instituting this for all purchases, when people from the States won't have cards/accounts that are equipped to deal with this!

Yes, 3D Secure is very much like Verified by Visa. Mine is set up so all I need t do is enter a password when prompted. This makes credit card fraud more difficult but I can appreciate how frustrating it must be for you but I'm not sure why American banks are not implementing it (much like chip & pin).

I'm pretty much sure that these plans can be registered for by anybody. Once you are registered and the appropriate cards are linked it is an easy process. Both M/C and Visa have recently announced in the news here that they are clamping down and forcing more transactions through that system.

It isn't your merchant, and it it isn't (directly) your bank - it is the network.

This is the system used with some U.K. cards, although I have never actually gone through the process when buying anything. My U.S. sister-in-law has a card on our John Lewis account, and when I told her about it the response was "That's the same system we have over here". Perhaps the variation is more between banks in the same country rather than banks internationally.

I have been having this same issue. My workaround--pay using paypal.

Many US card issuers didn't like the early 3D Secure online system for the same reason that they didn't like PIN authentication - people can't remember the password/numbers etc, and don't use the card. However, they are out of step with nearly everyone else. Today 3D Secure has moved on and rarely asks for the password.

Is this affecting only online purchases? Or is also affecting in-person purchases?
I haven’t ran into the problem—yet.
Thanks for the info.

I've heard of Verified by Visa, but I've never encountered, or even heard of, 3-D Secure. I think the only times I've had issues with foreign payments was when my bank flagged it as suspected fraud. But I'd get an email immediately from them, tell them it's OK, and then the charge goes through. I've made several foreign on-line charges in the last few months, with no problems. I guess there's nothing I can do about the possibility of running into 3-D Secure.

I ran into this issue in 2017 when trying to buy an advance train ticket on OBB, made calls to my card issuer and got no where so just bought my ticket once I arrived in Vienna.

I'm pretty much sure that these plans can be registered for by anybody. Once you are registered and the appropriate cards are linked it is an easy process.

Not necessarily if your credit card is issued by a bank in the USA. If you have a USA-issued credit card, for many cards, there is nothing you or your bank can do to make this system work, those major USA-issued credit cards are incompatible with the system.

Is this affecting only online purchases? Or is also affecting in-person purchases?

I've only encountered it with online payments. But, sometimes you need to make an online payment before you get there (in my case, a deposit for large travel expense).

I have been having this same issue. My workaround--pay using paypal.

The merchant I'm trying to use does not accept paypal. After blithely repeating "just try a different card" for 2 days, they finally shared that US credit cards just won't work, and I would need to wire money to their bank account.

I'm going to switch to TransferWise for this transaction (in this case I'm confident enough that they are legitimate and not a scam, although sending money by wire transfer is fraught with risk so it's far from ideal). But this came as a big surprise, it took almost 4 days and hours of back-and-forth email with the merchant to get to the root of the issue, and it looks to become a potential source of fairly serious hassles in the future.

I've heard of Verified by Visa, but I've never encountered, or even
heard of, 3-D Secure.

3-D Secure is a security protocol used in online transactions, it is marketed under different names like Verified by Visa, or SecureCode, so you've heard of it, just not the name. And it is very common in Europe, so the strange thing is why US banks haven't adopted it yet.

I'm not offering any opinion on how great or not great it may be. I'm suggesting it's something that Americans traveling abroad might run up against, with no good options to get through it.

Based on my (admittedly limited) experience I would say it's pretty much unknown to most Americans and many people working at American banks that issue credit cards. I called Chase and American Express (not exactly some minor, small-town credit union) and the CS agents I spoke with at both were quite unfamiliar with it.

The merchant in Europe I am dealing with caters to international customers worldwide, and proudly touts that they accept credit cards with no hidden fees. It took a while (multiple attempts with multiple individuals there) to get someone on their staff to share the critical fact that US credit cards are incompatible with their payment systems.

The system may indeed be secure, wonderful, and provide many benefits. However, for Americans trying to do what otherwise would seem to be a completely routine online payment for travel services, it can be a significant hassle, effectively rendering any credit card you have 100% useless. Just wanted to give folks a heads-up about it, because even as someone who travels a good bit, it caught me completely by surprise.

I hope it doesn't push us back to the days of carrying bundles of travelers checks or steam trunks filled with cash...

David, I very much appreciate your post and the responses from those who know about and use 3-D secure. I have never heard about it or run into it, either. I think I'll call my bank(s)/cc issuers and see if they know anything about this. Major PITA, indeed.

USA-issued credit cards are incompatible with the system.

That would explain why, when I checked the web sites for the 2 American banks that I have credit cards with (BOA and Cap One), there was no mention of this.

David,

The 3D-Secure seems to be the next evolution of the Verified by Visa and MasterCard Secure protocols, but I haven't encountered it yet in any of the "card not present" transactions I've made. 3D-Secure it's not without criticism however. One paragraph that stood out in the Wikipedia description of this was....

"In some cases, 3-D Secure ends up providing little security to the cardholder, and can act as a device to pass liability for fraudulent transactions from the bank or retailer to the cardholder. Legal conditions applied to the 3-D Secure service are sometimes worded in a way that makes it difficult for the cardholder to escape liability from fraudulent "cardholder not present" transactions."

I'm sure the banks are working on further methods to make this more secure. I'll check with some of my card issuers to see if they've adopted this protocol, as I'd be interested to know whether I might also have problems in the future.

The 3-D Secure standards are a common problem for Americans trying to make online purchases on those foreign web sites that have chosen to implement the procedure, including many in France and many railways (France SNCF, Norway NSB, Austria OEBB, etc.). " Short-circuited" is a good description - if it doesn't detect that you're in the program, it does just stop the whole approval process.

It's not an issue for in-person transactions with a human agent in Europe, but US card approval can again be a problem with stand-alone ticket machines, gas pumps, or toll booths, depending on location. See also https://www.ricksteves.com/travel-tips/money/chip-pin-cards.

If none of your cards are working but the web site accepts PayPal, then that is the easiest work-around. I believe some people have had better luck with the CapitalOne-issed cards, or some CreditUnion-issued cards, or debit cards.

In the past, calling your issuing bank rarely found any staffers knowledgeable about the process. Reports in this forum over the past few years had some people (maybe Europeans?) saying that you could sign up online. The links below don't make it sound that easy, and may indeed just refer you back to your card issuer.

• https://www.visa.co.uk/run-your-business/small-business-tools/payment-technology/verified-by-visa.html

• https://www.mastercard.ie/en-ie/consumers/features-benefits/securecode.html

• https://www.americanexpress.com/icc/safekey.html

Buying certain items like budget airline tickets online can be a completely separate issue, as US card issuers may automatically flag that category as suspicious, requiring you to confirm the purchase with them either before or after completing it.

Laura, thank you for the clarification!

The Wikipedia article on 3D Secure is out of date and refers in the main to the original versions of how it worked. I haven't been asked for a password in years. Occasionally I will get a two factor authentication request.

The USA credit card issuers are out of step with nearly everywhere else as to the tolerance they have towards fraud. After chip+pin reduced card present fraud elsewhere, card not present fraud increased, so these authentication means we're developed to combat this.

Talk about timing...This morning I looked at my BAC CC and found a fraudulent pending (internet) charge. If the US used better security, I wouldn't be dealing with this. FYI, BAC Fraud was very helpful. It's interesting that the previous two charges I made were Trenitalia and AutoEurope.

"US banks rely mostly on algorithms to catch fraud, and this seems to be sufficient although it requires on-the-spot texting or emailing an “everything’s OK” to move the transaction forward."
Yes, and the latter part can create problems. When I make an on-line charge with Cap One while at my desk, if there's a fraud warning I get an email right away, and I've been able to deal with it quickly. However, when I'm travelling, it doesn't work so well, partly due to the nature of my phone and service. But my only problems have come with my debit card in Canada, not my credit card.

I just wanted to add something to this discussion. Twice in the last 3 weeks I have used my US based credit card (issued by USAA) to purchase items in France with the 3-D Secure system.

First one was tickets for the FIFA Womens World Cup;
Second one was tickets for Versailles.

After entering all my payment information, I was told that I would be sent to a site to confirm this information. Both times I was asked if I was near my mobile phone with the USAA app installed. The first time, I couldn't find the confirmation section in the app and alternatively had a 6-digit code texted to me that i had to input on my laptop for the transaction to go through (and it did).

Second time was last week. Same circumstances, I was told that I would be sent to a site to confirm this information. I was asked if I was near my mobile phone with the USAA app installed. I opened the app but this tine I knew where the confirmation info was so I was able to tap twice to confirm the transaction.

No real issues either time and I have tickets for both events. YMMV.

Many US card issuers didn't like the early 3D Secure online system for the same reason that they didn't like PIN authentication - people can't remember the password/numbers etc, and don't use the card. However, they are out of step with nearly everyone else.

I wish it was out of concern for the lowly customer that US Card Issuers are dragging on PIN and 3D Secure, but as it usually is, it is all about the money. And not the POS terminal or merchant hardware, but core structure and major investment to change the concept of the system.

US card systems are not really all that interactive, there really is only a pretty stagnant verification of a few bits of information (is the account valid, is it under limit, not much more) in fact many transactions are offline. Both PIN and 3D secure are highly interactive with the merchant system and card system exchanging much more data including validations. As you can imagine, this type of system requires much more processing and communication, not something a business likes to dump money into.