PASA: 3D Secure on all CNP transactions

The Payment Association of South Africa (PASA) is the association recognised by the Reserve Bank (SARB) and responsible for managing payment systems in South Africa.

PASA has mandated that 3D Secure be implemented on all online credit card transactions (known as CNP or card not present), starting February 28, 2014.


A little history

CP (or card present) transactions are those that happen in the real world, like when you go into a supermarket and purchase groceries with your credit card. Historically these cards only had a magnetic strip (with the cardholder’s data) and a signature on the back. To authenticate a transaction, the card would be swiped (to confirm whether it was enabled for use) and the receipt would be signed (and matched against the signature on the card).

Where money goes, fraudsters follow.


Fraudulent (CP) transactions started appearing and increasing: criminals would obtain someone’s credit card (either a physical copy or a clone), swipe it and sign with an approximation of the cardholder’s signature. This meant that anyone with access to a card could potentially make physical purchases.

Fraudulent transactions lead to chargebacks.


The rightful owners of the card could (and still can) then dispute the fraudulent charges with their bank, as they didn’t authorise those transactions. The banks, in turn, would reverse (or charge back) the money paid to the physical retailer back into the cardholder’s account. This left the merchant without the goods and without the money for those goods. The burden has been (and still is) on the merchant to make sure that they don’t accept fraudulent payments (such as fraudulent cheques, fraudulent bank notes and fraudulent credit card transactions); if they do, they are the ones who ultimately lose out.

Chargebacks lead to Chip & PIN.


Starting in the early 2000s, most credit cards (like the ones in circulation in most places around the world; a notable exception was the United States, but that is set to change soon) started appearing with an embedded chip, which requires a PIN to be entered to complete the transaction. This is still in place today and far less fraud gets perpetrated with the Chip & PIN system (also known as EMV). Chip & PIN requires someone to prove ownership of the card before a transaction can be successful (since the PIN is something that is memorised and shouldn’t be shared).

Retail went online. The pattern reappeared.


E-commerce has been growing at an amazing pace, due to a lot of factors (such as higher ADSL speeds, lower startup cost, bigger potential markets etc.). The problem was that online credit card payments still didn’t have any way of verifying that the person making the transaction was actually the legitimate cardholder. This meant that, as in retail in the 90s, anyone with access to someone else’s credit card could potentially use it to buy things online by simply providing the credit card name, number and three-digit CVV on the back of the card. This would (and does) result in the same payment reversal where the seller is left without the goods and without the money.

The card associations and banks responded.


The two major card associations, Visa and MasterCard, started tackling the problem with solutions they branded as “Verified by Visa” and “MasterCard SecureCode”. 3D Secure is the blanket term for these programs.

In essence they are ways for a cardholder to verify their identity and ownership of the card. This was easier said than done, since all the banks that issued the credit cards wanted their own methods of verifying identity and also their own rules for when to register someone for 3D Secure. Methods of verifying identity included (initially, at least) entering one’s telephone number, address, ID number, credit card PIN, a password or a one-time PIN (OTP). Some banks required registration at the branch, others offered it as an option on their online banking platforms, and others only allowed it to happen during checkout (again in a myriad of ways). It was, needless to say, a bit of a mess, and online merchants started complaining of honest cardholders trying (but ultimately failing) to make a legitimate purchase with their card, due to the confusing registration and/or verification process.

The mess got cleaned up (but there’s room for improvement).


We’re happy to report that the card associations and, very importantly, the card issuing banks have vastly improved the methods of registering for and using 3D Secure. We wrote about it here, but in short, credit cards issued by the majority of South African banks can be registered for 3D Secure before or during the payment (or checkout) process, and it is increasingly a very seamless experience. Note that registration only happens once on each credit card (like when you register a PIN on your new credit card for Chip & PIN use). Most banks allow for transactions to be verified by means of a one-time PIN (OTP) which they deliver via SMS/email, except for a few that require a memorised password.

Final thoughts

We know that this has been a contentious issue, but in the end, PASA’s decision is hard to argue with as it has been made to reduce online fraud, which negatively affects buyers, sellers and e-commerce in general.

It was surely a mammoth task, but kudos to the card associations and banks for (somewhat) standardising the methods of registering (either on the same page where the payment is being completed or on the online banking platform) and the actual methods of authenticating the transaction (either by delivery of an OTP or by entering a memorised password).

There is a joint responsibility here: banks should make 3D Secure registration/authentication an easy and consistent process (like Chip & PIN currently is, so arguably more work can be done there), help educate their customers on how to register for it and explain how it works. Online sellers, in turn, should also do their part in educating buyers on what 3D Secure is, why it is in place, how to register for and use it and explain that ultimately it is in place to keep everyone safe.

There’s definitely still work to be done in improving the user experience for mobile transactions, but as with business, payments and the Internet in general, we’re confident that things will evolve and improve.

We want to emphasise that PayFast sellers won’t have to do a thing; your accounts will be fully compliant and 3D Secure will automatically be added on all credit card transactions to help protect you and keep fraudsters at bay.

Thanks for reading!