• France
status page
demonstrations
assistance
FAQContact support
Search
Categories
Tags
English
French
English
Homepage
Use cases
Create a payment
Create an installment payment
Create a multi-card (split) payment
Create a payment by Alias (Token)
Create a payment link
Create a recurring payment
Manage subscriptions
Manage your transactions (refund, cancel...)
Analyze your reports
API docs
Embedded Form
REST API
Hosted payment
Mobile payment
File exchange
Snippets
Payment methods
Plugins
Guides
Merchant Back Office
Functional guides

3D Secure

3D Secure is an interbank protocol that provides a high level of security for online payments.

In 2019, CB developed its own service for securing card payments called “FAST'R by CB”.

It acts as a Directory Server for strong cardholder authentication, but also as an anti-fraud tool thanks to an authentication scoring system and merchant risk management.

When a transaction is processed by the CB network, the “CB Paiement sécurisé” logo reassures the buyer that the payment is secure and that it is processed in France.

The second Payment Services Directive (or PSD2) requires strong authentication for payments when the buyer is present at the time of purchase, but also provides for cases where interaction with the buyer (challenge) is not mandatory. To qualify for frictionless authentication, the payment must be eligible for an exemption.

Merchant preference and Liability shift

Under PSD2, it is no longer possible to disable authentication in 3DS2.

However, the merchant can express their choice regarding cardholder authentication.

This is called “merchant preference”.

The merchant can choose to:
  • Request strong authentication, i.e. with cardholder interaction (challenge)
  • Request authentication without interaction (frictionless)
  • Not choose anything and let the issuer decide (no preference)

By default, “no preference” is applied.

The choice is made either in the payment request, or via a payment module (PrestaShop, Magento, etc.), or via the Merchant Back Office for merchants authorized to access the advanced risk module.

The expression of this wish is taken into account in the CB scoring and is communicated to the issuer. In addition, this desire has an impact on the transfer of responsibility.

The burden of fraud is always borne by the issuer, except in the case where the merchant requests passive authentication (frictionless) and the issuer enforces this choice.

For more information, please see our 3D Secure guide.

Authentication scoring

For each authentication request on the CB network, a score is calculated.

This score reflects the level of risk and is based on the current transaction data as well as the historical purchase profile of the cardholder and the merchant.

The score is between 0 and 99.

  • It is sent to the ACS in the authentication request, to facilitate the issuer's decision (strong or frictionless authentication).
  • It is sent in the return of the authentication request to share the risk analysis with all the actors of the payment chain.
  • It is sent by the payment platform in the authorization request.

Based on the score achieved, CB will provide the issuer with a recommendation that depends on other factors, including the merchant's desire for strong authentication.

© 2025 {'|'} All rights reserved to Sogecommerce
25.18-1.11