
3DS is a mostly independent standard from Visa and Mastercard. Yes, they’re responsible for authoring, but the technical systems underneath are pretty much independent of standard card processing systems. 3DS is basically implemented as a standard set of REST APIs and HTML pages, with a standard around how the 3D flow is initiated, and crypto tokens exchanged via standard card payment ISO messages.

Nothing would prevent you from strapping 3D onto any other payment system of your choice.

Merchants have to choose to perform 3DS, but EU Strong Customer Authentication rules make it mostly mandatory for EU merchants to use 3DS. They can only really opt out if they can consistently demonstrate they’re capable of detecting and preventing fraud, keeping it at levels that are basically equivalent to fraud seen on 3DS transactions.

The card number alone is not enough to perform a card transaction. There are some merchants out there that are capable of performing card transactions with only the 16-digit number, such as Amazon, but you need to be a very large merchant, and demonstrate you’ve got effective fraud controls in place to prevent abuse. Any smaller merchant attempting something similar will find their merchant accounts quickly closed, and all transactions automatically refunded.

> Many webshops kinda do something like that by handing payment off to their payment provider, but their payment provider isn't my payment provider yet still needs a credit card number. And what if a merchant uses a shady payment provider?

They mostly don’t exist. Becoming a payment provider on the Visa and Mastercard networks is expensive, difficult and very time-consuming. Additionally, Visa and Mastercard monitor all network participants; if they’re seen to be misbehaving then they get disconnected from the network, and their collateral payment is seized. So running a shady payment processor isn’t profitable.

The system isn’t perfect, but most of the things you’re concerned about don’t happen in the EU. They happen a lot in the U.S., but the U.S. has a very different culture around money to the EU, and their payment systems are a bit more bonkers. Which is why EU banks tend to get a bit trigger happy with their fraud rules when customers travel to the U.S.



