# 3-D Secure (3DS)

[3-D Secure (3DS)](https://www.emvco.com/emv-technologies/3-d-secure/) is a security layer that helps prevent fraud in online card transactions. It'll make things safer for both you and your customers by cutting down on card misuse and potential chargebacks.

When a customer makes a payment using 3DS, their credit card provider confirms it's really them using two-factor authentication. This usually means a one-time password (OTP) sent to the customer's phone or email. Since the provider handles the verification, they also take on the liability for any losses. This means you get **chargeback protection** for transactions the customer denies.

Keep in mind that 3DS only works with credit cards. It's not available for other types of payments, like [digital wallets](/pay/common-use-cases/digital-wallets.md).

## Prerequisites

3-D Secure is managed by the credit card company you [signed your acquiring agreement](/pay/getting-started/prerequisites-and-initial-setup.md#3-sign-credit-card-acquiring-agreements) with, like Isracard, Cal, or Max. Whether it's available or not depends on how your merchant profile is set up by the acquirer.

To use 3DS, you'll need:

1. An internet-enabled **vendor number** (מספר ספק אינטרנטי) from your acquirer. You should already have this from your initial setup.
2. A valid **merchant category code (MCC)**, sometimes called a 'branch code', assigned by your acquirer. This code tells everyone what kind of business you run and is needed for 3DS to work.
3. A **merchant identification number (MID)**, which is a unique 9 or 10-digit number your credit card company (Isracard, Max, or Cal) gives you. For American Express, your MID will always be a 10-digit number starting with `972`.

Most of the time, you won't even need to sign a new contract to enable 3DS. Your acquirer just updates your existing merchant profile. Once these details are ready, you can activate and configure 3DS.

## Activating and configuring 3DS for your terminal

1. Log in to the Hyp Pay account for your production terminal. 3DS is only available on production terminals.
2. Click **3DS עסקה בטוחה** (**3DS safe transaction**) under **הגדרות** (**Settings**).
3. In the **פרטי עסקה בטוחה** (**Secure transaction details**) area, fill in the following:
   1. ‎**שם** (**Merchant name**): Type your business name in English as it appears with the credit company (no spaces, up to 10 characters).
   2. ‎**כתובת אתר** (**Website address**): Enter your website's domain. (If you're only using payment links via the Hyp Pay account or app, enter `hyp.co.il`).
   3. ‎**קוד מדינה** (**Country code**): Enter `376`, which is the numeric code for Israel.
   4. ‎**גודל חלון אימות** (**Authentication window size**): Pick how large you want the 3DS prompt to be when it asks your customers for their one-time passwords. We recommend going with full screen.
4. Further down the same page, in the **הגדרות** (**Settings**) section, set this up for all the credit card brands you handle:
   1. **MID**: Type the merchant provider number your credit company gave you. For American Express, remember to use the 10-digit number starting with 972.
   2. ‎**סולק** (**Acquirer**): For Visa, MasterCard, and Diners, pick the credit company that handles that brand (Isracard/Visa, Cal/Max).
   3. **MCC**: Enter the MCC code for your business sector that you got from the credit company.
   4. ‎**ישראל** (**Israel**) and **תייר** (**Tourist**): Enable both of these card types, even if you don't plan on clearing tourist cards.
   5. Optionally, you can set a minimum amount for any of the four supported currencies — 3DS will only kick in for transactions above that limit.
5. Check the boxes in the **הגדרות** (**Settings**) section:
   1. **Fallback ביצוע עסקאות ללא עסקה בטוחה במקרה של** (**Perform transactions without 3DS in case of fallback**): This lets the transaction go through without 3DS if there's a temporary system glitch. Leave this unchecked if you want to make sure every transaction is protected.
   2. ‎**חסום עסקאות שבוצעו בכרטיסי אשראי ישראכרט מקומי** (**Block transactions performed with local Isracard cards**): Local Isracard brands don't support 3DS. If you check this, customers with those cards will get a "Card not supported" error.
   3. ‎**אילוץ אימות לקוח על ידי OTP במידה והמנפיק תומך** (**Force customer authentication by OTP if the issuer supports it**): Usually, 3DS is smart enough to secure things without asking for a code every single time. We recommend leaving this unchecked for a smoother customer experience.
6. Click **שמור הגדרות** (**Save changes**).

When 3DS is turned on for your terminal, Hyp basically acts as a middleman between you and your acquirer. If your acquirer supports a specific card brand, it'll work through Hyp too.

## How the 3DS flow works

Once 3DS is active on your terminal, you don't have to do anything else to get it working on your payment page. Hyp takes care of all the back-and-forth with the credit card issuer automatically.

Here's how a typical 3DS flow looks:

1. You create and show a payment page to your customer.
2. The customer types in their card details and clicks **Pay**.
3. Hyp starts the 3DS process with the credit card issuer.
4. If the issuer thinks it's necessary, a prompt will pop up asking the customer for an OTP sent via SMS or email. Every issuer's prompt looks a little different. ![Example of an OTP challenge prompt](/files/IKqpO1QzT5bBh9NGWRPH)
5. The customer enters the OTP, and the issuer tells Hyp if it all checked out.
6. If everything's good, the transaction moves forward and gets processed like normal.

## Identifying 3DS transaction results

After a customer is redirected back to your website following a transaction, you can check whether it was successfully verified with 3-D Secure. This is the best way to know for sure if you've got **chargeback protection** for that specific payment.

To see 3DS details in the response, set the `MoreData` parameter to `True` when [creating the payment page](/pay/getting-started/creating-a-payment-page.md). When this is on, Hyp Pay includes some extra info in the [payment completion redirect](/pay/getting-started/creating-a-payment-page.md#handle-the-redirect-back-to-your-website), like the `ECI` parameter:

{% code overflow="wrap" %}

```http
https://your-merchant-website.com/success.html?Id=423664659&CCode=0&Amount=21.1&ACode=0889867&Order=&Fild1=Israel%20Israeli&Fild2=test%40test.co.il&Fild3=&Sign=118e517b99d72fa173a5b685185d23984e98cf187838fcfe08a8d2c8eb403883&Bank=6&Payments=1&UserId=336335379&Brand=1&Issuer=1&L4digit=9286&street=&city=&zip=&cell=0544444444&Coin=1&Tmonth=02&Tyear=2032&Info=%EC%EC%E0%20%FA%E9%E0%E5%F8&ECI=02&errMsg=%FA%F7%E9%EF%20(0)&Hesh=EZ&UID=26050616245128669798150&SpType=0&BinCard=555650
```

{% endcode %}

In the example above, the `ECI` parameter is set to `02`. `ECI` is a two-digit code that tells you the result of the 3DS authentication. In this case, `02` means the customer passed the 3DS challenge, and you're covered if they try to dispute the transaction later.

Different card networks (like Visa and Mastercard) use their own codes, but they all fall into these three buckets:

| ECI value                      | Meaning                                                                                              | Chargeback protection                        |
| ------------------------------ | ---------------------------------------------------------------------------------------------------- | -------------------------------------------- |
| `05` (Visa), `02` (Mastercard) | Fully authenticated. The customer successfully completed the 3DS challenge.                          | Protected according to your acquirer's rules |
| `06` (Visa), `01` (Mastercard) | Authentication attempted. 3DS was started, but the issuer or the customer's card doesn't support it. | Protected according to your acquirer's rules |
| `07` (Visa), `00` (Mastercard) | Authentication failed. The 3DS verification didn't happen or failed.                                 | No protection                                |

If the `ECI` shows the transaction was fully authenticated or even just attempted, the credit card provider takes on the liability for fraudulent chargebacks. If it's `07` or `00`, you're still responsible for any disputes.

## Frequently asked questions

### Does Hyp control the 3DS process?

No. Hyp just acts as a passthrough. Your credit card provider and the card issuer are the ones in charge of the whole 3DS authentication process, including whether to ask for an OTP challenge for a certain transaction.

### Can I customize the 3DS screens?

The 3DS screens come directly from the credit card issuer, so neither Hyp nor you can change how they look. You can only pick the preferred size of the 3DS prompt window.

### Does the issuer always trigger an OTP challenge?

No. Sometimes the issuer might skip the OTP challenge if they think the transaction is low-risk. You can turn on a setting in your Hyp Pay account to request an OTP challenge for every transaction, but keep in mind the issuer can still decide to ignore that request.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://developers.hyp.co.il/pay/advanced-features/3ds.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.