I have spent a huge amount of time trying to setup 3D secure in Shopify. I have also spent a ton of time trying to configure this with a 3rd party payment provider via Shopify. After all of this time I have gotten nowhere but wasted a lot of time.
First, I read the attached and it certain states that Shopify supports 3DS Billing authentication with 3D Secure · Shopify Help Center
However, when I try test payments, there is no indicator at all that it passed 3DS authentication. Therefore, it is somewhat worthless if there is a chargeback and we cannot prove that it used 3DS. There is just a vague risk indicator that doesnt give any indication of the most important risk indicator (3ds).
I am concerned because the Shopify article states that "shopify only uses 3D Secure when required by the issuing bank in order for a transaction to be authorized successfully." As a merchant this is not good because I want every transaction over a certain dollar amount to be authenticated with 3DS. Otherwise, I am not protected from chargebacks.
The same article it states "If you're using a third-party gateway and require 3D Secure, then you can use Cardinal as a 3D Secure provider." I have found this to be incorrect information for US merchants. So you may want to update your article.
Can someone from Shopify clearly state whether 3DS is supported natively in Shopify Pay for US merchants and if so how we know whether a particular order has authenticated with 3DS?
Thank you for taking the time to provide a great deal of context to your question/issue.
3D secure is enabled by default on Shopify Payments. The buyer will be asked to verify their purchase through a password/form of identification (this depends on the buyers' bank). The flow is not controlled by Shopify and will vary depending on the buyer's bank. It will be a form of SCA. So for example, the buyer may be asked to input their password, a one-time pin, or verify using a fingerprint scan. Shopify Payments supports 3DS 1.0 and 2.0. The version shown on checkout will depend on what the buyer's bank supports, however, Shopify Payments can facilitate both versions. If your customer has purchased using 3D secure, then you will see a card on the order page on the right side called 3D Secure Authentication.
As for Cardinal, this is only applicable to store owners in the EU and the UK:
Cardinal is a 3D Secure provider that integrates with many third-party payment gateways on Shopify in the European Economic Area (EEA) and United Kingdom.
As a follow up, I have been using Shopify Payments for a few weeks now. My opinion is that either 3DS support does not exist in Shopify or it is not being communicated in any way to merchants. As an example, we received an order today that suggests that it may be fraudulent. The Shopify portal states "this order is medium risk". What the hell? This doesn't help. The only relevant thing is whether the payment is 3DS compliant. Unfortunately, Shopify does not provide ANY indication whether the order meets 3DS authentication requirements. If it did, I would know whether I could fulfill the order with confidence. Now because Shopify does such a poor job of communicating about 3DS I must cancel the order and potentially I just lost a large sale.
As a reference, here is what other payment providers give to validate 3DS (where is this information in a Shopify pay transaction)? The key point here is the Liability shifted = TRUE.
Trevor's post above indicates that an order will have a message stating if your customer has purchased using 3D secure, then you will see a card on the order page on the right side called 3D Secure Authentication, This card does not exist.
Update: As an update to this post, I was able to dig and find some information about the transactions. It appears to me that Shopify does NOT support 3DS for US merchants. If you are considering using Shopify and have products that are high risk for fraud, you might want to look elsewhere. I migrated to Shopify because I was given false information here. I wish I hadn't even gotten on with Shopify.
Here is the information from the transaction: I assume the three_d_secure = nil means that 3D Secure is not used. I verified that this is the case for most of my store transactions. if i am somehow reading this wrong, please feel free to correct me.
"three_d_secure"=>nil, "wallet"=>nil}, "type"=>"card"}
I have posted about 3DS on Shopify extensively because in my opinion the official information is inaccurate and misleading. I will continue to update as I get more information and perhaps bring some attention to this gaping hole in the Shopify ecosystem.
Because I was not able to get 3DS working on Shopify after literally tens of hours of work and research and back and forth, I tried to see if it was possible on WooCommerce. In fact, after less than 2 hours of setup I had a working production ecommerce website on WooCommerce using 3DS version 2. To be completely fair, the solution i found does not support Amex, but frankly I don't care. Most of my transactions are visa/mc. But to be perfectly clear, I can confirm 3DS does work fine in production on WooCommerce.
Put very simply, it should not be this difficult for a $200 billion company to protect its users by implementing 3DS when in fact they already do it for EU customers. Until then, others might want to check out WooCommerce.