A friend of mine once asked me if it is secure to do an online transaction with credit/debit card. I prompted, absolutely secure!! I  told him if he would google it, he will get a lot of content that will answer his question. However, my purpose of writing a blog is to address this common concern in the simplest possible way. Let me start with giving you a bit of background on why some people are still skeptical of sharing their card details online. This is because in the past, there had been increased frauds in “card not present” as there was no way to “Authenticate” a customer during an online card transaction. Thanks to the e-commerce boom, the level of confidence amongst online shoppers has increased significantly over the last couple of years.

The process of authentication requires a system that could authenticate the card owner and his credentials. This process verifies a credit card owner thereby indicating that the card details are being submitted by the owner of the card. So, an Authentication system known as 3-D secure system, or popularly known as Issuer ACS System minimizes the risk of frauds by authenticating cardholder’s identity.


Once authentication is successful, financial validations such as check Valid Card Number, check for sufficient funds, etc. takes place as a part of transaction authorization. Merchant Plug-in (MPI) will facilitate this by sending card credentials from Merchant Website to the acquirer system or popularly known as a Payment Gateway. MPI is a software component that connects Issuer ACS, Payment Gateway and Merchant Website together.

In other words, Merchant Plug-in connects the merchant website with the Visa/MC directory server and enables 3-D secure authentication. It then routes the card data to payment gateway for transaction authorization.

How an Issuer ACS (or 3-D secure) system works?

When a customer checks out of the merchant website after filling in the card details, issuer bank of the entered card, through MPI, invokes their ACS system to display a screen where either a password or a one-time password (OTP – delivered to cardholders email/mobile) is asked for authentication. This way Cardholder Identity is positively authenticated if entered OTP/Password is correct.  A fully integrated 3-D secure enabled merchant website reduces chargeback rates and shifts the liability of disputed transactions from the Merchant to the Card Issuers.

How a Payment Gateway works?

Payment Gateway is the Point of Sale (POS) of the e-commerce world. After the cardholder authentication is done by the Issuer ACS, MPI passes the card data to Payment Gateway for transaction authorization. The Payment Gateway, then uses the Payment Scheme (Visa/MC) network to send the authorization request to the card issuer for Authorization approval. If the card issuer sends positive response after doing all financial validations on the card, transaction is approved.

How a fully integrated system works?

MPI resides in the server hosting the merchant website. It has connectivity to the directory server of payment schemes. When an online transaction is performed by a cardholder (1&2), MPI first looks the directory server to check whether the particular Card Issuer to whom the payment card belongs to, is enrolled for 3-D secure Authentication (3). If yes, MPI fetches Issuer ACS URL from the directory server (4) and routes it to the Issuer ACS system (5&6). The ACS systems does the authentication in terms of asking the password or generating an OTP for the cardholder to fill on the 3-D secure screen (7). After the authentication, it sends back the response to MPI (8). If the 3D authentication is successful, MPI submits the card data to Payment gateway for transaction authorization (9). Payment Gateway uses the scheme network to send the authorization request to card issuer. Card issuer does the financial validations and based upon that approves or rejects the authorization and sends it back to MPI via scheme network (10). MPI then send the response to Merchant Website (11). The transaction is completed and the cardholder sees the status of the transaction as passed or failed (12).