Secure payment services
Secure payment services — PCI L1, 3D Secure 2, signed events.
topropay wraps every authorisation in the PCI DSS Level 1 vault, selective 3D Secure 2 / SCA, network tokens and signed webhook delivery. Secure processing at scale — with the routing, cascade and reconciliation that make a multi-acquirer setup feel like one secure payment gateway.
- PCI L1
- service-provider posture
- 3DS2
- selective challenges per transaction
- Vault
- tokens replace PAN end-to-end
- Signed
- webhooks, replay-safe events
Key benefits
Four pillars of secure payment solutions on the platform
Vault, 3D Secure orchestration, scheme programme tracking and signed events — the four pillars that together let merchants inherit a service-provider posture rather than building one themselves.
- 01
Vault tokenisation that keeps PAN out of merchant systems
Card data captures into the PCI DSS Level 1 vault before it ever touches the merchant origin. Refunds, captures, retries and recurring all run on vault tokens. The merchant inherits the service-provider posture rather than carrying it themselves.
- 02
3D Secure 2 / SCA orchestration applied per transaction
Selective challenges are issued per authorisation based on BIN, scheme, country and risk signals. The 3D Secure system runs frictionless where the scheme exemption holds, and steps up to a challenge only where the risk model or the regulation demands it — keeping conversion high without skipping the compliance bar.
- 03
Scheme programme tracking baked into the data model
Visa VDMP / VAMP / VFMP and Mastercard ECP / EFMP thresholds are tracked per merchant per acquirer; the dashboard surfaces position versus limit, with alerts before a programme intervention happens.
- 04
Signed, replay-safe webhook delivery
Every event delivered to the merchant carries an HMAC signature with rotation and an idempotency key. The merchant's listener verifies the signature, drops duplicates and pipes events into a SIEM or warehouse without bespoke plumbing.
How it works
The 3D Secure system, stage by stage
How an authorisation moves through the 3D Secure payment gateway layer — from eligibility to the signed event the merchant's webhook handler reads.
- Init
Authorisation kicks off
Merchant calls the unified API. The platform reads BIN, scheme, country, currency and merchant policy to decide whether 3D Secure processing applies to this transaction.
- Eligible
Eligibility check
If the scheme requires SCA (Europe, UK, certain other markets) or the merchant's policy enforces it, the 3DS2 flow kicks in. Otherwise, the authorisation runs as a one-step MIT or CIT request.
- Frictionless
Try frictionless first
The 3D Secure payment gateway passes device, browser and transaction signals to the ACS. Where the issuer's risk model is comfortable, the authorisation clears without any buyer-side step — that's most traffic in healthy markets.
- Challenge
Step up only when necessary
If the ACS demands a challenge (biometric, OTP, in-app), the buyer sees a clean 3D Secure checkout overlay. Native iframe on web, app-sheet on mobile — branded to match the merchant surface where possible.
- Auth
Final authorisation
Whichever path was taken, the final authorisation runs through the routing engine and lands on the chosen acquirer. The 3DS result is preserved on the request so the acquirer applies the liability shift correctly.
- Receipt
Signed event lands
A normalised signed event carries the 3DS outcome, eci, acsTransID, dsTransID and the eventual authorisation result — auditable from one event row.
Decision matrix
When 3D Secure processing goes frictionless vs challenge
Six common transaction signals and the path the 3D Secure checkout takes for each. The same logic applies regardless of which acquirer the routing engine picks.
| Signal | Outcome | Lane |
|---|---|---|
| Low-value (< €30) in EU | Frictionless — low-value exemption applied | Frictionless |
| Returning buyer with vault token, MIT flag | Frictionless — merchant-initiated exemption applied | Frictionless |
| First-time buyer, EU BIN, high cart value | Challenge required — buyer sees OTP / biometric step | Challenge |
| Trusted-beneficiary flagged buyer (allow-list) | Frictionless — TRA exemption where supported | Frictionless |
| Risk model returns elevated score on the BIN | Challenge required — overrides the merchant exemption | Challenge |
| Non-EEA buyer on a non-SCA market | Frictionless — 3DS2 still passed for ECI 5 liability shift | Frictionless |
Main use cases
Where 3D secure services earn their keep
Six merchant shapes that lean on the same security posture but stress different parts of it — checkout SCA, recurring consent, high-value challenge, cross-border variance.
- 01
E-commerce checkout in EU / UK
PSD2-mandatory SCA on most card transactions; the platform applies low-value, low-risk and merchant-initiated exemptions where permitted to keep frictionless rates high. Merchants don't write per-bank logic; the orchestration handles it.
- 02
Subscription / recurring billing
First authorisation runs through the 3D Secure system to satisfy SCA; subsequent merchant-initiated transactions ride the original consent flag. Scheme updaters and network tokens keep the recurring flow alive without re-challenging on every renewal.
- 03
Travel, ticketing and high-ticket retail
High-value transactions are the ones most likely to be challenged. The 3D Secure payment system carries that challenge cleanly inside the same checkout — no per-bank handoff, no dropped baskets at the OTP step.
- 04
Cross-border merchants
BIN and country pair determine whether SCA is in force. The platform's 3D secure services handle the per-market difference; one integration covers EU SCA, UK SCA, EEA-wide variations and the markets that simply don't require it.
- 05
PSPs and ISVs
Resellers inherit the 3DS posture per merchant; their downstream merchants integrate as sub-merchants and get the same selective-challenge logic without separate ACS contracts.
- 06
Licensed gaming and regulated verticals
Where the regulator requires additional KYC or step-up on certain flows, the 3D Secure orchestration interleaves with the operator's KYC / responsible-gaming logic via the merchant's webhook layer.
Platform features
Capabilities behind secure processing on topropay
What the platform ships specifically for the security side — beyond the general orchestration features shared with one-off authorisations.
-
PCI DSS Level 1 vault
Card data captures into the platform vault; merchant origin never touches PAN data; vault tokens drive every downstream operation.
-
3D Secure 2 ACS connectivity
Direct ACS connectivity through scheme infrastructure; selective challenges, exemption application and EMV 3DS / Identity Check support.
-
Network tokens
Network-token-by-default across major schemes; tokens persist across card re-issuance for recurring flows.
-
Account updaters
Visa VAU / Mastercard ABU wired in; saved cards refresh in the background, recurring keeps flowing.
-
Risk engine
Velocity rules, list management and partner-agnostic fraud-engine connectors layered on top of routing.
-
Scheme programme tracking
Visa VDMP / VAMP / VFMP and Mastercard ECP / EFMP thresholds tracked per merchant per acquirer with dashboard alerts.
-
Signed webhooks
HMAC signatures, key rotation, idempotency keys and replay-safe delivery; SIEM-friendly out of the box.
-
Audit & event log
Operator actions, refund events and 3DS outcomes logged with actor identity, reason code and timestamp.
-
Data residency
Regional data-residency options for merchants under regulators that require it.
-
Sandbox parity
Per-environment sandbox that mirrors production 3DS, exemption and challenge behaviour.
Trust & compliance
The posture behind a secure payments company
Every authorisation runs through a single audited environment. Merchants inherit the platform's posture rather than carrying separate certifications per provider.
- PCI DSS Level 1
- Annual on-site assessment plus quarterly ASV scans, validated by an external QSA. Sub-merchants inherit the posture.
- PSD2 / SCA compliance
- Selective 3DS2 application on the authorisation path; exemption framework wired into the routing engine; liability-shift preservation across the cascade.
- EMV 3DS / Identity Check
- Direct ACS connectivity through Visa Secure (EMV 3DS) and Mastercard Identity Check; per-scheme protocol updates absorbed by the platform.
- Tokenisation posture
- Vault tokens are scoped per merchant; network tokens are scheme-issued; PAN never leaves the platform's audited environment.
- Sanctions & AML
- Sanctions screening on onboarding; AML monitoring tuned per merchant vertical and volume.
- Licensed verticals only
- Licensed gaming, regulated financial services and other compliance-bound verticals supported only where current operating licences exist. Grey and black-market verticals are out of scope regardless of integration shape.
Ready to inherit the posture
Wrap every authorisation in PCI L1, 3DS2 and signed events.
A 30-minute security review walks through the posture relevant for your geographies and verticals, the 3DS exemption strategy that fits, and a sandbox to test against before any commercial commitment.
Frequently asked
Buyer questions about secure payment services
Questions buyers ask before committing — covering 3DS2 behaviour, PCI scope, merchant-account boundaries and the relationship between the 3DS layer and the routing engine.
- 01
What does topropay mean by secure payment services?
Secure payment services on topropay is the bundle of controls that wrap every authorisation — PCI DSS Level 1 vault, 3D Secure 2 / SCA orchestration, network tokens, signed webhook delivery, sanctions screening and scheme-programme tracking. The merchant integrates against the unified API and inherits the posture; the platform handles the certifications, the protocol updates and the per-acquirer reporting.
- 02
Are these secure payment solutions the same across regions?
The core posture is the same globally — PCI Level 1 is one standard, vault tokens are one mechanism, signed webhooks are universal. The 3D Secure layer varies by region: SCA is mandatory in the EEA and UK, optional with strong liability incentives in many other markets, and selectively applied based on issuer / acquirer rules elsewhere.
- 03
What does it mean to integrate as a secure merchant on the platform?
A secure merchant integrates as a sub-merchant on topropay's acquiring contracts and inherits the platform's compliance posture. PCI scope is minimised; 3DS / SCA is applied selectively; refunds and recurring run on vault tokens. The merchant origin never touches PAN data, and the day-to-day operational shape — webhook handlers, dashboard, reconciliation — is the same as any other merchant on the platform.
- 04
How is secure processing different from secure payment processing?
The terms are interchangeable in practice. Secure processing inside the platform covers every authorisation, capture, refund, dispute and chargeback event — each one runs through the same audited environment with vault tokens, signed events and selective 3DS / SCA where applicable.
- 05
What do 3d secure services on topropay include?
3d secure services on topropay include direct ACS connectivity through Visa Secure (EMV 3DS) and Mastercard Identity Check, selective challenge application based on BIN / scheme / country and merchant risk policy, exemption application (low-value, MIT, TRA, trusted-beneficiary) where permitted, and ECI / liability-shift preservation across the routing cascade.
- 06
How does the 3d secure system handle frictionless vs challenge authorisations?
The 3d secure system runs the authorisation through the ACS in frictionless mode first, with device, browser and transaction signals attached. Where the issuer's risk model accepts the frictionless path, the buyer sees no extra step. Where it doesn't, the platform surfaces a clean 3D Secure checkout overlay for the challenge (biometric or OTP, depending on the issuer).
- 07
Is the 3d secure payment gateway behaviour the same across schemes?
Behaviour is harmonised on the EMV 3DS protocol across Visa Secure, Mastercard Identity Check, Amex SafeKey and other supported networks. The 3d secure payment gateway abstracts the per-scheme differences so the merchant's integration is the same regardless of which network the card sits on.
- 08
Is there a difference between a 3d payment gateway and a 3d gateway in the industry usage?
Both terms refer to the same thing in industry vernacular — the gateway that applies 3D Secure authentication on top of the card authorisation. The platform exposes the 3d gateway capability inside the same unified API as one-step authorisations; the merchant doesn't manage a separate 3DS-only surface.
- 09
How does payment gateway 3d secure interact with the routing engine?
The payment gateway 3d secure layer applies before the routing decision: the authorisation runs 3DS first (where applicable), then the routing engine picks the acquirer with the 3DS result preserved on the request. The liability shift carries through the cascade — if an acquirer cascade re-routes the authorisation after the challenge, the 3DS result still applies.
- 10
What is the relationship between a 3d secure payment system and the unified API?
A 3d secure payment system sits inside the unified API as an optional layer per authorisation, controlled by merchant policy and applied automatically where regulation requires it. The merchant doesn't integrate a separate 3DS endpoint — the unified API absorbs the protocol.
- 11
Can the 3d secure checkout be branded to match the merchant's surface?
The 3d secure checkout overlay is branded inside the limits of the issuer's ACS UI — the overlay header, merchant name and logo are surfaced where the scheme allows. On mobile, the native pay sheet replaces the overlay entirely. Both keep the buyer inside a familiar surface during the challenge.
- 12
What is 3d secure processing in concrete terms?
3d secure processing is the act of running an EMV 3DS authentication request alongside the authorisation. The platform passes browser, device and transaction signals to the issuer's ACS, receives back either a frictionless approval or a challenge requirement, and surfaces the challenge to the buyer if needed. The result is preserved on the final authorisation request.
- 13
Do I need a secure merchant account to use the platform?
A secure merchant account is one of two valid paths: either you hold direct acquirer contracts (and topropay sits as the orchestration layer in front) or you integrate as a sub-merchant on the platform's acquiring contracts. The 3DS / SCA / PCI posture is the same in both cases; the difference is contractual.
- 14
Is topropay a secure payments company in the regulatory sense?
topropay is a payment aggregation and orchestration platform with PCI DSS Level 1 service-provider posture in the regions it operates in. The regulatory shape varies per region — PSD2 / SCA in the EEA, FCA in the UK, partner-licensed routes for APAC and LATAM — but the secure-payments-company designation describes the operational posture: audited, scheme-aligned, vault-by-default.
- 15
How do scheme programme thresholds (VDMP / ECP) interact with secure processing?
Scheme programmes track merchant chargeback and fraud ratios per acquirer. The platform's secure processing layer surfaces position vs limit per merchant in the dashboard; if a merchant approaches a threshold the orchestration can rebalance traffic across acquirers or tighten 3DS challenges to bring the ratio down before scheme intervention.
Related
Related on the topropay platform
- Controls Risk & fraud controls Velocity rules, list management and fraud-engine connectors that pair with the secure-processing posture.
- Compliance Compliance overview The wider compliance shape that 3DS / SCA and PCI Level 1 fit inside.
- Aggregation Payment aggregator overview The aggregation pattern these secure services sit inside.
- Processors Payment processors, orchestrated Every connected processor running under the same security posture.
- Routing Smart routing & cascading The routing engine that picks an acquirer per authorisation — with 3DS results preserved across the cascade.
- Surface Payment page The merchant-facing surface where the 3D Secure checkout overlay surfaces.