Secure payment services

Secure payment services — PCI L1, 3D Secure 2, signed events.

topropay wraps every authorisation in the PCI DSS Level 1 vault, selective 3D Secure 2 / SCA, network tokens and signed webhook delivery. Secure processing at scale — with the routing, cascade and reconciliation that make a multi-acquirer setup feel like one secure payment gateway.

Card · €189 FRICTIONLESS Issuer accepts CHALLENGE OTP / biometric Authorised ECI 5 · liability shifted
Frictionless first; challenge only when the issuer asks.
PCI L1
service-provider posture
3DS2
selective challenges per transaction
Vault
tokens replace PAN end-to-end
Signed
webhooks, replay-safe events

Key benefits

Four pillars of secure payment solutions on the platform

Vault, 3D Secure orchestration, scheme programme tracking and signed events — the four pillars that together let merchants inherit a service-provider posture rather than building one themselves.

  1. 01

    Vault tokenisation that keeps PAN out of merchant systems

    Card data captures into the PCI DSS Level 1 vault before it ever touches the merchant origin. Refunds, captures, retries and recurring all run on vault tokens. The merchant inherits the service-provider posture rather than carrying it themselves.

  2. 02

    3D Secure 2 / SCA orchestration applied per transaction

    Selective challenges are issued per authorisation based on BIN, scheme, country and risk signals. The 3D Secure system runs frictionless where the scheme exemption holds, and steps up to a challenge only where the risk model or the regulation demands it — keeping conversion high without skipping the compliance bar.

  3. 03

    Scheme programme tracking baked into the data model

    Visa VDMP / VAMP / VFMP and Mastercard ECP / EFMP thresholds are tracked per merchant per acquirer; the dashboard surfaces position versus limit, with alerts before a programme intervention happens.

  4. 04

    Signed, replay-safe webhook delivery

    Every event delivered to the merchant carries an HMAC signature with rotation and an idempotency key. The merchant's listener verifies the signature, drops duplicates and pipes events into a SIEM or warehouse without bespoke plumbing.

How it works

The 3D Secure system, stage by stage

How an authorisation moves through the 3D Secure payment gateway layer — from eligibility to the signed event the merchant's webhook handler reads.

  1. Init

    Authorisation kicks off

    Merchant calls the unified API. The platform reads BIN, scheme, country, currency and merchant policy to decide whether 3D Secure processing applies to this transaction.

  2. Eligible

    Eligibility check

    If the scheme requires SCA (Europe, UK, certain other markets) or the merchant's policy enforces it, the 3DS2 flow kicks in. Otherwise, the authorisation runs as a one-step MIT or CIT request.

  3. Frictionless

    Try frictionless first

    The 3D Secure payment gateway passes device, browser and transaction signals to the ACS. Where the issuer's risk model is comfortable, the authorisation clears without any buyer-side step — that's most traffic in healthy markets.

  4. Challenge

    Step up only when necessary

    If the ACS demands a challenge (biometric, OTP, in-app), the buyer sees a clean 3D Secure checkout overlay. Native iframe on web, app-sheet on mobile — branded to match the merchant surface where possible.

  5. Auth

    Final authorisation

    Whichever path was taken, the final authorisation runs through the routing engine and lands on the chosen acquirer. The 3DS result is preserved on the request so the acquirer applies the liability shift correctly.

  6. Receipt

    Signed event lands

    A normalised signed event carries the 3DS outcome, eci, acsTransID, dsTransID and the eventual authorisation result — auditable from one event row.

Decision matrix

When 3D Secure processing goes frictionless vs challenge

Six common transaction signals and the path the 3D Secure checkout takes for each. The same logic applies regardless of which acquirer the routing engine picks.

Signal Outcome Lane
Low-value (< €30) in EU Frictionless — low-value exemption applied Frictionless
Returning buyer with vault token, MIT flag Frictionless — merchant-initiated exemption applied Frictionless
First-time buyer, EU BIN, high cart value Challenge required — buyer sees OTP / biometric step Challenge
Trusted-beneficiary flagged buyer (allow-list) Frictionless — TRA exemption where supported Frictionless
Risk model returns elevated score on the BIN Challenge required — overrides the merchant exemption Challenge
Non-EEA buyer on a non-SCA market Frictionless — 3DS2 still passed for ECI 5 liability shift Frictionless

Main use cases

Where 3D secure services earn their keep

Six merchant shapes that lean on the same security posture but stress different parts of it — checkout SCA, recurring consent, high-value challenge, cross-border variance.

  • 01

    E-commerce checkout in EU / UK

    PSD2-mandatory SCA on most card transactions; the platform applies low-value, low-risk and merchant-initiated exemptions where permitted to keep frictionless rates high. Merchants don't write per-bank logic; the orchestration handles it.

  • 02

    Subscription / recurring billing

    First authorisation runs through the 3D Secure system to satisfy SCA; subsequent merchant-initiated transactions ride the original consent flag. Scheme updaters and network tokens keep the recurring flow alive without re-challenging on every renewal.

  • 03

    Travel, ticketing and high-ticket retail

    High-value transactions are the ones most likely to be challenged. The 3D Secure payment system carries that challenge cleanly inside the same checkout — no per-bank handoff, no dropped baskets at the OTP step.

  • 04

    Cross-border merchants

    BIN and country pair determine whether SCA is in force. The platform's 3D secure services handle the per-market difference; one integration covers EU SCA, UK SCA, EEA-wide variations and the markets that simply don't require it.

  • 05

    PSPs and ISVs

    Resellers inherit the 3DS posture per merchant; their downstream merchants integrate as sub-merchants and get the same selective-challenge logic without separate ACS contracts.

  • 06

    Licensed gaming and regulated verticals

    Where the regulator requires additional KYC or step-up on certain flows, the 3D Secure orchestration interleaves with the operator's KYC / responsible-gaming logic via the merchant's webhook layer.

Platform features

Capabilities behind secure processing on topropay

What the platform ships specifically for the security side — beyond the general orchestration features shared with one-off authorisations.

  • PCI DSS Level 1 vault

    Card data captures into the platform vault; merchant origin never touches PAN data; vault tokens drive every downstream operation.

  • 3D Secure 2 ACS connectivity

    Direct ACS connectivity through scheme infrastructure; selective challenges, exemption application and EMV 3DS / Identity Check support.

  • Network tokens

    Network-token-by-default across major schemes; tokens persist across card re-issuance for recurring flows.

  • Account updaters

    Visa VAU / Mastercard ABU wired in; saved cards refresh in the background, recurring keeps flowing.

  • Risk engine

    Velocity rules, list management and partner-agnostic fraud-engine connectors layered on top of routing.

  • Scheme programme tracking

    Visa VDMP / VAMP / VFMP and Mastercard ECP / EFMP thresholds tracked per merchant per acquirer with dashboard alerts.

  • Signed webhooks

    HMAC signatures, key rotation, idempotency keys and replay-safe delivery; SIEM-friendly out of the box.

  • Audit & event log

    Operator actions, refund events and 3DS outcomes logged with actor identity, reason code and timestamp.

  • Data residency

    Regional data-residency options for merchants under regulators that require it.

  • Sandbox parity

    Per-environment sandbox that mirrors production 3DS, exemption and challenge behaviour.

Trust & compliance

The posture behind a secure payments company

Every authorisation runs through a single audited environment. Merchants inherit the platform's posture rather than carrying separate certifications per provider.

PCI DSS Level 1
Annual on-site assessment plus quarterly ASV scans, validated by an external QSA. Sub-merchants inherit the posture.
PSD2 / SCA compliance
Selective 3DS2 application on the authorisation path; exemption framework wired into the routing engine; liability-shift preservation across the cascade.
EMV 3DS / Identity Check
Direct ACS connectivity through Visa Secure (EMV 3DS) and Mastercard Identity Check; per-scheme protocol updates absorbed by the platform.
Tokenisation posture
Vault tokens are scoped per merchant; network tokens are scheme-issued; PAN never leaves the platform's audited environment.
Sanctions & AML
Sanctions screening on onboarding; AML monitoring tuned per merchant vertical and volume.
Licensed verticals only
Licensed gaming, regulated financial services and other compliance-bound verticals supported only where current operating licences exist. Grey and black-market verticals are out of scope regardless of integration shape.

Ready to inherit the posture

Wrap every authorisation in PCI L1, 3DS2 and signed events.

A 30-minute security review walks through the posture relevant for your geographies and verticals, the 3DS exemption strategy that fits, and a sandbox to test against before any commercial commitment.

Frequently asked

Buyer questions about secure payment services

Questions buyers ask before committing — covering 3DS2 behaviour, PCI scope, merchant-account boundaries and the relationship between the 3DS layer and the routing engine.

  1. 01

    What does topropay mean by secure payment services?

    Secure payment services on topropay is the bundle of controls that wrap every authorisation — PCI DSS Level 1 vault, 3D Secure 2 / SCA orchestration, network tokens, signed webhook delivery, sanctions screening and scheme-programme tracking. The merchant integrates against the unified API and inherits the posture; the platform handles the certifications, the protocol updates and the per-acquirer reporting.

  2. 02

    Are these secure payment solutions the same across regions?

    The core posture is the same globally — PCI Level 1 is one standard, vault tokens are one mechanism, signed webhooks are universal. The 3D Secure layer varies by region: SCA is mandatory in the EEA and UK, optional with strong liability incentives in many other markets, and selectively applied based on issuer / acquirer rules elsewhere.

  3. 03

    What does it mean to integrate as a secure merchant on the platform?

    A secure merchant integrates as a sub-merchant on topropay's acquiring contracts and inherits the platform's compliance posture. PCI scope is minimised; 3DS / SCA is applied selectively; refunds and recurring run on vault tokens. The merchant origin never touches PAN data, and the day-to-day operational shape — webhook handlers, dashboard, reconciliation — is the same as any other merchant on the platform.

  4. 04

    How is secure processing different from secure payment processing?

    The terms are interchangeable in practice. Secure processing inside the platform covers every authorisation, capture, refund, dispute and chargeback event — each one runs through the same audited environment with vault tokens, signed events and selective 3DS / SCA where applicable.

  5. 05

    What do 3d secure services on topropay include?

    3d secure services on topropay include direct ACS connectivity through Visa Secure (EMV 3DS) and Mastercard Identity Check, selective challenge application based on BIN / scheme / country and merchant risk policy, exemption application (low-value, MIT, TRA, trusted-beneficiary) where permitted, and ECI / liability-shift preservation across the routing cascade.

  6. 06

    How does the 3d secure system handle frictionless vs challenge authorisations?

    The 3d secure system runs the authorisation through the ACS in frictionless mode first, with device, browser and transaction signals attached. Where the issuer's risk model accepts the frictionless path, the buyer sees no extra step. Where it doesn't, the platform surfaces a clean 3D Secure checkout overlay for the challenge (biometric or OTP, depending on the issuer).

  7. 07

    Is the 3d secure payment gateway behaviour the same across schemes?

    Behaviour is harmonised on the EMV 3DS protocol across Visa Secure, Mastercard Identity Check, Amex SafeKey and other supported networks. The 3d secure payment gateway abstracts the per-scheme differences so the merchant's integration is the same regardless of which network the card sits on.

  8. 08

    Is there a difference between a 3d payment gateway and a 3d gateway in the industry usage?

    Both terms refer to the same thing in industry vernacular — the gateway that applies 3D Secure authentication on top of the card authorisation. The platform exposes the 3d gateway capability inside the same unified API as one-step authorisations; the merchant doesn't manage a separate 3DS-only surface.

  9. 09

    How does payment gateway 3d secure interact with the routing engine?

    The payment gateway 3d secure layer applies before the routing decision: the authorisation runs 3DS first (where applicable), then the routing engine picks the acquirer with the 3DS result preserved on the request. The liability shift carries through the cascade — if an acquirer cascade re-routes the authorisation after the challenge, the 3DS result still applies.

  10. 10

    What is the relationship between a 3d secure payment system and the unified API?

    A 3d secure payment system sits inside the unified API as an optional layer per authorisation, controlled by merchant policy and applied automatically where regulation requires it. The merchant doesn't integrate a separate 3DS endpoint — the unified API absorbs the protocol.

  11. 11

    Can the 3d secure checkout be branded to match the merchant's surface?

    The 3d secure checkout overlay is branded inside the limits of the issuer's ACS UI — the overlay header, merchant name and logo are surfaced where the scheme allows. On mobile, the native pay sheet replaces the overlay entirely. Both keep the buyer inside a familiar surface during the challenge.

  12. 12

    What is 3d secure processing in concrete terms?

    3d secure processing is the act of running an EMV 3DS authentication request alongside the authorisation. The platform passes browser, device and transaction signals to the issuer's ACS, receives back either a frictionless approval or a challenge requirement, and surfaces the challenge to the buyer if needed. The result is preserved on the final authorisation request.

  13. 13

    Do I need a secure merchant account to use the platform?

    A secure merchant account is one of two valid paths: either you hold direct acquirer contracts (and topropay sits as the orchestration layer in front) or you integrate as a sub-merchant on the platform's acquiring contracts. The 3DS / SCA / PCI posture is the same in both cases; the difference is contractual.

  14. 14

    Is topropay a secure payments company in the regulatory sense?

    topropay is a payment aggregation and orchestration platform with PCI DSS Level 1 service-provider posture in the regions it operates in. The regulatory shape varies per region — PSD2 / SCA in the EEA, FCA in the UK, partner-licensed routes for APAC and LATAM — but the secure-payments-company designation describes the operational posture: audited, scheme-aligned, vault-by-default.

  15. 15

    How do scheme programme thresholds (VDMP / ECP) interact with secure processing?

    Scheme programmes track merchant chargeback and fraud ratios per acquirer. The platform's secure processing layer surfaces position vs limit per merchant in the dashboard; if a merchant approaches a threshold the orchestration can rebalance traffic across acquirers or tighten 3DS challenges to bring the ratio down before scheme intervention.