Total Processing > Blog > Payments > What is 3D Secure authentication?

What is 3D Secure authentication?

What is 3D Secure authentication?


Faye Duncan


15 Mar 2023

Read time

3 Minutes



A guide to 3D Secure authentication

If you have ever used a credit card or debit card to make a payment while online shopping, which, let’s be honest, we’d be surprised if you haven’t, then it is likely that you have already used 3D Secure (3DS).

And if you’re accepting payments online, then it’s important to have a full understanding of what it is and why it’s important. So, let’s delve into it!

What is 3D Secure?

3D Secure authentication is an added security layer introduced into the payment process to protect both the merchant and consumer from online card payment fraud. Whenever a customer makes a purchase from your online store, the payment system will automatically require the cardholder to provide more information, such as a one-time passcode, to verify that they are the owner of that card.

The 3DS standard, alongside other fraud validation methods, such as Address Verification System (AVS) and Card Verification Code Check (CVC), gave customers access to secure payment methods worldwide via credit card and debit card transactions.

This fraud prevention measure was launched in 2001 by Visa (as Verified-by-Visa). It has gained credibility over the years and is now licensed by Mastercard, so it’s used by major card schemes.

How does 3D Secure work?

Without going too deep into the technical process of 3D Secure, it acts by directing the customer to an authentication page or pop-up window during the online transaction process. The customer will be asked to enter a password that they have previously set up with their issuing bank or a one-time passcode that’s sent either by SMS or email to authorise the transaction. Only after successfully completing this process will a customer be able to complete the payment.

The authentication requirements are carried out by the issuing bank (the cardholder’s bank or credit card provider) via an Access Control Server (ACS). When customers are redirected to the authentication page, it is down to the card issuer to verify the information and the ACS will signal whether the transaction can be approved or not. After the right details are entered, they are then automatically sent back to the website with an order confirmation message. Quick and simple, but very secure!

What are the benefits of 3D Secure?

The main benefit of 3DS is pretty self-explanatory; it makes online payments and recurring payments more secure. It provides both online merchants and their customers with an added level of security when online shopping. But let’s take a look at the benefits more specifically.

3D Secure helps:

  • prevent card details from being stolen,
  • protects against any unauthorised transaction chargebacks,
  • protects the merchant from liability – Once the transaction has passed the authentication process, the liability is passed onto the card payment provider, who is then responsible for resolving any customer issues or refunds.

The limits of 3D Secure

Perhaps the biggest disadvantage of 3D Secure for online retailers is the friction it can cause. Many users believe the additional validation step ruins the user experience during the checkout process. This can result in an increase in transaction abandonment and lost sales.

The type of information required can also cause issues. Some banks may ask the customer to create their own password which can easily be forgotten rather than sending a one-time passcode. However, since the protocol was introduced, it has developed to be as seamless as possible, and the added step isn’t needed for every transaction. More often than not, it also gives the customer the reassurance they need to know the website is safe.

SMS one-time passscode

The key players

There are three key banking domains present throughout the transaction process. Each will play its own part with its own liabilities. These banking domains are:

  • Issuer domain – The customer’s bank or credit card provider.
  • Acquirer domain – The merchant’s bank where the revenue will settle after a successful transaction.
  • Interoperability domain – The payment system that connects the two.

3DS is not required in every country nor by every card scheme worldwide. However, in using this authentication at the checkout stage in your choice of payment gateway, the liability of chargeback fraud is more likely to fall on the acquirer and not the merchant who has implemented every measure required to verify the identity of the customer.

The implementation of 3D Secure is also likely to increase with the requirement of Strong Customer Authentication (SCA) compliance.

Strong Customer Authentication – A breakdown

SCA refers to the additional information that is required from the customer during the payment process. It’s a regulatory mandate that was introduced across Europe back in 2016 as an addition to the Payment Service Directive (PSD2).

Fraudulent activity and chargeback costs were scarily high before SCA was brought in and is primarily used as an extended effort to further validate payments at the checkout stage and verify cardholder identity.

SCA protocols work by acquiring two of three types of verification:

  • Something they own, such as the customer’s card
  • Something they are, such as fingerprint ID
  • Something they know, such as their password

What is 3D Secure 2?

3D Secure 2 is the latest development within the authentication protocol, making the integration of security compliance much easier than before. It was released by a network of six major card issuers, collectively called EMVco, and was launched back in 2017, although it took some banks till 2020 to have it fully integrated. Since its main aim is to be less disruptive than its predecessor, 3DS 2 sends more data elements from the cardholder in the initial transaction stage, in order to perform a risk analysis. This determines whether the bank will push the transaction into a frictionless checkout flow, or have it challenged and require more details.

The upgrade has resolved what was seen as added friction at the checkout in the move to increase payment security; especially when taking payments on mobiles and other smart devices. The improved design dramatically increases the user experience on mobile by being fully compatible with in-app transactions, which, in turn, can also be used with biometric identification.

With the added options of Apple Pay and Google Pay, which already carry the benefits of being two-factor authentication compliant, additional payment choices are increasing conversions for merchants worldwide alongside reducing payment friction for consumers.

How do I get started with 3D Secure authentication?

If you’re ready to get started taking payments, or if you need to optimise your checkout flow with a seamless and secure payment experience, we can help. At Total Processing, our online payment gateway and processing solutions allow you to take payments through our 3D Secure hosted iframes with easy integration and full technical support.

Ready To Start
Accepting payments?