What Is 3D Secure?

Definition

3D Secure (3DS) is an authentication protocol for online card payments that adds an extra verification step to reduce fraud and shift liability from merchants to card issuers for authenticated transactions.

Explained in Detail

3D Secure (3DS) is a security protocol designed to provide an additional layer of authentication for online credit and debit card transactions. The "3D" refers to the three domains involved: the acquirer domain (the merchant and their bank), the issuer domain (the cardholder's bank), and the interoperability domain (the card network infrastructure that connects them). Originally developed by Visa as "Verified by Visa" in 2001, 3DS is now supported by all major card networks under their respective brands: Visa Secure, Mastercard Identity Check, American Express SafeKey, Discover ProtectBuy, and JCB J/Secure.

## How 3D Secure Works

When a consumer makes an online card payment at a merchant that implements 3DS, the following process occurs:

1. The consumer enters their card details at checkout.
2. The merchant's 3DS Server (usually operated by its PSP) sends an authentication request containing the card number, amount, currency, merchant details and device/browser data to the card network's Directory Server.
3. The Directory Server identifies the issuer from the card number and forwards the request to the issuer's Access Control Server (ACS).
4. The ACS scores the transaction risk using the provided data and decides whether to authenticate the cardholder without interaction (frictionless flow) or to require a challenge (challenge flow).
5. If challenged, the cardholder verifies their identity directly with the issuer, typically via a one-time password (OTP) sent by SMS, a biometric check in their banking app, or a push notification to approve. The merchant never handles the OTP; it only learns the outcome.
6. The ACS returns the result to the merchant: a transaction status, an Electronic Commerce Indicator (ECI) and, on success, an authentication value (CAVV or AAV) that the merchant includes in the authorization request so the issuer can verify that authentication took place for this specific transaction.
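The exchange described above, simulated end to end as an added example (not code from EMVCo, a card network or any PSP): a merchant-side `checkout` builds a simplified authentication request, the Directory Server routes it by BIN to the issuer's ACS, the ACS scores risk and either answers frictionlessly or opens an OTP challenge, and the issuer's authorization host accepts the authentication value only if it matches the transaction it was issued for. The message fields, the risk rule, the shared `ISSUER_KEY` and the `sms_outbox` stand-in for the SMS channel are all assumptions made for the illustration.

```python
"""Simulated EMV 3-D Secure 2 flow: 3DS Server -> Directory Server -> ACS,
frictionless or challenge, then authorization. Illustration only; fields are
simplified and not the EMVCo message format."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumption: the issuer's ACS and its authorization host share this key and
# use it to make the authentication value (CAVV/AAV) verifiable later.
ISSUER_KEY = b"issuer-demo-key"  # constructed for the example, not a real key


@dataclass
class AReq:  # Authentication Request (3DS Server -> DS -> ACS), simplified
    pan: str
    amount_minor: int
    currency: str
    merchant: str
    device_id: str
    ship_matches_bill: bool


@dataclass
class ARes:  # Authentication Response (ACS -> DS -> 3DS Server), simplified
    trans_status: str                  # Y authenticated, N failed, C challenge
    eci: Optional[str] = None          # Visa-style ECI: 05 authenticated, 07 not
    auth_value: Optional[str] = None   # CAVV/AAV
    challenge_id: Optional[str] = None


def _auth_value(req: AReq) -> str:
    # Bind the value to the transaction so a replayed or altered authorization
    # (different amount or merchant) will not verify at the issuer.
    msg = f"{req.pan}|{req.amount_minor}|{req.currency}|{req.merchant}".encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()[:28]


class ACS:
    """Issuer-side Access Control Server: scores risk, issues ARes, verifies OTP."""

    def __init__(self, known_devices):
        self.known_devices = set(known_devices)
        self.pending: Dict[str, tuple] = {}   # challenge_id -> (otp, AReq)
        self.sms_outbox: Dict[str, str] = {}  # stands in for SMS to the cardholder

    def risk_score(self, req: AReq) -> int:
        score = 0
        if req.amount_minor > 15_000:            # over 150.00
            score += 40
        if req.device_id not in self.known_devices:
            score += 30
        if not req.ship_matches_bill:
            score += 30
        return score

    def authenticate(self, req: AReq) -> ARes:
        if self.risk_score(req) < 50:            # frictionless flow
            return ARes("Y", "05", _auth_value(req))
        cid = os.urandom(8).hex()
        otp = f"{int.from_bytes(os.urandom(4), 'big') % 1_000_000:06d}"
        self.pending[cid] = (otp, req)
        self.sms_outbox[cid] = otp
        return ARes("C", challenge_id=cid)       # challenge flow

    def verify_challenge(self, cid: str, otp: str) -> ARes:
        expected, req = self.pending.pop(cid)    # single use: no retries here
        if hmac.compare_digest(expected, otp):
            return ARes("Y", "05", _auth_value(req))
        return ARes("N", "07")


class DirectoryServer:
    """Interoperability domain: routes the AReq to the issuer's ACS by BIN."""

    def __init__(self, bin_table: Dict[str, ACS]):
        self.bin_table = bin_table

    def route(self, req: AReq) -> ACS:
        return self.bin_table[req.pan[:6]]


def issuer_authorize(req: AReq, ares: ARes) -> bool:
    """Issuer authorization host: accepts only ECI 05 with a value that
    recomputes for exactly this PAN, amount, currency and merchant."""
    if ares.eci != "05" or not ares.auth_value:
        return False
    return hmac.compare_digest(ares.auth_value, _auth_value(req))


def checkout(ds: DirectoryServer, req: AReq, cardholder_otp: Callable[[str], str]) -> dict:
    """Merchant-side flow. `cardholder_otp` models the cardholder typing the
    OTP into the issuer's challenge page; the merchant only sees the result."""
    acs = ds.route(req)
    ares = acs.authenticate(req)
    challenged = ares.trans_status == "C"
    if challenged:
        ares = acs.verify_challenge(ares.challenge_id, cardholder_otp(ares.challenge_id))
    if ares.trans_status != "Y":
        return {"authenticated": False, "challenged": challenged, "authorized": False}
    return {"authenticated": True, "challenged": challenged,
            "authorized": issuer_authorize(req, ares), "eci": ares.eci}
```

The point the last function makes is the one that matters in production: the authentication value is only useful if the authorization carries the same transaction it was issued for. Changing the amount between the AReq and the authorization, a classic client-side tampering case, makes `issuer_authorize` fail even though the ARes itself was genuine.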

## 3DS1 vs 3DS2

**3D Secure 1.0** (3DS1), the original version, was widely criticized for its poor user experience. It redirected consumers to a separate page or pop-up window for authentication, usually asking for a static password the cardholder had to remember. This caused significant cart abandonment; studies at the time showed 10-25% of consumers dropping off when presented with a 3DS1 challenge. 3DS1 was sunset by the major card networks in October 2022.

**3D Secure 2.0** (3DS2), specified by EMVCo in 2016 and deployed at scale from 2019, was a major redesign. Key improvements include:

- **Frictionless authentication**: 3DS2 transmits over 100 data points (device fingerprint, browser data, cardholder account history, shipping address) to the issuer, allowing risk-based decisions. Low-risk transactions can be approved without any consumer interaction (frictionless flow), which occurs in 70-90% of transactions.
- **Mobile-native experience**: 3DS2 supports in-app authentication via SDKs, eliminating the clunky browser redirects of 3DS1.
- **Biometric support**: Issuers can prompt fingerprint or face recognition in their banking app instead of SMS codes.
- **Better conversion**: Because most transactions pass through frictionlessly, 3DS2 has minimal impact on conversion rates compared to the significant drop-off caused by 3DS1.

## Liability Shift

One of the most important benefits of 3D Secure for merchants is the liability shift. When a transaction is authenticated with 3DS and later turns out to be fraudulent, liability for the resulting chargeback shifts from the merchant to the card issuer, so the merchant does not bear the loss for fraud on authenticated transactions. The shift applies whether the authentication was frictionless or challenged; what matters is that the merchant attempted 3DS, received a successful result, and passed the resulting ECI and authentication value (CAVV or AAV) in the authorization request. Two caveats apply in practice: the shift covers fraud chargebacks (the cardholder says they did not authorize the payment), not disputes about goods or services, and each network publishes exclusions (certain merchant categories, transaction types and cases where the result is only "attempted" rather than fully authenticated), so exact coverage should be confirmed with the acquirer.
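A merchant-side gate that applies the rules above before an authorization is submitted as 3DS-authenticated, written as an added example (not any network's, PSP's or acquirer's code). The ECI values are the ones the networks publish (Visa, Amex and Discover use 05/06/07; Mastercard uses 02/01 for authenticated/attempted); the `ThreeDSResult` fields, the treatment of "attempted" results as covered, and the `dispute_category` labels are assumptions for the illustration.

```python
"""Decide whether a 3DS result supports the liability shift before using it.
Added example; checks that status, ECI and authentication value agree and
that the result belongs to the order being authorized."""
from dataclasses import dataclass
from typing import Optional, Tuple

# ECI per network: fully authenticated / attempted. Anything else is treated
# as not authenticated. (Values as published by the card networks.)
ECI_AUTHENTICATED = {"visa": "05", "amex": "05", "discover": "05", "mastercard": "02"}
ECI_ATTEMPTED = {"visa": "06", "amex": "06", "discover": "06", "mastercard": "01"}


@dataclass
class ThreeDSResult:
    network: str
    ds_trans_id: str            # Directory Server transaction ID, ties result to the order
    amount_minor: int           # amount that was authenticated
    trans_status: str           # 3DS2 transStatus: Y, A, N, U, R, C
    eci: Optional[str]
    auth_value: Optional[str]   # CAVV (Visa/Amex/Discover) or AAV (Mastercard)


def liability_shift(result: ThreeDSResult, order_ds_trans_id: str,
                    order_amount_minor: int) -> Tuple[bool, str]:
    """Return (shifted, reason). A result is trusted only if it was issued for
    this order and its status, ECI and authentication value are consistent."""
    if result.ds_trans_id != order_ds_trans_id or result.amount_minor != order_amount_minor:
        return False, "result does not belong to this order (replay or tampering)"
    net = result.network.lower()
    if net not in ECI_AUTHENTICATED:
        return False, f"unknown network {result.network}"
    if result.trans_status == "Y":
        expected = ECI_AUTHENTICATED[net]
    elif result.trans_status == "A":
        # Assumption: attempts are covered; confirm the exclusions with your acquirer.
        expected = ECI_ATTEMPTED[net]
    else:
        return False, f"transStatus {result.trans_status}: not authenticated, no shift"
    if result.eci != expected:
        return False, f"ECI {result.eci} inconsistent with transStatus {result.trans_status}"
    if not result.auth_value:
        return False, "missing authentication value; issuer cannot verify the authentication"
    return True, f"{result.trans_status}/ECI {result.eci}: liability shift applies"


def chargeback_exposure(shifted: bool, dispute_category: str) -> str:
    """Who absorbs a later chargeback. The shift only moves fraud disputes;
    service disputes (not received, not as described) stay with the merchant."""
    if dispute_category == "fraud":
        return "issuer" if shifted else "merchant"
    return "merchant"
```

The inconsistency checks are not pedantry: a result with `transStatus` Y but a "not authenticated" ECI, or a Y with no authentication value, will not give the issuer anything to verify at authorization, and a chargeback will then land on the merchant regardless of what the 3DS log says.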

## PSD2 and SCA Requirements

In Europe, 3D Secure gained renewed importance with the introduction of Strong Customer Authentication (SCA) requirements under PSD2. The requirement legally applied from September 2019, with enforcement phased in until 31 December 2020 across the European Economic Area (and until March 2022 in the UK). Most online card payments in scope must be authenticated using SCA, which requires at least two of three independent factors: something the customer knows (password, PIN), something the customer has (phone, card), and something the customer is (biometric). For remote payments the rules also require dynamic linking: the authentication must be tied to the specific amount and payee, which is why 3DS2 carries both to the issuer. 3DS2 is the primary mechanism for meeting SCA requirements for e-commerce card payments.

Exemptions to SCA exist for low-value transactions (up to €30, provided that, since the last SCA, either the cumulative amount of the cardholder's exempt remote payments has not passed €100 or there have been no more than five in a row), trusted beneficiaries (merchants the cardholder has whitelisted with their issuer), recurring payments of the same amount to the same payee (after the initial authentication), and transactions assessed as low-risk through Transaction Risk Analysis (TRA), which the acquirer or issuer may apply up to €100, €250 or €500 depending on whether its reference fraud rate is below 0.13%, 0.06% or 0.01%. An exemption is only a request: the issuer can still decline it and require a challenge, so a checkout that requests exemptions must be able to fall back to authentication.
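The exemption rules above as decision logic, added here as an example (not taken from any PSP, acquirer or regulator's code). The thresholds are those of the PSD2 RTS (Art. 13 trusted beneficiaries, Art. 14 recurring, Art. 16 low value, Art. 18 TRA); the `PaymentContext` fields, the exemption labels, the assumption that amounts are euro cents, and the assumption that the low-value counters are known to the caller are choices made for the illustration.

```python
"""Pick which SCA exemption, if any, to request for a remote card payment.
Added example; thresholds follow the PSD2 RTS, all other names are assumed."""
from dataclasses import dataclass
from typing import Optional

LOW_VALUE_MAX = 3_000          # Art. 16(a): EUR 30 per transaction
LOW_VALUE_CUMULATIVE = 10_000  # Art. 16(b): EUR 100 of previous exempt payments
LOW_VALUE_MAX_COUNT = 5        # Art. 16(c): five consecutive exempt payments
# Art. 18 TRA: acquirer reference fraud rate (percent) -> maximum amount
TRA_BANDS = ((0.01, 50_000), (0.06, 25_000), (0.13, 10_000))


@dataclass
class PaymentContext:
    amount_minor: int
    recurring_after_sca: bool             # same amount/payee series, first one had SCA
    trusted_beneficiary: bool             # cardholder whitelisted this merchant at the issuer
    cumulative_since_sca: int             # previous exempt remote payments, euro cents
    consecutive_since_sca: int            # previous exempt remote payments, count
    acquirer_fraud_rate: Optional[float]  # quarterly reference fraud rate, percent


def low_value_allowed(ctx: PaymentContext) -> bool:
    # Art. 16: condition (a) must hold, and either (b) or (c) must hold.
    if ctx.amount_minor > LOW_VALUE_MAX:
        return False
    return (ctx.cumulative_since_sca <= LOW_VALUE_CUMULATIVE
            or ctx.consecutive_since_sca <= LOW_VALUE_MAX_COUNT)


def tra_cap(fraud_rate: Optional[float]) -> int:
    """Largest amount the acquirer may exempt at this fraud rate, or 0."""
    if fraud_rate is None:
        return 0
    for threshold, cap in TRA_BANDS:  # ascending rates, so first hit is the largest cap
        if fraud_rate <= threshold:
            return cap
    return 0


def choose_exemption(ctx: PaymentContext) -> Optional[str]:
    """Exemption to flag in the 3DS/authorization request, or None (do SCA).
    Whatever is requested, the issuer may soft-decline and demand a challenge,
    so the checkout must still be able to run the full flow."""
    if ctx.recurring_after_sca:
        return "recurring"
    if ctx.trusted_beneficiary:
        return "trusted_beneficiary"
    if low_value_allowed(ctx):
        return "low_value"
    if ctx.amount_minor <= tra_cap(ctx.acquirer_fraud_rate):
        return "tra"
    return None
```

The low-value branch is the one most often implemented wrongly: the €100 cumulative cap and the five-consecutive cap are alternatives, not both required, and both counters live at the issuer, so a merchant-side estimate of them is only a hint about whether a request is likely to be honoured.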

## Impact on Conversion

3DS2's frictionless flow has largely solved the conversion problem of 3DS1. Data from major PSPs shows that 3DS2 frictionless authentication rates range from 70-90% depending on the market, issuer, and data quality. For transactions that do require a challenge, conversion rates are still significantly higher than 3DS1 because modern challenge methods (app-based push notifications, biometrics) are less disruptive than the old static password approach.
