Getting to grips with 3D Secure

Primer Product Team

3D Secure (3DS) was introduced to bolster the security of online transactions. Its primary goal is to help consumers and merchants combat the increasing threat of fraudulent transactions and chargebacks.

There has been much hype about its success—and equally as much debate about its impact on the customer experience. And, as 3D Secure authentication evolves to keep pace with new channels, behaviors, and threats, merchants must stay updated about how 3DS works, its values, and when to request a 3DS challenge.

What exactly is 3D Secure, and why is it needed?

The growth in online payments has led to a significant rise in payment card fraud—projected to cost merchants an estimated $38.5 billion by 2027. In response, many card issuers and regulators now advocate for using 3DS to combat fraud and enhance cardholder security during online shopping.

3DS is a security protocol that provides additional protection for online credit and debit card transactions. Cardholders must authenticate purchases at the checkout, usually with a one-time passcode (OTP) sent to their mobile phone or through their banking application.

Implementing this authentication step has sometimes resulted in a notable reduction—up to 40%—in unauthorized or fraudulent card-not-present transactions while ensuring instant approval for 95% of transactions.

Why is it called 3D Secure?

If you look at the parties involved in 3DS, it's easy to see how it got its name. "3D" stands for the three domains that interact through the protocol, namely the issuer, the acquirer, and the interoperability infrastructure that connects them:

Issuer Domain

The Issuer Domain refers to the bank or financial institution that issued the cardholder's credit or debit card. Its role is to verify the cardholder's ID during an online transaction.

Acquirer Domain

The Acquirer Domain is the bank or payment service provider that processes the payment on behalf of the merchant. Its role is to communicate with the issuer domain to verify the transaction.

Interoperability Domain

The Interoperability Domain is the infrastructure that manages protocols/communication between the issuer and acquirer domains. It standardizes the 3DS process and works across banks and merchants.

Are customers aware of 3DS?

Any consumer asked to authenticate will do so using 3DS. But they are unlikely to know it by that name. That's because card networks have their own customer-facing branded deployments that help reassure cardholders that authentication requests are from a trusted party.

Names consumers may be more familiar with are:

  • Visa Secure (formerly Verified by Visa)
  • JCB J/Secure
  • Discover ProtectBuy
  • Mastercard Identity Check
  • American Express SafeKey

Consumer education surrounding 3DS in its different iterations is expanding, especially in regions where its adoption is mandatory, such as Europe. However, this wasn't always the case. During its initial enforcement in Europe, 3DS led to a decline in conversion rates of up to 50% in certain countries.

The key lesson for those contemplating 3DS implementation in markets without widespread usage is to prioritize extensive consumer education and use 3DS tactically to avoid cart abandonment.

How does the 3DS authentication flow work?

Although it adds an extra step for cardholders, 3DS is designed to be as fast and frictionless as possible. There are typically four steps in the authentication flow:

  1. Customer inputs payment details: A cardholder makes an online purchase with a merchant that supports 3D Secure.
  2. Redirect to issuer: During the checkout process, the customer is redirected to a page hosted by their card issuer.
  3. User authentication: The cardholder is asked to authenticate the transaction by entering a one-time password or security code sent to their mobile phone or email, answering a security question, or providing another form of authentication.
  4. Transaction confirmed or declined: If authentication fails, the transaction may be declined, or the cardholder may be asked to contact their bank. If the details match the issuer's records, the transaction is approved and the purchase is completed.

Should 3DS be applied to all online payments?

3DS only applies to online card transactions. Digital wallets like Apple Pay and Google Pay generally don't require any additional authentication. That is because they already verify purchases with built-in two-factor authentication mechanisms, such as biometrics, which serve the same purpose as a 3DS challenge.

Can merchants choose where to use 3DS?

In countries where 3DS is mandated, some out-of-scope transactions and exemptions can apply depending on your application and risk appetite.

The latest versions of 3DS allow for adaptive Risk-Based Authentication (RBA). RBA determines the fraud risk and level of customer authentication required for each financial transaction. It can help alleviate concerns around 3DS friction and cart abandonment, as most transactions will not require a challenge to authenticate the user.

In countries without a mandate, merchants can apply 3DS to their transactions at their discretion.
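To make the four-step flow above and the risk-based decision concrete, here is a small simulation written for this post (it is not Primer's code or any card scheme's reference implementation). The message names AReq/ARes/CReq/CRes and the transStatus values Y/C/N are taken from EMV 3DS 2; everything else, in particular the risk rules, the 50-point challenge threshold, the 30.00 low-value limit, the OTP delivery via a simulated SMS outbox and all card and device values, is constructed for illustration. A merchant-side driver sends the cardholder's details to a simulated issuer ACS, which either approves frictionlessly or demands an OTP challenge, binds the device after a successful authentication so the next purchase from it is frictionless, and fails the transaction after too many wrong codes.

```python
"""Simplified model of a 3DS 2 authentication with risk-based authentication (RBA).

Added example, not Primer's code. Message names (AReq/ARes/CReq/CRes) and the
transStatus values Y/C/N follow EMV 3DS 2; the risk rules, thresholds, OTP
delivery and all sample data are constructed for illustration.
"""
import hmac
import secrets
from dataclasses import dataclass, field

# transStatus values from EMV 3DS 2 used in this model
AUTHENTICATED = "Y"        # cardholder authenticated (frictionless or after a challenge)
CHALLENGE = "C"            # issuer requires a challenge before deciding
NOT_AUTHENTICATED = "N"    # authentication failed; merchant should decline

CHALLENGE_THRESHOLD = 50   # constructed: scores at or above this get a challenge
MAX_OTP_ATTEMPTS = 3       # constructed: wrong codes allowed before failing


@dataclass
class AReq:
    """Authentication Request: what the merchant's 3DS Server sends the issuer."""
    card_token: str
    amount_minor: int        # amount in minor units, e.g. 2599 == 25.99
    device_fingerprint: str
    merchant_country: str
    shipping_country: str


@dataclass
class IssuerACS:
    """Simulated issuer Access Control Server (the issuer domain)."""
    low_value_limit: int = 3000                          # constructed: 30.00
    known_devices: dict = field(default_factory=dict)    # card_token -> {fingerprints}
    sms_outbox: dict = field(default_factory=dict)       # card_token -> OTP "sent" to the phone
    pending: dict = field(default_factory=dict)          # trans_id -> [otp, attempts_left, AReq]

    def risk_score(self, req: AReq) -> int:
        """Constructed RBA rules: each risk signal adds points."""
        score = 0
        if req.device_fingerprint not in self.known_devices.get(req.card_token, set()):
            score += 40   # device never seen for this card (no device binding yet)
        if req.amount_minor > self.low_value_limit:
            score += 30   # above the low-value threshold
        if req.merchant_country != req.shipping_country:
            score += 30   # cross-border shipping
        return score

    def _bind_device(self, req: AReq) -> None:
        # Device binding (3DS v2.3): remember the device so later purchases are frictionless.
        self.known_devices.setdefault(req.card_token, set()).add(req.device_fingerprint)

    def handle_areq(self, req: AReq) -> dict:
        """Return an ARes: frictionless approval or a challenge requirement."""
        trans_id = secrets.token_hex(8)
        if self.risk_score(req) < CHALLENGE_THRESHOLD:
            self._bind_device(req)
            return {"trans_id": trans_id, "transStatus": AUTHENTICATED}
        otp = f"{secrets.randbelow(10**6):06d}"          # 6-digit one-time passcode
        self.sms_outbox[req.card_token] = otp            # simulated out-of-band delivery
        self.pending[trans_id] = [otp, MAX_OTP_ATTEMPTS, req]
        return {"trans_id": trans_id, "transStatus": CHALLENGE}

    def handle_creq(self, trans_id: str, otp_entered: str) -> dict:
        """Return a CRes for one challenge attempt."""
        entry = self.pending.get(trans_id)
        if entry is None:
            return {"trans_id": trans_id, "transStatus": NOT_AUTHENTICATED}
        otp, attempts_left, req = entry
        # Constant-time comparison so timing does not leak how many digits matched.
        if hmac.compare_digest(otp.encode(), otp_entered.encode()):
            del self.pending[trans_id]
            self._bind_device(req)
            return {"trans_id": trans_id, "transStatus": AUTHENTICATED}
        entry[1] = attempts_left - 1
        if entry[1] == 0:
            del self.pending[trans_id]                   # too many wrong codes: fail closed
            return {"trans_id": trans_id, "transStatus": NOT_AUTHENTICATED}
        return {"trans_id": trans_id, "transStatus": CHALLENGE, "attempts_left": entry[1]}


def authenticate(acs: IssuerACS, req: AReq, cardholder_enters) -> dict:
    """Merchant-side driver for the four-step flow.

    `cardholder_enters` is a callable returning the code the cardholder types
    into the issuer-hosted challenge page.
    """
    ares = acs.handle_areq(req)                         # steps 1-2: details go to the issuer
    challenged = ares["transStatus"] == CHALLENGE
    status = ares["transStatus"]
    while status == CHALLENGE:                          # step 3: challenge loop
        status = acs.handle_creq(ares["trans_id"], cardholder_enters())["transStatus"]
    return {                                            # step 4: approved or declined
        "authenticated": status == AUTHENTICATED,
        "challenged": challenged,
        # In this simplified model, liability for a fraudulent chargeback shifts
        # to the issuer only when authentication succeeds.
        "liability_shift": status == AUTHENTICATED,
    }
```

The scoring is deliberately crude: a recognised device on a low-value domestic purchase scores zero and is approved without a challenge, while an unknown device plus a cross-border shipment crosses the threshold and the issuer sends an OTP. The point a practitioner should take from the model is the shape of the decision, not the weights; a real ACS uses far richer signals, and the merchant never sees the score, only the transStatus.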

How are the 3DS protocols evolving?

3DS is constantly being enhanced to improve usability and keep pace with what’s happening in the market. Here’s a snapshot of how it has evolved:

3DS v1 (now sunsetted in most countries)

Introduced in 2001 and initially designed for PC-based online commerce, this protocol relied on static passwords and was browser-dependent.

3DS v2.0 (expected to sunset in the next two years)

Deployed in 2016, this protocol reduced user pain points and provided easier integration with mobile devices to support the growing use of mobile commerce.

3DS v2.1 (expected to sunset in the next two years)

Updated in 2017, this improved the customer experience, creating a frictionless flow by allowing low-risk transactions to be approved without additional authentication.

3DS v2.2

This protocol has all the advantages of v2.1, but it also supports SCA exemptions using enhanced risk analysis. It allows authentication on all devices, including IoT devices, and advanced authentication methods such as biometrics.

3DS v2.3

The latest version. It covers more channels and makes authentication by app more user-friendly by allowing the issuer to store consumers’ device data (device binding).

Where is 3D Secure mandated?

Because it uses two-factor authentication (including biometrics and token-based models instead of static passwords), 3DS2 is central to the Strong Customer Authentication (SCA) rules now mandated in many countries.

Merchants must use 3DS in the EU and UK for all online card transactions, excluding those that are out-of-scope and that qualify for exemptions. Countries such as Australia, Bangladesh, India, Malaysia, Nigeria, Singapore, and South Africa also mandate 3DS at different levels.

Many countries are expected to follow and mandate authentication as part of the online card payment flow. In the USA, for instance, some merchants already use 3DS, and the US Consumer Financial Protection Bureau (CFPB) is encouraging online businesses to implement some form of customer authentication.

In the Asia Pacific Region, merchants can freely choose 3DS to reduce the risk of fraud and chargebacks. As a result, its use is accelerating in mature APAC ecommerce markets like Japan.

What benefits does 3D Secure offer?

Depending on your market, you may have to adopt 3DS to ensure regulatory compliance. However, 3DS also offers significant advantages beyond compliance, both for your reputation and for your financial returns. Here are three key benefits:

  • Reduction in card fraud: With next-gen AI driving more account takeovers, it makes sense for merchants to help protect themselves (and their reputations) by authenticating the user ID and payment method before accepting a sale.
  • Liability shift: Where 3DS is used, any liability for a fraudulent chargeback moves from you to the card issuer. This helps you minimize losses and avoid chargeback fees, which can cost up to £150 per chargeback in the UK and $100 in the US.
  • Lower processing costs: You can use 3DS to qualify for reduced interchange fees.

How to optimize 3DS authentication

The key to optimizing your application of 3DS is to understand there is no one-size-fits-all approach. Instead, you should conduct detailed analysis and testing of the impact that applying 3DS (outside of where it's mandated) has on your conversion and authentication rates.

For more detail on this topic, take a look at this blog post.

How Primer helps merchants make 3DS a win-win

One of the main benefits of using Primer is that we've decoupled 3D Secure from any underlying processor and simplified the implementation of 3DS across all your platforms.

Using our Universal Checkout, you can configure 3DS in your workflow, and we will handle the rest. This results in an entirely 'in-context' and optimized 3D Secure flow for your customers on the web and mobile.

Our 3DS dashboards allow you to dive deep into your performance, uncover anomalies, and quickly identify optimization opportunities.

See our guide on how to configure 3DS on Primer.
