
Why it’s time to revisit your 3D Secure strategy

Sarah Brennan
Product Lead - Accept

3D Secure (3DS) has come a long way since 2001, when it was first introduced as ‘Verified by Visa’ to bring more security to the online payment ecosystem. What began as a simple password system has evolved into a dynamic, increasingly user-friendly protocol that’s helping to reduce payment fraud globally. 

Over the past decade, I’ve had the privilege of witnessing and contributing to the evolution of 3DS. As a solutions engineer at Braintree, I helped merchants integrate 3DS, and now, at Primer, I’m focused on developing one of the most comprehensive and versatile 3DS solutions available.

It’s a space that continues to excite me today. I speak with merchants weekly about 3DS, and nearly every conversation reveals that there is so much that merchants can do to optimize their approach to authentication.

3DS sentiment shifts 

Most merchants, particularly in Europe, would agree that 3DS has been an interesting journey. When PSD2’s Strong Customer Authentication (SCA) regulations first came into play in Europe, there was much fear about customer drop-off because of the added friction introduced. 

Thankfully, that didn’t come to pass. Yes, most merchants initially experienced some drop-off as teething problems were solved and consumers became familiar with the flow. But it was nothing like the doomsday scenario that some predicted. 

I think it’s safe to say that consumers, particularly in those markets where 3DS is mandated, are now fully familiar with 3DS—and even welcome it.

Merchants have clearly benefited, with estimates suggesting it’s saved European merchants around €900 million worth of fraud annually. 

While merchant sentiment toward 3DS has undoubtedly changed, I often get the sense that many merchants still struggle to fully understand its impact. 

That might mean not fully understanding how their 3DS strategy is performing, how it affects their payment performance, or how they can take advantage of the benefits introduced in the newer versions of the protocol.

New protocols, new opportunities

Let’s start with the protocols. We recently saw the sunsetting of 3DS 2.1, with all card issuers now using 3DS 2.2.

The latest upgrade to the 3DS protocol builds upon its predecessors by introducing several new features and improvements to enhance security, user experience, and compatibility with modern payment methods. These include advanced biometric support, frictionless flow enhancements, and enhanced data fields. 

The flow itself is now much faster and has also been improved for use in areas with low internet coverage—a significant advantage for customers on the move.

Given all these developments, I suggest that merchants speak with their 3DS provider, whether that’s their payment service provider (PSP) or a standalone service, to understand how they’re making use of the new features available with 3DS 2.2 and how to use them to optimize the payment flow.

Beyond compliance 

When 3DS was first mandated in Europe, it’s fair to say that merchants saw it as an exercise in compliance—and a complex one at that. With limited knowledge, resources, and technical flexibility, many merchants took a blanket approach and applied 3DS to all their transactions—whether needed or not.

Quite often, when I speak with merchants, this strategy still exists. That’s a mistake, one that’s likely impacting their payment performance. 

3DS is intricate and nuanced, perhaps more than any other area of payments. This nuance presents merchants with many options to fine-tune their usage of 3DS to align with their unique business strategies. 

Let’s explore some of the options merchants have at their disposal.

Fine-tune authentication strategies

No one-size-fits-all approach exists for 3DS. For instance, in Europe, individual countries and even issuing banks approach 3DS slightly differently, with some being stricter than others regarding how it is used. Merchants must uncover these variations by analyzing 3DS performance at a BIN (Bank Identification Number) level and building a strategy around the results.
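
As an added illustration of the BIN-level analysis described above (not Primer's code), the sketch below aggregates 3DS outcomes per BIN and marks BINs whose challenges fail unusually often. The record layout, the sample BINs and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample: (BIN, flow, authenticated, authorized). BINs and outcomes are made up.
SAMPLE = [
    ("400000", "frictionless", True, True),
    ("400000", "frictionless", True, True),
    ("400000", "challenge", True, True),
    ("400000", "challenge", True, False),   # authenticated, then declined at authorization
    ("510000", "challenge", False, False),  # customer abandoned or failed the challenge
    ("510000", "challenge", False, False),
    ("510000", "challenge", True, True),
    ("510000", "frictionless", True, True),
    ("520000", "challenge", False, False),  # single data point, not enough to judge
]

def bin_report(records, min_volume=3, max_challenge_failure=0.4):
    """Per-BIN 3DS metrics; 'review' marks BINs whose challenges fail too often."""
    stats = defaultdict(lambda: {"total": 0, "challenged": 0, "challenge_ok": 0, "authorized": 0})
    for bin_, flow, authenticated, authorized in records:
        s = stats[bin_]
        s["total"] += 1
        s["authorized"] += int(authorized)
        if flow == "challenge":
            s["challenged"] += 1
            s["challenge_ok"] += int(authenticated)
    report = {}
    for bin_, s in stats.items():
        success = s["challenge_ok"] / s["challenged"] if s["challenged"] else None
        report[bin_] = {
            "volume": s["total"],
            "challenge_rate": round(s["challenged"] / s["total"], 2),
            "challenge_success": None if success is None else round(success, 2),
            "authorization_rate": round(s["authorized"] / s["total"], 2),
            # Thresholds are hypothetical; skip BINs with too little traffic to be meaningful.
            "review": (s["total"] >= min_volume and success is not None
                       and 1 - success > max_challenge_failure),
        }
    return report

if __name__ == "__main__":
    for bin_, row in sorted(bin_report(SAMPLE).items()):
        print(bin_, row)
```

A BIN marked for review is a candidate for a different treatment, such as requesting an exemption where one applies, rather than proof that the issuer is at fault.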

Take advantage of liability shifts outside Europe

Just because 3DS isn’t mandated in a particular market doesn’t mean a merchant should never use it there.

For instance, merchants can use 3DS for liability shifts outside of Europe, especially for higher-value transactions or transactions suspected of being fraudulent. 

Of course, caution is necessary as results may vary depending on how the issuing bank treats 3DS (some may even think it means the transaction is fraudulent) and the customer sentiment around 3DS in that market. 

Use exemptions when available 

Merchants can request exemptions on certain payments. For instance, a low-value exemption is available on payments below €30 (or the sterling equivalent). 

Transaction Risk Analysis (TRA) exemptions are also available for transactions up to €500, depending on the fraud rate of the PSP processing the payment. However, it’s important to note that the issuing bank may not always grant exemptions; when granted, the merchant is liable for fraud. 
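
The exemption choice described above can be written as a small decision function. This is an added sketch, not Primer's code: the function names are hypothetical, the €30 limit is the article's, and the TRA bands are an assumption taken from the reference fraud rates for remote card payments in the PSD2 technical standards.

```python
from decimal import Decimal

LOW_VALUE_LIMIT = Decimal("30")  # from the article: payments below EUR 30

# Assumption: TRA bands for remote card payments from the PSD2 technical standards,
# as (maximum amount in EUR, fraud rate the PSP must stay at or below).
TRA_BANDS = [
    (Decimal("100"), Decimal("0.0013")),
    (Decimal("250"), Decimal("0.0006")),
    (Decimal("500"), Decimal("0.0001")),
]

def choose_request(amount_eur, psp_fraud_rate, accept_fraud_liability):
    """Return 'low_value_exemption', 'tra_exemption' or 'authenticate_3ds'."""
    amount = Decimal(str(amount_eur))
    rate = Decimal(str(psp_fraud_rate))
    if not accept_fraud_liability:
        # A granted exemption leaves fraud liability with the merchant,
        # so a risk-averse merchant authenticates every payment.
        return "authenticate_3ds"
    if amount < LOW_VALUE_LIMIT:
        return "low_value_exemption"
    for max_amount, max_rate in TRA_BANDS:
        if amount <= max_amount:
            # The first band that fits the amount is the binding one.
            return "tra_exemption" if rate <= max_rate else "authenticate_3ds"
    return "authenticate_3ds"  # above EUR 500 no TRA band applies

def resolve(request, issuer_granted):
    """Issuers may refuse an exemption; fall back to full 3DS authentication."""
    if request != "authenticate_3ds" and not issuer_granted:
        return "authenticate_3ds"
    return request

if __name__ == "__main__":
    # Constructed inputs: amount in EUR, PSP fraud rate as a fraction, risk appetite flag.
    for args in [(12.50, 0.0005, True), (180, 0.0005, True), (400, 0.0005, True)]:
        print(args, "->", choose_request(*args))
```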

There’s no one-size-fits-all approach to 3DS

Merchants have nearly endless options for shaping their 3DS strategy. But ultimately, the approach begins with a simple question: What is our risk appetite? 

Payment fraud is not a zero-sum game. A merchant may say, "We're happy to accept some risk to provide a frictionless experience." As a result, they may look to use tools such as low-value exemptions and only apply 3DS when it’s absolutely necessary (we have a solution that does that in Adaptive 3DS). Other merchants may be more risk-averse and say they have zero tolerance for fraud and will use 3DS everywhere. 

Defining that risk appetite is the first step to building a more sophisticated 3DS strategy. From there, it’s about diving into the data and fine-tuning the approach to achieve the best possible results.

Legacy tools are holding merchants back

To maximize these strategies, merchants need access to data about the issuing bank, the region, and whether a transaction was successful after a challenge—or went through without one.

This is where the challenge arises. Compiling all this information can be difficult for merchants’ payment teams. In some cases, the information might not be available, and if it is, they might not have the time while juggling other priorities to consolidate and analyze it.

Applying the data adds another layer of complexity. If the merchant uses an integration with a 3D Secure provider, they often need to manually code and add specific conditions to the front-end integration. 

For example, they must define when a certain BIN is detected at checkout and how the transaction should flow. This complexity multiplies if the merchant uses multiple processors, as each one requires a separate setup.

That’s the problem we’re solving at Primer. Agnostic 3DS is our solution. It allows merchants to set their rules once in our no-code Workflow and apply them seamlessly across all their processors.

We empower merchants to go deeper by allowing them to set conditions based on BIN, region, issuing bank, and more. This flexibility enables them to truly tailor their 3DS strategy.

On the back end, we’ve built a comprehensive reporting suite, Primer Observability, that lets merchants drill down into the details to analyze their 3DS performance at the most granular level. This helps them spot trends, diagnose issues, and continuously refine their approach for optimal results.

Now is the best time to review your authentication strategy 

3DS is a topic that isn’t going away. 

Over the coming years, Japan will become the next country to mandate 3DS—and more countries will follow. Meanwhile, in Europe, we’re in the final stages of discussing PSD3, which will likely herald new changes to customer authentication. 

At the same time, the technology underpinning 3DS continues evolving. Version 2.3 will see even more merchant use cases for 3DS. This includes enabling customers to receive 3DS requests even when they aren’t directly in the payment flow and sending authentication requests across the connected ecosystem. 

As we stand on the precipice of these developments, now is the time for merchants to integrate 3DS into their payment strategy—if they haven’t already. 

By optimizing 3DS, merchants can significantly reduce the risk of payment processing, enhance customer satisfaction, and even gain an edge in the increasingly competitive digital marketplace.

Take a look at our blog on the key questions to ask when building an optimal 3DS strategy.
