3D Secure & 3D Secure 2.0 (3DS2): What You Must Know [2023]

Our cybersecurity expert explains how you can use 3DS2 to make sure your business is in full compliance with transaction security regulations.

With ecommerce continuing to grow at a rapid pace, and with consumers using a variety of devices to purchase and pay, there is also an increase in fraud and potential fraud. Preventing fraud is of prime importance to consumers and business owners alike - it’s in everyone’s best interest to ensure that online transactions are safe and secure. At the same time, consumers don’t want their speedy online shopping experience to become clunky and slow - so the challenge is to provide a safe checkout solution without compromising on speed and efficiency.

3D secure and its new and improved version, 3DS2, are authentication protocols that were designed to increase the protection of consumers making purchases online as well as to protect companies from fraudulent transactions. In this article, we will explain how these verification solutions work and why they are an important tool for your ecommerce business. 

What is 3D Secure?

If you have ever been redirected to your bank’s website and asked to put in a password or a one-time code when making a purchase online, you have experienced 3D secure. This is a merchant’s way of adding an additional level of security and requiring the issuing bank to verify the identity of the cardholder. 3D secure shifts the burden of any fraudulent chargebacks to the bank instead of the merchant, protecting them from unnecessary losses. 

The problem with the original 3D secure protocol was the often-confusing authentication process that consumers were prompted to complete. In many situations, shoppers would just give up and abandon the cart, causing online businesses to lose out on sales. 

How Does 3D Secure Authentication Work?

From a customer perspective, if 3D secure is being used, they are asked to enter their personal code as part of the checkout process. If they are not already enrolled in a 3D secure program, they are redirected to the bank site and given the option to sign up. 

Behind the scenes, the protocol uses a three-domain model (hence the name 3D) to add an extra layer of security in between the financial authorization process from the bank and the online authentication process done by the merchant. The three domains are:

  • Acquirer domain - the bank and the merchant that are receiving the payment in the transaction
  • Issuer domain - the bank that originally issued the card being used for the transaction.
  • Interoperability domain - the infrastructure that supports the 3D secure protocol being used by the card. 

In a nutshell, what happens is the customer enters their card information and then is asked to verify that they are who they claim to be by entering in a personal code that only they would know. This code is verified by the issuing bank who then takes on the responsibility in case the charge is actually fraudulent. 

What is 3D Secure 2.0?

To address the challenges of the original 3D secure, a new standard known as 3DS2 was introduced, offering a more user-friendly and stronger way to detect and prevent fraud. This new version offers real-time information sharing between merchants, payment networks and banks so that transactions can be authenticated more accurately without negatively impacting the consumer’s checkout experience. 

Merchants that use 3DS2 get the benefit of 10 times as much data, which greatly speeds up the authentication process and increases the security. Because so much data is shared, merchants and card issuers have more context in which they can verify a cardholder’s identity, meaning that not every purchase will require a customer to manually input a password. 

What is 3DS1? 

3DS1 was the original 3D secure protocol, requiring high-risk transactions to be authenticated. While merchants could choose whether or not to implement 3D secure and for which transactions, there was a huge downside to the process which was the increased friction experienced by customers. The original 3D secure was not mobile-friendly, and was a particularly difficult challenge especially as so many online purchases are made via mobile devices. 

representation of 3d secure 1.0 and its weakness

What is 3DS2?

3DS2 was built to improve upon 3DS1 and address the challenges inherent in that protocol. Specifically, 3DS2 was intended to improve the user experience in the following 3 ways:

  • More data - over 100 pieces of data are sent from the merchant to the card issuer, which means the issuer has a lot more information at their disposal to help them decide how risky the transaction is and whether it requires additional authentication or not. The majority of transactions can be automatically authenticated without the customer having to take any action.
  • Reduced friction - the entire process can be made easier for the consumer, including using biometrics and one-time passwords directly on the checkout page. A more seamless checkout experience for consumers means more sales for merchants.
  • Mobile optimization - both iOS and Android have native-device payment options that can be used to make the mobile experience smoother. 

The value of 3DS2 is that it prioritizes the consumer experience, making it possible for merchants to retain customers while also protecting themselves from fraudulent purchases and chargebacks. 

representation of 3d secure 1.0 and its benefits

How do 3DS2 Payments Work?

3DS2 works as follows:

  1. The cardholder making a purchase enters card details for payment.
  2. The merchant’s 3D secure service provider sends the transaction data and an authentication request to the card issuer.
  3. The card issuer’s 3D secure service provider determines the level of risk inherent in the particular transaction and:
  1. if the transaction is high risk, customer will be asked for additional verification (less than 5% of transactions)
  2. if the transaction is low risk, no additional customer action is needed (95% of transactions)
  1. Card issuer sends the result of the authentication back to the merchant
  2. The merchant then submits the transaction for authorization, including the authentication result

In order to authenticate a transaction using 3DS2, if a cardholder is asked to verify their identity, they need to provide one of three pieces of information: something they have, something they know and something they are. Something they have is confirmed by data from the device they are using; something they know is their bank login or a one-time password; and something they are can be confirmed using biometrics. 

Collecting device data happens without the consumer even knowing - in most cases this is enough to authenticate the transaction providing a completely seamless experience for the user. Even if further authentication is needed, it can also be frictionless if all it entails is the user using their fingerprint to provide biometric data or approving the use of a saved password. 

Is 3DS2 Mandatory Everywhere?

While it is recommended, 3DS2 is not yet mandatory worldwide. In Europe, the Payment Services Directive (PSD2) requires companies to follow certain regulations when it comes to accepting payments in the countries in which the directive is enforced. One of the major requirements within PSD2 is Strong Customer Authentication (SCA) - 3DS2 makes it easy to comply with SCA requirements. Both Brazil and Australia have also adopted SCA mandates making the adoption of 3DS2 there more popular as well. Other countries are likely to follow suit as the need for more security around online payments continues to grow. 

How to Activate 3DS2?

Merchants need to work with a 3DS2 service provider in order to integrate this protocol into their payment infrastructure

Are there Limitations in Using 3D Secure and 3DS2?

We’ve already described the major limitation to the original 3D secure protocol and the difficulties it caused in the checkout experience. A second limitation involved card issuers being overly cautious and declining transactions due to potential fraud that where actually legitimate transactions.

Both of these limitations have been addressed with 3DS2, and for merchants operating in Europe and other countries where such protections are mandatory, it is a good solution. But for those who are not required to use 3DS2, there are a few limitations to consider when deciding whether or not to jump on the bandwagon: 

  • Adaptability - most card issuers have not updated their fraud detection technology in years. Just because they have access to updated systems like 3DS2 does not mean they know how to use it properly and glitches are to be expected.
  • Proof - because 3DS2 is still relatively new, there is not yet much hard data to show whether or not it’s been successful in increasing sales and conversion rates.
  • Providers - not all 3DS2 providers are equal - some have more experience than others and may provide different levels of service. You need to make sure that you, as the merchant, will be given access to all of the data points collected which will give you useful insights into customer behavior. 

Benefits of 3D Secure and 3DS2

While it’s important to consider the potential limitations, there are also many benefits that come from 3DS2, including:

  • Increased authorization rates - because more data is shared from the merchant to the card issuer, the card issuer is better able to assess risk and is more likely to approve legitimate transactions and only prevent ones that are actually fraudulent. 
  • Enhanced customer experience - in most cases, the authentication process takes place in the background without the cardholder having to take any additional action. In cases where additional authentication is necessary, it can be done via an SMS code and password and/or using fingerprint or facial recognition. These authentication processes are much improved from 3DS1 and still provide a frictionless experience for the user. 
  • Faster transaction time - checkout time is up to 85% faster than using 3DS1 methods.
  • Fewer abandoned carts - shoppers are much more likely to complete transactions than to abandon the cart in the middle when the authentication process is too onerous. 
  • Liability shift - liability is taken away from the merchant and shifted to the issuing bank in the event that a fraudulent charge is mistakenly approved. 
  • Regulatory compliance - 3DS2 makes it easy for ecommerce providers to comply with SCA rules and regulations especially in European countries that are under the jurisdiction of the Payment Services Directive. 
A side by side representation of the benefits of 3ds2.0 over 3ds1.0

What Pay.com Offers

Pay.com can help you easily integrate 3SD2 into your payment infrastructure. You’ll offer your customers the smooth and seamless checkout experience that they expect, while ensuring that transactions are secure and all sides are protected from fraud. 

With Pay.com, you don’t have to worry about ever-changing regulations as we will always make sure that the system is up to date and that you are in full compliance. All you have to do is focus on bringing in customers and we handle everything that goes on behind the scenes. 

FAQs

Is 3D Secure mandatory?

3D secure is mandatory in many European countries that must comply with the Payment Services Directive and offer strong customer authentication (SCA). Australia and Brazil also have similar mandates and other countries may follow suit.

How do I know if my credit card is 3D Secure?

Most credit cards are 3D secure as a free service offered to users. It is the merchants who opt in to providing this level of protection to buyers on their site. If they do, there should be a logo on the site identifying them as using 3D secure. When making a purchase using a 3D secure card on a site that has opted in, a cardholder may be asked to provide additional information to verify that they are who they say they are to maintain the security of the transaction.

Can a 3DS2 be bypassed?

Transactions that are deemed low-risk by the issuing bank can bypass the requirement for additional layers of authentication.

Meet the author
Emily Kirschenbaum
Emily is a content writer with a special interest in fintech and business. She loves sharing her knowledge to help small businesses take their first steps towards success.

Ready to boost revenue for your business

Contact sales