3D Secure

Discover how 3D Secure authentication can enhance security and protect your business from fraud.

3D Secure 2.0 (3DS) is a security protocol banks and financial institutions use to authenticate customers during online transactions. It is designed to provide an additional layer of security for online payments by verifying the identity of the person making the transaction. It is an improvement over the previous version, 3D Secure Version 1 (3DSv1), providing greater security and usability for you and your customers.

3DS was developed to comply with the requirements of the Payment Services Directive 2 (PSD2). Under PSD2, Strong Customer Authentication (SCA) is required for online transactions within the European Economic Area (EEA).

SCA requires two or more of the following:

  • Something the customer knows (e.g., password or PIN)
  • Something the customer has (e.g., mobile device)
  • Something the customer is (e.g., fingerprint or facial recognition)

When to use 3DS

You should implement 3DS for online transactions within the European Economic Area (EEA) to comply with PSD2. It is also useful for reducing fraud globally, even where SCA is not required.

For implementation details, refer to the emerchantpay API documentation.


3DS Authentication Flows

When a transaction is eligible for 3DS, it goes through one of the following flows based on the issuer’s risk evaluation.

Frictionless flow

The customer is authenticated in the background with no additional input required. The issuer uses contextual data to assess and approve the transaction silently.

Challenge flow

The customer is prompted to complete an additional authentication step, such as entering a one-time password or using biometric verification.

This flow is triggered when:

  • The issuer considers the transaction high risk.
  • Authentication data is insufficient.
  • The customer’s card credentials are stored for merchant-initiated transactions (e.g., recurring payments).


3DS Method URL

The Method URL is a feature in the EMV 3DS protocol that allows issuing banks to obtain additional browser information at the start of the authentication session. It runs device fingerprint collection in the background. The additional data collected helps the issuer facilitate risk-based authentication and reduce the likelihood of fraudulent transactions.

The Method URL is an optional layer, and it is up to you to decide whether to implement it. It adds complexity and latency to the authentication process, but it improves overall frictionless transaction rates.
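
The Method URL step as an added example, not emerchantpay's code or API: it builds the hidden-iframe form and derives the completion indicator from the issuer's callback. Field names and the 10-second limit follow the EMV 3DS specification; the function names, URLs and transaction ID are constructed placeholders, and rendering the form server-side in Node.js is an assumption.

```javascript
// Added example: field names follow the EMV 3DS specification, not this page.
const METHOD_TIMEOUT_MS = 10000; // the spec gives the method call 10 seconds

// Base64url-encoded JSON carried in the threeDSMethodData form field.
function encodeMethodData(threeDSServerTransID, notificationUrl) {
  const json = JSON.stringify({
    threeDSServerTransID,
    threeDSMethodNotificationURL: notificationUrl,
  });
  return Buffer.from(json, "utf8").toString("base64url");
}

function escapeAttr(value) {
  return String(value).replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);
}

// HTML for the hidden iframe: a form that auto-posts to the issuer's Method URL.
function buildMethodForm(methodUrl, threeDSServerTransID, notificationUrl) {
  const url = new URL(methodUrl); // throws on malformed input
  if (url.protocol !== "https:") throw new Error("Method URL must use HTTPS");
  const data = encodeMethodData(threeDSServerTransID, notificationUrl);
  return (
    `<form id="threeds-method" method="POST" action="${escapeAttr(url.href)}">` +
    `<input type="hidden" name="threeDSMethodData" value="${data}"></form>` +
    `<script>document.getElementById("threeds-method").submit()</script>`
  );
}

// Value for threeDSCompInd in the authentication request that follows:
// "U" no Method URL offered, "Y" callback matched in time, "N" otherwise.
function completionIndicator(methodUrl, sentTransID, notification, elapsedMs) {
  if (!methodUrl) return "U";
  if (!notification || elapsedMs > METHOD_TIMEOUT_MS) return "N";
  try {
    const raw = Buffer.from(notification.threeDSMethodData, "base64url");
    const decoded = JSON.parse(raw.toString("utf8"));
    // Only accept a callback that echoes the transaction ID we sent.
    return decoded.threeDSServerTransID === sentTransID ? "Y" : "N";
  } catch {
    return "N"; // undecodable callback body counts as not completed
  }
}

// Constructed sample values, for illustration only.
const transID = "11111111-2222-4333-8444-555555555555";
const form = buildMethodForm("https://acs.example/method", transID,
  "https://merchant.example/3ds/method-notify");
console.log(form.length > 0, completionIndicator(null, transID, null, 0));
```

Binding the callback to the transaction ID that was sent keeps a stray or replayed notification from marking fingerprint collection as complete.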


Liability shift

3DS provides liability protection in specific scenarios. When the issuer successfully authenticates the customer, the liability for chargebacks may shift from you to the issuer.

Liability shifts to the issuer when:

  • A challenge flow is completed successfully.
  • A frictionless flow is approved based on Risk-Based Authentication (RBA).
  • You attempt 3DS but the issuer cannot complete the service due to a technical issue.

Liability does not shift when 3DS is not attempted or the transaction fails authentication.