3D Secure

Discover how 3D Secure authentication can enhance security and protect your business from fraud.

3D Secure 2 (3DS2, referred to simply as 3DS on this page) is an authentication protocol that card issuers use to verify the cardholder during online card payments. It adds a layer of security on top of the payment authorisation by checking that the person paying is the legitimate cardholder. It supersedes 3D Secure version 1 (3DSv1) and offers better security and usability for you and your customers, for example richer transaction data for risk assessment and native support for mobile apps.

3DS2 was developed to meet the requirements of the Payment Services Directive 2 (PSD2). Under PSD2, Strong Customer Authentication (SCA) is required for customer-initiated online transactions where both the issuer and the acquirer are in the European Economic Area (EEA), unless an exemption applies. SCA requires that the customer provides at least two independent factors from the following categories: something the customer knows (such as a password or PIN), something the customer has (such as a mobile phone or hardware token), or something the customer is (such as biometric data).


Prerequisites


3DS Authentication Flows

If a transaction qualifies for 3DS, it goes through one of two authentication flows. Which flow applies is decided by the issuer, based on its risk assessment of the transaction, device and browser data it receives with the authentication request.

Frictionless flow

In the frictionless flow the issuer authenticates the customer in the background, using the data supplied with the authentication request, without any additional input or action required on the customer's part.

Challenge flow

In the challenge flow the customer is asked to provide additional proof of identity, such as a one-time password sent to their phone or a confirmation in their banking app, to complete the transaction. It is typically triggered when the issuer deems the transaction high-risk or cannot verify the customer from the frictionless data alone.

A challenge is also mandatory when you store the customer's card credentials for subsequent merchant-initiated transactions, for example when setting up a recurring payment. The challenge takes place at the moment the credentials are stored; the later merchant-initiated transactions themselves are out of scope of SCA.


3DS Method URL

The 3DS Method URL is an issuer endpoint defined by the EMV 3DS protocol that lets the issuer's Access Control Server (ACS) collect additional browser information at the start of the authentication session. It is loaded in a hidden iframe in the customer's browser and runs a device fingerprint collection in the background. The data collected helps the issuer perform risk-based authentication and reduces the likelihood of fraudulent transactions.

Implementing the 3DS Method is optional and the decision is yours. It adds complexity and latency to the authentication (the protocol allows the method up to ten seconds to complete before the authentication proceeds without its result), but the extra device data improves your overall frictionless rate.
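The following is an added example and not code from the original page or from any provider's SDK. It shows the 3DS Method step as the merchant side (the 3DS Requestor) drives it in the cardholder's browser: encoding the threeDSMethodData payload, injecting the hidden iframe that POSTs it to the issuer's Method URL, waiting at most ten seconds for the issuer's notification, and deriving the threeDSCompInd value that is then reported in the authentication request. Field names and the ten-second limit follow the EMV 3DS 2 specification; the URLs and the transaction ID are constructed placeholders.

```javascript
// Added example, not code from the original page: the 3DS Method step as a
// 3DS Requestor (merchant side) drives it. Field names (threeDSMethodData,
// threeDSServerTransID, threeDSMethodNotificationURL, threeDSCompInd) and the
// 10-second limit follow the EMV 3DS 2 specification; URLs and IDs are constructed.

// threeDSMethodData must be Base64url (RFC 4648 section 5, no padding).
function base64url(str) {
  return Buffer.from(str, "utf8").toString("base64url");
}

function fromBase64url(b64) {
  return Buffer.from(b64, "base64url").toString("utf8");
}

// The payload carries exactly two fields: the 3DS Server transaction ID and the
// URL the ACS will POST to once its fingerprinting script has finished.
function encodeThreeDSMethodData(threeDSServerTransID, notificationURL) {
  return base64url(JSON.stringify({
    threeDSServerTransID,
    threeDSMethodNotificationURL: notificationURL,
  }));
}

function decodeThreeDSMethodData(encoded) {
  return JSON.parse(fromBase64url(encoded));
}

// Escape values placed into HTML attributes so a malformed or hostile Method URL
// cannot break out of the form's action attribute.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Markup the checkout page injects: a hidden iframe plus a form that POSTs
// threeDSMethodData to the ACS Method URL, targeted at that iframe so the
// cardholder never sees it.
function buildMethodIframeHtml(methodUrl, encodedMethodData) {
  return [
    '<iframe name="threeDSMethodIframe" style="display:none" width="0" height="0"></iframe>',
    `<form id="threeDSMethodForm" method="POST" action="${escapeHtml(methodUrl)}" target="threeDSMethodIframe">`,
    `  <input type="hidden" name="threeDSMethodData" value="${escapeHtml(encodedMethodData)}">`,
    "</form>",
    '<script>document.getElementById("threeDSMethodForm").submit();</script>',
  ].join("\n");
}

// EMV 3DS: the 3DS Server waits at most 10 seconds for the ACS notification
// before sending the authentication request (AReq) without the method result.
const METHOD_TIMEOUT_MS = 10_000;

// Resolves true when the notification arrives in time, false on timeout or error.
function waitForMethodCompletion(notificationPromise, timeoutMs = METHOD_TIMEOUT_MS) {
  return new Promise(resolve => {
    const timer = setTimeout(() => resolve(false), timeoutMs);
    const done = ok => { clearTimeout(timer); resolve(ok); };
    notificationPromise.then(() => done(true), () => done(false));
  });
}

// threeDSCompInd, sent in the AReq, tells the ACS what happened:
//   "Y" - Method completed and the notification arrived in time
//   "N" - a Method URL existed but did not complete within the timeout
//   "U" - the card range published no Method URL, so nothing was attempted
function threeDSCompInd(methodUrl, notificationReceived) {
  if (!methodUrl) return "U";
  return notificationReceived ? "Y" : "N";
}

// Stand-alone demo with constructed values; the simulated ACS "calls back" after 50 ms.
const demoMethodUrl = "https://acs.issuer.example/3ds2/method";
const demoTransID = "8a880dc0-d2d2-4067-bcb1-b08d1690b26e";
const demoEncoded = encodeThreeDSMethodData(demoTransID, "https://shop.example/3ds2/method-notify");
console.log(buildMethodIframeHtml(demoMethodUrl, demoEncoded));
const simulatedNotification = new Promise(resolve => setTimeout(resolve, 50));
waitForMethodCompletion(simulatedNotification).then(completed => {
  console.log("threeDSCompInd =", threeDSCompInd(demoMethodUrl, completed)); // Y
});
```

In production the notification promise is resolved by your server when the ACS POSTs to threeDSMethodNotificationURL (typically relayed to the browser or polled by it); the point of the race is that a slow or silent ACS never blocks the checkout for more than the ten seconds the protocol allows, and the authentication simply proceeds with threeDSCompInd set to N.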


Liability shift

Under 3DS, if the issuer successfully authenticates a transaction in a challenge flow, liability for fraud shifts from you to the card issuer. This protects you from the financial consequences of fraud-related chargebacks (for example "cardholder does not recognise the transaction"); it does not cover non-fraud disputes such as goods not received.

The card issuer can also accept liability in a frictionless flow, provided you have not explicitly requested an exemption: the issuer considers the transaction low-risk based on the data alone and approves it without a challenge. This is known as Risk-Based Authentication (RBA). If, instead, you request an exemption and the issuer grants it, liability stays with you.

Liability can also shift to the issuer when you attempt to authenticate the transaction but the issuer cannot provide the service at that time, for example because of a temporary technical issue on its side. The authentication then returns an "attempted" result. Be aware that issuers can still decline the subsequent authorisation of a transaction flagged with an attempted result.