3D Secure is a cardholder authentication protocol used in card-not-present (online) transactions that adds an identity verification step between payment submission and authorization. The cardholder confirms their identity, typically via a one-time code sent to their phone or biometric confirmation through their bank’s app.
The current version, 3DS2, uses risk-based authentication. Low-risk transactions are silently approved in the background while higher-risk transactions trigger an explicit cardholder challenge. When a transaction passes 3DS authentication, fraud-related chargeback liability shifts from the merchant to the card issuer.
3DS2 passes far more contextual data to the issuer than the original 3DS, including device fingerprint, purchase history, billing address match, and behavioral signals. This enables frictionless approval of low-risk transactions rather than challenging every online purchase.
Diving Deeper into 3D Secure (3DS)
3D Secure was introduced in the late 1990s to address a fundamental gap in card-not-present transactions. Unlike in-person purchases where a cardholder physically presents their card, online transactions provided no way to verify that the person submitting a card number was actually the cardholder. The original protocol attempted to solve this by routing shoppers through a bank-hosted authentication page mid-checkout, where they entered a static password to confirm their identity.
The redirect model created significant friction. Conversion rates dropped when customers were interrupted during checkout, and cart abandonment increased substantially. The static password approach also proved easy to phish and difficult for cardholders to remember consistently. Merchants absorbed the cost of lost sales without receiving meaningful fraud protection in return.
The Shift from 3D Secure to 3DS2
3DS2, introduced by EMVCo and widely adopted through the early 2020s, fundamentally changed the authentication model. Rather than routing every transaction through an explicit challenge, 3DS2 enables the card issuer to make an intelligent risk decision based on a rich data payload transmitted with each transaction request.
What Data Gets Shared
The data payload sent to the issuer under 3DS2 is substantially more detailed than anything available under the original protocol. It includes device fingerprint, browser type and version, IP address, billing and shipping address match status, cardholder account age and transaction history, and behavioral signals captured during the session such as how the user navigated the page and interacted with form fields.
How the Risk Decision Works
The issuer’s risk engine processes this payload in real time and makes one of two decisions. If the transaction appears low risk based on the available signals, it is approved silently in the background through what is called a frictionless flow — the cardholder experiences nothing out of the ordinary and the purchase completes normally. If the transaction triggers risk thresholds, the issuer initiates a challenge, typically a one-time passcode sent via SMS or a biometric confirmation through the cardholder’s banking app.
The result is that legitimate customers are rarely interrupted while suspicious transactions are still flagged and challenged before approval.
Liability Shift
One of the most commercially significant aspects of 3D Secure is the liability shift it provides to merchants. Under standard card network rules, when a fraudulent card-not-present transaction results in a chargeback, the merchant absorbs the loss. When a transaction is authenticated through 3DS and subsequently approved by the issuer, that liability transfers to the issuer. The merchant is protected even if the underlying card credentials were compromised, provided the authentication was completed successfully.
For merchants operating in high-ticket or high-risk categories, enabling 3D Secure on relevant transaction types can meaningfully reduce chargeback exposure. Lower chargeback ratios in turn protect merchant account standing, reduce the likelihood of reserve requirements being imposed by the acquirer, and improve the merchant’s overall risk profile with their processing partners.
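The risk decision and liability shift described above, as an added worked example (not EMVCo's specification and not any gateway's or issuer's code): a toy issuer-side risk engine that scores a constructed subset of 3DS2 contextual signals and returns a transaction status, a challenge-resolution step, and a merchant-side check of whether fraud liability has shifted. The transStatus codes Y, N, U, A, C and R are the ones 3DS2 uses in its authentication response; the signal field names, point values and thresholds are assumptions made for this illustration.

```python
"""Toy 3DS2 risk decision and merchant-side liability check (illustrative only).

Added example: the scoring weights, thresholds and request fields below are
constructed for this page and are not part of the EMVCo 3DS2 specification.
"""
from dataclasses import dataclass, field

CHALLENGE_THRESHOLD = 40   # assumption: score at/above this triggers a challenge (C)
REJECT_THRESHOLD = 90      # assumption: score at/above this is rejected outright (R)


@dataclass
class AuthRequest:
    """Constructed subset of the contextual signals 3DS2 carries to the issuer."""
    amount: float                     # purchase amount in the cardholder's currency
    billing_matches_shipping: bool
    device_seen_before: bool          # device fingerprint already known for this account
    account_age_days: int
    ip_country_matches_billing: bool
    prior_chargebacks: int = 0


@dataclass
class AuthResult:
    trans_status: str                 # Y, N, U, A, C or R (3DS2 transStatus values)
    score: int
    reasons: list = field(default_factory=list)


def assess(req: AuthRequest) -> AuthResult:
    """Issuer-side decision: Y = frictionless approval, C = challenge, R = rejected."""
    score, reasons = 0, []
    if not req.billing_matches_shipping:
        score += 25
        reasons.append("billing/shipping mismatch")
    if not req.device_seen_before:
        score += 20
        reasons.append("new device fingerprint")
    if req.account_age_days < 30:
        score += 15
        reasons.append("account younger than 30 days")
    if not req.ip_country_matches_billing:
        score += 20
        reasons.append("IP geolocation outside billing country")
    if req.amount >= 500:
        score += 15
        reasons.append("high-value purchase")
    if req.prior_chargebacks:
        score += 30 * req.prior_chargebacks
        reasons.append(f"{req.prior_chargebacks} prior chargeback(s)")
    if score >= REJECT_THRESHOLD:
        return AuthResult("R", score, reasons)
    if score >= CHALLENGE_THRESHOLD:
        return AuthResult("C", score, reasons)
    return AuthResult("Y", score, reasons)


def complete_challenge(result: AuthResult, cardholder_passed: bool) -> AuthResult:
    """Resolve a challenge (C) into a final status once the cardholder has responded
    to the OTP or in-app confirmation. Non-challenge results pass through unchanged."""
    if result.trans_status != "C":
        return result
    return AuthResult("Y" if cardholder_passed else "N", result.score, result.reasons)


def liability_shifted(result: AuthResult) -> bool:
    """Merchant-side check. Liability moves to the issuer only on a successfully
    completed authentication (Y). An unresolved challenge (C), a failed one (N),
    an unavailable issuer (U) or a rejection (R) leaves it with the merchant.
    Assumption: 'attempted' (A) is treated conservatively as no shift here,
    since its handling depends on card network rules not covered on this page."""
    return result.trans_status == "Y"


def merchant_action(result: AuthResult) -> str:
    """Constructed merchant policy for acting on the authentication result."""
    if result.trans_status == "Y":
        return "authorize"                 # pass the authentication values to authorization
    if result.trans_status == "C":
        return "challenge"                 # present the issuer's challenge to the cardholder
    if result.trans_status == "U":
        return "authorize_without_shift"   # policy choice: proceed, but merchant keeps liability
    return "decline"                       # N, R (and A under this conservative policy)


if __name__ == "__main__":
    risky = AuthRequest(amount=800, billing_matches_shipping=False, device_seen_before=False,
                        account_age_days=10, ip_country_matches_billing=True)
    first = assess(risky)
    final = complete_challenge(first, cardholder_passed=True)
    print(first.trans_status, first.score, first.reasons)
    print(final.trans_status, merchant_action(final), liability_shifted(final))
```

The point of the two-step shape is that `liability_shifted` is only true for the *final* status: a merchant that reads the initial `C` response and proceeds to authorization without completing the challenge is still carrying the fraud risk, which is exactly the fallback case a gateway has to get right.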
Regulatory Requirements
PSD2 and Strong Customer Authentication
In Europe, 3D Secure is required under the Payment Services Directive 2 as part of Strong Customer Authentication mandates. SCA requires that electronic payments be authenticated using at least two independent factors drawn from three categories: something the cardholder knows such as a PIN or password, something they have such as a registered device, and something they are such as a fingerprint or face scan. 3DS2 satisfies this requirement while minimizing checkout friction through its risk-based frictionless flow for low-risk transactions.
Global Adoption
Outside of Europe, 3D Secure adoption is voluntary but increasingly expected by card networks and acquirers, particularly for merchants in high-risk categories, those processing cross-border transactions, or those with elevated chargeback ratios. Some acquirers mandate 3DS enrollment as a condition of onboarding specific merchant types.
3D Secure and Payment Gateways
Implementation of 3DS2 happens at the gateway or payment facilitator level in most cases. Merchants do not typically integrate directly with card network 3DS infrastructure. Instead, the gateway handles the authentication request, communicates with the issuer’s access control server, processes the authentication result, and passes the authentication values through to the authorization request. Merchants selecting a gateway should confirm 3DS2 support and understand how the gateway handles fallback scenarios when issuers do not support 3DS2 and fall back to the original 3DS protocol.