What is 3D Secure authentication, and why is it important?

If you've paid for something online, you have probably used 3D Secure. And if you're a small business owner who takes ecommerce payments, it's likely that your customers have used it to pay you securely and efficiently.

Although you may have been using 3D Secure for years, you may have no idea what it is, why it's used, or why it's an integral part of payment security. 

Alternatively, you may have come across 3D Secure in relation to the Payment Services Directive 2 (PSD2), a piece of European Union legislation which went into effect in 2019.

In this guide, we'll take you through all things 3D Secure: its origins, how it works, its benefits, how it relates to PSD2 and its limitations.

What is 3D Secure? 

3D Secure, sometimes known as 3DS, is short for 3-domain server. It's a security protocol designed to prevent online fraud in credit and debit card transactions.

It was first invented by Arcot Systems (now CA Technologies) in 2001 and brought to market and popularised by Visa as 'Visa Secure'. Since its successful launch with Visa, many other card networks have developed and implemented their own 3D Secure protocols.

For example, Mastercard has SecureCode, American Express has its version called SafeKey, and the Discover Global Network has ProtectBuy. These are all branded names for their 3DS solutions. Although they all use 3D Secure technology, each solution varies in its functionality.

Why is it called 3D Secure? 

The term 3DS refers to the three-domain servers that it uses. These are:

  1. The acquirer domain – the merchant's acquiring bank.
  2. The issuer domain – the cardholder's issuing bank (e.g. Barclays).
  3. The interoperability domain – the infrastructure provided by the card scheme (e.g. Visa, Mastercard) to support the 3D Secure protocol.

How does 3D Secure work? 

3D Secure is a form of strong customer authentication (SCA) that typically asks cardholders to answer a security question or enter a one-time PIN sent to them via SMS or email.

The steps involved for consumers are:

  1. The cardholder enters their card details into the merchant's online payment gateway.
  2. The system first checks that the card details are correct, then checks whether 3D Secure is enabled for the card.
  3. If 3D Secure is enabled, the cardholder is redirected to either a separate page or an embedded frame.
  4. This page or frame contains instructions for the cardholder to verify their identity, either with a unique security question and answer or with a one-time secure PIN sent to the cardholder's phone.
  5. If the cardholder enters the correct information, the acquirer will authorise the payment.
  6. The customer is then directed back to the merchant's website to receive confirmation of their purchase.

What are the benefits of 3D Secure?

The most apparent advantage of the 3D Secure protocol is that it protects both merchants and customers from online payment fraud. 

Although transactions take marginally longer, since customers are asked to verify their identity, the benefits for merchants should not be understated.

The most significant advantage of using 3D Secure is that in the event of fraud, and therefore a merchant chargeback, the liability shifts to the card issuer.

What is a 3D Secure liability shift? 

A 3D Secure 'liability shift' can occur in the following scenarios:

  • When a cardholder enrolled with 3D Secure submits a merchant chargeback for a fraudulent transaction, but the transaction was successfully verified by the issuing bank using 3D Secure.
  • When a cardholder enrolled with 3D Secure attempts authentication but the issuing bank is unable to respond to the request. The merchant can still go ahead with the transaction, but the liability rests with the issuer.

However, the liability is still with the merchant in the following scenarios: 

  • When an enrolled cardholder fails 3D Secure but the merchant chooses to go ahead with the transaction anyway.
  • When an enrolled cardholder experiences an error during the authentication process at the merchant end (e.g. a network error).

When merchant chargebacks occur, some issuing banks such as Visa will ensure that you don't receive the chargeback on your account. This helps minimise 'friendly fraud', where a cardholder deliberately files a chargeback hoping that the bank will automatically side with them.
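The liability rules above can be written down as a small decision function. This is an added example, not code from the original article or from any card scheme; the field names and the handling of a non-enrolled cardholder (treated as merchant exposure, which the article does not cover) are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Liability(Enum):
    ISSUER = "issuer"
    MERCHANT = "merchant"


@dataclass(frozen=True)
class AuthAttempt:
    """Outcome of one 3D Secure authentication attempt (field names are assumed)."""
    enrolled: bool             # cardholder is enrolled in 3D Secure
    issuer_responded: bool     # the issuing bank answered the authentication request
    merchant_side_error: bool  # failure happened at the merchant end (e.g. network error)
    authenticated: bool        # issuing bank successfully verified the cardholder
    transaction_submitted: bool  # merchant went ahead and submitted the transaction


def liability_for_fraud_chargeback(a: AuthAttempt) -> Optional[Liability]:
    """Who bears a fraud chargeback, following the four scenarios in the text.

    Returns None when no transaction was submitted, because then there is
    nothing to charge back.
    """
    if not a.transaction_submitted:
        return None
    if not a.enrolled:
        # Assumption: the article only describes enrolled cardholders, so a
        # non-enrolled card is treated as ordinary (merchant) exposure.
        return Liability.MERCHANT
    if a.merchant_side_error:
        # Error during authentication at the merchant end: merchant keeps liability.
        return Liability.MERCHANT
    if not a.issuer_responded:
        # Issuer unable to respond: merchant may proceed, liability shifts to issuer.
        return Liability.ISSUER
    if a.authenticated:
        # Successfully verified by the issuing bank: liability shifts to issuer.
        return Liability.ISSUER
    # Enrolled cardholder failed 3D Secure and the merchant proceeded anyway.
    return Liability.MERCHANT
```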

What are the limitations of 3D Secure?

Some 3D Secure transactions create friction for both customers and merchants. They often require lengthy passwords that are easy to forget, or the account may be tied to an old phone number. This creates inefficiencies at the point of sale and can lose merchants money.

Also, not all card issuers take part in the scheme, which means that chargebacks are reduced but not completely eliminated.

And finally, sometimes you can get false declines, whereby the card issuer declines a legitimate transaction, which is costly for the merchant.

What is the Payment Services Directive 2 (PSD2)?

To fully understand the necessity of card security and 3D Secure, it's helpful to understand the role of the Payment Services Directive 2 (PSD2).

PSD2 is legislation passed by the European Union in 2018-2019, designed to encourage safer payment services, cut down on fraud, give customers more control, and drive innovation through open banking.

One way PSD2 aims to tackle payment fraud is with Strong Customer Authentication (SCA). These are essentially checks to verify the customer's identity when making a transaction, either online or in person.

Under PSD2, the customer should be able to prove their identity when purchasing with two out of the following three factors:

  • Knowledge: something that only the cardholder knows, such as a password or PIN.
  • Possession: something that only the cardholder has, such as their digital wallet or physical debit or credit card.
  • Inherence: something unique to the cardholder, such as biometric information including fingerprints or facial recognition.

Not all of these requirements need to be met all of the time. A contactless face-to-face payment of up to £45 can be made without the customer providing their 'knowledge' factor, i.e. their PIN, until either the cumulative value of such payments reaches £150 or five such transactions have been made.

SCA is typically bypassed only in low-risk situations. This lets customers and merchants make frictionless payments that are easy and efficient for both parties.
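The two-of-three factor rule and the contactless thresholds quoted above (£45 per payment, £150 cumulative, five payments) can be modelled as follows. This is an added example, not code from the original article or from any scheme's rulebook; the counter being reset once a full SCA (card plus PIN) completes is an assumption.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "knowledge"    # e.g. PIN or password
    POSSESSION = "possession"  # e.g. the physical card or a digital wallet
    INHERENCE = "inherence"    # e.g. fingerprint or facial recognition


def sca_satisfied(factors: set) -> bool:
    """PSD2 SCA: at least two factors from different categories."""
    return len(factors) >= 2


# Contactless exemption thresholds quoted in the text (GBP).
SINGLE_LIMIT = 45
CUMULATIVE_LIMIT = 150
COUNT_LIMIT = 5


@dataclass
class ContactlessCounter:
    """No-PIN contactless payments since the cardholder last completed SCA."""
    cumulative_value: int = 0
    count: int = 0


def pin_required(amount: int, counter: ContactlessCounter) -> bool:
    """True if the knowledge factor (PIN) must be supplied for this payment."""
    return (amount > SINGLE_LIMIT
            or counter.cumulative_value + amount > CUMULATIVE_LIMIT
            or counter.count + 1 > COUNT_LIMIT)


def contactless_payment(amount: int, counter: ContactlessCounter, factors: set) -> str:
    """Decide a contactless payment; possession (the card) is always required."""
    if Factor.POSSESSION not in factors:
        return "declined: no card presented"
    if not pin_required(amount, counter):
        # Low-risk exemption: single factor suffices, but keep counting towards the limits.
        counter.cumulative_value += amount
        counter.count += 1
        return "approved without PIN"
    if not sca_satisfied(factors):
        return "declined: PIN required"
    # Assumption: a completed SCA restarts the exemption counters.
    counter.cumulative_value = 0
    counter.count = 0
    return "approved with SCA"
```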

PSD2 and 3D Secure for safer mobile ecommerce. 

There is a higher risk of cardholder-not-present fraud when it comes to online payments, which is costly for consumers, merchants, and banks.

This is because, historically, there was no way to tell whether the person purchasing something on their laptop or smartphone was the card owner.

However, 3D Secure provided a method of identification for online payments and counted as a form of Strong Customer Authentication.

This meant that cardholders would need more than just the details printed on the card for a transaction to be verified, making it a lot harder for fraudsters.

The introduction of 3D Secure 2.0 (3DS2). 

With the growth of mobile ecommerce, 3DS needed to evolve to provide a better consumer experience on device. So in 2015, a new standard called 3DS2 was introduced by EMVCo. Its aim is to deliver a better experience, but it has also been extended to incorporate the demands of PSD2 and provide a reliable method of SCA for online payments.

3DS2 collects a lot more information than its predecessor, which means that the cardholder rarely has to input anything for the fraud checks to be made. 

When a 3DS2 transaction happens, specific data points are collected, sent to a 3DS server and routed to the card issuer for approval. The issuer then makes a decision based on the data presented, which includes the IP address, browser language and merchant category code, among many others.

Depending on the decision, the issuer will send back one of two customer flows:

  • Frictionless approval – the issuer approves the transaction immediately, so the cardholder does not need to take any further action.
  • Additional verification – the issuer requests more information from the cardholder, such as a biometric (a fingerprint, for example) or a PIN and login.

As well as making the process easier for consumers, it helps merchants too. With the original 3DS, issuers would err on the side of caution when it came to their liability, declining any transaction they weren't sure about on the basis of very little information, at the cost of the merchant and cardholder.

With access to a lot more data, 3DS2 helps the card issuer make better-informed decisions and reduces the liability exposure for both the issuer and the merchant.

Taking online payments securely.

3D Secure technology is branded under different names and acronyms, which can confuse merchants at the best of times. And with an ever-changing landscape and new technologies formed at such a rapid pace, we're here to keep you at the forefront of technology.

That way, you can take the necessary steps to protect your customers from fraud and your business from the costs associated with it. 

All of our card machines use point-to-point encryption (P2PE) – the best payment security on the market. That means you'll keep customer card data safe and take the pain out of PCI compliance.

See our full range of card machines here, or get your online quote today.