3D Secure (alternatively, 3-D Secure/3-Domain Secure) is an additional authentication process for e-commerce transactions which aims to prevent fraudulent use of payment cards online. Most major card schemes implement a brand of 3D Secure.
Authentication occurs prior to authorisation, and if successful, results are passed on to the acquirer and card scheme. These include evidence of the authentication outcome, which can be used to defend against certain types of chargeback on eligible card types. This provides liability shift for merchants, who might otherwise lose funds despite acting in good faith.
3D Secure was first introduced (as 3DSv1) in 2001, usually consisting of a password or simple credential provided by the cardholder to their issuer’s Access Control Server (ACS). This provided some verification, but did not usually facilitate any significant risk analysis, nor allow for more sophisticated authentication approaches. 3DSv1 was decommissioned in late 2022.
3D Secure 2 (3DSv2, also known as EMV 3DS) is the current version of the process, and provides increased security while also aiming to allow for a frictionless payer journey wherever possible. Issuers can now access a broader range of information about the transaction (including some provided by the merchant), and the cardholder’s device, allowing for more sophisticated risk analysis. Where additional authentication is required, a challenge can be invoked, which provides Strong Customer Authentication (SCA). SCA challenges incorporate multi-factor authentication (MFA) and allow cardholders a greater variety of ways to verify their identity, including the use of mobile devices and mobile banking apps. SCA is required to accept cards online in several territories, including the UK, EU and EEA.
Advanced Payments supports 3DSv2 for Visa Secure, Mastercard Identity Check and American Express SafeKey.
See 3D Secure 2 for further information and guidance on implementing it into your payment flow.