3D Secure – the basics: What businesses need to know

Digital payments live at the intersection of convenience and security. As businesses grow, so does the need for solutions that keep customers' data safe without compromising their online experience. 3D Secure, a go-to authentication protocol for protecting payments, is one solution to this challenge. In 3D Secure 2, this established framework has received an upgrade, with an emphasis on stronger defences and a smoother customer experience.

The rise of mobile and digital transactions has paved the way for protocols such as 3D Secure 2. According to a report from Grand View Research, the global 3D secure payment authentication market was estimated to be worth US$1.1 billion in 2022. Businesses need a system that can be integrated effectively with their existing platforms – a system that offers robust protection while elevating the entire payment experience. Below, we'll look at the specifics of 3D Secure: what it is, how it works and how businesses can implement it to help adapt and optimise their payment systems – all while meeting the demands of their customers.

What's in this article?

  • What is 3D Secure?
  • How does 3D Secure work?
  • 3D Secure 1 vs 3D Secure 2
  • Benefits of implementing 3D Secure
  • Common misconceptions about 3D Secure
  • Challenges and drawbacks of 3D Secure
  • How to implement 3D Secure into your payment system

What is 3D Secure?

3D Secure, short for "Three-Domain Secure", is an authentication protocol that is designed to support the safety of online credit and debit card transactions. The protocol was initially developed by Visa under the name "Verified by Visa". It involves three key parties: the card issuer, the acquirer and the interoperability domain.

The primary function of 3D Secure is to add an extra layer of verification for online payments. While conventional transactions only require card details and a security code, a 3D Secure transaction prompts the cardholder for an additional password or sends a one-off code to their mobile device. This step usually takes place in a pop-up window or an in-app interface.

How does 3D Secure work?

The 3D Secure process is a multi-step, multi-party operation that provides an additional layer of security for online transactions. Each of these steps contributes to creating a reliable and effective authentication system.

The protocol hinges on a complex interaction among three domains: the card issuer, the acquirer and the interoperability domain. Below, we'll break down each integral step of the process.

Transaction initiation

When a customer decides to make a purchase online, they enter their card details on the business's website, as usual. At this point, the business's server recognises the need for 3D Secure authentication and sends a request to the acquirer – the financial institution that processes the business's card transactions.

The business plays a key role in this step, because the server determines whether 3D Secure is necessary based on the nature of the transaction and the policies of the card issuer. Recognising when to employ this extra level of security can reduce the incidence of fraudulent transactions substantially.

Request for authentication

The acquirer forwards this request to the card network, often Visa or Mastercard, which facilitates communication between the issuer and the acquirer.

Timely and accurate communication between the acquirer and the card network can mean the difference between a successful and failed transaction. Errors or delays can lead to transaction abandonment, which has a negative effect on both the customer experience and the business's revenue.

Authentication process

The card network identifies the card issuer and transmits the authentication request to it. The issuer then prompts the cardholder for additional information, usually through a pop-up window or an in-app interface.

During this step, the issuer must balance security and customer experience effectively. While confirming the cardholder's identity is extremely important, using overly complicated or time-consuming prompts can deter customers and lead to lost sales.

Confirmation or denial

Once the cardholder has provided the requested information, the issuer evaluates it to authenticate the transaction. The issuer then sends a response back through the card network to the acquirer, which subsequently informs the business.

This step is a focal point in the transaction process. A positive authentication gives the green light for the transaction, while often reducing the business's liability for chargebacks related to fraud. Conversely, a negative response can result in the transaction's cancellation, although this also serves as a protective measure against unauthorised use of the card.

Completion of the transaction

Finally, if the issuer confirms the cardholder's identity, the business proceeds with the transaction and delivers the goods or services. The business should provide clear messaging to the customer about the transaction outcome at this stage, as this sets the tone for post-purchase interactions, such as product delivery and customer service.

3D Secure 1 vs 3D Secure 2

EMVCo introduced the update for 3D Secure 2 (from 3D Secure 1) in October 2016, but adoption and full implementation by businesses, issuers and payment gateways was not immediate. There was a broader push for the adoption of 3D Secure 2 in 2019, as a result of several new regulations – including the European Union's Revised Payment Services Directive (PSD2) and its requirements for Strong Customer Authentication (SCA).

While 3D Secure 1 and 3D Secure 2 are both authentication protocols for online credit card transactions, they have key differences in their design and customer experience. Here's how they compare:

Customer experience

  • 3D Secure 1: customers were redirected to a separate authentication page, which sometimes resulted in a more disruptive checkout experience.
  • 3D Secure 2: designed in part to improve the customer experience, 3D Secure 2 minimises interruptions during the checkout process. Usually, only high-risk transactions require additional authentication.

Mobile integration

  • 3D Secure 1: it wasn't optimised for mobile experiences, which sometimes led to non-responsive or awkwardly displayed authentication pages on mobile devices.
  • 3D Secure 2: built for mobile use, it's optimised for smoother mobile integrations and works well with mobile apps and browsers.

Data points

  • 3D Secure 1: used fewer data points during the authentication process.
  • 3D Secure 2: uses many more data points (such as transaction history and device information) for a risk-based assessment. This allows for smarter authentication, where low-risk transactions may not need additional verification.

Frictionless flow

  • 3D Secure 1: typically required a password or some form of static authentication from the cardholder.
  • 3D Secure 2: introduces a "frictionless flow", where certain transactions can be authenticated without the need for cardholder interaction.

Scope of transactions

Regulation and compliance

  • 3D Secure 1: pre-dated some of the modern online payment regulations.
  • 3D Secure 2: designed to comply with the European Union's Revised Payment Services Directive (PSD2), especially its requirement for Strong Customer Authentication (SCA) for online transactions.

Issuer and business communication

  • 3D Secure 1: had limited ways for issuers and businesses to communicate about transactions.
  • 3D Secure 2: facilitates more direct communication between issuers and businesses, allowing for real-time decision-making based on transaction risk.

Both protocols provide a secure environment for online credit card transactions, but the implementation of 3D Secure 2 introduces advances in the customer experience, mobile optimisation and adaptive authentication methods. This new iteration allows for a more modern and user-friendly solution for online commerce.

Benefits of implementing 3D Secure

  • Reduced risk of fraudulent transactions
    The 3D Secure technology vets transactions in real time by requesting additional identification steps from customers. This eliminates the majority of unauthorised transactions and leads to an overall decrease in fraud-related costs for businesses. Fewer chargebacks also mean a more favourable rating with banks. In 2022, payment fraud caused estimated e-commerce losses of US$41 billion globally, according to Statista data, which highlights the scale of fraudulent transactions that businesses face.

  • Increased customer trust and confidence
    For shoppers, an extra layer of authentication provides a green light to proceed safely. This increased confidence has long-lasting benefits. It can reverberate through the customer life cycle, helping to convert one-off buyers into repeat customers and turning occasional shoppers into brand advocates.

  • Compliance with regulatory standards
    Legal compliance is a complicated and unavoidable part of doing business in the digital age. Regulatory bodies frequently update their guidelines, making it difficult for businesses to keep up. Incorporating 3D Secure can help you to stay compliant and avoid hefty fines and legal complications. A reputation for stringent compliance can also become a market differentiator, offering wary customers a solid reason to choose your platform over a less secure competitor.

Common misconceptions about 3D Secure

There are several misconceptions about 3D Secure that can affect a business's decision to implement the technology. Seeing the truth behind these common misconceptions is key to making an informed choice. Let's take a closer look:

  • Misconception 1: It scares away customers.
    The idea that added security measures result in abandoned baskets isn't entirely accurate. Data suggests that when people see businesses taking steps to protect customer information, they're more likely to finalise a purchase. These measures can help customers to associate your brand with feelings of trust and safety, eventually leading to customer retention and long-term loyalty.

  • Misconception 2: It's a bulletproof solution to fraud.
    While 3D Secure reduces the risk of fraudulent transactions substantially, no system is perfect. Consequently, a balanced strategy should involve multiple layers of security measures, including but not limited to 3D Secure, to combat different types of fraudulent activity most effectively.

  • Misconception 3: It slows down transactions.
    There is a perception that 3D Secure adds unnecessary delays to transaction time. However, the extra few seconds that authentication takes can save time in the long run by reducing the number of transactions that need to be investigated for fraud. The potential for reduced chargeback fees and other fraud-related costs can compensate for any minimal delays in transaction time.

  • Misconception 4: It's only for high-risk industries.
    Some see 3D Secure as only being beneficial for certain sectors, such as luxury goods or online gambling, where high-value transactions are common. However, this is not the case. Businesses across many different sectors can benefit from added security – even businesses that don't operate in high-risk industries. 3D Secure is like an insurance policy – it's better to have it and not need it, rather than need it and not have it.

Challenges and drawbacks of 3D Secure

While 3D Secure has many benefits, challenges and drawbacks also exist, which businesses may face when implementing this technology.

  • Increased basket abandonment rates
    One challenge that businesses might come up against with 3D Secure is an increase in basket abandonment rates. Sometimes, customers exit the transaction process when they encounter an extra authentication process because they think it's cumbersome or they distrust its purpose. Although the intent of 3D Secure is to add a layer of safety, customers who see this as an inconvenience are less likely to complete their purchase.

  • Complexity in customer experience
    Adding multiple steps to the checkout process can lead to complexity in the customer experience. The less intuitive a payment process is, the more likely a customer is to abandon it. A payment experience should be as smooth as possible while maintaining necessary security measures, a balance that is sometimes challenging to maintain with the inclusion of 3D Secure.

  • Operational demands
    Implementing 3D Secure often means making changes to existing systems and processes. This could involve updating IT infrastructure and employee training, as well as ensuring that customer-service representatives are equipped to handle related queries. The initial investment in time and resources can be considerable, which might deter some businesses from adopting the technology.

  • Liability concerns
    While 3D Secure shifts some liability for fraudulent transactions away from businesses, the conditions and terms governing this shift can be complex. Not every fraudulent scenario is covered and businesses must remain vigilant in their anti-fraud measures. A misplaced sense of security could make businesses less cautious, which could have negative repercussions in the long run.

Even though 3D Secure has potential challenges, the right planning can offset these issues. One option for businesses is to work with a strong, comprehensive payment provider, such as Stripe.

How to implement 3D Secure into your payment system

Incorporating 3D Secure into your payment system provides an extra layer of security that acts as a preventive measure against fraudulent transactions. Stripe provides comprehensive support for 3D Secure 2, a more advanced and user-friendly version of this security protocol. Here are some key steps and considerations to bear in mind for implementation:

  • Integrate with Stripe's APIs
    Stripe facilitates 3D Secure 2 through its payment APIs and Checkout feature. Integrating these tools into your system protects high-risk transactions against potential fraud. A key advantage of using Stripe's integration is its capability to apply 3D Secure 2 when the cardholder's bank supports it and revert to 3D Secure 1 when necessary.

  • Focus on mobile applications
    Mobile apps demand a smooth transaction flow. Stripe's iOS and Android SDKs enable in-app authentication, creating a more direct experience for customers. This prevents customers from being redirected to external pages, which can interrupt the payment process. Even if a bank doesn't support 3D Secure 2, Stripe's mobile SDKs will display 3D Secure 1 in a webview embedded in your app.

  • Prioritise customer experience
    3D Secure 2 has been developed with smartphones in mind, allowing banks to update their authentication methods. For example, customers might authenticate a payment using their fingerprint or face ID, instead of traditional passwords or text messages. This new technology promotes a better transaction experience, with fewer interruptions.

  • Embrace web and mobile checkout flows
    3D Secure 2's design embeds the challenge flow within both web and mobile checkouts, eliminating the need for full-page redirects. If a customer confirms their identity on your website or application, they'll see the 3D Secure prompt within a modal on the checkout page.

  • Stay up to date with regulations
    If you do business in Europe, the enforcement of Strong Customer Authentication (SCA) is key. SCA mandates more stringent authentication for European payments, making the customer experience of 3D Secure 2 invaluable. Through the use of 3D Secure 2, businesses can minimise any potential negative impact on conversion rates.

  • Use the flexibility of 3D Secure 2
    Stripe's adaptability with the 3D Secure 2 protocol allows authentication to be skipped for certain transactions and for the "frictionless" flow to be used, especially if transactions are deemed to be "low risk". However, if the payment provider asks for an exemption and the transaction uses the "frictionless" method, the liability shift benefits may not apply.
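
One way a merchant server could gate fulfilment on the outcome described under "Confirmation or denial" and on the liability caveat in the last point above. This is an added example, not Stripe's code: the field names follow the `three_d_secure` details Stripe reports on a card charge, while the policy table, `no_shift_limit` and the sample records are assumptions constructed for illustration.

```python
from typing import NamedTuple, Optional

# Assumed policy for this sketch, keyed on three_d_secure.result.
# True = liability shift expected; False = shift may not apply.
SHIFT_BY_RESULT = {
    "authenticated": True,         # issuer verified the cardholder
    "attempt_acknowledged": True,  # network recorded proof of the attempt
    "exempted": False,             # exemption used, shift may not apply
    "not_supported": False,        # card or issuer cannot do 3D Secure
}


class Decision(NamedTuple):
    fulfil: bool
    liability_shift: bool
    reason: str


def evaluate_charge(charge: dict, no_shift_limit: int = 0) -> Decision:
    """Server-side gate run before goods or services are released.

    no_shift_limit (hypothetical merchant setting, minor currency units) is
    the largest amount accepted without an expected liability shift.
    """
    if charge.get("status") != "succeeded":
        return Decision(False, False, "charge not succeeded")
    card = (charge.get("payment_method_details") or {}).get("card") or {}
    tds = card.get("three_d_secure")
    if tds is None:
        shift, reason = False, "3DS not attempted"
    else:
        result = tds.get("result")
        if result not in SHIFT_BY_RESULT:
            # failed, processing_error or a value this code does not know:
            # fail closed rather than guess.
            return Decision(False, False, f"3DS result {result!r} rejected")
        shift = SHIFT_BY_RESULT[result]
        reason = f"{result} ({tds.get('authentication_flow') or 'no flow'})"
    if not shift and charge.get("amount", 0) > no_shift_limit:
        return Decision(False, False, f"{reason}: over no-shift limit")
    return Decision(True, shift, reason)


def sample(amount: int, result: Optional[str], flow: Optional[str] = None) -> dict:
    """Build a constructed charge record with only the fields used above."""
    tds = None if result is None else {"result": result, "authentication_flow": flow}
    return {"status": "succeeded", "amount": amount,
            "payment_method_details": {"card": {"three_d_secure": tds}}}


if __name__ == "__main__":
    for c in (sample(4200, "authenticated", "challenge"), sample(900, "exempted"),
              sample(25000, "exempted"), sample(4200, "failed", "challenge")):
        print(evaluate_charge(c, no_shift_limit=1000))
```

The decision is made from the charge record fetched on the server, never from what the browser or app reports after the prompt closes.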

Incorporating 3D Secure 2 into your payment system can help to prevent fraud while ensuring that the payment experience is as user-friendly as possible. By leveraging Stripe's tools and following the above guidelines, businesses can achieve a balanced combination of security and usability.
