Back to the Basics: 3DS Explained

Back to the Basics: 3DS Explained

3-D Secure, or 3DS, is a strong customer authentication protocol activated during a card-not-present (CNP) checkout process to confirm the cardholders’ identity prior to authorization. It is an extra layer of protection designed to reduce the risk of online fraud. Merchants all over the world use 3DS as a component of their eCommerce fraud prevention program.  

How does the protocol work? 

After a customer enters card details during online checkout, the issuing bank determines the fraud risk of the transaction based on predetermined data points, such as currency used or the web browser user agent. If the transaction is deemed potentially fraudulent, a window will pop up, requiring the customer to identify themselves (for example, using a password, fingerprint, or face recognition linked with the card being used). The issuer may also verify via an SMS code sent directly to the cardholder’s mobile phone. Once verified, they are able to proceed down the checkout funnel and complete the purchase. 

Here it is step-by-step:

  1. Card information collection
  1. 3D Secure enrolment confirmation
  1. Redirection to card provider’s 3D Secure authentication page
  1. Additional security authentication – using password, fingerprint/face recognition, or SMS verification
  1. Redirection to merchant’s website
  1. Payment confirmation at checkout

Three parties are involved in the 3DS protocol: the acquiring bank (the merchant’s bank), the issuing bank (the cardholder’s bank), and the domain server, also known as the interoperability domain.

3DS 2.X: the next generation 

The original version of 3DS was introduced in 2001. Nearly two decades later, 3DS 2.0 was introduced to answer to future market requirements and new payment channels. The new version supports mobile-based authentication and digital wallets integration.  It replaces the need for static passwords, instead using dynamic verification methods such as biometrics (face or voice recognition) or token-based authentication

to confirm a customer’s identity. The main purpose of 3DS 2.0 is to better facilitate the flow of information. 3DS 2.X supports non-browser-based payment methods, including wearables, in-app purchases, and digital wallets.

3DS 2.X is relevant for merchants who need to be compliant with the European PSD2 regulation. It mandates strong customer authentication (SCA), or two-factor authentication for electronic payments on certain intra-European CNP transactions.

Strong customer authentication pros and cons 

The key benefits for online merchants using 3DS are the reduction in fraud and the liability shift from merchants to banks. By having the customers authenticate themselves with their credit card issuer, in most cases, responsibility for covering chargebacks moved away from the merchant.

While 3DS reduces fraud levels, relying on this protocol alone is an insufficient fraud-protection tactic. Excessive use of 3DS and reliance on the fraud-detection systems and risk rules of payment service providers (PSPs) could lead to more fraudulent transactions being approved. Moreover, the added friction could cause an increase in drop-off due to failed authentication and cart abandonment.