
3D Secure Protocol

What is 3D Secure?

3D Secure (Three‑Domain Secure) is an authentication protocol developed by EMVCo to verify the identity of a cardholder during online payments. The three domains involved are the issuer (the buyer’s bank), the acquirer (the entity processing the payment), and the interoperability infrastructure of the card schemes.

It is the mechanism that enables compliance with Strong Customer Authentication (SCA), mandatory in the European Economic Area under the PSD2 Directive. Each card network operates its own implementation: Verified by Visa, Mastercard Identity Check, and American Express SafeKey.

[Figure: Comparison between payments with and without 3D Secure in online transactions]

How 3D Secure works

The current version, 3DS2, operates natively within the checkout without redirects. The flow executes in milliseconds:

  • The buyer enters their card details on the payment page.
  • The gateway queries the scheme’s Directory Server to confirm whether the card is enrolled in the protocol.
  • The issuer receives the request along with more than 100 contextual data points (IP, device, history, geolocation).
  • The issuer’s Access Control Server (ACS) applies RBA (real‑time risk‑based authentication). If the risk is low, approval is frictionless. If anomalies are detected, a challenge is triggered: OTP, banking‑app confirmation, or biometrics.
  • The result is returned to the acquirer, which proceeds with authorization.

[Figure: 3D Secure authentication and card payment authorization flow]

With 3DS2, up to 95% of transactions are approved without a visible challenge thanks to contextual risk analysis, reducing cart abandonment compared to the older 3DS1.

Regulatory impact and security requirements of 3D Secure

The legal framework for 3D Secure in Europe is built on three pillars.

PSD2 and EBA RTS. Article 97 of Directive (EU) 2015/2366 requires SCA for electronic payments. Delegated Regulation (EU) 2018/389 defines the applicable exemptions:

  • Low‑value transactions (below 30 €, with cumulative limits of 100 € or 5 consecutive operations).
  • Transaction risk analysis (TRA), applicable if the provider’s fraud rate is below EBA thresholds.
  • Trusted beneficiaries, where the cardholder marks the merchant as a trusted recipient.
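The exemption rules listed above, sketched as an added example that is not code from the original page. `CardState`, `sca_decision` and `record` are hypothetical names; the TRA bands are the reference fraud rates for remote card payments from the annex to Delegated Regulation (EU) 2018/389, and the sketch assumes the deciding party holds the per-card counters and enforces both cumulative limits.

```python
from dataclasses import dataclass
from decimal import Decimal

# Low-value limits as stated on this page.
LOW_VALUE_MAX = Decimal("30")      # single transaction must be below this
CUMULATIVE_MAX = Decimal("100")    # total exempted amount since the last SCA
CONSECUTIVE_MAX = 5                # exempted operations since the last SCA

# TRA bands (RTS annex, remote card payments): (max amount EUR, max fraud rate %).
TRA_BANDS = [(Decimal("100"), Decimal("0.13")),
             (Decimal("250"), Decimal("0.06")),
             (Decimal("500"), Decimal("0.01"))]


@dataclass
class CardState:
    """Hypothetical per-card counters, reset whenever SCA is performed."""
    amount_since_sca: Decimal = Decimal("0")
    count_since_sca: int = 0


def sca_decision(amount, state, psp_fraud_rate_pct, trusted_beneficiary=False):
    """Return the exemption that applies, or 'SCA_REQUIRED'."""
    amount = Decimal(str(amount))
    rate = Decimal(str(psp_fraud_rate_pct))
    if trusted_beneficiary:
        return "TRUSTED_BENEFICIARY"
    # Conservative reading: both the amount and the count limit must hold.
    if (amount < LOW_VALUE_MAX
            and state.amount_since_sca + amount <= CUMULATIVE_MAX
            and state.count_since_sca < CONSECUTIVE_MAX):
        return "LOW_VALUE"
    # TRA: the provider's fraud rate must be at or below the band covering the amount.
    for max_amount, max_rate in TRA_BANDS:
        if amount <= max_amount and rate <= max_rate:
            return "TRA"
    return "SCA_REQUIRED"


def record(amount, state, decision):
    """Update counters: SCA resets them, low-value exemptions accumulate."""
    if decision == "SCA_REQUIRED":
        state.amount_since_sca, state.count_since_sca = Decimal("0"), 0
    elif decision == "LOW_VALUE":
        state.amount_since_sca += Decimal(str(amount))
        state.count_since_sca += 1
```
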

Royal Decree‑Law 19/2018. Transposes PSD2 into Spanish law and limits the cardholder’s liability to 50 € for unauthorized transactions.

PCI DSS v4.0. Requires encryption, access control, and continuous monitoring across all 3DS components (ACS, Directory Server, 3DS Server).

Advantages and disadvantages of 3D Secure

| Advantages | Disadvantages |
| --- | --- |
| Reduced fraud in CNP transactions | Friction if the issuer triggers a challenge |
| Liability shift: chargeback responsibility moves to the issuer after authentication | Dependence on ACS availability |
| Direct compliance with SCA/PSD2 | Complex integration in legacy gateways |
| Higher approval rates with 3DS2 and RBA | Issuers outside the EEA may not support 3DS2 |

For ecommerce, the optimal strategy is to apply smart SCA: enable 3D Secure by default and use exemptions (TRA, low‑value) in coordination with the acquirer to protect conversion.
