3D Secure explained: How 3DS 2.x improves online payment security

Graphic showing the three domains of 3D Secure

Of the many approaches to reducing payment fraud, the 3D Secure protocol is the one that sits directly inside the purchasing flow: through the card networks, it gives the card issuer a way to authenticate the shopper during checkout, before the merchant asks for authorization.

Third-party credit card fraud is a huge, global problem, estimated to reach $43 billion by 2026. But with global e-commerce sales exceeding $6 trillion annually, merchants and card issuers must carefully balance clamping down on abuse with facilitating swift transactions.

3D Secure 2 aims to balance convenience and security by feeding a large set of signals from the transaction and the buyer’s device into the issuer’s authentication decision, so that in most cases the cardholder is not asked to do anything. 3DS costs merchants a per-transaction fee and adds occasional interruptions, but a successful authentication shifts liability for a fraud chargeback from the merchant to the card issuer.

What is 3D Secure?

3D Secure (often abbreviated 3DS) is an authentication step run during online checkout, before payment authorization, to verify that the purchaser is the legitimate cardholder. It targets third-party fraud, where someone uses another person’s card without their knowledge or approval.

The 3D in 3DS stands for “three domains,” which refers to:

  • Issuer domain: the bank that operates the card account; it authenticates its cardholder through an Access Control Server (ACS)
  • Acquirer domain: the merchant and the company that processes card transactions for it; authentication is initiated here by a 3DS Server, usually run by the payment gateway
  • Interoperability domain: the card network, whose Directory Server routes messages between the other two

Each card network runs its own branded program on top of the protocol, such as Visa Secure (formerly Verified by Visa), Mastercard Identity Check, and American Express SafeKey.

From 3DS to 3DS 2.0

The original 3D Secure (3DS 1) required manual verification at every use, typically a static password or a one-time password (OTP) typed into a pop-up or iframe served by the issuer. This approach proved burdensome and led to more abandoned transactions. It also trained shoppers to enter bank credentials into windows they could not easily verify, which made it a ready target for phishing and spoofing, and it had no proper support for native mobile apps.

3D Secure 2, also known as EMV 3-D Secure and specified by EMVCo, lets situational context, including transaction details, account history, and device intelligence, factor into the issuer’s decision. Most transactions (95% is a commonly claimed number, but we could find no original source!) go through in a few seconds with no extra input from the shopper, the so-called frictionless flow; otherwise the issuer presents a challenge screen asking for an OTP, an approval in the banking app, or other verification.

When is 3DS used?

3DS balances security and convenience for merchants and shoppers. The current version uses many signals, such as the user’s location and details about the device they’re using, to evaluate the trustworthiness of the transaction.

Another balance to consider is that while 3DS shifts liability to the card issuer, it comes with a per-transaction fee, so merchants may choose to run some but not all transactions through 3DS. (For instance, they may skip 3DS for smaller amounts or credit cards already successfully used by the same account.)

However, sometimes it’s not a choice. Some jurisdictions require strong customer authentication by statute: the European Economic Area under PSD2, and India under the Reserve Bank’s additional-factor-of-authentication rules for card-not-present payments, with 3D Secure the usual way to satisfy those rules for card payments. Elsewhere, banks or networks may require it in certain circumstances. As with many financial regulations, there are complications and exceptions: for instance, the EEA exempts low-value transactions and the later payments in a recurring series once the first has been authenticated, though the issuer can still choose to challenge a transaction for which the merchant requested an exemption.
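The routing decision described in this section, as an added example (not Fingerprint’s or any gateway’s code): a merchant-side module that decides, before any 3DS message is sent, whether to invoke 3D Secure at all and which challenge preference to ask the issuer for. The jurisdiction set, the PSD2-style low-value limits, the merchant’s own skip threshold, the `recurring`/`low_value` exemption labels and the dataclass names are assumptions for illustration; only the four `threeDSRequestorChallengeInd` codes come from the EMV 3DS 2 message spec, as I recall it, so confirm them against the version your gateway speaks.

```python
"""Merchant-side pre-3DS routing: invoke 3DS or not, and what to ask the issuer for.

Added example. Outside an SCA mandate the merchant weighs the 3DS fee against
fraud risk; inside one, 3DS is required unless an exemption applies. All limits
and region codes below are assumptions; the issuer keeps the authoritative
counters and may still challenge anything the merchant asked to exempt.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

# threeDSRequestorChallengeInd values 01-04 from the EMV 3DS 2 AReq (as I recall them).
NO_PREFERENCE, NO_CHALLENGE_REQUESTED = "01", "02"
CHALLENGE_REQUESTED, CHALLENGE_MANDATED = "03", "04"

SCA_JURISDICTIONS = {"EEA", "IN"}       # assumed: issuer regions with a statutory SCA mandate
LOW_VALUE_LIMIT = Decimal("30")         # PSD2 RTS Art. 16 single-payment cap (assumed figure)
LOW_VALUE_CUMULATIVE = Decimal("100")   # cumulative amount of exempt payments since the last SCA
LOW_VALUE_MAX_COUNT = 5                 # consecutive exempt payments since the last SCA
MERCHANT_SKIP_BELOW = Decimal("15")     # assumed: merchant skips 3DS under this outside mandates


@dataclass
class CardHistory:
    """Counters the merchant keeps per card; reset whenever SCA was last applied."""
    spent_since_sca: Decimal = Decimal("0")
    count_since_sca: int = 0
    used_successfully_before: bool = False

    def __post_init__(self):
        self.spent_since_sca = Decimal(self.spent_since_sca)


@dataclass
class Txn:
    amount: Decimal
    currency: str
    issuer_region: str          # e.g. "EEA", "IN", "US"
    recurring_subsequent: bool  # later payment in a fixed series whose first payment was authenticated

    def __post_init__(self):
        self.amount = Decimal(self.amount)


@dataclass
class Routing:
    invoke_3ds: bool
    challenge_ind: Optional[str]
    exemption: Optional[str]        # assumed: the gateway maps this to the network's exemption flag
    liability_shift_expected: bool  # an exemption the merchant requests leaves fraud liability with it
    reason: str


def route(txn: Txn, hist: CardHistory) -> Routing:
    if txn.issuer_region not in SCA_JURISDICTIONS:
        # No mandate: trade the per-transaction fee against fraud risk and liability shift.
        if txn.amount < MERCHANT_SKIP_BELOW and hist.used_successfully_before:
            return Routing(False, None, None, False, "merchant policy: small amount on a known card")
        return Routing(True, NO_PREFERENCE, None, True, "merchant policy: authenticate for liability shift")

    if txn.recurring_subsequent:
        # Later instalments are merchant-initiated and reference the authenticated first payment.
        return Routing(False, None, "recurring", False, "subsequent recurring payment, SCA out of scope")

    # Low-value exemption: small payment, and the amount OR count of exempt payments since the last
    # SCA is within limits. "Or" follows the RTS wording; some PSPs apply "and". Only requested here.
    if txn.amount <= LOW_VALUE_LIMIT and (hist.spent_since_sca <= LOW_VALUE_CUMULATIVE
                                          or hist.count_since_sca <= LOW_VALUE_MAX_COUNT):
        return Routing(True, NO_CHALLENGE_REQUESTED, "low_value", False, "low-value exemption requested")

    return Routing(True, CHALLENGE_MANDATED, None, True, "SCA required and no exemption applies")


def record_outcome(hist: CardHistory, txn: Txn, sca_applied: bool) -> CardHistory:
    """Update the counters after the issuer's answer: SCA resets them, an exemption extends the run."""
    if sca_applied:
        hist.spent_since_sca, hist.count_since_sca = Decimal("0"), 0
    else:
        hist.spent_since_sca += txn.amount
        hist.count_since_sca += 1
    hist.used_successfully_before = True
    return hist
```

The point worth noticing is the `liability_shift_expected` flag: a transaction the merchant asks to exempt from a challenge does not get the liability shift that a completed authentication gives, so routing for frictionlessness is a trade against chargeback exposure, not a free win.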

How 3DS works

3D Secure requires participation from all three domains: the merchant (through its payment gateway’s 3DS Server), the card network’s Directory Server, and the issuer’s ACS. Here’s a high-level overview of how the process works:

  1. The merchant optionally runs internal fraud and risk checks to decide whether to trigger 3D Secure authentication (or it may be required anyway by regulation).
  2. The merchant sends transaction details to the payment gateway (e.g., Stripe).
  3. The gateway’s 3DS Server builds an authentication request (AReq) from the transaction, account, and device data and sends it to the card network’s Directory Server.
  4. The Directory Server routes the request through the card network (e.g., Visa, Mastercard) to the ACS of the card issuer (e.g., Chase Bank, HSBC).
  5. The issuer evaluates the risk and answers (ARes) with either a frictionless result or a demand for a challenge.
    • Fingerprint can make a big difference here: our device intelligence helps distinguish trusted users from fraudsters, giving issuers the confidence to approve more transactions without a challenge.
  6. If a challenge is required, the issuer prompts the customer to authenticate (e.g., via OTP, banking app approval, or biometric) in an issuer-served screen rendered in an iframe or inside the app. If it’s frictionless, the buyer sees nothing.
  7. The issuer returns the authentication result (a transaction status plus, on success, an electronic commerce indicator and a cryptographic authentication value) through the 3DS system back to the merchant via the payment gateway.
  8. If authentication succeeded (or the network recorded an attempt because the issuer’s ACS could not respond, which the networks generally treat the same way for liability), the merchant proceeds to payment authorization, passing the authentication value and indicator along in the authorization request. As the party that verified the cardholder, the issuer takes on liability if the cardholder later disputes the transaction as fraud.

Challenges and limitations

3D Secure 2 (the latest version is in fact 2.3.1) has meaningfully reduced online transaction fraud, especially in places where its use is mandatory, such as Europe and India. It’s not a perfect solution, though.

As one more step in the checkout, it can add friction. At best, and most commonly, the few seconds of waiting it adds is tolerable. When it does present a challenge, the extra hassle of waiting for and typing an OTP or logging into a banking app increases the chance that a buyer will abandon the transaction.

3DS also adds complexity for the merchant. E-commerce stacks are already complicated, and 3DS introduces another layer to be implemented, maintained, and occasionally repaired. It also costs money: 3DS services charge between 10 and 30 cents per transaction. The expense cuts into margins, and weighing whether it’s worth paying in order to shift liability complicates risk decisions.

Finally, while 3DS is a global standard, it doesn’t always work seamlessly and isn’t adopted universally. For instance, some US-based prepaid Visa or Mastercard issuers don’t support it, so authentication comes back as unavailable and their cards are unusable wherever regulation or seller policy requires a completed 3DS authentication.

3D Secure authentication inputs

It’s up to the issuing bank to determine if the user is trusted, but the merchant can help optimize the process.

The 3DS protocol lets the merchant (represented by the payment gateway’s 3DS Server) send the issuer a rich set of fields in the authentication request: the details of the transaction at hand, the age and purchase history of the shopper’s account with the merchant, whether the merchant has seen suspicious activity on that account, prior authentication results, and browser or app details such as user agent, screen size, time zone, and language. The merchant’s incentive is to raise the issuer’s confidence enough to skip the challenge and allow a frictionless transaction.

The issuer then runs its own risk assessment, deciding between frictionless, challenge, or outright rejection, across many factors, including the card’s spending patterns, merchant category, cardholder location, and device intelligence.
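The exchange laid out in “How 3DS works” and the inputs described just above, as one added example (not Fingerprint’s, EMVCo’s, or any network’s code): a simulated EMV 3DS 2 round trip in which the merchant’s 3DS Server sends an AReq carrying transaction, account and browser data, the network’s Directory Server routes it to the issuer’s ACS, the ACS scores it and answers frictionless, challenge, or reject, and the merchant maps the final status to an authorization and liability decision. Message and field names (AReq, ARes, CReq, CRes, transStatus, eci, authenticationValue, cardholderAccountInfo, browserInfo) follow the EMV 3DS 2 spec as I recall it; the scoring rules and thresholds, the device-key scheme, the Visa-style ECI values, the HMAC stand-in for the authentication value, the network “attempts” stand-in, and every sample value are constructed for illustration.

```python
"""Simulated EMV 3DS 2 exchange: 3DS Server -> Directory Server -> issuer ACS -> merchant decision.

Added example, not Fingerprint's, EMVCo's or any network's code. Field names follow the
EMV 3DS 2 spec as I recall it; scoring rules, thresholds, device-key scheme, Visa-style
ECI values and all sample data are constructed for illustration.
"""
import hashlib
import hmac
import secrets

FRICTIONLESS_MAX, REJECT_MIN = 40, 90       # assumed score bands for the toy ACS
ECI = {"Y": "05", "A": "06"}                 # assumed Visa-style ECI: authenticated / attempted


def device_key(browser: dict) -> str:
    """Issuer-side 'have we seen this device?' key derived from AReq browserInfo fields."""
    fields = ("browserUserAgent", "browserTZ", "browserScreenWidth",
              "browserScreenHeight", "browserLanguage", "browserColorDepth")
    raw = "|".join(str(browser.get(f, "")) for f in fields).encode()
    return hashlib.sha256(raw).hexdigest()[:16]


class IssuerACS:
    """Toy Access Control Server: scores the AReq, then answers Y, C or R."""

    def __init__(self, known_devices: dict, cavv_key: bytes, available: bool = True):
        self.known_devices = known_devices   # acctNumber -> set of device keys seen at bank login
        self.cavv_key, self.available = cavv_key, available
        self.pending = {}                    # acsTransID -> (areq, OTP sent out of band)

    def score(self, areq: dict) -> int:
        acct, s = areq.get("cardholderAccountInfo", {}), 0
        s += 30 if acct.get("chAccAgeInd") in ("01", "02") else 0      # guest or brand-new account
        s += 40 if acct.get("suspiciousAccActivity") == "02" else 0    # merchant flagged the account
        s += 15 if int(acct.get("nbPurchaseAccount", 0)) == 0 else 0   # no purchase history
        s += 20 if int(areq["purchaseAmount"]) > 50000 else 0          # above 500.00 (minor units)
        seen = self.known_devices.get(areq["acctNumber"], set())
        s += 25 if device_key(areq["browserInfo"]) not in seen else 0  # device intelligence signal
        return s

    def cavv(self, areq: dict) -> str:
        """Stand-in for the network authentication value: an HMAC the issuer re-checks at authorization."""
        msg = f"{areq['acctNumber']}|{areq['purchaseAmount']}|{areq['threeDSServerTransID']}".encode()
        return hmac.new(self.cavv_key, msg, hashlib.sha256).hexdigest()[:28]

    def ares(self, areq: dict) -> dict:
        if not self.available:
            raise ConnectionError("ACS unreachable")
        s = self.score(areq)
        if s >= REJECT_MIN:
            return {"transStatus": "R"}                       # rejected: do not retry
        if s <= FRICTIONLESS_MAX and areq["threeDSRequestorChallengeInd"] != "04":
            return {"transStatus": "Y", "eci": ECI["Y"], "authenticationValue": self.cavv(areq)}
        acs_id = secrets.token_hex(8)                          # "04" = challenge mandated (regulation)
        self.pending[acs_id] = (areq, f"{secrets.randbelow(10 ** 6):06d}")
        return {"transStatus": "C", "acsTransID": acs_id}

    def cres(self, creq: dict) -> dict:
        """Challenge response: compare the cardholder's OTP entry in constant time."""
        areq, otp = self.pending.pop(creq["acsTransID"])
        if hmac.compare_digest(creq["challengeDataEntry"], otp):
            return {"transStatus": "Y", "eci": ECI["Y"], "authenticationValue": self.cavv(areq)}
        return {"transStatus": "N"}


def directory_server(acs: IssuerACS, areq: dict) -> dict:
    """Network DS: route to the issuer; if the ACS is down, return an 'attempts' result (assumed)."""
    try:
        return acs.ares(areq)
    except ConnectionError:
        return {"transStatus": "A", "eci": ECI["A"], "authenticationValue": "ATT-" + secrets.token_hex(6)}


def merchant_decision(result: dict) -> dict:
    """Map the final transStatus to: authorize? and has fraud liability shifted to the issuer?"""
    if result["transStatus"] in ("Y", "A"):   # authenticated, or attempt proof from the network
        return {"authorize": True, "liability_shift": True,
                "eci": result["eci"], "cavv": result["authenticationValue"]}
    # N (failed), R (rejected), U (unavailable): no shift. N/R should stop the sale; U is the merchant's call.
    return {"authorize": False, "liability_shift": False, "eci": None, "cavv": None}


def sample_areq(challenge_ind: str = "01", amount: str = "4999", **overrides) -> dict:
    """Constructed browser-channel AReq; every value is made up."""
    areq = {"messageVersion": "2.2.0", "threeDSServerTransID": secrets.token_hex(8),
            "deviceChannel": "02", "messageCategory": "01", "acctNumber": "4111111111111111",
            "purchaseAmount": amount, "purchaseCurrency": "978", "mcc": "5999",
            "threeDSRequestorChallengeInd": challenge_ind,
            "cardholderAccountInfo": {"chAccAgeInd": "05", "nbPurchaseAccount": "12",
                                      "suspiciousAccActivity": "01"},
            "browserInfo": {"browserUserAgent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0",
                            "browserTZ": "-60", "browserScreenWidth": "1920", "browserScreenHeight": "1080",
                            "browserLanguage": "en-GB", "browserColorDepth": "24"}}
    areq.update(overrides)
    return areq


def run_transaction(acs: IssuerACS, areq: dict, cardholder=None) -> dict:
    """AReq -> ARes, then CReq/CRes if challenged; `cardholder` is a callable that types the OTP it got."""
    res = directory_server(acs, areq)
    if res["transStatus"] == "C":
        sent_otp = acs.pending[res["acsTransID"]][1]           # delivered by SMS or app in reality
        typed = cardholder(sent_otp) if cardholder else ""
        res = acs.cres({"acsTransID": res["acsTransID"], "challengeDataEntry": typed})
    return merchant_decision(res)
```

Run it with an `IssuerACS` seeded with the device key of a browser the cardholder has logged in from: an established account on that device is frictionless; the same account on an unseen device buying above the amount band is challenged and passes only if the typed OTP matches; a guest account the merchant has flagged as suspicious is rejected outright; and an unreachable ACS yields the attempts status, which the merchant still treats as liability-shifted. The two practitioner points the code makes explicit are that the merchant never sees or verifies the OTP (only the issuer does, so the merchant’s job is to supply good inputs and to handle every `transStatus`, not just Y), and that `U` is the one result where the merchant is back to carrying the fraud risk itself.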

How device intelligence works with 3D Secure

Device intelligence is the technique of analyzing dozens or hundreds of data points about the user’s specific browser and device, ranging from easily gathered information like device model and time zone to more esoteric signals like minute differences in how the device renders graphics, and combining them into a stable identifier for that device.

In the context of 3D Secure, the issuer can use device intelligence to determine whether it has seen the device before (for example, because the cardholder has used it to log into the bank’s website or app). Additionally, a service like Fingerprint’s Smart Signals can help decide whether a device’s profile is suspicious.

Financial institutions and fintechs make up many of Fingerprint’s 6,000+ customers. Our industry-leading accuracy gives them the confidence to decide whether they’re dealing with an authentic user—their core responsibility in the 3D Secure process. (Many merchants also use Fingerprint to protect user accounts and their in-house fraud prevention programs.)

Issuers take on liability when approving 3D Secure transactions, but they benefit because they want their cardholders to find it as easy as possible to spend. Device intelligence can be an important part of optimizing competing priorities and keeping users, merchants, and issuers safer from fraud.

FAQ

Is 3D Secure the same as Visa Secure or Mastercard SecureCode?

3D Secure is the protocol; each card network markets its own implementation under its own name, such as Visa Secure (formerly Verified by Visa) and Mastercard Identity Check (formerly SecureCode in the 3DS 1 era). They are all 3D Secure.

Is 3D Secure required for all online transactions?

3D Secure is mandatory for online transactions in some parts of the world, including the European Economic Area and India. Where it is optional, such as in the US, many sellers use it because they find the benefits of reduced fraud and liability to be worth the expense, complexity, and occasional buyer friction.

How do I implement 3D Secure for my business?

It depends on who does your credit card processing. Many payment gateways, such as Stripe, tightly integrate their own 3D Secure service. Some, like Adyen, offer their own 3DS service but allow certain enterprise customers to use a different one. Yet others, such as Authorize.net, generally require you to engage a third-party 3DS service.

How does 3D Secure affect mobile payments?

3D Secure 2 was designed with mobile in mind. In a mobile browser it works the same way as on desktop, with any challenge shown in an iframe; in native apps, the network-certified 3DS SDK collects device data and renders the challenge inside the app rather than bouncing the user out to a browser.
