Authentication
3-D Secure
Also: 3DS, 3DS2, EMV 3DS
A card-network authentication protocol that shifts fraud liability from the merchant to the issuer when a cardholder is verified.
3-D Secure (3DS) is an authentication protocol designed by EMVCo to reduce fraud and provide added security to online card-not-present (CNP) transactions. Supported by major schemes including Visa and Mastercard, the protocol acts as an additional layer between the merchant and the issuer to verify the identity of the cardholder before an authorisation request is processed. Under the Strong Customer Authentication (SCA) requirements of the Revised Payment Services Directive (PSD2) in Europe, 3DS is often mandatory for most electronic payments. The current iteration, 3DS2, allows for a data-heavy exchange between the merchant and the issuer, enabling risk-based authentication where many transactions are approved without a user challenge. When a transaction is successfully authenticated or the issuer does not support the protocol, the liability for fraudulent chargebacks typically shifts from the acquirer and merchant to the card issuer. This protection helps lower the effective cost of merchant service charges by reducing fraud loss and administrative overhead related to disputes.
Frequently asked
How does 3-D Secure 2 improve the user experience compared to the original version?
3DS2 supports risk-based authentication by sharing extensive data points, such as device IDs and transaction history, with the issuer. This allows for a frictionless flow where the cardholder is not required to take any action for low-risk payments. If a challenge is required, it can now be completed via biometrics or app-based notifications rather than old-fashioned static passwords.
Does 3-D Secure eliminate all types of chargebacks for a merchant?
No, 3DS only provides a liability shift for specific fraud-related reason codes. It does not protect the merchant against disputes related to goods not received, service quality, or administrative errors. Merchants must still manage their internal processes to prevent non-fraud chargebacks which are not covered by the protocol.
Related terms
Ready for velocity?
Tell us about your business. We'll match you with the right acquiring partners and the right route, typically inside a week.
