What is 3-D Secure?

Max

Created: May 14, 2025

Updated: May 23, 2025


3-D Secure is an authentication protocol used by major payment card networks (Visa, Mastercard, American Express) to verify cardholder identity during online transactions, significantly reducing fraud and enhancing transaction security.

Originally developed by Visa under the name "Verified by Visa," 3-D Secure adds an extra security layer by requiring cardholders to verify their identity during checkout. Key features include:

  • Enhanced Security: Protects online transactions from fraud by verifying the cardholder’s identity through methods such as passwords, SMS-based OTPs (one-time passwords), biometrics, and increasingly advanced methods like passkeys.
  • Liability Shift: Transfers liability for fraudulent transactions away from merchants to card issuers when transactions pass 3-D Secure verification.
  • Improved Checkout Experience (with 3-D Secure 2.0 and above): Modern implementations utilize risk-based authentication, providing frictionless checkout for low-risk transactions and seamless integration of modern authentication methods.

3-D Secure is continually evolving, now widely integrating with advanced authentication standards like passkeys, WebAuthn, and biometrics, enhancing both security and user experience.

Key Takeaways:

  • 3-D Secure is an authentication protocol designed to secure online card transactions by verifying cardholder identity.
  • It significantly reduces online fraud and shifts liability from merchants to card issuers for authenticated transactions.
  • The latest versions (3-D Secure 2.0 and later) integrate smoothly with modern, frictionless authentication methods such as passkeys and biometrics.

How 3-D Secure Works

The 3-D Secure authentication process involves three primary entities (thus "3-D"): the merchant/acquirer, the card issuer, and the payment network (e.g., Visa or Mastercard). The typical flow is as follows:

  1. Transaction Initiation: The cardholder initiates an online transaction by entering card details at checkout.

  2. Authentication Request: The merchant’s payment gateway communicates with the card issuer through the payment network's Access Control Server (ACS), initiating the authentication request.

  3. Risk-Based Authentication:

    • For low-risk transactions, the issuer’s ACS might authenticate automatically without user interaction ("frictionless authentication").
    • Higher-risk transactions prompt additional verification (password, OTP via SMS, biometric check, or passkey authentication).

  4. Authentication Confirmation: Upon successful authentication, the issuer's ACS confirms the cardholder’s identity and authorizes the transaction to proceed.

  5. Transaction Completion: The transaction is finalized securely, significantly reducing fraud risk and liability for merchants.
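The flow above seen from the merchant's side, as an added example that is not part of the original article: it maps the EMV 3-D Secure 2.x `transStatus` codes to a next step and fails closed on malformed or mismatched results. The sample messages are constructed, and the `fallback` action and the liability values for `A` and `U` are assumptions, since the actual liability rules are set by each card scheme.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Decision:
    action: str                      # authorize | challenge | decline | fallback
    flow: str                        # frictionless | challenge
    liability_shift: Optional[bool]  # None: depends on card-scheme rules

# EMV 3DS transStatus -> (action, liability shift). "fallback" is a
# hypothetical label for the merchant's own risk policy.
OUTCOMES = {
    "Y": ("authorize", True),   # cardholder authenticated
    "A": ("authorize", None),   # attempt only, scheme rules decide the shift
    "N": ("decline", False),    # not authenticated
    "R": ("decline", False),    # rejected by the issuer, do not authorize
    "U": ("fallback", False),   # authentication could not be performed
}

def _final(msg: dict, flow: str) -> Decision:
    action, shift = OUTCOMES.get(msg.get("transStatus"), ("decline", False))
    # An authenticated result without its cryptogram cannot be proven in
    # the authorization message, so it is treated as unauthenticated.
    if shift is True and not msg.get("authenticationValue"):
        action, shift = "fallback", False
    return Decision(action, flow, shift)

def handle_ares(ares: dict) -> Decision:
    """Step 3: the issuer ACS answers frictionlessly or asks for a challenge."""
    if ares.get("transStatus") == "C":
        if not ares.get("acsURL"):   # malformed challenge response: fail closed
            return Decision("decline", "challenge", False)
        return Decision("challenge", "challenge", None)
    return _final(ares, "frictionless")

def handle_challenge_result(ares: dict, rreq: dict) -> Decision:
    """Step 4: accept a challenge result only if it belongs to this transaction."""
    tx = ares.get("threeDSServerTransID")
    if not tx or rreq.get("threeDSServerTransID") != tx:
        return Decision("decline", "challenge", False)
    return _final(rreq, "challenge")

# Constructed sample messages (not captured traffic).
LOW_RISK = {"threeDSServerTransID": "tx-1", "transStatus": "Y", "authenticationValue": "c2FtcGxl"}
HIGH_RISK = {"threeDSServerTransID": "tx-2", "transStatus": "C", "acsURL": "https://acs.example/challenge"}
CHALLENGE_OK = {"threeDSServerTransID": "tx-2", "transStatus": "Y", "authenticationValue": "c2FtcGxl"}
WRONG_TX = {"threeDSServerTransID": "tx-9", "transStatus": "Y", "authenticationValue": "c2FtcGxl"}
```
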

Evolution from 3-D Secure 1.0 to 2.0

The original version, 3-D Secure 1.0, faced criticism due to a suboptimal user experience, causing customer frustration and transaction abandonment. In response, EMVCo developed 3-D Secure 2.0, introducing several critical improvements:

  • Frictionless User Experience: 3-D Secure 2.0 leverages advanced analytics and device fingerprinting to authenticate low-risk transactions seamlessly without additional user steps, dramatically reducing cart abandonment.

  • Better Mobile and Cross-Device Support: Optimized for mobile devices and native applications, ensuring consistent, user-friendly authentication across various platforms.

  • Advanced Authentication Methods: Supports modern authentication methods like biometric verification (fingerprint, facial recognition) and passkeys, greatly improving security and convenience.

Benefits of Integrating Passkeys with 3-D Secure

Integrating passkeys into the 3-D Secure authentication process provides numerous benefits:

  • Phishing-Resistant Security: Passkeys leverage public-key cryptography, eliminating vulnerabilities associated with passwords and traditional OTPs.

  • User-Friendly Authentication: Passkeys provide fast, intuitive authentication, reducing friction and significantly improving the online checkout experience.

  • Compliance with Regulations: Passkey integration aligns with regulations like PSD2's Strong Customer Authentication (SCA), ensuring regulatory compliance and robust security.

Real-world Use Cases

3-D Secure is implemented extensively across industries:

  • E-commerce Platforms: Retailers like Amazon or Zalando integrate 3-D Secure to protect their customers and themselves from fraud liability.

  • Subscription-Based Services: Companies like Netflix or Spotify use 3-D Secure authentication to verify customers during initial subscription sign-ups, securely storing credential-on-file tokens for future recurring payments.

  • Online Booking and Travel Sites: Platforms like Booking.com or Expedia leverage 3-D Secure to securely process high-value travel purchases, significantly reducing chargebacks and fraud losses.

As e-commerce and digital transactions continue to grow, 3-D Secure combined with advanced authentication methods like passkeys is becoming essential in providing secure, trustworthy, and user-friendly online payment experiences.

3-D Secure FAQs

What is the main purpose of 3-D Secure?

The main purpose of 3-D Secure is to protect online transactions by verifying the cardholder's identity, significantly reducing fraud risk and enhancing transaction security.

How does 3-D Secure affect transaction liability?

When a transaction is successfully authenticated via 3-D Secure, liability for fraud-related chargebacks typically shifts from the merchant to the card issuer, protecting merchants from financial loss.

What's the difference between 3-D Secure 1.0 and 2.0?

3-D Secure 2.0 introduced frictionless authentication, better mobile support, improved user experience, and advanced authentication methods like biometrics and passkeys, addressing major limitations of version 1.0.

Why integrate passkeys with 3-D Secure?

Passkeys provide strong, phishing-resistant authentication, significantly improving user convenience, reducing transaction abandonment, and aligning with modern security and compliance requirements.

Do all transactions require 3-D Secure authentication?

Not all transactions require explicit user authentication; low-risk transactions often benefit from frictionless authentication, automatically processed in the background without additional user action.
