---
url: 'https://www.corbado.com/glossary/3d-secure'
title: '3-D Secure'
description: 'Discover what 3-D Secure is, how it protects online transactions, reduces fraud risks, and integrates seamlessly with modern authentication methods like passkeys.'
lang: 'en'
keywords: '3-D Secure'
---

# 3-D Secure

## What is 3-D Secure?

**3-D Secure** is an authentication protocol used by major
[payment](https://www.corbado.com/passkeys-for-payment) card networks (Visa,
[Mastercard](https://www.corbado.com/blog/mastercard-passkeys), American Express) to verify cardholder identity
during online transactions, significantly reducing fraud and enhancing transaction
security.

Originally developed by [Visa](https://www.corbado.com/blog/visa-passkeys) under the name "Verified by
[Visa](https://www.corbado.com/blog/visa-passkeys)," 3-D Secure adds an extra security layer by requiring
cardholders to verify their identity during checkout. Key features include:

- **Enhanced Security:** Protects online transactions from fraud by verifying the
  cardholder’s identity through methods such as passwords, SMS-based OTPs (one-time
  passwords), biometrics, and increasingly advanced methods like passkeys.
- **Liability Shift:** Transfers liability for fraudulent transactions away from
  [merchants](https://www.corbado.com/glossary/merchant) to card [issuers](https://www.corbado.com/glossary/issuer) when transactions
  pass 3-D Secure verification.
- **Improved Checkout Experience (with 3-D Secure 2.0 and above):** Modern implementations
  utilize risk-based authentication, providing frictionless checkout for low-risk
  transactions and seamless integration of modern authentication methods.

3-D Secure is continually evolving, now widely integrating with advanced authentication
standards like passkeys, WebAuthn, and biometrics, enhancing both security and user
experience.

> **Key Takeaways:**
> 
> - **3-D Secure** is an authentication protocol designed to secure online card transactions
>   by verifying cardholder identity.
> - It significantly reduces online fraud and shifts liability from
>   [merchants](https://www.corbado.com/glossary/merchant) to card [issuers](https://www.corbado.com/glossary/issuer) for authenticated
>   transactions.
> - The latest versions (3-D Secure 2.0 and later) integrate smoothly with modern,
>   frictionless authentication methods such as passkeys and biometrics.

---

## How 3-D Secure Works

The 3-D Secure authentication process involves three primary entities (thus "3-D"): the
[merchant](https://www.corbado.com/glossary/merchant)/[acquirer](https://www.corbado.com/glossary/acquirer), the card
[issuer](https://www.corbado.com/glossary/issuer), and the [payment](https://www.corbado.com/passkeys-for-payment) network (e.g.,
[Visa](https://www.corbado.com/blog/visa-passkeys) or [Mastercard](https://www.corbado.com/blog/mastercard-passkeys)). The typical flow
is as follows:

1. **Transaction Initiation:** The cardholder initiates an online transaction by entering
   card details at checkout.

2. **Authentication Request:** The [merchant](https://www.corbado.com/glossary/merchant)’s
   [payment](https://www.corbado.com/passkeys-for-payment) gateway sends the authentication request
   through the payment network to the card [issuer](https://www.corbado.com/glossary/issuer)’s
   Access Control Server (ACS).

3. **Risk-Based Authentication:**
    - For low-risk transactions, the [issuer](https://www.corbado.com/glossary/issuer)’s [ACS](https://www.corbado.com/glossary/acs)
      might authenticate automatically without user interaction ("frictionless
      authentication").
    - Higher-risk transactions prompt additional verification (password, OTP via SMS,
      biometric check, or passkey authentication).

4. **Authentication Confirmation:** Upon successful authentication, the
   [issuer's](https://www.corbado.com/glossary/issuer) [ACS](https://www.corbado.com/glossary/acs) confirms the cardholder’s identity
   and authorizes the transaction to proceed.

5. **Transaction Completion:** The transaction is finalized securely, significantly
   reducing fraud risk and liability for [merchants](https://www.corbado.com/glossary/merchant).
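
The flow above as a small simulation, added here as an illustration (it is not code from this page or from any payment provider): the issuer's ACS either passes a low-risk transaction without interaction or asks for a challenge, and the merchant proceeds only on an explicit authenticated result. The `transStatus` codes `Y`, `C`, `N` and `U` come from EMV 3-D Secure 2.x; the function names, the risk score, its threshold and the liability flag are assumptions made for the example.

```python
from dataclasses import dataclass

# transStatus codes defined by EMV 3-D Secure 2.x
AUTHENTICATED, CHALLENGE, NOT_AUTHENTICATED, UNAVAILABLE = "Y", "C", "N", "U"


@dataclass(frozen=True)
class Decision:
    action: str            # "authorize" or "decline"
    flow: str              # "frictionless", "challenge" or "none"
    liability_shift: bool  # simplified assumption; scheme rules decide in practice


def acs_assess(risk_score: float, threshold: float = 0.3) -> str:
    """Issuer side (hypothetical policy): low risk passes without interaction."""
    return AUTHENTICATED if risk_score < threshold else CHALLENGE


def acs_challenge(cardholder_verified: bool) -> str:
    """Issuer side: outcome of the OTP, biometric or passkey step."""
    return AUTHENTICATED if cardholder_verified else NOT_AUTHENTICATED


def merchant_decide(final_status: str, challenged: bool) -> Decision:
    """Merchant side: only an explicit 'Y' proceeds; everything else fails closed."""
    if final_status == AUTHENTICATED:
        return Decision("authorize", "challenge" if challenged else "frictionless", True)
    return Decision("decline", "none", False)


def checkout(risk_score: float, cardholder_verified: bool = False) -> Decision:
    """Steps 2 to 5 of the flow, with the network round trips collapsed into calls."""
    status = acs_assess(risk_score)
    challenged = status == CHALLENGE
    if challenged:
        status = acs_challenge(cardholder_verified)
    return merchant_decide(status, challenged)


if __name__ == "__main__":
    # Constructed inputs: (risk score, does the cardholder pass a challenge?)
    for score, ok in [(0.05, False), (0.80, True), (0.80, False)]:
        print(score, ok, checkout(score, ok))
    # An ACS that could not authenticate at all is not treated as a pass.
    print(merchant_decide(UNAVAILABLE, False))
```

A pending `C` or an unavailable `U` result reaching `merchant_decide` is declined rather than treated as success, so an interrupted or failed authentication never counts as an authenticated transaction.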

## Evolution from 3-D Secure 1.0 to 2.0

The original version, 3-D Secure 1.0, faced criticism due to a suboptimal user experience,
causing customer frustration and transaction abandonment. In response, EMVCo developed 3-D
Secure 2.0, introducing several critical improvements:

- **Frictionless User Experience:** 3-D Secure 2.0 leverages advanced analytics and device
  fingerprinting to authenticate low-risk transactions seamlessly without additional user
  steps, dramatically reducing [cart abandonment](https://www.corbado.com/blog/ecommerce-authentication).

- **Better Mobile and Cross-Device Support:** Optimized for mobile devices and native
  applications, ensuring consistent,
  [user-friendly authentication](https://www.corbado.com/faq/passkey-user-experience-benefits-non-technical-audience)
  across various platforms.

- **Advanced Authentication Methods:** Supports modern authentication methods like
  biometric verification (fingerprint, facial recognition) and passkeys, greatly improving
  security and convenience.

## Benefits of Integrating Passkeys with 3-D Secure

Integrating passkeys into the 3-D Secure authentication process provides numerous
benefits:

- **Phishing-Resistant Security:** Passkeys leverage public-key cryptography, eliminating
  [vulnerabilities](https://www.corbado.com/glossary/vulnerability) associated with passwords and traditional
  OTPs.

- **User-Friendly Authentication:** Passkeys provide fast, intuitive authentication,
  reducing friction and significantly improving the online checkout experience.

- **Compliance with Regulations:** Passkey integration aligns with regulations like
  [PSD2's](https://www.corbado.com/blog/psd2-passkeys) [Strong Customer Authentication](https://www.corbado.com/faq/sca-psd2-importance)
  (SCA), ensuring [regulatory compliance](https://www.corbado.com/blog/cybersecurity-frameworks) and robust
  security.

## Real-world Use Cases

3-D Secure is implemented extensively across industries:

- **E-commerce Platforms:** Retailers like Amazon or Zalando integrate 3-D Secure to
  protect their customers and themselves from fraud liability.

- **Subscription-Based Services:** Companies like Netflix or Spotify use 3-D Secure
  authentication to verify customers during initial subscription sign-ups, securely
  storing credential-on-file tokens for future recurring
  [payments](https://www.corbado.com/passkeys-for-payment).

- **Online Booking and Travel Sites:** Platforms like Booking.com or Expedia leverage 3-D
  Secure to securely process high-value [travel](https://www.corbado.com/passkeys-for-travel) purchases,
  significantly reducing chargebacks and fraud losses.

As [e-commerce](https://www.corbado.com/passkeys-for-e-commerce) and digital transactions continue to grow, 3-D
Secure combined with advanced authentication methods like passkeys is becoming essential
in providing secure, trustworthy, and user-friendly online payment experiences.

## 3-D Secure FAQs

### What is the main purpose of 3-D Secure?

The main purpose of 3-D Secure is to protect online transactions by verifying the
cardholder's identity, significantly reducing fraud risk and enhancing transaction
security.

### How does 3-D Secure affect transaction liability?

When a transaction is successfully authenticated via 3-D Secure, liability for
fraud-related chargebacks typically shifts from the [merchant](https://www.corbado.com/glossary/merchant) to the
card issuer, protecting merchants from financial loss.

### What's the difference between 3-D Secure 1.0 and 2.0?

3-D Secure 2.0 introduced frictionless authentication, better mobile support, improved
user experience, and advanced authentication methods like biometrics and passkeys,
addressing major limitations of version 1.0.

### Why integrate passkeys with 3-D Secure?

Passkeys provide strong, [phishing](https://www.corbado.com/glossary/phishing)-resistant authentication,
significantly improving user convenience, reducing transaction abandonment, and aligning
with modern security and compliance requirements.

### Do all transactions require 3-D Secure authentication?

Not all transactions require explicit user authentication; low-risk transactions often
benefit from frictionless authentication, automatically processed in the background
without additional user action.
