3D Secure
What Is 3D Secure? Definition and How It Works
Definition
3D Secure (3DS) is a card network authentication protocol that adds an additional verification step between the cardholder and the issuer before an online payment is authorised, reducing fraud liability and satisfying Strong Customer Authentication requirements under PSD2.
How it works
3DS involves three domains: the merchant's acquiring domain, the interoperability domain (the card network infrastructure), and the issuer's domain. When a transaction is initiated, the merchant's payment system sends transaction context data to the card network's directory server, which routes it to the issuer's access control server (ACS) for a risk decision.
3DS 2.x, the current baseline, supports two authentication flows. In the frictionless flow, the issuer's ACS uses the transaction context data (device fingerprint, browser characteristics, transaction history, behavioural data) to authenticate the cardholder without presenting any additional challenge. This is the preferred outcome for both merchant and cardholder. In the challenge flow, the issuer's ACS decides that the risk signals are not sufficient to approve the transaction frictionlessly and presents the cardholder with an authentication challenge, typically a one-time passcode, a biometric, or a banking app notification.
The volume of data sent to the issuer in 3DS 2.x is significantly greater than in 3DS 1.0. Over 100 data elements can be passed, giving issuers far more signal for their risk assessment than was possible under the original protocol. More data generally results in higher frictionless rates and fewer false-positive challenges.
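The round trip described above, modelled end to end, as an added example (this is illustrative code, not PXP's implementation or any card network's real rules). The three domains are a merchant-side 3DS Server, a Directory Server that routes by BIN, and an issuer ACS. The risk scoring, the list of context signals, the thresholds and the HMAC-based one-time code are all constructed assumptions; only the `transStatus` letters Y (authenticated), C (challenge required) and N (not authenticated) follow the EMVCo 3DS 2 result codes. The point it makes is the one in the text: the same transaction gets a frictionless Y when the context is rich and a C when the context is sparse.

```python
"""Toy model of a 3DS 2.x authentication round trip (added example, not PXP code).

Domains: merchant/acquirer (3DS Server), interoperability (Directory Server)
and issuer (ACS). Risk weights, signal names and the OTP scheme are
constructed assumptions; transStatus Y / C / N are the EMVCo 3DS 2 values.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class AuthRequest:
    """Minimal AReq-like message; field names are constructed, not the spec's."""
    card_bin: str
    amount: int                                   # minor units
    currency: str
    merchant_id: str
    context: dict = field(default_factory=dict)   # device, browser and history signals


@dataclass
class AuthResult:
    trans_status: str        # "Y" authenticated, "C" challenge required, "N" failed
    reason: str


class AccessControlServer:
    """Issuer domain: scores the transaction context and runs the challenge."""

    # Signals the toy model looks for; real 3DS 2 carries well over 100 elements.
    SIGNALS = ("browser_ua", "browser_ip", "device_id", "ship_bill_match", "prior_txn_count")

    def __init__(self, otp_secret: bytes) -> None:
        self._otp_secret = otp_secret

    def assess(self, req: AuthRequest) -> AuthResult:
        present = [k for k in self.SIGNALS if k in req.context]
        coverage = len(present) / len(self.SIGNALS)
        risk = 0
        if coverage < 0.6:                                  # sparse context: little to go on
            risk += 40
        if req.amount > 25_000:                             # high value (assumed threshold)
            risk += 30
        if req.context.get("ship_bill_match") is False:     # shipping/billing mismatch
            risk += 20
        if req.context.get("prior_txn_count", 0) == 0:      # no history with this merchant
            risk += 15
        if risk < 50:
            return AuthResult("Y", f"frictionless: risk={risk}, signals={len(present)}")
        return AuthResult("C", f"challenge: risk={risk}, signals={len(present)}")

    def issue_otp(self, req: AuthRequest) -> str:
        """One-time code bound to the transaction (constructed scheme, for the demo only)."""
        msg = f"{req.card_bin}|{req.amount}|{req.currency}|{req.merchant_id}".encode()
        return hmac.new(self._otp_secret, msg, hashlib.sha256).hexdigest()[:6]

    def verify_challenge(self, req: AuthRequest, otp: str) -> AuthResult:
        if hmac.compare_digest(self.issue_otp(req), otp):
            return AuthResult("Y", "challenge passed")
        return AuthResult("N", "challenge failed")


class DirectoryServer:
    """Interoperability domain: routes the request to the issuing ACS by BIN prefix."""

    def __init__(self, bin_table: dict[str, AccessControlServer]) -> None:
        self._bins = bin_table

    def route(self, req: AuthRequest) -> AccessControlServer:
        for prefix, acs in self._bins.items():
            if req.card_bin.startswith(prefix):
                return acs
        raise LookupError("card range not enrolled in 3DS")


def authenticate(ds: DirectoryServer, req: AuthRequest, answer_challenge=None) -> AuthResult:
    """Merchant 3DS Server: send context via the DS, take the ACS verdict, complete a challenge if asked.

    answer_challenge(acs, req) -> str stands in for the cardholder entering the code.
    """
    acs = ds.route(req)
    result = acs.assess(req)
    if result.trans_status == "C" and answer_challenge is not None:
        result = acs.verify_challenge(req, answer_challenge(acs, req))
    return result


if __name__ == "__main__":
    acs = AccessControlServer(b"demo-issuer-secret")           # constructed secret
    ds = DirectoryServer({"4111": acs})
    rich = AuthRequest("411111", 4_999, "EUR", "merchant-1", {
        "browser_ua": "Mozilla/5.0", "browser_ip": "203.0.113.7", "device_id": "dev-42",
        "ship_bill_match": True, "prior_txn_count": 12,
    })
    sparse = AuthRequest("411111", 4_999, "EUR", "merchant-1")
    print("rich context   ->", authenticate(ds, rich))
    print("sparse context ->", authenticate(ds, sparse))
    print("sparse + code  ->", authenticate(ds, sparse, lambda a, r: a.issue_otp(r)))
```

The merchant never sees the issuer's scoring; it only learns Y, C or N. That is why data quality matters from the merchant side: the only lever it has on the frictionless rate is what it puts in the request.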
3DS 2.x is the baseline requirement for SCA compliance in Europe under PSD2. Merchants processing card transactions in the European Economic Area must implement 3DS 2.x for in-scope transactions, with SCA exemptions available for eligible low-risk transactions.
Why it matters
Liability shift is the core risk management benefit: when a transaction is authenticated via 3DS and subsequently results in a chargeback claiming fraud, liability shifts from the merchant to the issuer. Merchants without 3DS authentication bear the fraud chargeback liability themselves.
Frictionless rate determines conversion impact: 3DS only reduces conversion if it triggers a challenge. Merchants sending rich transaction context data to the issuer achieve higher frictionless rates, meaning authentication completes without any cardholder interaction. Poor 3DS data quality leads to unnecessary challenges that reduce conversion.
SCA compliance is mandatory in the EEA: merchants processing card payments in the European Economic Area must implement 3DS 2.x for transactions in scope of PSD2 SCA. Non-compliance results in issuers declining transactions at the network level.
3DS 1.0 is deprecated: most card networks have ended support for 3DS 1.0. Merchants still running 3DS 1.0 flows are non-compliant with current SCA requirements and experience lower frictionless rates because issuers receive less transaction data.
With PXP
PXP integrates 3DS 2.x natively across all card acceptance flows. Merchants configure SCA exemption logic, challenge thresholds, and data element submission through PXP's dashboard. PXP's 3DS implementation passes the full available transaction context to maximise frictionless rate and minimise unnecessary cardholder challenges.
Frequently asked questions
What's the difference between 3DS 1.0 and 3DS 2.x?
3DS 1.0 is the original protocol, now deprecated by most card networks. It sent minimal transaction data to the issuer and defaulted to challenges in most cases. 3DS 2.x sends over 100 data elements to the issuer, enabling risk-based authentication where low-risk transactions receive frictionless approval without a cardholder challenge. 3DS 2.x is the required baseline for SCA compliance under PSD2.
Does 3DS apply to all card transactions?
No. 3DS primarily applies to card-not-present transactions (online and phone) where the issuer cannot use chip authentication. Some transaction types are out of scope for SCA under PSD2, including merchant-initiated transactions (MIT) on stored credentials, one-leg-out transactions (where the issuer or acquirer is outside the EEA), and transactions using approved SCA exemptions.
How does 3DS affect checkout conversion?
3DS reduces conversion only when it triggers a challenge. A challenge requiring a cardholder to leave the checkout flow to authenticate adds friction that increases abandonment. Merchants who send rich transaction context data to the issuer achieve higher frictionless rates, meaning authentication completes invisibly in the background, minimising conversion impact.
What happens when a 3DS authentication fails?
If the cardholder fails the 3DS challenge or the issuer's ACS returns an authentication failure, the transaction should be declined at the authorisation stage. Merchants should not attempt to process the transaction without authentication in SCA-regulated markets. Some issuers also allow a soft decline response that invites the merchant to retry with a full 3DS challenge if an exemption attempt was rejected.
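The decision rules in this answer, written out as a merchant-side handler, as an added example (not PXP's code). It encodes: decline on a failed or rejected authentication, never submit an in-scope transaction unauthenticated, and retry once with a full challenge when a soft decline follows a rejected exemption attempt. The `AuthOutcome` fields, the `SOFT_DECLINE` label and the single-retry limit are constructed assumptions (real soft-decline response codes differ per network); the `transStatus` letters are the EMVCo 3DS 2 values.

```python
"""Merchant-side handling of a 3DS 2 outcome (added example, not PXP's code).

AuthOutcome fields, the SOFT_DECLINE label and the one-retry limit are
constructed; transStatus letters Y, N, U, A, C, R are the EMVCo 3DS 2 values.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Action(Enum):
    AUTHORISE = "authorise"                     # submit with the authentication data
    DECLINE = "decline"                         # stop; no unauthenticated submission
    RETRY_WITH_CHALLENGE = "retry_challenge"    # rerun 3DS, no exemption, challenge requested


@dataclass(frozen=True)
class AuthOutcome:
    trans_status: Optional[str]          # ACS transStatus, or None if 3DS was skipped under an exemption
    in_sca_scope: bool                   # PSD2 SCA applies to this transaction
    exemption_requested: bool = False    # merchant claimed an SCA exemption
    auth_response: Optional[str] = None  # issuer authorisation response, if one was attempted
    retries: int = 0                     # re-authentication attempts already made


SOFT_DECLINE = "SOFT_DECLINE"   # placeholder; real soft-decline codes differ per network


def decide(o: AuthOutcome) -> Action:
    """Map a 3DS outcome (and any authorisation response) to the next merchant action."""
    # 1. Issuer soft-declined an exemption attempt: retry once with a full challenge.
    if o.auth_response == SOFT_DECLINE:
        if o.exemption_requested and o.retries == 0:
            return Action.RETRY_WITH_CHALLENGE
        return Action.DECLINE
    # 2. 3DS was skipped: only exempt or out-of-scope traffic may be submitted as-is.
    if o.trans_status is None:
        if o.in_sca_scope and not o.exemption_requested:
            return Action.DECLINE
        return Action.AUTHORISE
    # 3. ACS verdicts.
    if o.trans_status in ("Y", "A"):        # authenticated, or attempt acknowledged by issuer
        return Action.AUTHORISE
    if o.trans_status in ("N", "R"):        # cardholder failed, or issuer rejected outright
        return Action.DECLINE
    if o.trans_status == "U":               # issuer could not authenticate
        # In scope: must not proceed unauthenticated. Out of scope: may proceed,
        # but no liability shift applies, so fraud chargebacks stay with the merchant.
        return Action.DECLINE if o.in_sca_scope else Action.AUTHORISE
    if o.trans_status == "C":
        raise ValueError("challenge still pending; complete it before deciding")
    raise ValueError(f"unknown transStatus {o.trans_status!r}")


if __name__ == "__main__":
    cases = {
        "authenticated, in scope": AuthOutcome("Y", True),
        "challenge failed, in scope": AuthOutcome("N", True),
        "exemption soft-declined": AuthOutcome(None, True, exemption_requested=True,
                                               auth_response=SOFT_DECLINE),
        "soft-declined again after retry": AuthOutcome(None, True, exemption_requested=True,
                                                       auth_response=SOFT_DECLINE, retries=1),
        "unable to authenticate, out of scope": AuthOutcome("U", False),
    }
    for label, outcome in cases.items():
        print(f"{label:40s} -> {decide(outcome).value}")
```

The retry counter is the guard a practitioner wants here: without it, an issuer that keeps soft-declining would loop the cardholder through challenges indefinitely. The rejected and unable-to-authenticate verdicts are deliberately not retried, because a retry is only invited after a rejected exemption, not after a rejected authentication.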