TL;DR: 3D secure authentication is a customer authentication protocol used to identify and authenticate customers. Because fraud prevention and customer security are a major concern and need for many businesses, this post will guide you through the protocol’s most important aspects.

Most e-commerce sites and businesses face the challenge of ensuring their payment system can deliver an enhanced customer experience and prevent fraudulent transactions. In the past, merchants had to decide between one or the other. As someone who has worked in the payments industry for a while, I can say this is a tough choice no one should have to make!

The good news is 3D secure authentication is a technical standard protocol that adds a layer of security to the payment process. It gives merchants the best of both worlds: preventing unauthorized charges and providing a seamless experience. 

In this blog, I’ll explain how 3D secure authentication works on your payment platform and why its customized implementation is of utmost importance for your business. I’ll go over the workings behind 3D secure 2.0, hoping that grasping this information will help you make well-informed choices about which payment options to work with.

Why does 3D secure authentication exist?

The concern on everybody’s mind when performing an online transaction is security. As a matter of fact, 70% of Americans cite that security is their biggest worry when making mobile payments. Visa says 3D secure 2.0 can also reduce checkout time by 85% and cart abandonment by 70%.

The entire purpose of such a protocol is to reduce fraud by performing strong customer authentication. It also decreases cart abandonment by reducing friction during the checkout process. 

We’ve mentioned “friction” a couple of times here. To be on the same track, friction in this scenario refers to a series of possible events during the authentication process that may affect a user’s ability to continue a transaction.

By using 3D secure authentication, merchants and issuers can talk to each other. A merchant can send information about a user while performing the transaction. However, there are many cases in which the issuer already has that cardholder’s information. Thus, the issuer can confirm the person’s identity without sharing the user’s personal information. This process reduces the need for a customer to enter a large amount of information. This is what we call reducing friction.

What’s 3D secure authentication?

As mentioned before, 3D secure authentication (also known as 3D secure 2.0) is a consumer authentication protocol to identify and authenticate a specific cardholder. The main idea behind this process is to ensure that a specific client is indeed performing a valid transaction.

In version 1.0 a long while back, users were able to confirm their identity by providing a bank account, ID card, issuing bank, and a sort of passcode. They had to add plenty of information to prove to the system that they were who they said they were.

Version 2.0 is very different. The newer version reduces friction and fraud. It does so by eliminating the challenge of directly inputting information. However, when a user cannot be fully verified, 3D secure still offers a way to step up the level of authentication required. 

3D secure authentication also provides a mobile-friendly protocol that allows a wide range of use cases. One example is a mobile-friendly flow that does not require pushing the user out of their browser.

How 3D secure authentication works

To go deeper into the subject, 3D secure authentication operates by sharing transaction information and consumer metadata with an issuing bank. The idea is to confirm that the legitimate cardholder is the one performing the transaction prior to the transaction even occurring. Once verified, the merchant reaches out to a 3D secure server, which, in turn, relays user information to a directory service. 

Once the information is placed in this directory service, it’s possible to check if the user is in 3D secure 2.0. If they are, the directory service routes that information to an Access Control Server (ACS), which the issuer deploys. The ACS uses the transaction and customer metadata to determine whether or not to go forward and complete the transaction. If the information goes through, the consumer is then authenticated.

A transaction that goes through is commonly known as a frictionless experience. It is called that because the user doesn’t know that anything has happened, and everything proceeds as expected, with no further input from them.

If the ACS determines that a step-up challenge is required, the merchant then opens a direct channel with the ACS. They may use a One-Time Password (OTP) or a biometric challenge. The transaction will continue once the challenge succeeds. 
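The routing and the two outcomes described above, as a small simulation added here for illustration (it is not code from the 3D secure specification or any SDK). The class names, status strings, risk rule and amount threshold are all assumptions; a real ACS uses the issuer's own risk model.

```python
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class AuthRequest:
    """Simplified payload sent by the merchant's 3DS server (constructed fields)."""
    pan: str
    amount_cents: int
    device_id: str
    ip_country: str

class ACS:
    """Issuer-side Access Control Server using a hypothetical risk rule."""
    def __init__(self, known_devices, home_country):
        self.known_devices = known_devices  # pan -> device ids seen before
        self.home_country = home_country    # pan -> cardholder's country
        self.pending = {}                   # pan -> outstanding one-time password

    def assess(self, req):
        risky = (req.device_id not in self.known_devices.get(req.pan, set())
                 or req.ip_country != self.home_country.get(req.pan)
                 or req.amount_cents > 50_000)  # assumed threshold
        if not risky:
            return "frictionless"           # authenticated, no cardholder input
        self.pending[req.pan] = f"{secrets.randbelow(10**6):06d}"
        return "challenge"                  # step-up required

    def verify_otp(self, pan, otp):
        expected = self.pending.pop(pan, None)  # single use, even on failure
        if expected is not None and hmac.compare_digest(expected, otp):
            return "authenticated"
        return "failed"

class DirectoryServer:
    """Routes a request to the issuer's ACS by card prefix, if enrolled."""
    def __init__(self, acs_by_prefix):
        self.acs_by_prefix = acs_by_prefix

    def route(self, req):
        acs = self.acs_by_prefix.get(req.pan[:6])
        return ("not_enrolled", None) if acs is None else (acs.assess(req), acs)

if __name__ == "__main__":
    pan = "4111111111111111"  # constructed test card number
    acs = ACS({pan: {"phone-1"}}, {pan: "US"})
    ds = DirectoryServer({pan[:6]: acs})
    print(ds.route(AuthRequest(pan, 2500, "phone-1", "US"))[0])  # known device
    status, issuer = ds.route(AuthRequest(pan, 2500, "laptop-9", "BR"))
    print(status, issuer.verify_otp(pan, acs.pending[pan]))      # OTP step-up
```

The OTP is consumed on the first attempt, right or wrong, so a failed challenge forces a fresh authentication request instead of allowing repeated guesses.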



What 3D secure authentication offers (that others don’t)

3D secure 2.0 provides a mechanism for direct merchant-to-issuer data exchange. The merchant can collect attributes from the consumer’s device and transfer that data directly to the issuing bank. The issuing bank, in return, can use those markers to determine the level of risk a transaction holds before it takes place. 

This security protocol also provides additional consumer-specific security markers that don’t grant access to your card information. For example, it’s capable of determining the device the person is using to make a purchase. If this person lives in Washington, why are they shopping for an item in any other part of the world? Having more details about the consumer at the time of the transaction helps determine whether or not the action is legitimate.

Combining tokenization for a secure transaction

Aside from 3D secure authentication, another advisable security measure is tokenization. Card tokenization consists of trading important user and card information for an opaque token, which may be used by the issuer or the acquirer. By combining both, we developers can add more levels of security to the shopping experience. 

With this process, a merchant circumvents the need to hold any sort of cardholder information. All a merchant needs to do is hold the token in place while the transaction occurs. In case of a breach, an acquirer-based token protects merchants from exposing cardholder information. 

Issuer-based tokens, on the other hand, imply using tools such as Apple Pay or Google Pay on the issuer side. They work under the same principle; at some point, a token replaces cardholder information, which can also be used on further transactions.
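An acquirer-side token vault in miniature, added here as an illustration and not taken from any payment provider's API. `TokenVault`, `Merchant` and `breach_exposes_pan` are hypothetical names, and the card number is a constructed test value.

```python
import secrets

class TokenVault:
    """Acquirer-side vault (hypothetical): the only place card numbers live."""
    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan):
        if pan in self._token_by_pan:      # same card, same token: reusable later
            return self._token_by_pan[pan]
        token = "tok_" + secrets.token_urlsafe(16)  # random, not derived from PAN
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def charge(self, token, amount_cents):
        pan = self._pan_by_token.get(token)
        if pan is None:
            raise KeyError("unknown token")
        # Only the vault ever sees the full card number again.
        return {"approved": True, "last4": pan[-4:], "amount_cents": amount_cents}

class Merchant:
    def __init__(self, vault):
        self.vault = vault
        self.customers = {}  # customer id -> token; all a breach could expose

    def save_card(self, customer_id, pan):
        # The PAN is handed to the vault and never stored on the merchant side.
        self.customers[customer_id] = self.vault.tokenize(pan)

    def pay(self, customer_id, amount_cents):
        return self.vault.charge(self.customers[customer_id], amount_cents)

def breach_exposes_pan(merchant, pan):
    """True if a dump of the merchant's records would contain the card number."""
    return any(pan in value for value in merchant.customers.values())

if __name__ == "__main__":
    shop = Merchant(TokenVault())
    shop.save_card("alice", "4111111111111111")  # constructed test card number
    print(shop.pay("alice", 1999), breach_exposes_pan(shop, "4111111111111111"))
```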

What to bear in mind when implementing

Implementing 3D secure 2.0 in payment services calls for developers who understand not only how payments work, but also all the related workflows in the process. However, I don’t think it’s challenging to implement. Knowing how everything operates at a high level makes adding a layer of security an uncomplicated task. 

Also, Europay, Mastercard, and Visa (EMV) provide Software Development Kits (SDKs) for Android, iOS, and Windows. These kits are designed for multi-platform support, covering mobile, desktop, and other devices. In other words, there’s sufficient documentation out there to help developers implement 3D secure 2.0.

It’s essential to understand that payment processor providers support 3D secure 2.0. Yet the service offered truly depends on merchants and the level of customization they provide for a given platform.

In general, customized experiences require in-depth work on every aspect of every project. And customer security and fraud prevention are sensitive layers. The risk is too high if they are overlooked or coded incorrectly.
