Online payment fraud is one of the fastest-growing risks in digital commerce. Juniper Research forecasts that merchants will lose more than $360 billion to fraud by 2028. Despite this, many businesses still rely on outdated verification methods or do not use any verification at all. The result is higher exposure to fraud, chargebacks, regulatory non-compliance, and lost revenue.

3D Secure (3DS) was introduced to solve this problem. Maintained by EMVCo and implemented by card networks under names like Visa Secure, Mastercard Identity Check, American Express SafeKey, and Discover ProtectBuy, 3DS adds an additional authentication layer to online card payments. It verifies the cardholder’s identity before the transaction is approved, reducing fraud and shifting liability away from merchants.

This guide breaks down everything merchants, payment providers, and ecommerce operators need to know about 3DS: how it works, what changed with 3DS2, exemptions under PSD2, liability shift rules, and best practices for smooth implementation.

TL;DR: Everything You Need to Know About 3D Secure

What is 3D Secure? 3D Secure is a payment authentication protocol that adds an extra layer of security to online card transactions by verifying the cardholder’s identity through their bank.

Key Benefits:

  • It shifts fraud liability from merchants to card issuers for authenticated transactions.

  • It meets PSD2 Strong Customer Authentication (SCA) requirements in Europe.

  • It improves approval rates with 3DS2’s frictionless authentication (up to 85% of transactions).

  • It reduces online payment fraud by up to 70% (based on industry data from major payment processors).

Latest Version: 3DS 2.3.1 was released in October 2022, offering enhanced mobile support, improved risk analysis, and a better user experience compared to the legacy 3DS 1.

What Merchants Need to Know: 3DS2 implementation will be essential for merchants processing online payments in 2025, whether you operate an e-commerce store or subscription services. It provides improved security and regulatory compliance without lowering conversion rates.

What is 3D Secure?

3D Secure (3DS) is a payment authentication protocol created by the major card network Visa and also adopted by Mastercard. Its primary purpose is to help reduce online payment fraud. When enabled, it adds an extra layer of security (two-step verification) to card transactions, verifying the cardholder’s identity using methods such as one-time passwords (OTP), fingerprint, or facial recognition.

The “3D” in 3D Secure refers to the three domains involved in the authentication process:

  • Acquirer Domain: The merchant’s bank or payment processor.

  • Issuer Domain: The bank that issued the customer’s card.

  • 3DS Infrastructure Domain: The card network (e.g., Visa, Mastercard).

The system works by verifying the cardholder’s identity using methods such as one-time passwords (OTP), biometrics, or push notifications before the payment is approved.

Merchants typically connect through a 3DS Server, which communicates with the Directory Server operated by the card network. This request is then routed to the issuer’s Access Control Server (ACS), which performs authentication. In mobile apps, a 3DS SDK ensures native, in-app support for smooth user experiences.

How Does 3D Secure Work?

When a customer proceeds to checkout and makes a payment online, here’s what happens behind the scenes:

Step 1: Transaction Initiation: Customer enters card details and clicks “Pay”.

Step 2: Risk Assessment: The issuer assesses the transaction's risk using device, account, and transaction data.

Step 3: Authentication Decision:

  • Low Risk: Transaction proceeds without customer intervention (frictionless flow).

  • High Risk: Customer is redirected to the authentication challenge.

Step 4: Identity Verification: Customer needs to complete authentication via:

  • Biometric verification (fingerprint, face ID).

  • SMS one-time passcode (OTP).

  • Mobile banking app push notification.

Step 5: Authorisation: On successful authentication, the issuer approves the payment. Merchants also receive ECI (Electronic Commerce Indicator) and CAVV (Cardholder Authentication Verification Value) codes, proving authentication took place and securing liability shift.
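A merchant-side consistency check on the ECI and CAVV from Step 5, run before the payment is sent for authorisation. This is an added example, not code from this guide or from any gateway; the ECI table is a subset of commonly documented scheme values, and the 20-byte length of the decoded CAVV is an assumption to confirm against your acquirer's specification.

```python
import base64
import binascii
from typing import List, Optional, Tuple

# Commonly documented ECI values (a subset; confirm with your acquirer's spec).
ECI_TABLE = {
    "visa":       {"05": "authenticated", "06": "attempted", "07": "not_authenticated"},
    "mastercard": {"02": "authenticated", "01": "attempted", "00": "not_authenticated"},
}
CAVV_BYTES = 20  # assumed decoded length of the base64 authentication value


def check_auth_data(scheme: str, eci: str, cavv: Optional[str]) -> Tuple[str, List[str]]:
    """Classify the 3DS outcome and list inconsistencies to resolve first."""
    outcome = ECI_TABLE.get(scheme.lower(), {}).get(eci)
    if outcome is None:
        # Unknown combinations are never treated as authenticated.
        return "unknown", [f"ECI {eci!r} not recognised for scheme {scheme!r}"]

    problems: List[str] = []
    if outcome == "not_authenticated":
        if cavv:
            problems.append("CAVV present although ECI reports no authentication")
        return outcome, problems

    # "authenticated" and "attempted" both need a well-formed CAVV as evidence.
    if not cavv:
        problems.append("ECI claims authentication but CAVV is missing")
        return outcome, problems
    try:
        raw = base64.b64decode(cavv, validate=True)
    except (binascii.Error, ValueError):
        problems.append("CAVV is not valid base64")
        return outcome, problems
    if len(raw) != CAVV_BYTES:
        problems.append(f"CAVV decodes to {len(raw)} bytes, expected {CAVV_BYTES}")
    return outcome, problems
```

A non-empty problem list is a reason to hold the authorisation and log the record, since a payment submitted with inconsistent authentication data may not carry the liability shift the merchant expects.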

Frictionless vs Challenge Flows in 3DS

Issuers decide whether to allow a frictionless flow or require a challenge. The quality of your data has a direct impact on approval and abandonment rates. Pass as many of these signals as you can:

  • Account history: account age indicator, number of successful transactions, number of add-card events, and previous chargebacks.

  • Customer identity: email hash, phone, name match to cardholder, shipping and billing address match indicator.

  • Device and behaviour: device ID, device channel, IP, velocity signals, prior device seen, time on page, past failures.

  • Order context: shipping method, digital vs physical goods, same-day shipping flag, gift card indicator, MCC risk, amount, and currency.

  • Merchant risk indicators: first-time customer flag, reattempt flag, prior risk score if available.

Complete Evolution of 3D Secure from 3DS1 to 3DS 2.3.1

What Exactly Changed Between 3DS1 and 3DS2, the Latest Version

Feature                | 3DS1                            | 3DS2
User Experience        | High friction, static passwords | Frictionless for 85%+ transactions
Mobile Support         | Poor, desktop-focused           | Native mobile and in-app support
Data Exchange          | 15 data points                  | 100+ data points for risk analysis
Authentication Methods | Static passwords only           | Biometrics, OTP, push notifications
Integration            | Complex iframe redirects        | Modern SDK and API integration
Approval Rates         | 60-70%                          | 85-95%
Average Auth Time      | 45-60 seconds                   | Under 5 seconds
Abandonment Rate       | 15-25%                          | 2-5%

Regulatory Compliance: PSD2 and Strong Customer Authentication

Understanding PSD2 Requirements

The Revised Payment Services Directive (PSD2), implemented across Europe in 2021, mandates Strong Customer Authentication (SCA) for online payments. SCA requires authentication using at least two of three factors:

  • Knowledge Factor (something you know): PIN, password, security question.

  • Possession Factor (something you have): Mobile device, hardware token, card.

  • Inherent Factor (something you are): Fingerprint, facial recognition, voice.

3DS2 and SCA Compliance

3DS2 is the industry-standard method for meeting SCA requirements because it:

  • Supports all three authentication factors.

  • Enables dynamic linking between transactions and authentication.

  • Provides transaction risk analysis (TRA) exemptions.

  • Maintains detailed audit trails for regulatory reporting.

SCA Exemptions Under 3DS2

Not all online transactions require Strong Customer Authentication (SCA). Under PSD2, 3DS2 allows certain exemptions that help reduce friction while staying compliant. Here are the key exemptions:

  • Low-Value Transactions
    Payments under €30 may be exempt from authentication. However, if a cardholder exceeds five consecutive exempt payments or a total of €100 in exempted spend, authentication will be required again.

  • Trusted Beneficiaries
    Customers can whitelist trusted merchants via their bank. Future payments to these merchants may skip authentication, provided the bank honours the whitelist.

  • Corporate Transactions
    Payments made with dedicated corporate cards (not personal cards) can qualify for exemption if issued under a secure, limited-use corporate setup.

  • Transaction Risk Analysis (TRA)
    If a payment service provider maintains a low fraud rate, low-risk transactions can be exempt from SCA. The threshold varies by transaction amount:

    • ≤ €100: fraud rate must be below 0.13%.

    • ≤ €250: below 0.06%.

    • ≤ €500: below 0.01%.

Banks may still choose to challenge the transaction.
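The exemption rules above, expressed as a pre-check a merchant or PSP could run before deciding which exemption to request. This is an added example, not code from this guide; the `Payment` record and its field names are hypothetical, and it assumes the low-value counters include the payment being evaluated.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import List, Optional

# Figures below are the ones quoted in the article; amounts in EUR, rates in percent.
LOW_VALUE_LIMIT = Decimal("30")        # payment must be under this
LOW_VALUE_MAX_COUNT = 5                # consecutive exempt payments allowed
LOW_VALUE_MAX_TOTAL = Decimal("100")   # cumulative exempt spend allowed
TRA_BANDS = [                          # (amount ceiling, fraud rate must be below)
    (Decimal("100"), Decimal("0.13")),
    (Decimal("250"), Decimal("0.06")),
    (Decimal("500"), Decimal("0.01")),
]


@dataclass
class Payment:  # hypothetical record for this example, not a 3DS message
    amount_eur: Decimal
    prior_exempt_count: int = 0                   # exempt payments since last SCA
    prior_exempt_total: Decimal = Decimal("0")    # exempt spend since last SCA
    psp_fraud_rate_pct: Optional[Decimal] = None  # None = unknown, so no TRA
    trusted_beneficiary: bool = False
    corporate_card: bool = False


def eligible_exemptions(p: Payment) -> List[str]:
    """Exemptions that may be requested; an empty list means SCA is required."""
    if p.amount_eur <= 0:
        raise ValueError("amount must be positive")
    found = []
    # Assumption: the counters include the payment being evaluated.
    if (p.amount_eur < LOW_VALUE_LIMIT
            and p.prior_exempt_count + 1 <= LOW_VALUE_MAX_COUNT
            and p.prior_exempt_total + p.amount_eur <= LOW_VALUE_MAX_TOTAL):
        found.append("low_value")
    if p.trusted_beneficiary:
        found.append("trusted_beneficiary")
    if p.corporate_card:
        found.append("corporate")
    if p.psp_fraud_rate_pct is not None:
        for ceiling, max_rate in TRA_BANDS:
            if p.amount_eur <= ceiling:           # first band that fits the amount
                if p.psp_fraud_rate_pct < max_rate:
                    found.append("tra")
                break
    return found
```

A returned exemption is only something to request: the issuer can still challenge, so the checkout must always be able to fall back to the challenge flow.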

Want to know more about exemptions?

Check out our dedicated guide, 3DS2 Exemptions Explained for detailed use cases, regulatory thresholds, and implementation tips.

Complete 3D Secure Authentication Implementation Guide for Merchants

  • Choose the Right Payment Gateway
    Select a gateway like Celeris that supports the most up-to-date 3DS version and offers advanced risk tools, multiple authentication options, and full compliance support. This ensures smoother integration, better fraud control, and regulatory readiness.

  • Optimise for Frictionless Flows
    To maximise approval rates:

    • Use device fingerprinting and behavioural analytics.

    • Keep fraud rates low to build issuer trust.

    • Leverage SCA exemptions where possible.

    These strategies help qualify for more frictionless authentications and reduce user drop-off.

  • Build a Seamless User Experience
    Create a fast, mobile-friendly authentication flow:

    • Clear progress indicators.

    • Multiple verification methods (e.g. biometrics, OTP).

    • Smart fallback routes for failed attempts.

    • Clear error messages to reduce cart abandonment.

  • Track Key Performance Metrics
    Monitor and improve your 3DS performance with:

    • 95% authentication success rate.

    • 85% frictionless flow rate.

    • <5% false declines.

    • <3% cart abandonment during auth.

    • <0.1% fraud post-authentication.

  • Prioritise Smooth Technical Integration
    Ensure:

    • Mobile SDKs are properly integrated.

    • Comprehensive error handling and recovery processes.

    • Regular testing across different card issuers and devices.

    • Compliance with data privacy regulations.

Ready to implement 3D Secure authentication into your payment flow?

At Celeris, we offer flexible 3DS for high-performing authentication that balances compliance and user experience, ensuring your payment flow stays smooth and secure.

Conclusion: Why 3DS2 is Essential for Modern E-commerce

After working with merchants across industries, from high-volume retailers to niche B2B platforms, we can confidently say that 3DS2 implementation is no longer optional. It’s an essential solution that provides:

  • Enhanced Security: Dramatically reduces payment fraud and chargebacks.

  • Regulatory Compliance: Meets PSD2 SCA standards and upcoming regulations.

  • Improved User Experience: Increases approval rates and decreases cart abandonment.

  • Competitive Advantage: Stronger fraud protection for expanding into new markets.

  • Cost Reduction: Cuts fraud losses and minimises manual review needs.

Frequently Asked Questions

What is 3D Secure (3DS) authentication?

3D Secure is a security protocol designed to add an extra verification step during online card transactions. It helps confirm the cardholder’s identity through their bank, reducing fraud and chargebacks while improving regulatory compliance.
