What Is 3D Secure and SCA?
3D Secure (3DS) is an additional authentication step for online and card-not-present payments, where the cardholder verifies their identity — typically via a one-time passcode, biometric or banking app prompt. Strong Customer Authentication (SCA) is the regulatory requirement under PSD2 that makes this type of verification mandatory for most electronic payments in the UK and Europe.
What Is 3D Secure?
3D Secure (3DS) is an authentication protocol designed to add an extra layer of security to online card payments. When a customer makes a purchase on a website, 3D Secure may prompt them to verify their identity -- typically through their banking app, a one-time passcode sent via SMS, or biometric authentication -- before the payment is approved.
The "3D" refers to the three domains involved in the authentication process: the merchant's domain, the card network's domain (such as Visa or Mastercard), and the issuing bank's domain. These three parties work together to verify that the person making the payment is the legitimate cardholder.
The Evolution from 3DS1 to 3DS2
3D Secure 1 (3DS1)
The original version of 3D Secure -- branded as "Verified by Visa" and "Mastercard SecureCode" -- launched in the early 2000s. It required customers to set up a static password with their card issuer and enter it during online checkout. This approach had well-documented problems:
- Customers frequently forgot their passwords, leading to abandoned transactions
- The redirect to a separate authentication page looked suspicious and caused confusion
- It did not work well on mobile devices
- Conversion rates dropped significantly for merchants who implemented it
3D Secure 2 (3DS2)
3DS2, launched in 2019, was a complete redesign. Instead of relying on static passwords, it uses risk-based authentication. The system analyses over 100 data points -- including device type, location, transaction history, and spending patterns -- to assess whether a transaction is likely to be legitimate.
Low-risk transactions are approved seamlessly without any customer interaction (known as "frictionless flow"). Higher-risk transactions trigger a "challenge flow" where the customer is asked to authenticate -- usually through their banking app or a one-time code. This approach balances security with a smooth customer experience.
What Is Strong Customer Authentication (SCA)?
Strong Customer Authentication is a regulatory requirement introduced by the Payment Services Directive 2 (PSD2) in Europe and the UK. It requires that electronic payments are authenticated using at least two of the following three factors:
- Something you know: a password, PIN, or security question
- Something you have: a mobile phone, hardware token, or smart card
- Something you are: a fingerprint, face scan, or other biometric
3D Secure 2 is the payment industry's primary mechanism for delivering SCA compliance in online card payments. When a transaction requires SCA, the 3DS2 protocol handles the authentication challenge.
SCA Exemptions
Not every transaction requires SCA. The regulations include several exemptions:
- Low-value transactions: payments under 30 GBP (though issuers may still apply SCA after a series of low-value payments)
- Trusted beneficiaries: customers can whitelist merchants they trust, skipping SCA for future payments
- Recurring payments: after the first authenticated payment, subsequent recurring charges of the same amount may be exempt
- Transaction risk analysis: payment providers with low fraud rates can request exemptions for transactions their risk engine deems low-risk
- Corporate payments: payments made with corporate cards through dedicated payment processes
Applying for exemptions can improve conversion rates, but if an exempt transaction turns out to be fraudulent, the liability shifts to the party that requested the exemption.
3D Secure, SCA, and Telephone Payments
Here is where things get interesting for businesses that take payments over the phone. Telephone payments are explicitly exempt from SCA requirements. The FCA and European Banking Authority classify telephone orders as MOTO (Mail Order / Telephone Order) transactions, and MOTO is carved out of the SCA mandate.
This means that when a customer pays over the phone, the merchant does not need to trigger 3D Secure authentication. The payment is processed as a standard card-not-present transaction with CVV verification but without the additional SCA step.
This exemption exists because telephone payments already involve a form of interaction between the merchant and customer -- the live phone conversation provides context that is absent in a purely online transaction. However, the MOTO exemption does not reduce the need for PCI DSS compliance. While the authentication requirements are simpler, the obligation to protect card data remains in full force.
Liability Shift
One of the key incentives for merchants to implement 3D Secure is the liability shift. When a transaction is successfully authenticated through 3DS, liability for fraudulent chargebacks shifts from the merchant to the card issuer. If a customer claims they did not authorise an authenticated transaction, the issuer bears the cost rather than the merchant.
For MOTO transactions -- which cannot use 3D Secure -- this liability shift does not apply. The merchant retains liability for fraudulent chargebacks, which makes other fraud prevention measures (such as AVS checks, CVV verification, and agent training) all the more important.
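The routing logic described across the SCA factors, the exemption list, the MOTO carve-out and the liability shift is easiest to see as one decision function. The following is an added example written for this page, not Paytia's code or any card scheme's reference implementation. The 30 GBP low-value limit comes from the text; the series cap of five low-value payments, the risk thresholds and the transaction fields are constructed assumptions standing in for an issuer's or PSP's real policy.

```python
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional


class Factor(Enum):
    KNOWLEDGE = "something you know"   # password, PIN, security question
    POSSESSION = "something you have"  # phone, hardware token, smart card
    INHERENCE = "something you are"    # fingerprint, face scan


class Channel(Enum):
    ECOMMERCE = "ecommerce"
    MOTO = "moto"  # mail order / telephone order: outside the SCA mandate


class Liability(Enum):
    MERCHANT = "merchant"
    ISSUER = "issuer"
    EXEMPTION_REQUESTER = "exemption requester"


@dataclass(frozen=True)
class Transaction:
    amount_gbp: float
    channel: Channel
    prior_low_value_unauth: int = 0      # low-value payments on this card already made without SCA
    trusted_beneficiary: bool = False    # customer has whitelisted this merchant
    recurring_same_amount: bool = False  # fixed-amount subscription charge
    first_in_series: bool = True         # the first recurring charge still needs SCA
    corporate_card: bool = False         # dedicated corporate payment process
    psp_low_fraud_rate: bool = False     # PSP qualifies to request TRA exemptions
    psp_risk_score: float = 1.0          # PSP risk engine: 0 = safest, 1 = riskiest
    issuer_risk_score: float = 1.0       # issuer's 3DS2 score: drives frictionless vs challenge


# Policy values: 30 GBP is from the page; the remaining three are assumptions for this example.
LOW_VALUE_LIMIT_GBP = 30.0
LOW_VALUE_SERIES_CAP = 5           # issuer may insist on SCA after a run of low-value payments
TRA_LOW_RISK_THRESHOLD = 0.2       # PSP score below this may be claimed as low risk
ISSUER_FRICTIONLESS_THRESHOLD = 0.3


def satisfies_sca(factors: FrozenSet[Factor]) -> bool:
    """SCA requires two distinct categories; two SMS codes are still one category (possession)."""
    return len(factors) >= 2


def find_exemption(tx: Transaction) -> Optional[str]:
    """Return the first SCA exemption the merchant or PSP could claim for this payment, or None."""
    if tx.amount_gbp < LOW_VALUE_LIMIT_GBP and tx.prior_low_value_unauth < LOW_VALUE_SERIES_CAP:
        return "low_value"
    if tx.trusted_beneficiary:
        return "trusted_beneficiary"
    if tx.recurring_same_amount and not tx.first_in_series:
        return "recurring"
    if tx.psp_low_fraud_rate and tx.psp_risk_score < TRA_LOW_RISK_THRESHOLD:
        return "transaction_risk_analysis"
    if tx.corporate_card:
        return "corporate"
    return None


@dataclass(frozen=True)
class Decision:
    flow: str                  # moto | exempt | frictionless | challenge_passed | challenge_failed
    exemption: Optional[str]
    liability: Liability       # who carries an "I did not authorise this" chargeback


def decide(tx: Transaction, presented: FrozenSet[Factor] = frozenset()) -> Decision:
    """Route a payment through MOTO / exemption / 3DS2 and record where liability lands."""
    if tx.channel is Channel.MOTO:
        # No 3DS is possible and no SCA is required, so there is no liability shift either.
        return Decision("moto", None, Liability.MERCHANT)

    exemption = find_exemption(tx)
    if exemption is not None:
        # Skipping SCA helps conversion, but fraud liability stays with whoever requested it.
        return Decision("exempt", exemption, Liability.EXEMPTION_REQUESTER)

    # 3DS2 authentication: the issuer's risk scoring may clear it with no customer interaction.
    if tx.issuer_risk_score < ISSUER_FRICTIONLESS_THRESHOLD:
        return Decision("frictionless", None, Liability.ISSUER)

    # Challenge flow: the cardholder must present two of the three factor categories.
    if satisfies_sca(presented):
        return Decision("challenge_passed", None, Liability.ISSUER)
    # A failed challenge should be declined; a merchant who proceeds anyway keeps the liability.
    return Decision("challenge_failed", None, Liability.MERCHANT)


if __name__ == "__main__":
    # Constructed sample payments, not real transaction data.
    print(decide(Transaction(45.0, Channel.MOTO)))
    print(decide(Transaction(25.0, Channel.ECOMMERCE)))
    print(decide(Transaction(200.0, Channel.ECOMMERCE, issuer_risk_score=0.1)))
    print(decide(Transaction(200.0, Channel.ECOMMERCE), frozenset({Factor.POSSESSION, Factor.INHERENCE})))
```

The order of the checks in `find_exemption` matters: a real PSP would choose which exemption to request based on its own fraud rate and the issuer's known behaviour, and an issuer is free to reject the request and demand a challenge anyway, which is why the low-value branch also tracks how many unauthenticated payments have already gone through.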
Adoption and Impact
Since 3DS2 and SCA became mandatory in the UK in 2022, the payment industry has seen measurable improvements. Fraud rates on online card payments have declined, while the feared negative impact on conversion rates has been smaller than expected -- largely because the frictionless flow means most legitimate customers never see a challenge. Merchants who have optimised their 3DS2 implementation report that well over 90% of transactions are approved without customer interaction, making the security gains essentially invisible to the buyer.
Paytia's telephone payment solutions operate under the MOTO exemption from SCA, meaning customers do not need to complete 3D Secure authentication when paying over the phone. This provides a frictionless payment experience while still maintaining the highest level of card data security through DTMF masking.
For businesses that want to offer customers a choice, Paytia's payment links can be sent during a phone call, allowing the customer to complete a 3D Secure-authenticated payment on their own device. This gives merchants the benefit of the liability shift that comes with successful 3DS authentication while still providing the personal service of a phone conversation.
Frequently Asked Questions
Do phone payments need 3D Secure?
No. Telephone payments are classified as MOTO (Mail Order / Telephone Order) transactions and are explicitly exempt from Strong Customer Authentication requirements. Customers paying over the phone do not need to complete 3D Secure verification.
What is the difference between 3D Secure and SCA?
SCA (Strong Customer Authentication) is the regulatory requirement that electronic payments must use two-factor authentication. 3D Secure is the technical protocol the card industry uses to implement SCA for online card payments. SCA is the rule; 3D Secure is the tool that enforces it.
Does 3D Secure prevent chargebacks?
Not entirely, but it shifts liability. When a transaction is successfully authenticated through 3D Secure and a customer later disputes it as unauthorised, the card issuer bears the liability rather than the merchant. This protects merchants from the most common type of fraud-related chargeback.
See how Paytia handles 3D Secure / SCA
Book a personalised demo and we'll show you how our platform works with your setup.
Trusted by law firms, insurers, healthcare providers and regulated businesses worldwide.