What is 3D Secure 2?

3D Secure 2 is the authentication layer that runs in the background when a UK shopper taps Confirm in their banking app, or when an iPhone biometric prompt pops up at the end of an online checkout. It began replacing the password-and-redirect mess of the original 3DS from 2019, as the Strong Customer Authentication rules under PSD2 came into force, and it is the mechanism most online card payments use to satisfy SCA. For phone payments it doesn't apply: MOTO transactions sit outside the scope of SCA, which is a large part of why fraudsters target the phone channel.

What Is 3D Secure 2?

3D Secure 2, 3DS2 for short, is the protocol that verifies a cardholder during an online card purchase. When your bank pings your phone with a push notification asking you to approve a £127 payment to ASOS, that's 3DS2 doing its job. The "3D" refers to the three domains involved: the acquirer domain (the merchant and its bank), the issuer domain (the cardholder's bank), and the interoperability domain (the card network's directory server that routes messages between the other two). Together they exchange data over a secure channel so the issuer can decide whether the person typing the card number is genuinely the cardholder.

3DS2 took over from the original 3D Secure protocol (3DS1), which most shoppers remember as Verified by Visa or Mastercard SecureCode. 3DS1 worked, more or less, but it was hated by everyone. 3DS2 was designed from scratch to fix that.

What Was Wrong With 3DS1?

To understand why 3DS2 matters, it helps to remember how painful 3DS1 was. The flow looked like this: a customer fills in their card details, gets bounced off the merchant's site to a separate bank-controlled page, and is asked to enter a password they set up years ago. A few things went wrong with that design:

  • Customers forgot the password; they'd used it twice in 2017 and couldn't remember it in 2019
  • The redirect looked dodgy — it felt like phishing, and plenty of shoppers bailed at that point
  • The bank's authentication page rarely matched the merchant's branding, reinforcing the "something's wrong" feeling
  • Mobile was an afterthought. The page didn't reflow, the inputs were tiny, and entry on a phone was miserable
  • There was no risk-based logic. Every transaction got the same prompt, whether it was a £4 coffee subscription or a £4,000 sofa

The damage showed up in cart abandonment. We've seen merchants report 20-30% drops in checkout completion the moment 3DS1 went live. Plenty of them just switched it off and absorbed the fraud cost.

How 3DS2 Works

3DS2 throws out the one-size-fits-all approach. Instead of interrupting every transaction with a password prompt, it uses risk-based authentication — the issuer's system weighs up the data behind the transaction and decides whether the cardholder needs to do anything at all.

The Frictionless Flow

When a payment kicks off, the merchant's 3DS Server sends the card issuer an authentication request carrying well over a hundred data elements: browser or device details, the IP address, the amount and currency, billing and shipping addresses, the cardholder's account history with the merchant (how old the account is, how many purchases it has made recently), the merchant's identity and category, and a lot more. If the issuer's system (the access control server, or ACS) reckons the risk is low, it authenticates the transaction silently and the merchant goes straight on to authorisation. The customer doesn't see a thing. This is the frictionless flow, and it's the whole point of the upgrade.

The Challenge Flow

If the issuer wants a second factor (high value, new device, unusual behaviour), it triggers a challenge. Usually that's a push to the banking app ("Approve this £450 payment to Wayfair?") or, less commonly now, a one-time code by SMS. Crucially, the challenge happens inside the merchant's checkout via an embedded iframe or the in-app SDK, and the issuer reports the result back to the merchant before anything is authorised. The customer never leaves the page, which kills the phishing vibe of 3DS1.
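What the two flows look like on the wire, as an added illustration in Python rather than anything taken from this page or from Paytia's own systems. The message and field names (AReq, ARes, RReq, transStatus, threeDSRequestorChallengeInd, acctInfo, eci, authenticationValue) follow the EMVCo 3DS 2.2 specification; the issuer-side scoring in `toy_acs_decide` is a made-up stand-in for an ACS's proprietary risk model, the ACS URL is a placeholder, and every transaction value is constructed sample data.

```python
import base64
import secrets
import uuid

# transStatus values defined by EMVCo 3DS 2.x (the ones a merchant acts on)
Y_AUTHENTICATED = "Y"   # authenticated: frictionless, or challenge passed
A_ATTEMPTED = "A"       # attempts processing performed (issuer stand-in)
C_CHALLENGE = "C"       # challenge required; cardholder must act
N_FAILED = "N"          # not authenticated / challenge failed

def build_areq(card, purchase, device, account_info):
    """Merchant side (3DS Server): assemble the Authentication Request.
    Field names follow EMVCo 3DS 2.2; all values are constructed sample data."""
    return {
        "messageType": "AReq",
        "messageVersion": "2.2.0",
        "messageCategory": "01",                 # 01 = payment authentication
        "deviceChannel": "02",                   # 02 = browser
        "threeDSServerTransID": str(uuid.uuid4()),
        "threeDSRequestorChallengeInd": "01",    # 01 = no preference
        "acctNumber": card["pan"],
        "purchaseAmount": purchase["amount_minor"],  # minor units: "12700" = £127.00
        "purchaseCurrency": "826",               # ISO 4217 numeric code for GBP
        "purchaseExponent": "2",
        "billAddrCountry": "826",
        "shipAddrCountry": purchase["ship_country"],
        "browserIP": device["ip"],
        "browserUserAgent": device["user_agent"],
        "acctInfo": account_info,                # optional cardholder account history
    }

def _authenticated_fields():
    # authenticationValue is the 20-byte CAVV/AAV the issuer mints, Base64-encoded;
    # eci "05" is Visa's "fully authenticated" code (Mastercard uses "02").
    return {"transStatus": Y_AUTHENTICATED, "eci": "05",
            "authenticationValue": base64.b64encode(secrets.token_bytes(20)).decode()}

def toy_acs_decide(areq, known_devices):
    """Issuer side (ACS): risk-based authentication. The scoring is a made-up
    stand-in for an issuer's proprietary model; it only shows how one AReq can
    end in either flow and why empty optional fields push towards a challenge."""
    score = 0
    if int(areq["purchaseAmount"]) > 25000:                  # over £250
        score += 40
    if areq["browserUserAgent"] not in known_devices:        # device the issuer hasn't seen
        score += 30
    if areq["shipAddrCountry"] != areq["billAddrCountry"]:   # shipping abroad
        score += 30
    acct = areq.get("acctInfo") or {}
    if not acct:                                              # merchant sent no history
        score += 25
    elif acct.get("chAccAgeInd") in ("01", "02"):             # guest or brand-new account
        score += 15
    ares = {"messageType": "ARes", "messageVersion": areq["messageVersion"],
            "threeDSServerTransID": areq["threeDSServerTransID"],
            "acsTransID": str(uuid.uuid4()), "dsTransID": str(uuid.uuid4())}
    if score < 50:
        ares.update(_authenticated_fields())           # frictionless: cardholder sees nothing
    else:
        ares.update({"transStatus": C_CHALLENGE, "acsChallengeMandated": "N",
                     "acsURL": "https://acs.example-bank.test/challenge"})  # placeholder URL
    return ares

def complete_challenge(ares, cardholder_approved):
    """Issuer side after the CReq/CRes exchange in the iframe or SDK: the Results
    Request (RReq) the ACS posts back to the 3DS Server with the outcome."""
    rreq = {"messageType": "RReq", "threeDSServerTransID": ares["threeDSServerTransID"],
            "acsTransID": ares["acsTransID"]}
    rreq.update(_authenticated_fields() if cardholder_approved
                else {"transStatus": N_FAILED, "eci": "07"})   # Visa: not authenticated
    return rreq

def run_flow(card, purchase, device, account_info, known_devices, cardholder_approves=True):
    """Drive one transaction through 3DS2 and return what the merchant needs: which
    flow happened, the final transStatus, and whether to go on to authorisation."""
    areq = build_areq(card, purchase, device, account_info)
    ares = toy_acs_decide(areq, known_devices)
    if ares["transStatus"] == C_CHALLENGE:
        final, flow = complete_challenge(ares, cardholder_approves), "challenge"
    else:
        final, flow = ares, "frictionless"
    status = final["transStatus"]
    # Scheme rules move fraud-chargeback liability to the issuer on Y (and A); on
    # anything else the merchant stays liable, so it normally stops here.
    return {"flow": flow, "transStatus": status,
            "proceed_to_authorisation": status in (Y_AUTHENTICATED, A_ATTEMPTED),
            "authenticationValue": final.get("authenticationValue")}

if __name__ == "__main__":
    card = {"pan": "4111111111111111"}                        # Visa test PAN
    device = {"ip": "203.0.113.7", "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0)"}
    returning = {"chAccAgeInd": "05", "nbPurchaseAccount": "6", "shipAddressUsageInd": "04"}
    # Returning customer, £127, shipping to the billing country: frictionless
    print(run_flow(card, {"amount_minor": "12700", "ship_country": "826"}, device,
                   returning, known_devices={device["user_agent"]}))
    # Guest, £450, unseen device, shipping to the US: challenge, then approved
    print(run_flow(card, {"amount_minor": "45000", "ship_country": "840"}, device, {},
                   known_devices=set()))
```

The merchant never sees the issuer's score, only the transStatus; the point of the toy model is that the same checkout with `acctInfo` left empty scores higher, which is the "empty fields make issuers nervous" effect described later on this page. The authenticationValue returned on Y is what the merchant passes into the authorisation message so the acquirer can evidence the liability shift.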

Why 3DS2 Matters for Businesses

3DS2 finally answers the security-vs-conversion question that haunted 3DS1. The wins line up like this:

  • Lower cart abandonment — the frictionless flow means most customers complete authentication without realising it happened
  • Reduced fraud liability — once a transaction is authenticated through 3DS2, liability for fraud-related chargebacks ("I didn't make this payment") shifts from the merchant to the issuer. If it later turns out to be fraud, you're not the one paying. Disputes about the goods themselves (not received, not as described) are unaffected, and transactions that use an SCA exemption instead of authenticating don't get the shift
  • PSD2 compliance — 3DS2 is how card-accepting merchants meet the Strong Customer Authentication requirement that PSD2 introduced for online payments in the EEA, and which the UK kept on its own statute book after Brexit
  • Mobile-first design — 3DS2 was built with phones in mind, so in-app authentication and small-screen flows feel native
  • Richer data exchange — issuers get far more information, which means fewer false declines on legitimate transactions

3DS2 and Telephone Payments

Here's where it gets interesting for anyone running a contact centre. 3DS2 is built for electronic, customer-initiated transactions: checkout in a browser or in an app. Phone payments are classified as MOTO (mail order/telephone order), and MOTO sits outside the scope of the SCA requirements of PSD2.

That carve-out exists for a practical reason. A card number read out over the phone isn't an electronic payment initiated by the payer in the regulation's sense, and there's no clean way to do two-factor authentication during a voice call anyway. You can't ask the customer to tap an iframe that doesn't exist. So when a UK customer rings up to settle an invoice and reads out their card number, 3DS2 simply isn't part of the picture.

The catch is liability. Because MOTO transactions aren't 3DS2-authenticated, there's no liability shift: the merchant carries the loss on the fraud chargeback for every fraudulent phone payment, full stop. That makes the rest of your fraud stack do extra work: AVS, CVV checks, velocity rules, risk scoring on the order itself.

It also creates a channel-shift problem. Criminals notice when an online channel gets harder to hit. If your website is locked down with 3DS2, the next place they try is the phone line. We've seen this pattern across our customer base — a merchant tightens online checkout, and three months later the contact centre starts seeing odd orders from new accounts on burner mobiles. Phone payment security isn't optional just because 3DS2 takes care of the web.

Practical Considerations

If you sell online, 3DS2 isn't a choice: SCA is required under PSD2 (and the UK's retained version of it), and 3DS2 is how card payments meet it. The exemptions are narrow: low-value transactions (under €30, or £30 in the UK, subject to cumulative caps), payments the acquirer's transaction risk analysis rates low-risk within its permitted fraud thresholds, payees the cardholder has whitelisted with their bank, and recurring payments after the first one. Claiming an exemption skips the prompt but also gives up the liability shift. Your payment gateway handles the integration, but you should keep an eye on a few things:

  • Talk to your payment provider about how 3DS2 is configured and whether you're making the most of the frictionless flow
  • Watch your authentication rates — track the split between frictionless and challenge flows, and the success rate of each. A high challenge rate often means you're not sending the issuer enough data to make a confident decision, though issuer policy and your sector's fraud rate play a part too
  • Send all the data you can — the more context you provide during 3DS2, the more likely the issuer will wave the transaction through frictionlessly. Empty fields make issuers nervous
  • Test on mobile properly — most online purchases happen on phones now. Don't let the authentication step be the place your checkout falls over
  • Don't forget the phone channel — if 3DS2 has hardened your web checkout, make sure your telephone payments have equivalent fraud controls. Otherwise you've just funnelled the fraudsters toward your contact centre
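
To make the "watch your authentication rates" and "send all the data you can" points concrete, here is an added example in Python, not code from this page or from Paytia, that runs over a constructed batch of authentication outcomes of the kind a gateway report exposes and works out the frictionless/challenge split, the success rate of each flow, and which optional AReq fields were absent more often on the attempts that got challenged. The record shape (`ares`, `final`, `fields`) and the 30% alert threshold are assumptions for the illustration; real gateways export this differently and no scheme publishes a target challenge rate.

```python
from collections import Counter

# Constructed sample of authentication outcomes, one record per attempt, in the kind
# of shape a gateway report gives you: "ares" is the transStatus returned in the
# ARes, "final" the status after any challenge (equal to "ares" when frictionless),
# "fields" the optional AReq data elements the checkout populated for that attempt.
SAMPLE = [
    {"ares": "Y", "final": "Y", "fields": {"acctInfo", "shipAddrCountry", "email", "mobilePhone"}},
    {"ares": "Y", "final": "Y", "fields": {"acctInfo", "shipAddrCountry", "email"}},
    {"ares": "Y", "final": "Y", "fields": {"acctInfo", "shipAddrCountry", "email", "mobilePhone"}},
    {"ares": "A", "final": "A", "fields": {"acctInfo", "email"}},
    {"ares": "N", "final": "N", "fields": {"acctInfo", "shipAddrCountry", "email"}},
    {"ares": "Y", "final": "Y", "fields": {"acctInfo", "shipAddrCountry", "email", "mobilePhone"}},
    {"ares": "C", "final": "Y", "fields": {"shipAddrCountry", "email"}},
    {"ares": "C", "final": "Y", "fields": {"email"}},
    {"ares": "C", "final": "N", "fields": {"shipAddrCountry"}},      # cardholder gave up
    {"ares": "C", "final": "Y", "fields": {"acctInfo", "email"}},
]

AUTHENTICATED = {"Y", "A"}   # statuses that carry the liability shift


def _missing_rate(records, field):
    """Share of records in which the optional AReq field was not populated."""
    if not records:
        return 0.0
    return sum(field not in r["fields"] for r in records) / len(records)


def summarise(records, challenge_rate_alert=0.30):
    """Frictionless/challenge split, success rate of each flow, and which optional
    fields go missing more often on challenged attempts than on frictionless ones.
    The alert threshold is an illustrative assumption, not a scheme or issuer figure."""
    frictionless = [r for r in records if r["ares"] != "C"]
    challenged = [r for r in records if r["ares"] == "C"]
    every_field = set().union(*(r["fields"] for r in records))
    # Positive gap: the field is absent more often when the issuer challenged.
    gaps = {f: round(_missing_rate(challenged, f) - _missing_rate(frictionless, f), 2)
            for f in every_field}
    challenge_rate = len(challenged) / len(records)
    return {
        "total": len(records),
        "challenge_rate": round(challenge_rate, 2),
        "frictionless_success_rate": round(
            sum(r["final"] in AUTHENTICATED for r in frictionless) / max(len(frictionless), 1), 2),
        "challenge_success_rate": round(
            sum(r["final"] in AUTHENTICATED for r in challenged) / max(len(challenged), 1), 2),
        "final_status_counts": dict(Counter(r["final"] for r in records)),
        "alert": challenge_rate > challenge_rate_alert,
        "fields_missing_when_challenged": sorted(gaps, key=gaps.get, reverse=True),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarise(SAMPLE), indent=2))
```

A positive gap on a field such as `acctInfo` only says it was missing more often on the attempts that were challenged; the issuer's model also weighs things the merchant never sees, so treat the ranking as the starting point for the conversation with your payment provider rather than as proof of cause.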

How Paytia Uses This

Paytia's PCI DSS Level 1 certified platform handles telephone payments, the MOTO channel that 3D Secure 2 doesn't cover. Rather than relying on 3DS2, it protects card data in the voice channel with DTMF suppression, so the card details a caller keys in are kept out of the contact centre at every stage.

Frequently Asked Questions

What is 3D Secure 2?

3D Secure 2 is the authentication layer that verifies a cardholder during an online card payment: the bit where your banking app pops up and asks you to confirm a £127 purchase, or your iPhone asks for Face ID before approving. It began replacing the older 3DS1 password-and-redirect flow in 2019, as PSD2's SCA rules came into force, and uses risk-based decisions so most low-risk transactions sail through without any prompt at all.

Why is 3D Secure 2 important for PCI DSS?

3DS2 isn't actually a PCI DSS control; it's a separate authentication protocol that satisfies Strong Customer Authentication under PSD2. The two often get conflated because they both live in payment security, but they solve different problems. PCI DSS governs how your systems store, transmit and protect card data; 3DS2 verifies the human at the keyboard. You can be fully PCI compliant and still not use 3DS2, and vice versa.

How does Paytia handle 3D Secure 2?

We don't, because we don't need to. Paytia handles telephone payments, which are MOTO transactions, and MOTO sits outside the SCA requirements that 3DS2 was built to satisfy. What we do instead is harden the phone channel with DTMF masking, CVV capture, and direct gateway routing, so the fraud risk that 3DS2 covers online is addressed differently for voice.

See how Paytia secures the payments 3D Secure 2 (3DS2) doesn't cover

Book a personalised demo and we'll show you how our platform works with your setup.

PCI DSS Level 1
Cyber Essentials Plus

Trusted by law firms, insurers, healthcare providers and regulated businesses worldwide. Learn more about Paytia