What is 3D Secure 2?

3D Secure 2 (3DS2) is the current version of the card authentication protocol that adds a verification step to card-not-present transactions, where the cardholder confirms their identity through their banking app or biometrics.

What Is 3D Secure 2?

3D Secure 2, commonly written as 3DS2, is the current version of the authentication protocol used to verify a cardholder's identity during online card payments. When you buy something online and your bank asks you to confirm the purchase through your banking app, or to enter a one-time code sent to your phone, that is 3DS2 in action.

The "3D" stands for three domains -- the merchant's domain, the card issuer's domain, and the interoperability domain (the card network that sits in between). The protocol creates a secure channel between these three parties to exchange authentication data, allowing the card issuer to verify that the person making the payment is genuinely the cardholder.

3DS2 replaced the original 3D Secure (sometimes called 3DS1), which was introduced in the early 2000s under brand names like Verified by Visa and Mastercard SecureCode. The original version was functional but widely criticised for being clunky, slow, and a significant source of cart abandonment. 3DS2 was designed from the ground up to fix these problems.

What Was Wrong With 3DS1?

To understand why 3DS2 exists, it helps to understand why the first version was so problematic. 3DS1 typically worked by redirecting the customer to a separate webpage controlled by their bank, where they had to enter a password they had previously set up. This had several major issues:

  • Many customers forgot their 3DS1 passwords because they used them so rarely, leading to failed transactions and frustration
  • The redirect to a separate page was jarring and made the checkout process feel less trustworthy -- customers sometimes assumed it was a phishing attempt
  • The bank's authentication page often looked completely different from the merchant's website, reinforcing the impression that something was wrong
  • The protocol was not designed for mobile devices, and the user experience on phones was particularly poor
  • There was no way to assess risk silently -- every transaction required the same cumbersome authentication step, regardless of how clearly legitimate it was

The result was high abandonment rates. Some merchants saw checkout completion drop by as much as twenty to thirty percent when 3DS1 was enabled, leading many to disable it entirely and accept the higher fraud risk.

How 3DS2 Works

3DS2 takes a fundamentally different approach. Instead of interrupting every transaction with a password prompt, it uses a risk-based authentication model that analyses a rich set of data to decide whether the cardholder needs to actively verify their identity, or whether the transaction can be approved silently.

The Frictionless Flow

When a customer makes a payment, 3DS2 sends over 100 data points to the card issuer -- including the device being used, the customer's transaction history, the time of day, the merchant's fraud rate, and much more. The issuer's system analyses this data and, if it determines the risk is low, approves the transaction without asking the customer to do anything additional. The customer may not even realise that authentication happened. This is called the "frictionless flow," and it is the key innovation of 3DS2.

The Challenge Flow

If the issuer determines that additional verification is needed -- because the transaction is high value, the device is unrecognised, or the behaviour is unusual -- it triggers a "challenge." In 3DS2, this challenge is typically handled through the customer's banking app (a push notification asking them to approve the payment) or through a one-time passcode sent via SMS. Unlike 3DS1, the authentication happens within the merchant's checkout experience (through an embedded iframe or an app-based SDK), so the customer is not redirected to a different website.

Why 3DS2 Matters for Businesses

3DS2 addresses the fundamental tension between security and user experience that plagued its predecessor. The business benefits are significant:

  • Lower cart abandonment -- the frictionless flow means many customers complete authentication without any interruption, keeping conversion rates high
  • Reduced fraud liability -- when a transaction is authenticated with 3DS2, the liability for fraudulent chargebacks shifts from the merchant to the card issuer. This means that if a 3DS2-authenticated transaction later turns out to be fraudulent, the merchant does not bear the financial loss
  • PSD2 compliance -- 3DS2 is the primary mechanism for meeting the Strong Customer Authentication (SCA) requirements introduced by PSD2 for online payments. Using 3DS2 ensures your business complies with this regulation
  • Better mobile experience -- 3DS2 was designed with mobile commerce in mind, supporting in-app authentication and a smooth user experience on smartphones and tablets
  • Richer data exchange -- the protocol shares significantly more data between merchants and issuers, leading to better fraud detection and fewer false declines

3DS2 and Telephone Payments

Here is where things get interesting for businesses that take payments over the phone. 3DS2 is designed for electronic, customer-initiated transactions -- primarily online and in-app payments. Telephone payments are classified as MOTO (mail order/telephone order) transactions, and MOTO transactions are exempt from the Strong Customer Authentication requirements of PSD2.

This means that when a customer calls your business and provides their card details over the phone, you do not need to implement 3DS2 authentication for that transaction. The MOTO exemption recognises that it is impractical to perform two-factor authentication during a voice call in the same way you can during an online checkout.

However, this exemption has important implications. Because MOTO transactions are not authenticated with 3DS2, the liability shift does not apply -- the merchant bears the liability for any fraudulent MOTO transactions. This makes it especially important for businesses that take telephone payments to have other fraud prevention measures in place, such as AVS checks, CVV verification, velocity monitoring, and risk scoring.

It also means that the telephone payment channel can be attractive to fraudsters specifically because it lacks the authentication layer that 3DS2 provides for online payments. If your online channel is well-protected by 3DS2, criminals may try to place fraudulent orders by phone instead. Businesses need to be aware of this channel shift and ensure their telephone payment security is solid.

Practical Considerations

If your business takes online payments, 3DS2 is not optional -- it is required for SCA compliance under PSD2 (with some exemptions for low-value and low-risk transactions). Your payment gateway or payment service provider should handle the technical integration, but you should understand a few things:

  • Work with your payment provider to ensure 3DS2 is properly implemented and that you are taking advantage of the frictionless flow where possible
  • Monitor your authentication rates -- track what percentage of transactions go through the frictionless flow versus the challenge flow, and what your authentication success rate is. High challenge rates may indicate that the data you are sending to issuers is insufficient
  • Provide as much data as possible -- the more information you send during the 3DS2 process, the more likely the issuer is to approve the transaction through the frictionless flow. Missing data fields reduce the issuer's confidence and increase the chance of a challenge
  • Test on mobile -- ensure the 3DS2 experience works smoothly on mobile devices, as a growing proportion of online purchases are made on phones
  • Do not neglect telephone payment security -- if 3DS2 is protecting your online channel effectively, make sure your phone channel has equivalent protection through other measures
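
As an added example (not part of the original page and not Paytia's code), the monitoring the list above asks for in Python: the frictionless/challenge split and challenge success rate over constructed 3DS2 outcome records, plus the channel-shift and velocity checks from the telephone-payments section, flagging a card that failed an online challenge and then reappears on the SCA-exempt MOTO channel. The record layout, outcome labels and thresholds are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample attempts (not real data). "outcome" is the 3DS2 result on the
# online channel; MOTO rows carry "none" because that channel is SCA-exempt (no 3DS2).
SAMPLE = [
    {"card": "card-A", "channel": "ecom", "outcome": "frictionless", "ts": 1000},
    {"card": "card-B", "channel": "ecom", "outcome": "frictionless", "ts": 1010},
    {"card": "card-C", "channel": "ecom", "outcome": "challenge_passed", "ts": 1020},
    {"card": "card-D", "channel": "ecom", "outcome": "challenge_failed", "ts": 1030},
    {"card": "card-D", "channel": "moto", "outcome": "none", "ts": 1500},  # phone after failed challenge
    {"card": "card-E", "channel": "ecom", "outcome": "frictionless", "ts": 1600},
    {"card": "card-F", "channel": "moto", "outcome": "none", "ts": 1700},
    {"card": "card-F", "channel": "moto", "outcome": "none", "ts": 1720},
    {"card": "card-F", "channel": "moto", "outcome": "none", "ts": 1740},  # rapid MOTO retries
]

def auth_metrics(records):
    """Frictionless/challenge split and challenge success rate for the online channel."""
    counts = Counter(r["outcome"] for r in records if r["channel"] == "ecom")
    total = sum(counts.values())
    challenged = counts["challenge_passed"] + counts["challenge_failed"]
    return {
        "frictionless_rate": counts["frictionless"] / total if total else 0.0,
        "challenge_rate": challenged / total if total else 0.0,
        "challenge_success_rate": counts["challenge_passed"] / challenged if challenged else 1.0,
    }

def channel_shift_alerts(records, window=3600):
    """Cards that failed a 3DS2 challenge online and then appear on MOTO within `window` seconds."""
    failed_at, alerts = defaultdict(list), []
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["channel"] == "ecom" and r["outcome"] == "challenge_failed":
            failed_at[r["card"]].append(r["ts"])
        elif r["channel"] == "moto" and any(r["ts"] - t <= window for t in failed_at[r["card"]]):
            alerts.append(r["card"])
    return alerts

def moto_velocity_alerts(records, max_attempts=2, window=300):
    """Cards with more than `max_attempts` MOTO attempts in any `window`-second span (sorted sliding window)."""
    by_card = defaultdict(list)
    for r in records:
        if r["channel"] == "moto":
            by_card[r["card"]].append(r["ts"])
    flagged = []
    for card, ts in by_card.items():
        ts.sort()
        if any(ts[i] - ts[i - max_attempts] <= window for i in range(max_attempts, len(ts))):
            flagged.append(card)
    return flagged
```

A high challenge_rate from auth_metrics is the signal the text describes for insufficient data being sent to issuers; the two alert functions feed the "other measures" a phone channel needs in place of the liability shift.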

How Paytia Uses This

Paytia's PCI DSS Level 1 certified platform incorporates 3D Secure 2 as part of its thorough security approach. By processing phone payments through DTMF suppression, Paytia ensures card data is protected at every stage.

Frequently Asked Questions

What is 3D Secure 2?

3D Secure 2 (3DS2) is the current version of the card authentication protocol that adds a verification step to card-not-present transactions, where the cardholder confirms their identity through their banking app or biometrics.

Why is 3D Secure 2 important for PCI DSS?

PCI DSS requires organisations to implement 3D Secure 2 as part of their security controls for protecting cardholder data.

How does Paytia handle 3D Secure 2?

Paytia implements 3D Secure 2 as part of its PCI DSS Level 1 certified infrastructure, ensuring all phone payments are processed securely.
