What Is 3D Secure Authentication and How Does it Work?

3d secure 1

There was a time when people could only buy and sell physical products face-to-face. But the world evolved with the internet, causing businesses to take their goods and services online. As a result, there are millions of e-commerce websites globally, between 12 to 24 million.

In 2020, over two billion people worldwide purchased goods or services online. The more people turn to online stores for their needs, the more sellers must find ways to protect their buyers. This is because e-commerce transactions do not require physical cards as traditional stores do, making them prone to a higher risk of card fraud and false payments by fraudulent customers.

Thankfully, technological advancements provided ways for e-commerce establishments, debit and credit card companies, and financial institutions to offer protection to their clients and also keep themselves from becoming victims of fraud. This is where 3D Secure (3-domain structure or 3DS) authentication comes in. It is a security protocol merchants and financial institutions utilize to authenticate users.

3DS provides additional online payment protection without a physical credit or debit card. It was created by Visa and MasterCard, leading to the tags Verified by Visa and MasterCard SecureCode.

3D Secure meets the requirements of the European Union’s (EU) Strong Customer Authentication Regulations. 3DS is optional in some countries outside Europe and the EU, but it is a valuable tool for improving security to reduce fraud, chargeback, identity theft, and other illegal acts.

How 3D Secure Works

When 3DS was introduced, it was not user-friendly. For instance, some people could not see the authentication page on their phones or PCs, and there were compatibility problems. Thankfully, all that is in the past with introducing of a Soft Development Kit (SDK) feature.

It allowed effective integration with the mobile applications used by online shopping sites, especially with the introduction of 3D Secure 2. The 3DS 2 required users to use two-factor authentication.

As such, you have to provide two pieces of information. It could be something you are (your fingerprint), something you have (a phone), or something you know (your password). But how does 3D Secure work?


Here’s how the security system functions whether you are using a phone or web browser:

1️⃣ First, you will provide your credit or debit card details.
2️⃣ Second, the seller connects with a directory server belonging to the card issuer to determine whether the card is registered for 3DS.
3️⃣ Third, the 3D Secure authentication page allows you to verify your identity with the bank that issued the card by providing a one-time pin, code, or password.
4️⃣ Fourth, the authentication result goes to the merchant, who sends the transaction information to the acquiring bank.
5️⃣ Fifth, the acquiring bank approves the transaction, and you can see whether it was successful or failed.

The beautiful thing about the upgraded 3DS is that customers ditched carts less. Before the upgrade, people had to go to the issuing bank’s website to certify a transaction. It was cumbersome and discouraged many online shoppers.

But with the 3DS version presented in 2015, e-commerce retailers can send the information for authentication alongside that of the card to confirm the validity of a transaction. If the data conflicts or the customer uses an unknown device, they will get a text or verification code through an app to confirm they authorized the transaction. This improves the user experience, a win-win for merchants and card issuers.

Advantages of 3D Secure

Using 3D Secure for your website as a merchant is pretty advantageous. But cardholders also benefit from it. Below, we listed some benefits users, and business owners enjoy.

βœ”οΈ Frictionless Flow

As mentioned, carrying out transactions before 3DS was cumbersome, as customers got redirected to the issuing bank’s website to verify their information. 3D Secure removed this requirement by allowing people to perform risk-based verifications in the access control server. As a result, you don’t have to deal with pop-up sites or remember passwords, increasing the flow and ease of payments.

βœ”οΈ Non-Payment Authentication

There are several uses of 3D Secure outside of online payments. For example, due to the non-payment authentication feature, you can get verified without buying a product. In addition, this element of the 3DS security protocol makes it easy to add a credit or debit card to e-wallets; it is charge-free.

βœ”οΈ Native Mobile Integration

Most online shopping happens on a mobile phone. Statista projects that 2022 mobile retail e-commerce sales in the United States will surpass 430 billion U.S. dollars, an almost twofold growth since 2019.

So, it’s not surprising that 3D Secure has a mobile SDK element. With it, online business owners can natively combine the 3DS process with mobile apps, improving the user experience during checkout.

βœ”οΈ Liability Shift

Having strong customer authentication means being able to shift liability for every successfully confirmed payment. Based on the 3DS rules, fault moves from the business owner to the card issuer if the card owner complains of a fraudulent transaction or chargeback.

βœ”οΈ No Extra Cost

Another benefit of 3D Secure is no extra cost for validating your card. However, note that this largely depends on the used payment gateway.

βœ”οΈ Easy to Set Up and Control

Setting up and controlling 3DS security is pretty easy, and merchants can instantly add custom rules to verify cards with 3DS registration.

Disadvantages of 3D Secure

It is not all sunshine and rainbows when using 3DS; some drawbacks exist. Here are the two most common limitations of using this security protocol:

ℹ️ Information

Most people are unaware of how 3D Secure works or what it is. As a result, many fail to authenticate transactions. Therefore, card issuers, financial institutions, and retailers must educate customers on the usefulness and importance of  3DS in protecting the usage of their cards for fraudulent transactions.

❌ Lack of Recognition

Another downside of 3D Secure is that consumers who want to use MasterCards on 3DS-compliant e-commerce websites cannot recognize them. This is mainly because 3DS requests are hidden with small icons or at the bottom of the checkout page.

How to Activate 3D Secure Visa

With 3D Secure Visa card protections, cardholders can shop online with less risk of fraud. If you own a Visa card, you can ask for a password known only to you to use to make purchases. The unique password lets the bank know you are using the card for payment and not a third party.

So, how do you activate the 3DS security support provided by Visa?

The financial institution issuing the Visa card activates 3DS. They do this immediately after you get the Visa card and ask for 3D Secure. Once activated, the software protects your data whenever you use it at a participating e-commerce shop.

Secondly, you will get a one-time password from the bank or create one yourself. This password confirms that you are the cardholder and input it in a separate window when buying online.

Thirdly, you will receive a 3D Secure code to complete your transaction after entering the password. Also, Visa will verify your entries, and the purchase will go through if everything checks out.

Disputed Payments and Liability Shift

When a fraudster uses a card or the cardholder buys a product but does not receive it, the person will dispute the transaction with their bank and the seller. When this happens, the issue of liability comes up. So the question becomes who bears liability: the cardholder, the card providers, or the merchant.

Generally, every payment verified with 3DS is protected by a liability shift. When the cardholder contests an expense, the fault shifts to the body that issued the card. Liability shift applies to card schemes, including MasterCard, Visa, UnionPay, JCB, American Express, etc.

If you use Stripe, the rules of liability shift also apply. Note that the transaction must have been successfully authenticated for the regulation to apply, and it does not support recurring transactions.

Aside from payment authentication, another example where liability shift arises is when 3DS is unavailable for a card network that needs it. This common problem occurs when a lousy internet connection affects the 3D Secure server or the card issuer does not support the network.

As a result, the cardholder will not get a prompt to conduct 3DS authentication because their card is not registered. Furthermore, liability shift does not affect every industry. For instance, Visa does not provide liability shifts for businesses that conduct wire transfers or take money orders.

Finally, as a cardholder, you cannot dispute successfully authenticated payments. Instead, the card issuer will start an inquiry with the merchant to get information about the transaction. If the business owner fails to provide the data needed, the issuer can ask for a no-reply chargeback.

Chargeback Liability of 3D Secure

If a cardholder does not recognize a transaction on their account or does not get the product they purchased, it will give rise to a chargeback dispute and liability. As mentioned, the liability shift for fraudulent transactions lies with the card issuer. It means that they cannot automatically initiate chargeback proceedings against the merchant.

As a result, a retailer has protection from misleading chargebacks. In addition, the 3DS rules allow card issuers to communicate with the seller to request evidence after the customer raises a dispute. After reviewing the submitted evidence, the bank’s decision may favour the merchant or the cardholder.

If the decision favours the seller, you can raise a second chargeback. Once you do, the merchant will provide additional supporting proof. For each chargeback raised, you might pay an admin fee to the acquiring bank, which is non-refundable.

Again, if the merchant fails to respond to the request for evidence, the issuing bank can commence a financial chargeback. A retailer can only avoid this by providing all the relevant details. Usually, the information covers what the customer bought, when and delivery occurred, the recipient of the product, and whether the person bought digital or physical goods or services.


As the name implies, the 3-domain structure is divided into three: the card issuer, the retailer or acquirer, who gets the payment, and the 3D Secure infrastructure platform. The latter is the secure in-between for the customer and the merchant.

However, the 3-domain structure has certain restrictions. The most common ones include the following:

Not All Cards Participate in the Program

Some cards are not part of the authentication payment scheme. For example, 3DS works with Visa and MasterCard, JCB, and American Express cards.

Similarly, not all sellers’ websites are 3DS compliant. For example, a complaint site has Verified by Visa and Mastercard SecureCode logos.

It Does Not Restrict Chargebacks

Although 3D Secure reduces the incidences of chargebacks, users might still experience them. This is because there is no assured liability shift, and sellers must confirm the terms of a liability shift from their bank.

Displaying the 3D Secure Flow

When using 3DS, the authentication user interface (U.I.) appears in a pop-up mode. For example, you’d see ‘confirm card payment’ and ‘handle card action.’ You might have to utilize an iframe or get redirected to the bank’s website if you don’t see the pop-up.

It is noteworthy that during 3DS authentication, most payment platforms gather basic device information. Then, they send the data to the issuing bank to analyze risks.

The following are the two ways of displaying the 3DS flow:

Redirect to the Bank’s Website

Customers are redirected to the 3D Secure authentication page using the ‘return_url.’ The seller sends ‘return_url’ to PaymentIntent when confirming the purchase on their server. It is also possible to send ‘return_url’ when designing the PaymentIntent.

After the customer confirms the purchase action, the PaymentIntent might display a ‘requires_action’ message. If this happens, the merchant will check the PaymentIntent’ next_action’ for a ‘redirect_to_url.’ The latter means the transaction needs 3DS authentication.

The redirect URL sends the customer to the authentication page, where they complete the verification process. Afterwards, the buyer will return to the page where they will complete the transaction.

Display in an iframe

Online business owners do not constantly develop the authentication U.I. to match their website design. Instead, the card issuer controls the fonts and the colours users see. However, the merchant can decide when and how the 3DS U.I. will appear.

Generally, this could be in the modal dialogue above the payment page. Merchants who own their modal component can use it for the 3DS frame. The authentication can also appear alongside the payment format.

Here’s how the display in the iframe works.

Confirm the PaymentIntent

For a customer to conclude a buy, the merchant must verify the PaymentIntent. This kicks off the payment process. Then, the seller controls the 3D Secure display by providing a ‘return_url’ redirecting the buyer once they finish the authentication process.

Furthermore, if your site has a content security policy as a merchant, review the iframe from the card issuer and the origin of the ‘return_url’ to see if they both have permission.

Check the PaymentIntent Status

The next step for the merchant is checking the ‘status’ property of the verified PaymentIntent to see if there was a successful payment.

Render the 3D Secure iframe.

Sometimes, the payment does not instantly go through. Instead, the ‘status’ property requires more action before the buyer can finish the transaction. For example, if the PaymentIntent status is ‘requires-action,’ the customer will get redirected to the authentication page.

In such an instance, the payload has an URL the merchant must open in an iframe for the 3DS page to appear. If the seller is using 3DS 2, the issuing bank will support the 3D Secure content with a full screen or one of the following sizes:

●   250×400

●   390×400

●   500×600

●   600×400

The user interface of the 3DS is potentially better when the iframe is accessed with any of these sizes.

Handle the Redirect

Finally, after the buyer completes the 3DS authentication, the iframe sends them back to the page where they confirm the PaymentIntent. The merchant’s top-level page gets a message that shows the completion of the 3D Secure authentication. In addition, the top-level page shows if the payment was successful or if the customer needs to perform more actions.

Costs for 3D Secure 2

There is no fixed cost for 3DS; the amount usually depends on the payment service provider (PSP) and the transaction magnitude. However, expect the 3D Secure 2 to cost between $.10 and $.30 for each purchase, but Stripe does not have an extra charge for 3DS.

What Cards Can Be Accepted Through 3D Secure?

3DS is primarily used by Visa and MasterCard holders. When broken down, this covers the following:

●   Visa Delta

●   MasterCard Debit

●   International Maestro

●   UK Maestro

●   Visa Electron

Testing the 3D Secure Flow

Merchants can test the 3D Secure to check for any authentication challenge. But first, they must integrate the test API keys for the authentication process to show the mock verification page.

The seller can either deny or approve a payment on the authentication page. An approval means the customer had a successful verification. If the seller clicks the failure icon, the authentication will be unsuccessful.

Controlling When to Present the 3D Secure Flow

Some websites or payment gateways automatically trigger 3D Secure if required by law or a mandate like Strong Customer Authentication. Also, merchants can use APIs or Radar rules to manage when to ask customers to conduct 3D Secure authentication.

Usually, they decide which user to ask for 3DS verification based on laid down parameters. Also, tracking if 3D Secure was attempted on a card is possible by reading the ‘three_d_secure’ property on the card data in the ‘payment_method_details.’

Aside from the above, there are other ways to control when to present the 3DS flow. Here are the two standard options.

Use Radar Rules in the Dashboard

Some payment platforms like Stripe have three default rules for demanding 3D Secure when making or verifying a PaymentIntent or SetupIntent. In addition, you can disable the default guidelines and create custom rules. Finally, if you use Radar for Fraud Teams, the software will only demand authentication for transactions conforming to the regulations.

Manually Request 3D Secure With the API

Here, the merchant can activate 3D Secure using Radar to demand 3DS authentication based on the user’s risk level and other requirements. Manual activation of 3D Secure is for advanced users integrating a payment gateway with their fraud engine.

To do this, the merchant has to set ‘payment_method_options(card)’ ‘request_three_d_secure’ to ‘any’ when making or verifying a PaymentIntent or SetupIntent. Finally, by providing this parameter, the payment gateway will conduct the 3D Secure and override the Radar rules on PaymentIntent or SetupIntent.


What is a Mastercard SecureCode?

A MasterCard SecureCode (MCS) is a code you use once. It protects a cardholder when buying online, and they must present it to verify their identity before checkout. The cardholder gets the code through an SMS on their mobile phone.

How does 3D Secure protection work?

3DS protects cardholders when shopping online with their credit cards. Generally, 3D Secure is activated if the card issuer suspects a transaction might be fraudulent. If this happens, they redirect the cardholder to a 3D Secure page for verification. The cardholder will provide a PIN or password to authenticate the purchase.

What available 3DS platforms are there?

The two prominent 3DS platforms are Visa Secure and MasterCard SecureCode. There are others like JCB and America Express. These platforms use 3D Secure technology to protect cardholders from counterfeit transactions, chargebacks, and fraud.

How do I get my Mastercard SecureCode?

You will get the MasterCard SecureCode when there is a prompt to authenticate a purchase at the checkout point. Note that you cannot use the code more than once and can only receive it via an SMS, not an email.

How do I know if a merchant is 3D Secure?

If you want to know whether an e-commerce merchant has 3DS protection, check their website, usually on top of the payment page, to see if it has the logos for MasterCard SecureCode or Verified by Visa.

We will be happy to meet and discuss your business case and how we can help.
Please feel free to contact us here.
We’re here to assist you.

Please, improve your experience!

You’re using an unsupported web browser. As Wallester supports the latest versions, we highly recommend you use an up-to-date version of one of these browsers: