Understanding 3D Secure: safeguarding your online transactions

Understanding 3D Secure: safeguarding your online transactions

The article was last updated on 26 April, 2024

The 3D Secure step of payment verification is a crucial fraud protection tool when it comes to online payments. Today, the Genome team will explain how it works, when and why it was established, and how to have it on the eCommerce website.

What is 3D Secure?

So, what is 3D Secure? Also known as 3DS, it is a security protocol created to improve the safety of card-not-present (CNP) transactions during online payments. Its main goal is to increase security via payment authentication by confirming the identities of cardholders. It does so by requesting additional authentication from people when they make purchases online. 

3DS was first developed in 1999 for the Visa card network. In 2001, the card brand started to use the protocol during e-purchases using the new branding name, such as Verified by Visa, which later became Visa Secure. Today, it has become a key authentication method during the payment process.

Later on, these services were adopted as well by other brands:

Card network or card brand3D Secure service name
VisaVisa Secure
American ExpressAmerican Express SafeKey
JCB InternationalJ/Secure

If you are a company that wants to work within the European Economic Area, the implementation of 3DS should be on your agenda to authenticate cardholders. 3DS is very helpful when it comes to following the EU’s Strong Customer Authentication requirements, as the protocol offers the necessary tools to verify clients’ identity. 

How 3D Secure authentication works

The entities involved

The “3D” mentioned in the term derives from the three-domain model. This model represents the main entities involved in the 3D secure authentication process. These three domains are: 

  • The merchant domain to which funds are paid. Basically, it is a site or an app of a store/service provider where people look for products and services and initiate purchases.   
  • The issuer domain represents a card issuer that provides a payment card to an individual. Such entities are banks, payment service providers, or other financial institutions that provide individuals and companies with credit and debit cards.
  • The compatibility domain, aka interoperability domain, contains the infrastructure established by the card scheme, credit and debit cards, etc., to enable the 3D secure authentication process with a business and a card issuer involved.

The 3D Secure authentication process

Now that we know what the domains represent, we want to describe how the authentication happens during online card payments. 

Here’s an example: Bob is looking for a new pair of sneakers. He goes to the shoe store site, chooses the pair he likes, and goes to the checkout to complete the online purchase. 

3DS will be able to authenticate him once he makes the online payment on the checkout page. So, Bill inputs his details and shipping data on the company’s website, clicks the “pay” button, and, after that, he is redirected to the 3D Secure verification.

Normally, it looks like a new web page with the form that includes the amount to pay, the issuer bank logo, a card network logo, an empty form to be filled in, and a “submit” button. The design of the 3DS form does not depend on a company but on the bank issuer.

The form would require Bob to enter a password or a one-time code that is sent to a personal device such as a smartphone. Sometimes, the process takes place in the banking application. 

Once Bob verifies his identity, the payment proceeds, and he can complete the online purchase.

Benefits of 3D Secure for consumers and merchants

Although not as widely talked about as other banking solutions, 3DS plays an important role by providing an extra layer of protection to both businesses and clients. 

Enhanced security measures against fraudulent transactions

Security is, of course, the most obvious advantage. By checking and confirming the real cardholder during the transaction, the protocol significantly reduces the risk of unauthorized payments, fraudulent activity and phishing scams. Overall, it’s an added security step for both parties.

Boosting consumer confidence in online shopping

As we mentioned previously, 3D Secure is a must for companies that operate in the EU. It is an industry standard now, and when you have 3DS on your website, it shows your clients that they will be secure during online purchases. 

Reduced transaction costs for merchants

When we are talking about an additional layer of protection for merchants, it directly correlates with chargeback protection. Fraud in e-commerce is, unfortunately, pretty common, and 3D Secure is just an additional step to protect your company from it.

Improved approval rates for transactions

Last but not least, 3DS can increase the likelihood of transaction approvals. Of course, it can be tricky to achieve at first, but once a business optimizes all the processes, it will create a smoother and more seamless experience for customers. In turn, this will lead to higher conversion rates and better client experience.

The Evolution of 3D Secure: From 1.0 to 2.0

Businesses currently use the 2.0 version of 3DS, as support for version 1.0 was discontinued in late 2022. The new version of the protocol has definitely improved its overall performance and usability compared to the previous one. Let’s compare the two. 

3D Secure 1.0

3DS version 1.0 was introduced 25 years ago in an impressive fit to improve clients’ safety and prevent fraudulent transactions. But, to be honest, it was pretty limited compared to its modern counterpart. 

First of all, the old version was only available for site versions of e-shops. Thus, businesses that sold merchandise via apps weren’t covered.

Another issue is that client authentication was performed using static (reusable) passwords. Customers had to remember their password for specific websites, which, of course, led to frustration and rising cart abandonment rates. 

Last but not least, there were instances where 3DS 1.0 was unable to handle big transaction volumes, disrupting the stability of payment processing operations. 

3D Secure 2.0

Now, to the updated version. 3D Secure 2.0. was implemented in 2016, taking into account the complaints businesses and financial institutions had. Moreover, it was very much tuned to the upcoming rules of the EU’s Strong Customer Authentication, which we mentioned earlier. 

The issue with mobile app compatibility was finally addressed. Businesses that choose to trade using mobile applications gained access to 3DS authentication. 

Another important update was made to the process itself. Static passwords are gone now, replaced by far more convenient one-time passwords and biometric authentication to confirm the cardholder’s identity. 

The new protocol version also became more effective in detecting fraud, as it adopted fraud and risk assessment tools to better analyze additional data points per transaction. Now, 3DS is able to better protect a customer from criminals.

Implementing 3D secure in e-commerce transactions

If your e-commerce website requires 3DS to enhance the protection and safety of your clients, as well as comply with existing regulations, it is not that difficult to organize. 

  1. The easiest way to implement 3D Secure on your website is to partner with a financial solution that offers the protocol and completely handles its integration on the client’s website or application. 
  2. If your company is high-risk, make sure that you select a financial institution that can work with your particular industry. Inquire about a merchant account and if it comes with 3DS and other perks you require.
  3. If such an option is not available, your team might need to work with code and install additional plugins, APIs, or SDKs for 3DS to work properly. Additionally, you might need to configure the work of the protocol by setting up specific parameters within the account according to your needs.
  4. Once the 3DS is implemented on a technical level – either by the company or their bank – it is time to start testing how it works. You want to ensure that you can authenticate clients without disrupting any processes and stay secure. 
  5. When the tests are completed, we advise you to inform your existing clients of the changes and also provide some blogs or other educational materials to explain why using 3DS is crucial for their security. 
  6. The company will also need to monitor the work of the 3D Secure service and watch out for the implementation of new regulations that will require an update of the existing protocol. 

Also, if you are looking for a business account to grow your company, try Genome. Our electronic money institution has everything you need for your corporate financial operations – from a multi-currency account and dedicated IBANs to batch SEPA transfers and physical/virtual corporate cards

Common Challenges and Solutions with 3D Secure

No system is perfect, the same goes for the 3DS protocol. Some clients still encounter transaction delays due to additional authentication steps. This can be frustrating and lead to cart abandonment situations. This, however, is the price of secure transactions.

To handle such risks, a company needs to develop a strategy on how to optimize its checkout flow, providing clear instructions to clients and minimizing redirects. It also needs to learn the whole checkout process to figure out where the potential delays can happen, how often they occur, and what can be done about it.  

Future of 3D secure and online payment security

3DS usage is on the rise in Europe as more and more companies try to adhere to the regulations and the requirements of card issuers. And, as there are plans to revise the current Payment Services Directive, the protocol also may undergo some updates to adhere to it. 

Moreover, the demand for 3D Secure services will only increase, as more regulations will be enforced to better protect customers. According to the report published by Allied Market Research, the global 3DS pay authentication industry is expected to generate $3,96 billion by 2032. In comparison, in 2022, this figure was $1,29 billion. 

3D Secure: key takeaways

At the end of the day, 3D Secure adds an extra layer of security to online transactions, reducing the risk of fraud and protecting sensitive cardholder data. Customers benefit from enhanced security and peace of mind, while companies safeguard their businesses from unauthorized transactions and chargebacks. 


What exactly does 3D Secure stand for?

It stands for three domains, which represent the participants of the 3DS authentication process: the company that sells products (merchant domain), the bank that issued the card to a consumer aka a card issuer (issuer domain), and the intermediaries, that provide the necessary infrastructure to enable the successful authentication process between a card issuer and a company.    

Is 3D Secure required for all online transactions?

The use of 3DS is not mandatory worldwide, as different countries and regions are not on the same page when it comes to regulations on client authentication. However, in places where companies are required to implement the secondary authentication of customers, the protocol is widely adopted. The best example is the EU, where the Strong Customer Authentication rules led to many businesses implementing 3DS on their websites. 

Does 3D Secure add extra steps to the checkout process?

Yes, it does. After filling out the card details, clients are redirected to a page where they must pass the additional verification step. Usually, they need to enter a one-time code or answer security questions. Once the process is complete, they can proceed with the transaction. Although it may take an additional minute or two, the authentication is important to confirm the cardholder’s identity and reduce fraudulent cases during online card transactions.   

How can I tell if a website uses 3D Secure?

The first sign that indicates that a company uses 3DS is a logo of a supported authentication method, such as “Verified by Visa” from Visa Secure, or “Mastercard SecureCode” on its website. And, of course, if you’re asked to verify your purchase with a one-time password, you are taking part in the 3DS authentication process. 

What should I do if my 3D Secure authentication fails?

You first need to check if you have entered the correct card details and an OTP and try again. The issues can also be caused by poor internet connection or technical problems on the store’s websites. Finally, if nothing helps, contact the bank that has issued your bank card so that they can help you deal with the issue.