3D Secure and 3D Secure 2 authentication: A guide

We take a closer look at 3D Secure authentication and the opportunities it can create for your business.

Updated September 2021

Keeping customers secure when they’re paying online is the first rule of ecommerce. And with many new ways to pay and new regulations coming to light such as PSD2, it’s vital to understand customer authentication beyond the regulatory standards.

In this article we're going to take a closer look at 3D Secure authentication, exploring the original 3D Secure 1 (3DS1.0.2), the newer 3D Secure 2 (3DS2.1.0 and 3DS2.2.0), and the opportunities it can create for your business.

What is 3D Secure?

Chances are, you've experienced it as a shopper. Before you could finalize a payment, 3DS1 would redirect you to your bank for card authentication, often prompting a password or an SMS (one-time-password). By completing this step successfully, issuing banks, rather than the business you were buying from, became liable to fraudulent chargebacks. It was a consistent security step but not exactly conducive to a smooth shopping experience.

3DS1 lacked native in-app flows and introduced confusing, difficult-to-remember authentication prompts. The result: countless shoppers dropping out of the payment process.

Each region has its own security requirements and legislation, and adoption of the protocol was inconsistent from bank to bank and country to country. This made things especially challenging for businesses with a global footprint.

To combat this, we built Dynamic 3D Secure, which stops fraud and routes payments through 3D Secure when necessary. And while it continues to be effective, it didn't address the underlying issues of the 3DS1 protocol itself.

That's enough of the doom and gloom though, let's explore the opportunity. 3D Secure 2 is here. Well, to be precise - versions 2.1.0 and 2.2.0

3D Secure 2 explained

3DS2 is the improved standard introduced by EMVCo and the major card schemes. It provides a new approach to authentication through a wider range of data, biometric authentication, and an improved online experience, especially for mobile. It addresses many of 3DS1's issues while bringing benefits across a broader set of use cases for businesses worldwide.

Benefits for you and your customers

Let's take a look at some of the benefits 3DS2 can bring to your business:

Increased authorization rates with data sharing

3DS2 allows for better risk-based analysis, all within your native shopper flow. The combination of certified SDKs and iframes in the checkout flow, paired with data-sharing APIs, makes it the data conduit between businesses and banks. Over 100 potential data points are shared, meaning better risk decisions drawn from the information you and card issuers know about your mutual customers. And as we all know, the more information you have to support authentication cases, the higher the chances of a successful transaction.

You can increase authorization rates with no perceivable change to the checkout flow. Our Authentication Engine guides you when regulatory requirements such as PSD2 enter the equation. This is interesting for businesses that don't require 3DS2 for fraud prevention alone. For example, you might have low fraud rates, so you'll instead benefit from authorization uplift. Meanwhile, the seamless checkout flow your customers enjoy remains unchanged.

Enhanced authentication experiences

Passive - The SDK and servers exchange all necessary information in the background. The customer sees nothing.

3DS 2.0 passive authentication

Two-Factor - The user receives a request to provide two-factor authentication. Typically by an SMS code and a password.

3DS 2.0 two-factor authentication

Biometric - The SDK facilitates an app switch to the issuing bank's app. The user can use their fingerprint or face for authentication.

3DS 2.0 biometric authentication

More authentication flows and consumer choice means increased security while reducing drop-off rates seen in older solutions based on static passwords. What's more, our 3DS2 SDK will help you quickly build these authentication flows natively.

They also offer more flexibility so banks can continue to innovate, making it simple and more secure. It's excellent news for businesses in higher-risk industries that already use 3D Secure. It's also a plus for those operating in regions introducing new requirements, like the aforementioned PSD2 in Europe.

Managed compliance with Dynamic 3D Secure

We'll be the first to admit that the EU PSD2 SCA regulatory frameworks can be confusing. Global enterprise businesses will be looking for solutions to identify which transactions require authentication and which don't. In 2019 it became even more complex with shifting timelines and delivery roadmaps from different EU countries.

Our solution can play a key role in managing PSD2 compliance on your behalf. We'll take care of triggering the PSD2 and SCA exceptions automatically when applicable so you can focus on your core business. These compliance rules will work together with other Dynamic 3DS rules, targeting fraud-prevention and performance optimization to make sure that you're always using 3DS when it makes sense and avoiding it when it doesn't. Below you'll see how it works:

Dynamic 3D Secure flow

Integration with our solution works with any partner that follows 3DS2 specifications. This way, businesses can have their authentication solution in one place, while keeping the flexibility and freedom around which partners they choose.

Setting up 3DS2

When setting up 3DS2, there are two core components of the integration to consider: the frontend libraries and the 3D Secure server.

The job of the SDK is to securely collect and transmit device information and display authentication flows. As a result, there is a strict certification process on these libraries with EMVCo and the schemes. Adyen takes care of this. SDKs were not a component of 3DS1 so businesses migrating from 1 to 2 will need to introduce them into their frontend payment flows.

The 3DS2 SDKs work together with our 3D Secure server (3DSS) to exchange information and request authentication. You can see more information on how these calls work in our documentation.

3DS 2.0 - Architectural overview

See our libraries on GitHub

When does 3D Secure 2 become mandatory?

The biggest driver for businesses and issuing banks to implement 3DS2 is the enforcement of Strong Customer Authentication (SCA) requirements under PSD2. As PSD2 is enforced by issuers across Europe, SCA is becoming a key element to accept payments in the region. You can rest assured that we'll continue to build and release the latest 3DS2 versions. As of publication, the latest update is 3DS2.2.

As for the rest of the world, both Brazil and Australia have SCA mandates in place which will encourage the adoption of 3D Secure 2.

Prepare for Strong Customer Authentication with 3DS2

The biggest driver for business and issuing banks to implement 3DS2 is the upcoming enforcement of Strong Customer Authentication (SCA) requirements under PSD2. Many EU national regulators have indicated that they expect to be live by 31 December 2020. For us, we continue to build and release to the latest 3DS2 versions (currently at 2.2) so you get the best performance and innovations.

As for the rest of the world, both Brazil and Australia have mandates in place which will encourage the adoption of 3D Secure 2 .

Recommended reading:


Sign up for the newsletter

By submitting this form, you acknowledge that you have reviewed the terms of our Privacy Statement and consent to the use of data in accordance therewith.


Are you looking for test card numbers?

Would you like to contact support?