Understanding 3D Secure and 3D Secure 2

Get to grips with 3D Secure authentication methods and explore how 3D Secure 2 can help your business

Spider-Man’s Peter Parker Principle states that ‘with great power comes great responsibility’. The triarchy of payment systems (American Express, Mastercard, and Visa) certainly holds a lot of power, and they take their responsibilities seriously. In 1999, led by Visa, they decided to improve the security of internet payments with 3D Secure.

This article will walk you through everything you need to know about 3D Secure and explain why you need to care. You’ll learn:

  • What 3D Secure is
  • Why 3D Secure matters
  • The difference between 3DS1 and 3DS2
  • The benefits of Dynamic 3D Secure
  • How to implement 3D Secure 2

What is 3D Secure?

Traditionally, 3D Secure was that additional authentication step where a customer is directed to a page hosted by their bank. They’d enter a code or trigger an SMS to complete the purchase and were then redirected back to the merchant’s site. Things have moved on since then, which we’ll explore below.

Which card schemes support 3D Secure?

3D Secure is supported by most of the major schemes including Visa, Mastercard, Amex, Discover, JCB, and UnionPay.

Why is 3D Secure important?

3D Secure has always been a powerful means for helping prevent fraud. But now, with PSD2 ramping up the authentication standards enforced by issuers in the EU, 3D Secure is essential. Note: There are some exemption categories.

When does 3D Secure become mandatory?

In the UK, the PSD2 deadline is currently March 2022. You can learn more about PSD2 timelines and other regional nuances here.

3D Secure 1: A history lesson

The first iteration of 3D Secure was the redirect to Verified-by-Visa or Mastercard SecureCode. Over the years, it’s helped make online shopping much safer and reduced fraudulent chargebacks. But, like any new protocol, it’s had a mixed reception.

The good

Before 3D Secure, an online payment process looked like this:

Illustration of traditional payment flow

Issuers could still run a check on the card’s three-digit CVC and the shopper’s address, but these checks were weak and tended to rely on information fraudsters had access to. So, if the card was stolen, fraudsters could run riot. 3D Secure brought the issuer into the process by hosting the authorisation on their domain. So, as well as keeping fraudsters in check, 3D Secure has the added benefit of shifting the liability from the seller to the card issuer.

The bad

Every region has different security requirements and legislation, which meant the adoption of 3D Secure varied hugely by country and industry. In one year, for example, 34% of small and medium merchants used 3D Secure whereas only 12% of large merchants did. In the Netherlands, adoption was almost 90%, while in the US, it was only 3%. This was confusing and far from watertight.

The ugly

Cardholders hated it. The extra step in the process was clunky, and no one could ever remember their 3D Secure code. Consequently, 3D Secure was quickly dubbed the ‘conversion-killer’. Plus, the simplistic web pages were easy to copy, and customers couldn’t tell the difference between a legitimate 3D Secure authorisation page and a phishing site.

Enter 3D Secure 2.0

3D Secure 2 (3DS2) brings a new approach to authentication with a wider range of data points, biometric authentication, and an improved experience (optimised for mobile). It not only addresses the many issues of 3D Secure 1, it brings a whole host of new benefits.

Better experiences

With 3DS2, device information is enough to authenticate a customer and in most cases authentication is ‘passive’ with all necessary information exchanged in the background.

Passive 3D Secure authentication

Example of passive authentication

However, some transactions are higher risk, or are subject to regulations like PSD2. In this case, the issuer may choose to ramp up the authentication. This comes in several forms, for example:

Two-Factor - The user is asked to provide a two-factor authentication code sent via email or SMS.

Illustration of 3D Secure two-factor authentication

Two-factor authentication

Biometric - An app-switch to an issuing-bank app is facilitated by the SDK. The user can use their fingerprint or face in the issuing bank app.

Illustration of 3D Secure biometric authentication

Biometric authentication

Better authorisation rates

As well as authentication, 3DS2 can also be used as a tool to share up to 100 data points with the issuer. This can be used alongside your risk engine to make better risk decisions and boost authorisation rates.

Managing compliance with Dynamic 3D Secure

Regulatory frameworks like PSD2 can be confusing, especially when different countries have different deadlines. And, if you're operating across several regions, you’ll need to know which transactions fall within regulated areas and which don’t. You’ll also need to know in which regions 3DS2 will help boost your authorisation rates and in which it will damage your conversions.

The best approach is to apply Dynamic 3D Secure. This works in real-time to apply or avoid 3D Secure based on conditions like: payment method, transaction value, and location of the shopper. Below is the flow:

Diagram of Adyen's Dynamic 3D Secure flow

Adyen's Dynamic 3D Secure flow
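A sketch of the kind of rule evaluation described above, as an added example rather than Adyen's code or API. Every name, the region set, and both thresholds are hypothetical values constructed for illustration; the point it shows is first-match ordering and requiring 3D Secure when the shopper's location is unknown rather than silently skipping it.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Constructed sample values (assumptions), not taken from the article or any regulation text.
SCA_REGIONS = {"NL", "DE", "FR", "GB"}   # shopper countries the merchant treats as regulated
LOW_VALUE_LIMIT = 3000                   # minor units; illustrative low-value threshold
HIGH_VALUE_LIMIT = 50000                 # minor units; merchant's own risk threshold
CARD_METHODS = {"visa", "mc", "amex"}    # 3D Secure only applies to card payments

@dataclass(frozen=True)
class Payment:
    method: str                      # payment method, e.g. "visa" or "ideal"
    amount_minor: int                # transaction value in minor units (cents)
    shopper_country: Optional[str]   # None when the location could not be determined

@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[Payment], bool]
    action: str   # "require", "skip" or "exempt_low_value"

# Order matters: the first matching rule wins.
RULES = [
    Rule("non-card", lambda p: p.method not in CARD_METHODS, "skip"),
    # Fail closed: without a location we cannot tell whether the payment is regulated.
    Rule("missing-location", lambda p: p.shopper_country is None, "require"),
    # Ask for an exemption; the issuer can still step up to a challenge.
    Rule("regulated-low-value",
         lambda p: p.shopper_country in SCA_REGIONS and p.amount_minor <= LOW_VALUE_LIMIT,
         "exempt_low_value"),
    Rule("regulated", lambda p: p.shopper_country in SCA_REGIONS, "require"),
    Rule("unregulated-high-value", lambda p: p.amount_minor >= HIGH_VALUE_LIMIT, "require"),
]

def decide(p: Payment) -> Tuple[str, str]:
    """Return (action, name of the rule that fired) for one payment."""
    for rule in RULES:
        if rule.matches(p):
            return rule.action, rule.name
    # Nothing matched: an unregulated, lower-value card payment; skip to protect conversion.
    return "skip", "default"

if __name__ == "__main__":
    for pay in (Payment("visa", 2500, "NL"), Payment("visa", 2500, None),
                Payment("mc", 4000, "US")):
        print(pay, "->", decide(pay))
```

Returning the rule name alongside the action gives an audit trail for why a given payment was or was not sent through 3D Secure.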

How to implement 3D Secure 2 with Adyen

Our Authentication Engine can help you build authentication flows natively into your apps and will automatically apply the correct authentication to comply with regulations such as PSD2.

The technical bit

When setting up 3DS2, there are two core components of the integration to consider: the front-end SDK and the 3D Secure server.

The job of the SDK is to securely collect and transmit device information and display authentication flows. As a result there is a strict certification process on these libraries with EMVCo and the Schemes, which we’ll take care of. The SDKs weren’t a component of 3DS1 so, if you’re migrating from 1 to 2, you’ll need to introduce them into your frontend payment flows.

The 3DS2 SDK works together with our 3D Secure server (3DSS) to exchange information and request authentication. You can see more information on how these calls work in our documentation.

Illustration of Adyen's 3DS SDK flow

Adyen's 3DS SDK flow

See our libraries on GitHub

Curious to learn more?

If you have any questions about anything you’ve read in this article, or would like to explore how we can help you get set up with 3D Secure 2, we’d love to hear from you.


