3D Secure (3DS) was created to enhance online transaction security, giving merchants and consumers another layer of protection against fraud.
While the effectiveness of 3DS in reducing fraud is widely acknowledged, the challenge remains in optimizing its application to avoid any detrimental impact on conversion rates and the customer experience.
As 3DS evolves to address new payment channels, shifting consumer behaviors, and emerging threats, merchants need to stay informed about how to implement and leverage 3DS strategically.
With the right approach, it’s possible to strike the optimal balance between fraud prevention and a seamless, friction-free customer journey.
This article explores 3D Secure, covering its benefits, potential challenges, and strategies for optimizing your 3DS processes.
In this article:
- What you need to know about 3D Secure
- How does the 3DS authentication flow work?
- What benefits does 3D Secure offer merchants?
- How Primer helps merchants optimize their 3DS strategy
- How Ferryhopper uses Primer 3DS to increase conversion rates and prevent declines
What you need to know about 3D Secure
The growth in online payments has led to a significant rise in payment card fraud—projected to cost merchants an estimated $38.5 billion by 2027. To counteract this trend, 3DS was developed to enhance the security of online credit and debit card transactions.
3D Secure requires cardholders to authenticate their purchases during checkout, typically through their banking application on their mobile device or by entering a One-Time Passcode (OTP).
The implementation of 3DS has proven effective; studies indicate it can reduce unauthorized or fraudulent card-not-present transactions by up to 40% while enabling approval for 95% of legitimate transactions.
Estimates also suggest that 3DS has saved European merchants around €900 million worth of fraud annually.
Why is it called 3D Secure?
3D Secure gets its name from the three domains that interact during the authentication process.
Issuer Domain
The Issuer Domain refers to the bank or financial institution that issued the cardholder’s credit or debit card. Its role is to authenticate the cardholder’s identity during an online transaction.
Acquirer Domain
The Acquirer Domain represents the merchant’s bank or payment service provider, which processes payments on the merchant’s behalf. This domain communicates with the issuer to confirm the transaction’s validity.
Interoperability Domain
The Interoperability Domain serves as the infrastructure that facilitates communication between the Issuer and Acquirer Domains. It standardizes the 3DS process, ensuring seamless interoperability across banks and merchants.
Are customers aware of 3DS?
Consumers who are asked to authenticate a transaction are using 3DS, though they may not recognize it by that name. Card networks deploy 3DS under their own branded terms to reassure cardholders that the authentication request is from a trusted source.
Names consumers may be more familiar with are:
- Visa Secure (formerly Verified by Visa)
- JCB J/Secure
- Discover ProtectBuy
- Mastercard Identity Check
- American Express SafeKey
Consumer awareness of 3DS and its branded versions has been growing, particularly in regions where its use is mandatory, such as Europe. However, this wasn’t always the case. During early implementation in Europe, 3DS led to conversion rate drops of up to 50% in certain countries due to unfamiliarity and friction in the checkout process.
This is an important insight for merchants operating in regions where 3DS isn’t mandatory, as a lack of consumer knowledge about the authentication flow may lead to higher cart abandonment rates.
How does the 3DS authentication flow work?
The 3DS authentication flow typically involves four steps:
- Cardholder enters payment details: The cardholder provides their payment details for an online purchase. The transaction may require 3DS authentication due to regulatory mandates (e.g., PSD2 in Europe) or risk assessments from the merchant or issuer.
- Redirect to issuer: The cardholder is redirected to their issuing bank’s authentication platform, often within the bank’s app.
- User authentication: The cardholder authenticates using the bank’s chosen method, which may include approving the transaction within the bank’s app, entering an OTP sent via SMS/email, or answering a security question.
- Transaction confirmed or declined: If authentication is successful, the issuer decides whether to authorize the transaction based on additional risk assessments. If unsuccessful, the transaction may be declined, and the cardholder may be advised to contact their bank for further assistance.
Should 3DS be applied to all online payments?
3D Secure is designed primarily for online card transactions, including those made via digital wallets like Apple Pay and Google Pay. However, cardholders using digital wallets typically won’t encounter a 3DS challenge, as these payment options inherently include two-factor authentication, which meets the security standards without requiring additional steps.
Can merchants choose where to use 3DS?
Merchants have flexibility in how they implement 3DS. In regions without mandatory 3DS requirements, merchants can choose to prompt customers with a 3DS challenge, though they are not obligated to do so.
In markets where 3DS is mandated, merchants can still apply exemptions to bypass the 3DS challenge for their customers. However, it’s important to note that by doing so, the merchant assumes liability in the event of fraud.
The latest versions of the 3DS protocol support adaptive Risk-Based Authentication (RBA), which assesses the fraud risk of each transaction to determine the appropriate level of customer authentication. RBA can help reduce 3DS-related friction and cart abandonment, as most transactions will not require a challenge to verify the customer.
Where is 3D Secure mandated?
3D Secure (3DS) is mandated in several regions to enhance the security of online transactions. In the European Economic Area (EEA) and the United Kingdom, 3DS is required for online transactions, with certain exemptions and out-of-scope scenarios.
Beyond Europe, countries such as Australia, Bangladesh, India, Malaysia, Nigeria, Singapore, and South Africa have implemented varying levels of 3DS requirements. Notably, Japan has recently mandated the use of 3DS for online transactions, with compliance required by April 1, 2025.
How are the 3DS protocols evolving?
3D Secure (3DS) protocols continually evolve to enhance usability and align with market trends. Here’s a look at each major iteration:
3DS v1 (now sunsetted in most countries)
Launched in 2001 for PC-based online commerce, this initial version used static passwords and was primarily browser-dependent.
3DS v2.0 (now sunsetted in most countries)
Released in 2016, 3DS v2.0 aimed to reduce friction for users, introducing mobile compatibility to support the rise of mobile commerce.
3DS v2.1 (now sunsetted in most countries)
Introduced in 2017, this update enhanced the user experience further, enabling frictionless flows by allowing low-risk transactions to proceed without additional authentication.
3DS v2.2
Building on v2.1, this version supports Strong Customer Authentication (SCA) exemptions through advanced risk analysis. It also enables authentication across various devices, including IoT, and incorporates advanced methods such as biometrics.
3DS v2.3
The latest version expands channel coverage and streamlines app-based authentication. It allows issuers to store device data (device binding) for a smoother, more secure experience.
What benefits does 3D Secure offer merchants?
Merchants using 3DS to process card payments can benefit in several key areas:
- Reduction in card fraud: With the rise of sophisticated fraud tactics, such as AI-driven account takeovers, 3DS helps protect merchants by authenticating user identity and payment method before completing a sale. This added layer of security safeguards both merchant reputation and revenue.
- Liability shift: When 3DS is used, liability for fraudulent chargebacks shifts from the merchant to the card issuer. This shift minimizes merchant losses and helps avoid chargeback fees.
- Lower processing costs: Using 3DS can also qualify merchants for reduced interchange fees, lowering overall payment processing costs.
However, there are potential drawbacks to using 3DS. It can introduce friction to the checkout process, causing customer drop-off. It can also create an additional point of failure in the payment flow. Consequently, some merchants may prioritize a frictionless customer experience over these benefits.
Ultimately, there is no one-size-fits-all approach. Merchants should conduct thorough testing and analysis to understand the impact of 3DS (where it’s not mandated) on their overall payment performance.
For a deeper dive, explore our blog post: Mastering 3DS: why it pays to take a strategic approach to 3DS application.
How Primer helps merchants optimize their 3DS strategy
Primer is a unified payments infrastructure, enabling businesses to accept, optimize, and manage payments through multiple providers with a single API integration. By eliminating technical complexities, we empower businesses to unlock and accelerate growth without the typical constraints tied to payment technology.
As we’ve built our solution, we’ve focused on addressing pain points across the entire payment journey—including authentication.
With our agnostic 3DS solution, merchants gain complete control over their authentication strategy, allowing them to balance security and a seamless customer experience on their terms.
Remove complexity using processor-agnostic 3DS
Imagine a 3DS solution that is entirely agnostic and seamless, where you don’t need to think about which processor manages the 3DS or the technology behind it. With Primer, that future is here.
Our agnostic 3DS solution lets you focus solely on your 3DS strategy. As a merchant, you don’t need to integrate separately for each processor or worry about different coding or logic for each one—our solution handles that for you.
You choose when and how to deploy 3DS directly in a Primer Workflow with no code. Here, you can apply exemptions, conditional logic, and set rules that work across any combination of processors, reducing operational complexity and saving development time.
Additionally, Agnostic 3DS works in harmony with our Fallbacks solution. If an initial authorization attempt fails, Primer reuses the original 3DS challenge data, allowing you to retry the transaction without needing the customer to complete 3DS again.
Execute a tailored 3DS strategy directly within a Primer Workflow
Primer’s 3DS solution is fully embedded within our payment workflows.
What does this mean?
Using Primer, you can build complex 3DS authentication rules based on criteria like region, transaction amount, or card network—automatically applying the right authentication strategy at the right time. This allows you to adapt to shifting fraud risks, regional regulations, and customer preferences without custom coding or manual intervention.
Primer Workflows also allow you to A/B test various payment routes, giving insights into which configurations perform best. With this data, you can refine your payment flows to align with your risk tolerance and optimize for customer experience.
By automating your 3DS strategy within Primer’s Workflow tool, you streamline your payment processes, enhance fraud prevention, and ensure a frictionless customer experience across every transaction.
Automate 3DS with Primer’s Adaptive 3DS
Deciding when to trigger 3DS can be complex. With differing rules by country, varying transaction amounts, and distinctions like recurring purchases or trusted merchants, setting up the correct logic requires specialized expertise and often demands considerable engineering resources.
Primer’s Adaptive 3DS offers a smarter approach to payment authentication.
With Primer’s Adaptive 3DS, customers only encounter a 3DS challenge when the issuing bank mandates it, ensuring minimal disruption to the payment experience. For example, if a customer uses a U.S.-issued card to make a purchase with a European merchant, this transaction falls outside the scope of the SCA mandate and does not require 3DS. Adaptive 3DS will recognize this and prevent an unnecessary 3DS prompt, allowing the transaction to proceed seamlessly.
By intelligently determining when 3DS is needed, Adaptive 3DS optimizes your payment flow, reducing customer friction and ensuring compliance with regional regulations without the complexity of manual rule-setting.
This approach enhances customer satisfaction and minimizes cart abandonment, providing a smoother, smarter authentication process.
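The scope and liability rules described in this article, sketched as an added example (this is not Primer's code or API). The market set, the `Payment` and `Decision` types, the `merchant_opt_in` flag and the exemption label are assumptions made for illustration, and the liability outcomes follow the article's statements for a successful authentication.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed, incomplete sample of markets with an SCA mandate (assumption).
SCA_MARKETS = {"DE", "FR", "GR", "IT", "ES", "NL"}

@dataclass(frozen=True)
class Payment:
    issuer_country: str               # where the card was issued
    merchant_country: str             # where the merchant is established
    exemption: Optional[str] = None   # exemption the merchant applies, if any
    merchant_opt_in: bool = False     # merchant wants 3DS where not mandated

@dataclass(frozen=True)
class Decision:
    request_3ds: bool
    fraud_liability: str              # "issuer" or "merchant"
    reason: str

def decide(p: Payment) -> Decision:
    """Hypothetical rule set mirroring the article's statements, in priority order."""
    in_scope = {p.issuer_country, p.merchant_country} <= SCA_MARKETS
    if not in_scope:
        # One leg outside the mandate (e.g. US-issued card, European merchant).
        if p.merchant_opt_in:
            return Decision(True, "issuer", "out of scope, merchant opted in")
        return Decision(False, "merchant", "out of scope, no 3DS")
    if p.exemption:
        # Skipping the challenge via an exemption leaves liability with the merchant.
        return Decision(False, "merchant", f"exemption: {p.exemption}")
    return Decision(True, "issuer", "mandated, authenticated")

def summarize(payments):
    """Count how many payments request 3DS and how many leave the merchant liable."""
    decisions = [decide(p) for p in payments]
    return {
        "total": len(decisions),
        "request_3ds": sum(d.request_3ds for d in decisions),
        "merchant_liable": sum(d.fraud_liability == "merchant" for d in decisions),
    }

# Constructed sample payments.
SAMPLE = [
    Payment("US", "GR"),
    Payment("GR", "GR"),
    Payment("DE", "GR", exemption="transaction_risk_analysis"),
    Payment("US", "US", merchant_opt_in=True),
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p, "->", decide(p))
    print(summarize(SAMPLE))
```

Running `summarize` over real traffic shows the trade-off directly: each payment moved out of `request_3ds` by an exemption or opt-out is one more payment counted under `merchant_liable`.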
See our full guide on configuring 3DS on Primer: Configure 3D Secure for your Primer account.
How Ferryhopper uses Primer 3DS to increase conversion rates and prevent declines
Ferryhopper, an online travel agency transforming the ferry booking experience, needed a more strategic approach to managing 3D Secure across multiple markets. The introduction of SCA in Europe forced them to apply 3DS to every transaction, negatively impacting their conversion rates.
Recognizing the need for a new payments strategy, Co-Founder and Chief Product Officer Panagiotis Sarafis and his team faced two options: expand their internal team to build and maintain their authentication logic or use the services of a third party like Primer.
"The latter was the clear path forward," says Sarafis. "And Primer was the ideal partner. It stood out as the most modern, flexible, and innovative solution on the market."
Using Primer’s Adaptive 3DS feature, Ferryhopper fine-tuned when to trigger 3DS challenges, ensuring that only transactions subject to SCA mandates were challenged. This resulted in a 2% increase in conversion rates for transactions in Europe.
In addition, Primer’s Agnostic 3DS allowed Ferryhopper to manage authentication across multiple processors without the hassle of configuring each one separately. This simplified their 3DS setup, reducing the operational load on their team and ensuring a smooth and consistent payment experience for customers.
Through Primer, Ferryhopper successfully optimized its 3DS strategy, striking the right balance between security and user experience while increasing conversions across different regions.
Read the full case study: Charting a new course for payments at Ferryhopper
Use Primer to optimize your 3DS strategy based on your business needs
3D Secure is a powerful tool for mitigating fraud, but efficiently managing it across different markets and payment providers can be complex.
Primer simplifies this with solutions like Adaptive 3DS, which adjusts authentication based on transaction risk, and Agnostic 3DS, ensuring consistent 3DS management across all processors.
These tools empower businesses to save time, reduce complexity, and enhance the customer experience while upholding compliance and security.