A complete guide to 3D secure authentication.

Futre Of Card Payments

A complete guide to 3D secure authentication.

Down arrow

If you’re operating an eCommerce website, having a secure online payment gateway is fundamental to keeping business flowing.

That’s where 3D secure authentication comes in. As well as protecting your customers’ card data when they make a purchase, it can help to reduce the risk of online fraud and gives potential shoppers the confidence they need to know your storefront is legitimate.

Whether you’re looking to implement 3D secure authentication on your website or you want to brush up on your knowledge, our guide reveals everything you need to know about what it is, how it works, and what to do when it fails.

What is 3D secure authentication?

3D secure authentication, or 3D secure (3DS), is a card-not-present fraud prevention measure launched in 2001 by Visa as Verified-by-Visa. It is one of the key security features when you take online payments through a payment gateway and works by requesting cardholder authentication during the check-out process. 3D secure provides an additional layer of security for online card transactions to help protect against card payment fraud.

It’s called 3DS as it’s short for ‘three domains’, which refers to the three separate domain servers which are required to complete the protocol. These are:

  • The merchant domain – Your business’s acquiring bank
  • The issuer domain – Your customer’s bank that is issuing the payment
  • The interoperability domain – The payment network provided by the card scheme (e.g. Visa or Mastercard) to support the 3D secure protocol

Since the successful launch of Visa’s Verified-by-Visa 3D secure measures, several prominent credit and debit card providers have developed their own versions using 3DS protocols, such as Mastercard as SecureCode and American Express as SafeKey.

How does 3D secure work?

3D secure works by incorporating another step within the check-out process to authenticate the payment. They will usually be asked to provide:

  • the password that they’ll have previously set up with their bank
  • a one-time passcode that’s sent to their mobile phone or email address
  • a unique security question

Here’s how it works in more detail:

  1. A customer will go to pay on a merchant’s website and enter their payment details.
  2. The merchant’s website will check if 3D secure has been enabled.
  3. If enabled, they will get redirected to their debit or credit card provider’s 3D secure web page.
  4. The 3D secure web page will request their online banking passcode, a one-time authentication code, or a security question to verify their identity.
  5. Once the customer enters the information, their card provider will check if the details are correct.
  6. If verified, the payment will be authorised.
  7. The customer will be directed back to the check-out page on the merchant’s website.

Customers won’t always be subject to 3D secure measures and may not be asked to provide any details at all. This could be the case for transactions that are seen as ‘low-risk’, like payments under a certain amount or regularly recurring payments. After entering the correct information and once the card provider approves the payment, they will automatically be sent back to the merchant website with an order confirmation message. It’s a quick and simple process.

What are the benefits of 3D secure?

The main benefit of 3D secure is that it gives an added level of security to help stop card details from being stolen and used online. For customers, it can help to limit online card fraud when they make a transaction. For merchants, it can reassure customers that their payment to your business is secure.

It also protects against any unauthorised transaction chargebacks. Once the transaction has passed the 3D secure authentication process, you, the merchant, are no longer liable for the purchase. The liability is passed to the card payment provider, who will be responsible for sorting any customer refunds. This means you can save time and money with fewer settlement disputes with your customers.

In summary, 3D secure authentication can help:

  • Protect both merchants and customers from online payment fraud
  • Prevent customers’ credit and debit card details from being stolen
  • Safeguard merchants from unauthorised chargebacks
  • Pass purchase liability to customers’ payment providers

In which countries is 3D secure authentication used?

3D secure is implemented on eCommerce platforms all around the world in Europe, the US, Australia, China, India, and Singapore.

While 3D secure is not a legal requirement, the PSD2 legislation — a regulation for electronic payment services — was passed by the EU in 2018-2019 with the aim of increasing the safety of online card transactions and reducing the chances of fraud. As part of the PSD2, the Strong Customer Authentication (SCA) requirement was introduced and became mandatory on websites accepting credit and debit transactions. It came into effect in September 2021 for countries in the European Economic Area and the UK.

To comply with SCA regulations, banks must carry out two checks to confirm a customer’s identity for certain online payments and bank transfers. Also known as two-factor authentication, a customer must provide at least two elements of identity authentication to complete an online transaction.

Businesses can meet SCA requirements by implementing 3D secure as it covers the two levels of Strong Customer Authentication required to confirm their identity.

Find out more about SCA and card payment security measures here.

How businesses can set up 3D secure authentication

There are a few ways that small businesses can set up 3D secure authentication:

  1. Connect a 3DS API to your shopping cart – This is easily done with leading eCommerce platforms like Shopify and Magento.
  2. Selecting a payment gateway solution that includes 3D secure – Here at takepayments, 3D secure authentication is included as standard in our online payment gateway solution, along with IP address, AVS and CV2 checks. Our gateway can be easily linked with your site, giving you access to a range of UK shopping carts, like Magento, Prestashop and WooCommerce. You can check our developer support for our helpful guides on website integration and shopping cart options.

To accept credit or debit card payments with 3D secure authentication, you will also need to set up a merchant account. This is separate from your business bank account. It’s like a holding area where your payment funds are checked and processed before being sent to your account for you to access. Find out how we can help you set up a merchant account here.

Do your customers need to activate 3D secure for online purchases?

Once you’ve got 3D secure integrated and set up with your payment gateway, you’re all set. But what about your customers?

As 3D secure is a SCA protocol, it’s the responsibility of banks and businesses to build it into their check-out flow. This means that customers don’t need to worry about activating 3D secure with their card or provider.

It’s more than likely that their bank has already enrolled their credit or debit card into 3D secure when it was issued to them. This is generally the case with cards from top payment providers like Visa, MasterCard, and Amex.

What does ‘3D secure authentication error’ mean?

A ‘3D secure authentication failed’ error during the 3DS process usually means that the customer has entered their details incorrectly. It could be because they have typed in their card details — like the long card number or expiry date — or the additional authentication passcode wrong.

When this occurs, the customer's debit or credit card provider will reject the payment and prevent the transaction from going any further. This safety mechanism prevents scammers from using stolen card details, as they may not be able to get past the 3D secure authentication.

What to do when 3D secure authentication fails?

If a customer has checked their card details and entered the correct 3DS security requirements but still receives a failure message, they will need to contact their card provider for help.

It’s worth noting that some browser extensions can interfere with the 3D secure page, like pop-up blockers, which can prevent the 3DS page from working properly. Disabling browser extensions or trying the payment again from a different browser can sometimes fix the error message.

What is 3D secure 2.0 (3DS2)?

While the information required to verify 3DS adds more security to the transaction process, it increases the steps in the check-out flow and can make a shopper’s experience less seamless.

Despite payment providers being able to request exceptions to which transactions require 3DS, for example, for low-risk payments under a certain amount of money, these requests are ultimately decided by the cardholder’s bank and are not always guaranteed.

To streamline the 3DS payment process, 3D secure 2.0 was introduced to provide a better overall experience for customers across mobile devices as well as on desktops. Just like its predecessor, it also meets the requirements of PSD2 and classes as a method of Strong Customer Authentication.

3DS2, or EMV 3D Secure, works by harvesting and sending more data to the customer’s issuing bank. This might include an IP address, browser language, and a merchant category code. As more information is collected, the banks can make informed decisions on whether to approve a cardholder’s transaction without needing to trigger 3D secure security requirements – eliminating the need for the cardholder to input data and creating a frictionless experience, without compromising on security.

Here’s a quick overview of how it works:

  1. The customer goes to make a purchase online.
  2. Certain data points are collected, sent to a 3DS server, and diverted to the cardholder’s issuing bank for approval.
  3. Their bank uses the data points to decide whether further security measures to validate the customer’s identity are necessary.
  4. After evaluating the data, the bank will either:
    Approve the transaction straightaway without the cardholder needing to do anything else.
  5. Request more information from the cardholder to finish the transaction. For example, a biometric like a fingerprint or a PIN code.

Get PCI compliant

Although 3D secure authentication helps add another layer of security to online payments, you'll still need to make sure that you're meeting the PCI compliance security measures. This makes sure that you're storing, processing, and transmitting customer data in the correct way.

If you need help getting PCI compliant, we can help with this. We have a team of PCI specialists who will guide you into getting your business fully compliant over the phone for a small one-off fee.

Ready to take online payments? Just fill in our quote form or give us a call today at 0808 274 2017.


Jodie Wilkinson

Head of Strategic Partnerships

Get your FREE quote today.

We will use your information in accordance with our Privacy Policy.

Back to blogs

takepayments Barclaycard
Chat with us!