SecurityCents Blog

Insights on payment data security, payments news and trends

Understanding 3-D Secure


As counterfeit card fraud becomes more difficult and online payments become more popular, fraudsters are shifting their focus away from traditional channels and toward the card-not-present environment. In addition to the usual security measures, there are additional steps that merchants can take to ensure their security as well as that of the cardholder. One such example is the implementation of the 3-D Secure standard.

What is 3-D Secure?

There are three parties that are involved in this standard: the merchant and its bank, the issuing bank, and the card associations. The protocol was originally developed by a predecessor company of CA Technologies and was first deployed by Visa. Other card brands eventually adopted services based on the same protocol. This authentication protocol is designed to add an extra layer of protection to the payment process and reduce the risk of fraudulent transactions in e-commerce (card-not-present transactions) by implementing an additional authentication process for the cardholder.

What are the benefits?

3-D Secure provides security for both the individual shopping online and the merchant. The benefit for cardholders is the ability to ensure that their cards cannot be used by someone else to purchase goods or services online. For the merchant, the main benefit of implementing 3-D Secure is the liability shift to the issuer, which reduces or eliminates chargebacks when the merchant complies with the acquirer’s legal requirements. These requirements can differ between acquirers and should be understood before implementing 3-D Secure.

Why is 3-D Secure not being widely implemented in the US today?

The original 3-D Secure standard (3-D Secure 1.0) relied on a process in which the cardholder is required to authenticate themselves through a redirect to their issuing bank. This confirmation is accomplished by entering a password that the user previously created with their bank. Although 3-D Secure 1.0 has provided consistent security for those that have implemented it, the initial activation requirements, the extra steps in the checkout process, the need for a user to remember an additional password, and the lack of mobile support have negatively impacted transaction abandonment rates, causing merchants to ask the question “Is the extra security worth it, or is it negatively impacting my bottom line?”

How is 3-D Secure 2.0 different and why should Merchants implement it?

The new standard is being introduced by EMVCo and the major credit card brands. The payments industry needed a standard that would support app-based and browser-based payments, combined with robust security and a frictionless consumer experience. 3-D Secure 2.0 does this by enabling intelligent decision-making by the issuer, which uses behind-the-scenes risk-based authentication to assure the legitimacy of a cardholder’s transaction, including the use of token-based and biometric authentication instead of static passwords. Going forward, a cardholder will only be prompted to provide additional identification in limited circumstances, such as if the issuer determines the transaction to be high-risk based on the data provided. If the transaction is identified as high risk, the cardholder could opt to receive a one-time passcode via SMS or opt for an out-of-band authentication through their issuer’s mobile app.

What’s next?

Merchant Link is working on implementing the new 3-D Secure 2.0 standard, with support for Visa and MasterCard coming first. Please contact your Account Manager if you have any questions or are interested in implementing 3-D Secure 2.0.