How Does 3D Secure Work?
Explaining How a 3-D Secure Transaction Works
In a Nutshell
3-D Secure is a security tool deployed at checkout. During the transaction, 3DS returns an authentication response indicating one of three outcomes. The most common response is frictionless authentication, meaning the transaction is approved without cardholder interaction. The other two responses are that a challenge is required, or that authentication failed.
How Does 3D Secure Work? Outlining the Standard Workflow
With the latest version of 3-D Secure, nearly 150 points of transaction data are sent to the issuing bank, automatically and in real time. This includes things like IP address, merchant category code, shipping address, and so on.
3D Secure also adds an authentication step during the checkout process. Typically, the cardholder is asked to provide either a pre-established password, a one-time passcode sent to their mobile phone or email, or the answer to a unique security question.
How a 3D Secure Transaction Works
Let’s say a cardholder enters their payment details at checkout. What happens next?
The 3D Secure process starts when a merchant’s payment system initiates the 3DS authentication flow. This happens before authorization is requested and involves three core nodes communicating in sequence: the 3DS Server, the Directory Server, and the issuer’s Access Control Server (ACS).
The 3DS Server compiles transaction data — we’re talking the card number, transaction amount, device fingerprint, billing address, and dozens of other data points — and sends an Authentication Request (AReq) to the Directory Server. The Directory Server identifies the card’s issuing bank, then routes the request to the correct ACS.
The ACS evaluates transaction risk using the data provided. Based on this assessment, the ACS returns an Authentication Response (ARes) indicating one of three outcomes. The most common response is frictionless authentication, meaning the transaction is approved without cardholder interaction. The other two responses are that a challenge is required, or that authentication failed.
If a challenge is required, the cardholder is presented with a verification prompt. This is typically a one-time passcode, banking app confirmation, or biometric check. The cardholder's response travels back through the ACS, which validates it and returns the final authentication result.
With successful authentication, the ACS generates a cryptographic value: the CAVV (Cardholder Authentication Verification Value) for Visa or the AAV (Accountholder Authentication Value) for Mastercard. The merchant includes this value in the subsequent authorization request, signaling to the issuer that authentication was completed.
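The decision a merchant integration makes on receiving the ARes, as an added example (not code from this page or from any card network). Field names such as transStatus, authenticationValue, eci and acsURL follow EMV 3DS message conventions; the function names, the fail-closed policy for anything other than "Y" or "C", and all sample values are assumptions constructed for illustration.

```python
# Added example: merchant-side handling of an ARes before authorization.
FRICTIONLESS, CHALLENGE, FAILED = "frictionless", "challenge", "failed"

def classify_ares(ares: dict) -> str:
    """Map the ARes transStatus onto the three outcomes described above."""
    status = ares.get("transStatus")
    if status == "Y":
        return FRICTIONLESS
    if status == "C":
        return CHALLENGE
    # Assumed policy: N, R, U, missing or unknown statuses all fail closed.
    return FAILED

def next_step(ares: dict, areq_trans_id: str) -> dict:
    """Decide what checkout does next; areq_trans_id is the id sent in the AReq."""
    # A response that does not match the request we sent is never trusted.
    if ares.get("threeDSServerTransID") != areq_trans_id:
        return {"action": "decline", "reason": "transaction id mismatch"}
    outcome = classify_ares(ares)
    if outcome == CHALLENGE:
        return {"action": "challenge", "acs_url": ares.get("acsURL")}
    if outcome == FAILED:
        return {"action": "decline", "reason": "authentication failed"}
    # Authenticated: the cryptogram (CAVV/AAV) must accompany authorization.
    cryptogram = ares.get("authenticationValue")
    if not cryptogram:
        return {"action": "decline", "reason": "authenticated without cryptogram"}
    return {"action": "authorize",
            "auth_fields": {"cryptogram": cryptogram, "eci": ares.get("eci")}}

# Constructed sample responses, one per outcome plus one malformed case.
SAMPLES = {
    "frictionless": {"threeDSServerTransID": "tx-1", "transStatus": "Y",
                     "authenticationValue": "Q09OU1RSVUNURUQ=", "eci": "05"},
    "challenge": {"threeDSServerTransID": "tx-1", "transStatus": "C",
                  "acsURL": "https://acs.example/challenge"},
    "failed": {"threeDSServerTransID": "tx-1", "transStatus": "N"},
    "no_cryptogram": {"threeDSServerTransID": "tx-1", "transStatus": "Y"},
}

if __name__ == "__main__":
    for name, ares in SAMPLES.items():
        print(name, "->", next_step(ares, "tx-1"))
```

The same sample set doubles as a starting point for the testing step later on the page: each outcome should produce exactly one checkout action.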
The entire authentication exchange typically completes in one to three seconds for frictionless transactions. Challenge flows add time depending on how quickly the cardholder responds, but the technical handshake between servers remains the same.
Not all transactions will require 3D Secure measures. Acquirers may deploy transaction risk analysis to identify “low-risk” transactions, such as payments below a certain limit or recurring payments. These will not require 3DS verification.
Benefits of 3-D Secure
The primary benefit of 3D Secure technology is security and fraud prevention.
The 3DS2 protocol uses Risk-Based Authentication (RBA) to analyze data and assess the fraud risk of each transaction in real time. Because the risk level is backed by so much information, the process provides a high level of security and lowers the risk of criminal fraud.
The technology offers multiple other benefits as well, though. Using the latest version of 3D Secure can help regardless of whether you’re upgrading from the original protocol or deploying 3D Secure payment verification for the first time:
The cryptogram generated by the ACS is what triggers the fraud liability shift. Without it, the merchant remains liable for fraud disputes.
How to Set up 3D Secure Authentication
To implement 3-D Secure, merchants need to follow a few steps:
Step #1 | Consult With Acquirer or PSP
Merchants should start by speaking with their acquiring bank or payment service provider. This entity can provide detailed information about how to enable 3D Secure and the costs.
Step #2 | Integration with 3-D Secure
Most payment gateways and platforms provide support for 3-D Secure. Merchants may need to integrate the protocol into their online payment systems. This could involve updating software or adding new plug-ins.
Step #3 | Enrollment in 3D Secure Program
The merchant needs to enroll in a 3D Secure program provided by the card networks they accept, such as Verified by Visa, Mastercard SecureCode, or American Express SafeKey.
Step #4 | Testing
After implementation, rigorous testing should be conducted to ensure the system works as expected without disrupting the customer experience. It is essential to verify both that low-risk transactions are handled smoothly and that high-risk ones trigger the appropriate additional authentication steps.
Step #5 | Customer Education
Finally, it's advisable for merchants to educate their customers about the new security feature. Clear communication can help alleviate customer concerns about additional authentication steps and positively influence the perception of enhanced security.
Implementation details may vary based on the specific platforms and tools used by the merchant. It's always a good idea to consult with experts or seek professional assistance to ensure a smooth implementation process.