3D Secure 2.0 Explained: The Developer's Guide to Strong Customer Authentication
You’ve seen it a hundred times: you click “Pay,” and suddenly your bank is asking you to confirm the purchase with a one-time code or a biometric scan. That extra step isn’t friction for friction’s sake — it’s 3D Secure, the protocol that has been quietly preventing billions of dollars in online card fraud since 2001. And its latest version, 3D Secure 2.0, is the engine behind Europe’s Strong Customer Authentication mandate.
What is 3D Secure?
3D Secure (3DS) is an authentication protocol designed by EMVCo (originally by Visa) that adds an extra verification layer during online card-not-present (CNP) transactions. The “3D” stands for three domains — the three parties that participate in every authentication:
| Domain | Party | Role |
|---|---|---|
| Issuer Domain | Card-issuing bank | Authenticates the cardholder |
| Acquirer Domain | Merchant’s bank / PSP | Initiates the authentication request |
| Interoperability Domain | Card network (Visa, Mastercard, etc.) | Routes messages between domains |
The goal is simple: prove the person making the purchase is the legitimate cardholder, not someone who stole their card number.
Related: Our PCI DSS Compliance Guide covers the broader security standards that protect cardholder data at rest and in transit.
Also Known As
Each card network brands 3D Secure differently, which causes endless confusion:
| Card Network | 3DS 1.0 Brand | 3DS 2.0 Brand |
|---|---|---|
| Visa | Verified by Visa | Visa Secure |
| Mastercard | Mastercard SecureCode | Mastercard Identity Check |
| American Express | SafeKey | SafeKey 2.0 |
| Discover | ProtectBuy | ProtectBuy 2.0 |
| JCB | J/Secure | J/Secure 2.0 |
| UnionPay | — | UnionPay 3DS |
Despite the different marketing names, they all implement the same underlying EMVCo 3DS protocol. When you hear any of these terms, they mean 3D Secure.
3D Secure 1.0: The Original (and Its Problems)
3D Secure 1.0 launched in 2001 as Visa’s “Verified by Visa.” It worked, but it had major user experience issues:
- Full-page redirects — The cardholder was bounced to their bank’s website in a pop-up or iframe
- Static passwords — Many banks used memorized passwords, which cardholders frequently forgot
- No mobile support — The protocol pre-dated smartphones entirely
- High cart abandonment — Studies showed 10-15% of shoppers abandoned checkout at the 3DS step
- No risk intelligence — Every transaction got the same clunky challenge, regardless of risk level
The result? Many merchants chose not to implement 3DS 1.0, preferring to eat the fraud costs rather than lose sales.
3D Secure 2.0: The Modern Standard
3D Secure 2.0 (also called EMV 3DS or 3DS2) was released by EMVCo in 2016 and is a ground-up redesign. It solves nearly every problem with 1.0:
3DS 1.0 vs 2.0 Comparison
| Feature | 3DS 1.0 | 3DS 2.0 |
|---|---|---|
| User experience | Pop-up / redirect | Inline / in-app |
| Authentication method | Static password | OTP, biometrics, push notification |
| Mobile support | None | Native SDKs (iOS, Android) |
| Data points shared | ~15 fields | 150+ data elements |
| Risk-based authentication | No | Yes (frictionless flow) |
| Cart abandonment impact | High (10-15%) | Low (< 5%) |
| Liability shift | Yes (attempted) | Yes (attempted + frictionless) |
| Protocol owner | Visa | EMVCo (all networks) |
| Spec version | 1.0.2 | 2.1.0, 2.2.0, 2.3.1 |
The single biggest improvement is risk-based authentication: 3DS 2.0 sends over 150 data elements to the issuer (device fingerprint, transaction history, shipping address, etc.), allowing the issuer to approve low-risk transactions without ever challenging the cardholder.
How 3D Secure 2.0 Works
Here’s the step-by-step flow of a 3DS 2.0 transaction:
Step 1: Checkout Initiated
The cardholder enters their card details and clicks “Pay.” The merchant’s payment page collects device and browser data using the 3DS Method (a hidden iframe that gathers device fingerprinting data).
Step 2: Authentication Request (AReq)
The merchant’s server (via their 3DS Server) sends an Authentication Request (AReq) to the card network’s Directory Server (DS). This message contains:
- Card number (PAN) and expiry
- Transaction amount and currency
- Device/browser fingerprint data
- Merchant risk indicators
- Cardholder name, email, phone
- Billing and shipping addresses
- Transaction history metadata
Step 3: Risk Assessment
The DS routes the AReq to the issuer’s Access Control Server (ACS). The ACS analyzes the 150+ data points and makes a risk decision:
| Decision | What Happens | Result |
|---|---|---|
| Frictionless | Low risk — approve silently | Cardholder sees nothing |
| Challenge | Higher risk — verify identity | OTP, biometric, or push notification |
| Deny | Very high risk | Transaction declined |
Step 4: Challenge Flow (If Required)
If a challenge is triggered, the ACS presents an authentication interface:
- One-Time Password (OTP) — Sent via SMS or email
- Biometric — Fingerprint or face recognition in the banking app
- Push notification — Approve/deny in the banking app
- Knowledge-based — Security questions (rare in 2.0)
Step 5: Authentication Response (ARes)
The ACS returns an Authentication Response (ARes) containing the critical values:
| Field | Description |
|---|---|
| Transaction Status | Y (authenticated), N (not authenticated), A (attempted), U (unavailable), R (rejected) |
| ECI | Electronic Commerce Indicator — liability shift evidence |
| CAVV / AAV | Cardholder Authentication Verification Value — cryptographic proof |
| DS Transaction ID | Unique identifier for the 3DS transaction |
Step 6: Authorization
The merchant submits the authorization request (ISO 8583 0100 message) to the acquirer with the 3DS results embedded. The ECI and CAVV travel in the authorization message, proving authentication occurred.
Try it yourself: Use our ISO 8583 Studio to parse authorization messages containing 3DS fields.
Strong Customer Authentication (SCA)
Strong Customer Authentication is a regulatory requirement under the European Union’s Payment Services Directive 2 (PSD2), effective since September 2019 (with enforcement deadlines extended to December 2020 in most EU countries and March 2022 in the UK).
SCA requires that electronic payments be authenticated using at least two of three factors:
| Factor | Category | Examples |
|---|---|---|
| Knowledge | Something you know | Password, PIN, security question |
| Possession | Something you have | Phone (OTP), hardware token, banking app |
| Inherence | Something you are | Fingerprint, face recognition, voice |
3D Secure 2.0 is the primary mechanism merchants use to satisfy SCA requirements, because it supports all three factor categories natively.
Who Must Comply?
SCA applies when:
- The cardholder’s bank is in the European Economic Area (EEA) or UK
- The transaction is electronic and customer-initiated
- Both the issuer and acquirer are within the EEA/UK (one-leg transactions have different rules)
SCA Exemptions
Not every transaction requires a full challenge. PSD2 defines several exemptions that allow transactions to proceed without SCA — and knowing them is critical for reducing checkout friction:
| Exemption | Condition | Who Requests It |
|---|---|---|
| Low Value | Transaction ≤ €30 (cumulative limits apply) | Acquirer or Issuer |
| Transaction Risk Analysis (TRA) | Fraud rate below threshold for the amount band | Acquirer |
| Trusted Beneficiary | Cardholder whitelisted this merchant | Issuer |
| Recurring / Subscription | Fixed-amount recurring with same merchant | Acquirer |
| Merchant-Initiated (MIT) | No cardholder present (e.g., delayed charges) | Not applicable (out of scope) |
| Mail Order / Telephone Order | MOTO transactions | Not applicable (out of scope) |
| One-leg Transaction | Issuer or acquirer outside EEA | Not applicable |
| Corporate Cards | Lodged / virtual corporate cards | Issuer |
TRA Thresholds
The Transaction Risk Analysis exemption has specific fraud rate requirements:
| Transaction Amount | Max Fraud Rate |
|---|---|
| Up to €100 | 0.13% |
| Up to €250 | 0.06% |
| Up to €500 | 0.01% |
Acquirers and issuers must maintain fraud rates below these thresholds to qualify for the exemption.
3D Secure in ISO 8583 and EMV
For payment engineers, 3D Secure results flow through several key fields in ISO 8583 authorization messages:
| ISO 8583 Field | Data Element | 3DS Content |
|---|---|---|
| Field 44 | Additional Response Data | ECI value |
| Field 48 | Additional Data | CAVV / AAV |
| Field 55 | ICC Related Data | DSRP cryptogram (for digital wallets) |
| Field 126 (Visa) | Private Data | 3DS authentication results |
| DE 48, SE 43 (Mastercard) | UCAF | AAV data |
Key 3DS Data Elements
| Abbreviation | Full Name | Purpose |
|---|---|---|
| CAVV | Cardholder Authentication Verification Value | Visa’s cryptographic proof of authentication |
| AAV | Accountholder Authentication Value | Mastercard’s equivalent of CAVV |
| ECI | Electronic Commerce Indicator | Indicates authentication level and liability shift |
| XID | Transaction Identifier | Unique ID for 3DS 1.0 transactions |
| DS Trans ID | Directory Server Transaction ID | Unique ID for 3DS 2.0 transactions (replaces XID) |
ECI Values
The Electronic Commerce Indicator is critical for understanding liability shift:
| ECI | Visa Meaning | Mastercard Meaning |
|---|---|---|
| 05 | Fully authenticated (3DS) | Fully authenticated (SecureCode) |
| 06 | Attempted authentication | Attempted authentication |
| 07 | Non-3DS / e-commerce | Non-authenticated |
| 01 | — | Mastercard fully authenticated (some regions) |
| 02 | — | Mastercard attempted authentication |
An ECI of 05 (Visa) or 02 (Mastercard) means the liability for chargebacks shifts from the merchant to the issuer — one of the primary business motivations for implementing 3DS.
Decode your data: Use the EMV Tag Inspector to parse Field 55 data in contact and contactless transactions that include 3DS-related DSRP cryptograms.
Implementation Considerations
Frictionless vs. Challenge
The holy grail of 3DS 2.0 is the frictionless flow: the cardholder is authenticated silently based on risk analysis, with no visible challenge. Best practices for maximizing frictionless rates:
- Send all optional data fields — The more data the issuer has, the better its risk model
- Use the 3DS Method — Device fingerprinting improves risk scoring
- Maintain low fraud rates — Qualifies you for TRA exemptions
- Request exemptions correctly — Flag low-value and recurring transactions
Liability Shift
When 3DS is used (even if the challenge fails or isn’t available), the fraud liability can shift:
| Scenario | Liability |
|---|---|
| Merchant uses 3DS, cardholder authenticated | Issuer bears fraud liability |
| Merchant uses 3DS, authentication attempted | Issuer bears fraud liability |
| Merchant does NOT use 3DS | Merchant bears fraud liability |
| Issuer’s ACS is unavailable | Issuer bears fraud liability |
This liability shift is a powerful incentive — even if you’re outside the EU and SCA doesn’t apply, 3DS can save you from chargeback losses.
What 3D Secure Does NOT Do
Understanding the limitations prevents over-reliance:
Not a Silver Bullet for Fraud
- Doesn’t prevent friendly fraud — Legitimate cardholders disputing charges
- Doesn’t validate the merchant — Only authenticates the cardholder
- Doesn’t protect stored data — That’s PCI DSS’s job
- Doesn’t work for all transactions — MOTO, merchant-initiated, and some recurring payments are out of scope
Not a Replacement for Other Security
3DS works alongside other security measures, not instead of them:
| Layer | What It Does |
|---|---|
| 3D Secure | Authenticates the cardholder at purchase |
| PCI DSS | Protects stored cardholder data |
| EMV Chip | Prevents card-present counterfeiting |
| Tokenization | Replaces PANs with non-sensitive tokens |
| Luhn Check | Catches typos in card numbers |
Learn more: See our Luhn Algorithm Guide for how basic card number validation works.
Quick Reference
| Term | Definition |
|---|---|
| 3DS | 3D Secure — authentication protocol for online payments |
| 3DS2 / EMV 3DS | 3D Secure 2.0 — current version with risk-based auth |
| SCA | Strong Customer Authentication — EU regulatory requirement |
| PSD2 | Payment Services Directive 2 — EU regulation mandating SCA |
| ACS | Access Control Server — issuer’s authentication system |
| DS | Directory Server — card network routing component |
| 3DS Server | Merchant-side component that initiates authentication |
| AReq / ARes | Authentication Request / Response messages |
| CReq / CRes | Challenge Request / Response messages |
| CAVV | Cardholder Authentication Verification Value |
| ECI | Electronic Commerce Indicator |
| Frictionless | Silent authentication without cardholder challenge |
| TRA | Transaction Risk Analysis — exemption type |
Next Steps
Now that you understand 3D Secure and Strong Customer Authentication:
- Verify cryptograms with the ARQC Calculator — The same HSM principles apply to CAVV generation
- Decode EMV data with the EMV Tag Inspector — Parse Field 55 including DSRP cryptograms
- Parse authorization messages with the ISO 8583 Studio — See where 3DS fields live in real messages
- Look up response codes in the Reference Database — Understand
05,14, and other declines - Review PCI compliance in our PCI DSS Guide — Protecting the data that 3DS authenticates
- Learn about HSMs in our HSM Basics Guide — The hardware behind cryptographic verification
- Explore tokenization in our Payment Tokenization Guide — 3DS + network tokens together boost approval rates by 2-6%
- Understand digital wallets in our Digital Wallet Guide — how Apple Pay and Google Pay use 3DS for wallet provisioning and online payments
- Explore biometric payments in our Biometric Payments Guide — biometrics provide inherence + possession to satisfy SCA requirements
This post is part of the ISO 8583 Mastery series. Follow along as we explore payment messaging in depth.
Related Posts
💬 Discussion
Have a question or feedback? Leave a comment below — powered by GitHub Discussions.
What is 3D Secure (3DS)?
3D Secure is a security protocol used for online credit and debit card transactions. It provides an extra layer of authentication, often requiring the cardholder to enter a one-time password or use biometric app approval before authorization.
What is the liability shift in 3D Secure?
When a merchant successfully authenticates a transaction using 3D Secure, the liability for chargebacks related to fraud is shifted from the merchant to the cardholder’s issuing bank.
What is SCA (Strong Customer Authentication)?
SCA is a regulatory requirement under Europe’s PSD2 directive. It mandates that electronic payments use multi-factor authentication. 3D Secure 2.0 is the primary technical method merchants use to comply with SCA regulations.