What Is 3D Secure (3DS)?
3D Secure is the authentication protocol behind Visa Secure, Mastercard Identity Check and Amex SafeKey. The modern 3DS2 version uses risk-based authentication to approve low-risk transactions silently while challenging only suspicious ones, fulfilling PSD2 Strong Customer Authentication requirements.
3D Secure: Definition
3D Secure (3DS) is an EMVCo-standardised XML-based protocol that adds a payer authentication step to card-not-present transactions. The three domains are the issuer (cardholder's bank), the acquirer (merchant's bank) and the interoperability domain (the card network). It is mandatory for online card payments in the European Economic Area under PSD2 Strong Customer Authentication rules.
Liability Shift
Successfully 3DS-authenticated transactions shift chargeback liability from the merchant to the card issuer, protecting merchants from fraudulent disputes.
Frictionless Authentication
3DS2 passes over 100 data points to the issuer's risk engine. Low-risk transactions are approved in milliseconds with no customer interruption.
PSD2 SCA Compliance
3DS2 is the primary mechanism for meeting PSD2 Strong Customer Authentication obligations in the EEA, combining possession, inherence and knowledge factors.
3DS1 vs 3DS2
3DS1 (Legacy)
Being phased out- Full redirect to issuer page
- High cart abandonment
- Static password challenge
- No data sharing with issuer
- Poor mobile experience
- No frictionless flow
3DS2 (Current Standard)
PSD2 / SCA compliant- Inline challenge or frictionless
- 100+ data points shared
- Risk-based authentication
- Native mobile SDK support
- Merchant-initiated transaction support
- SCA exemption handling
3D Secure Questions Answered
01 What is 3D Secure?
3D Secure (3DS) is an XML-based authentication protocol developed by EMVCo that adds an extra identity verification step for online card-not-present transactions. It is branded as Visa Secure, Mastercard Identity Check and American Express SafeKey. The three domains are the issuer domain, the acquirer domain and the interoperability domain (the card scheme).
02 What is the difference between 3DS1 and 3DS2?
3DS1 required a full redirect to the issuer authentication page, disrupting checkout and causing high cart abandonment. 3DS2 uses a risk-based authentication engine, passing over 100 data points to the issuer. Low-risk transactions are approved frictionlessly without any customer interaction, while only high-risk ones trigger a challenge step.
03 Is 3D Secure mandatory under PSD2?
Yes. PSD2 Strong Customer Authentication (SCA) mandates two-factor authentication for online card transactions in the EEA. 3DS2 is the primary mechanism for SCA compliance. Exemptions exist for low-value transactions, merchant-initiated transactions and trusted beneficiaries.
04 What is the liability shift in 3D Secure?
When a transaction is authenticated via 3D Secure and a chargeback occurs, liability shifts from the merchant to the card issuer. Merchants are not held responsible for fraudulent chargebacks on successfully 3DS-authenticated transactions.
05 How does PCI Proxy work with 3D Secure?
PCI Proxy stores the PAN in a secure EU vault and issues a token. When 3DS authentication is needed, PCI Proxy can pass the raw PAN to the 3DS server on your behalf, keeping your PCI DSS scope minimal while supporting full 3DS2 authentication flows.
Support 3DS2 Without Touching Raw Card Data
PCI Proxy passes the PAN to your 3DS server from our EU vault, so your systems stay out of PCI DSS scope while remaining fully SCA compliant.