
Diana Vorniceanu
29 Apr 2026 / 8 Min Read
Rohan Shaju, Consultant at Edgar, Dunn & Company (EDC), explains 3DS authentication.
3D Secure, which stands for ‘Three-Domain Secure,’ is an authentication protocol that adds an extra layer of verification for online card transactions. Since its introduction in the early 2000s, 3D Secure (3DS) has become a foundational layer of online payment security, reshaping fraud liability and authentication standards for merchants and banks globally. Studies show that in regulated markets, like Europe and Australia, where the majority of card-not-present (CNP) transactions are protected by 3DS, fraud rates are three to six times lower than for all CNP transactions.
For merchants, successful 3DS authentication shifts fraud liability from their balance sheets to card issuers – a critical shield for them as global CNP fraud losses are expected to reach USD 49 billion by 2030. Banks, meanwhile, have seen fraud rates and chargeback volumes drop substantially. While early versions of 3DS reduced fraud drastically, they were often called out for increased checkout friction. Today’s 3DS 2.2 or higher enables frictionless flows that have largely restored conversion rates to non-3DS levels. Let’s dive deeper into how 3DS works, starting from the world before it existed.
In the early 2000s, running an online store meant taking a gamble on every transaction. A customer would enter their card details, the merchant would ship the goods, and weeks later chargebacks could arrive – for example, because the card was stolen or due to friendly fraud (i.e. when a customer buys something, then wrongly claims they didn’t). CVV (Card Verification Value) and Address Verification Service (AVS) were the only tools available, and neither was built for the fraud volumes that ecommerce was generating. In high-risk sectors like digital downloads, gaming, and subscriptions, chargeback rates regularly hit 5-10%. Acquirers responded the only way they could – pricing this risk as additional processing fees, squeezing merchant margins further. The real problem was structural: without issuer involvement, there was no way to verify if the cardholder was legitimate.
Visa brought the first version of 3DS to market in 2001 in the form of Verified by Visa to address this exact problem. Mastercard quickly followed with SecureCode (later Identity Check), and by 2016, EMVCo – the standards body owned by Visa, Mastercard, American Express, Discover, JCB, and UnionPay – standardised it as EMV 3DS for global interoperability. With 3DS, authentication moved upstream. For the first time, the question of ‘is this really the cardholder?’ could be answered at the source.
As in the acronym, a typical 3DS transaction unfolds across three ‘domains’ – the merchant/acquirer domain, the interoperability domain, and the issuer domain. To visualise this better, here’s the story of a USD 50 online purchase from a fashion retailer:

Although each component operates within its own domain (merchant/acquirer, scheme, issuer), they form a single end-to-end authentication chain. It is worth stating explicitly that 3DS involves only data exchange and no movement of funds. The actual payment decision happens afterward during the authorisation flow, where the authentication result (e.g. CAVV, ECI) is passed to the issuer. 3DS authenticates the user; authorisation approves the payment. With the flow understood, the next important aspect is the version number, as most shoppers now complete authentication without even knowing it happened.
Frictionless flow is the magic of modern 3DS2. The original version of 3DS (3DS1) relied heavily on browser redirects and static challenges. Most transactions were routed through step-up authentication, leading to longer checkout times, inconsistent user experiences, and increased cart abandonment. At the same time, limited data sharing meant issuers had less context to accurately assess risk, contributing to both unnecessary challenges and higher false declines.
To address these limitations, EMVCo introduced 3D Secure 2.0 (3DS2). While the core architecture remains the same, 3DS2 enhances the flow by enabling the exchange of richer data (100+ parameters) between the merchant and issuer through the Authentication Request (AReq). This allows the issuer’s Access Control Server (ACS) to perform real-time risk-based authentication. As a result, low-risk transactions can be approved frictionlessly within the existing flow, while higher-risk transactions are selectively challenged using methods such as one-time passcodes or biometrics. Visa claims that with 3DS2, shopper checkout transaction time reduced by 85% and cart abandonment reduced by 70%.
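The outcome described above (frictionless approval or a selective challenge) reaches the merchant as a status in the Authentication Response, and the CAVV and ECI mentioned earlier travel with it. The following is an added example, not code from the article or from EMVCo, of how a checkout might act on that response while failing closed. The field names follow the EMV 3DS message format; the action names, the policy and the ECI table (limited to the common Visa and Mastercard values) are assumptions.

```python
# Added example: merchant-side handling of an EMV 3DS Authentication Response (ARes).
# Field names follow the EMV 3DS message format; policy and action names are assumptions.

ECI_FULL = {"visa": "05", "mastercard": "02"}     # fully authenticated
ECI_ATTEMPT = {"visa": "06", "mastercard": "01"}  # attempted authentication


def next_step(ares: dict, scheme: str) -> dict:
    """Map an ARes to the action the checkout should take; anything unexpected stops."""
    status = ares.get("transStatus")
    eci = ares.get("eci")
    cavv = ares.get("authenticationValue")
    if status in ("C", "D"):
        # The issuer's ACS wants step-up (OTP, biometrics); no authorisation yet.
        return {"action": "challenge", "reason": "ACS requested a challenge"}
    if status in ("N", "R"):
        # Not authenticated, or the issuer asks that authorisation not be attempted.
        return {"action": "stop", "reason": f"authentication failed ({status})"}
    if status in ("Y", "A"):
        expected = (ECI_FULL if status == "Y" else ECI_ATTEMPT).get(scheme)
        if not cavv or expected is None or eci != expected:
            # The status claims success but the proof is missing or inconsistent.
            return {"action": "stop", "reason": "authentication data missing or inconsistent"}
        # Frictionless result: carry the proof into the authorisation request.
        return {"action": "authorise", "eci": eci, "cavv": cavv,
                "dsTransID": ares.get("dsTransID")}
    if status in ("U", "I"):
        # No authentication was performed, so there is no proof to forward.
        return {"action": "review", "reason": "no authentication result"}
    return {"action": "stop", "reason": f"unknown transStatus {status!r}"}


# Constructed sample responses (not real transaction data).
FRICTIONLESS = {"transStatus": "Y", "eci": "05",
                "authenticationValue": "CONSTRUCTED-CAVV-PLACEHOLDER",
                "dsTransID": "00000000-0000-4000-8000-000000000001"}
CHALLENGE = {"transStatus": "C", "acsURL": "https://acs.example/challenge"}
INCOMPLETE = {"transStatus": "Y", "eci": "05"}  # success status without a CAVV

if __name__ == "__main__":
    for name, ares in [("frictionless", FRICTIONLESS), ("challenge", CHALLENGE),
                       ("incomplete", INCOMPLETE)]:
        print(name, "->", next_step(ares, "visa"))
```

The `review` outcome is where a merchant's own fraud tooling would decide whether to authorise without authentication data.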
Even in the EU, where 3DS is mandatory as part of Payment Services Directives (PSD2 and PSD3), it can be paired with SCA exemptions to enable frictionless flows for low-risk transactions. Such transactions include low value (like below EUR 30), subscriptions, specific corporate payments or trusted beneficiary lists. 3DS 2.0 has since evolved through versions 2.1, 2.2, and the current 2.3, each enhancing performance, data sharing, and overall UX.
Not every market arrived at 3DS the same way. Some were pushed there by regulators, others got there by necessity. A few are still resisting. The clearest case for what strong authentication actually delivers is Europe. The EEA region is a highly mature market for 3DS mainly because Strong Customer Authentication (SCA) was mandated under the Revised Payment Services Directive (PSD2). Even in many other countries such as Australia, Malaysia, India, and South Africa, there are SCA requirements in place and 3DS is the primary protocol used by the ecosystem to comply.

A key concern among merchants in Europe during early 3DS adoption was the potential increase in cart abandonment due to added friction at checkout. However, through the combined efforts of regulators, issuers, and payment providers, the ecosystem has evolved to minimise customer disruption. Mechanisms such as Transaction Risk Analysis (TRA), SCA exemptions, and other exclusions allow low-risk transactions to proceed without step-up authentication. As a result, frictionless flows in Europe have exceeded 60% in 2025, demonstrating that strong security can coexist with a streamlined user experience.
At a country level, France, for example, is a highly active 3DS market where issuers challenge transactions at twice the rate of other European markets yet still maintain strong conversion. This is partly driven by issuers approving more SCA exemption requests when transactions are supported by richer data through 3DS. Similarly, the UK represents a mature 3DS ecosystem following the adoption of PSD2-aligned requirements, with authentication success rates estimated to be 5-10% higher than comparable EEA markets. Overall, recent data indicates that 3DS has materially reduced fraud in the region, with USD 13 billion in fraudulent transaction value prevented year-to-date.
Looking beyond Europe, several markets in Asia-Pacific have also introduced strong authentication requirements that drive 3DS adoption. In India, the Reserve Bank of India mandates two-factor authentication for card-not-present transactions. In Australia, AusPayNet requires stronger authentication measures for higher-risk merchants (>0.2% fraud-to-sales ratio). Japan is the newest entrant. In Japan, updated credit card security guidelines introduced by the Ministry of Economy, Trade and Industry and the Japan Consumer Credit Association required merchants to implement 3DS for online payments from April 2025. While the regulatory frameworks differ, the direction is the same.
Beyond regulated markets, 3DS adoption is also increasing in regions where it is not mandated, such as the United States and Canada. In these markets, merchants typically use 3DS more selectively as a risk management tool by applying it to high-risk transactions, cross-border payments, or only when seeking liability shift. 2024 statistics show that the US accounts for 40% of all credit card fraud globally, despite handling only 25% of card transactions. As a consequence, 3DS adoption was driven by issuers and payment providers in their aim to improve payment authorisation confidence.
However, early implementations in these markets produced mixed outcomes. Some studies observed lower authorisation rates on transactions where 3DS was requested, even when customer and card characteristics were otherwise comparable. One potential reason is that in non-regulated environments, a 3DS request may flag a transaction as higher-risk, leading issuers to treat it as a negative signal. This dynamic is gradually shifting. With the adoption of newer versions such as 3DS 2.2, which enable the exchange of richer data, and improvements in issuer-side risk models, trust in 3DS is increasing. In recent years, several global merchants supported by EDC on payment optimisation projects have adopted dynamic 3DS strategies in the United States, evolving its use from a standalone fraud control tool into a key component of their broader authorisation strategy.
For merchants, a one-size-fits-all approach to 3DS will no longer work. In regulated markets, the focus should be on execution, i.e. maximising frictionless rates by sending issuers richer data and making smart use of exemptions. In non-regulated markets, leading merchants are increasingly adopting dynamic 3DS strategies such as selectively triggering authentication based on compliance scope, transaction risk, customer profile, and issuer behaviour. Where it makes sense, merchants can also route transactions through internal fraud tools first before authentication to reduce false declines and control costs.
Looking ahead, regulatory momentum is building globally, with more countries expected to introduce stronger authentication requirements for online payments. Fraud, meanwhile, is evolving fast – particularly with generative AI enabling new attack vectors such as synthetic identities and scalable automated fraud.
The growth of agentic commerce will push 3DS to evolve further, requiring it to move beyond verifying users toward validating the relationship between a user and the agents acting on their behalf.
From a customer experience perspective, authentication will become increasingly invisible. Advances in biometrics, tokenization, and real-time risk assessment will reduce the need for explicit interaction, pushing 3DS further into the background of the payment flow. It will become less visible to customers but more critical to how payments are approved. Globally, 3DS still remains one of the most effective tools for enabling secure and profitable ecommerce in an environment of rising fraud.
This article is part of The Paypers’ Explainers section.
Rohan Shaju is a Consultant in the Paris office. Before joining Edgar, Dunn & Company (EDC), Rohan worked for three years in India and France across technology strategy and transformation projects. Since joining EDC in 2023, he has gained valuable payment strategy expertise working with global card networks, issuers, fintechs, and travel merchants. Rohan holds a Master's in Management from ESSEC Business School in Paris, alongside an Electronics Engineering degree from India. Outside the realm of consultancy, Rohan follows cricket, football, and Formula 1. Additionally, he finds solace in activities like cooking, yoga, and skateboarding.