What is 3-D Secure?
3-D Secure (often also referred to as EMV 3DS) is a security protocol that provides an additional layer of authentication for online card transactions. It is designed to help prevent unauthorized transactions and reduce fraud for card-not-present (CNP) transactions. At its core, it is a way for merchants and card issuers to authenticate the cardholder seamlessly during an online transaction.
Each card scheme has its own service that implements the EMV 3DS protocol. For example, Visa has "Visa Secure", Mastercard has "Mastercard Identity Check", and American Express has "SafeKey".
As of today there is one relevant version in the market: 3-D Secure 2 (3DS2). It is designed to address the shortcomings of the original protocol (3DS1) and to improve the user experience for cardholders and merchants.
The benefits of 3DS2 include:
- Regulatory compliance: 3DS2 is designed to meet the requirements of the Payment Services Directive 2 (PSD2) in Europe and the Strong Customer Authentication (SCA) requirements.
- Acceptance rates: 3DS2 is designed to reduce friction in the checkout process and improve the user experience, which can lead to higher conversion rates.
- Enhanced trust: 3DS2 provides additional data points that can be used to authenticate the cardholder, which can help reduce fraud and build trust with customers.
- Liability shift: 3DS2 supports the liability shift for transactions that are authenticated using the protocol, which can help protect merchants from fraud-related chargebacks.
Hellgate® provides a simple and convenient but also secure way to integrate 3DS2 into your payment flows. Our services are designed to make it easy to authenticate cardholders and reduce fraud across all your acquirers, while still providing a seamless user experience for your customers.
One of the key reasons 3DS2 is so convenient is that it works on data collected from the merchant, the customer and the device. This allows the card issuer to selectively challenge transactions based on the risk profile of each transaction. In many cases the cardholder will therefore not be challenged at all, which reduces friction in the checkout process and improves the user experience.
Challenge Flows
In case the card issuer decides to challenge the transaction, the cardholder will be redirected to the card issuer's authentication page to complete the challenge. The challenges typically include entering a one-time password (OTP) or accepting a push notification on their mobile device. This process effectively implements a two-factor authentication (2FA) mechanism to verify the cardholder's identity.
Frictionless Flows
In some cases, the card issuer may be able to authenticate the cardholder without requiring any action on their part. This is known as a "frictionless flow" and is designed to provide a seamless user experience for the cardholder. The card issuer may use data collected from the merchant, the customer, and the device to authenticate the cardholder without requiring any additional input.
Authentication Results
At the end of the 3DS2 authentication a so-called electronic commerce indicator (ECI) is returned. This ECI indicates the result of the authentication and can be used by the merchant to determine the next steps in the payment flow. The ECI can have different values, such as "authenticated", "attempted", or "not authenticated", depending on the outcome of the authentication.
VISA, American Express, and others:
ECI Value | Description | Liability Shift |
---|---|---|
05 | Cardholder authentication was successfully completed. | Yes |
06 | Authentication was attempted but was not available at the issuer's end. | Sometimes |
07 | Authentication was rejected or could not be attempted. | No |
Mastercard:
ECI Value | Description | Liability Shift |
---|---|---|
00 | Authentication was rejected or could not be attempted. | No |
01 | Authentication was attempted but was not available at the issuer's end. | Sometimes |
02 | Cardholder authentication was successfully completed. | Yes |
Exemptions (PSD2 / SCA)
Specific transactions may be exempt from the 3DS2 authentication process. These exemptions are designed to reduce friction and improve the user experience for cardholders.
Exemption Type | Conditions | Limits/Notes |
---|---|---|
Low-Value Transactions | Amount ≤ €30 | Max 5 consecutive transactions or cumulative total ≤ €100 before SCA is triggered |
Recurring Transactions | Same amount and same payee | SCA required only for the first transaction |
Trusted Beneficiaries | Payee added to whitelist maintained by customer’s bank | Future payments to that payee can be exempt from SCA |
Corporate Payments | Uses secure, dedicated corporate processes not available to the general public | Must meet security requirements equivalent to SCA |
Transaction Risk Analysis (TRA) | Low fraud risk assessed by the PSP based on transaction data | Value limit depends on the PSP's fraud rate: ≤ €500, ≤ €250 or ≤ €100, depending on which fraud-rate threshold the PSP meets |
Secure Corporate Processes | Applies to large-scale, internal payment systems | Must be isolated from consumer payment channels |
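As an added example (not Hellgate's code and not part of the protocol itself), the following Python shows one way to track the low-value exemption limits from the table above: a transaction may skip the challenge only while the amount is ≤ €30, fewer than 5 exempt transactions have occurred in a row, and the cumulative exempt total stays ≤ €100. The per-card counter state and the "counters reset once SCA is performed" behaviour are assumptions of this example.

```python
from dataclasses import dataclass
from decimal import Decimal

# Limits taken from the low-value exemption row of the table above
LOW_VALUE_LIMIT = Decimal("30")    # single transaction must be <= EUR 30
MAX_CONSECUTIVE = 5                # at most 5 exempt transactions in a row
CUMULATIVE_LIMIT = Decimal("100")  # cumulative exempt total must stay <= EUR 100


@dataclass
class CardExemptionState:
    """Hypothetical per-card counters since the last successful SCA."""
    consecutive_exempt: int = 0
    cumulative_exempt: Decimal = Decimal("0")

    def reset_after_sca(self) -> None:
        # Assumption: a completed challenge starts a fresh counting window
        self.consecutive_exempt = 0
        self.cumulative_exempt = Decimal("0")


def low_value_exemption_applies(amount: Decimal, state: CardExemptionState) -> bool:
    """True if this transaction may skip the 3DS2 challenge under the low-value exemption."""
    if amount > LOW_VALUE_LIMIT:
        return False                      # amount itself is above EUR 30
    if state.consecutive_exempt >= MAX_CONSECUTIVE:
        return False                      # 5 exempt transactions already in a row
    if state.cumulative_exempt + amount > CUMULATIVE_LIMIT:
        return False                      # this one would push the total past EUR 100
    return True


def record_transaction(amount: Decimal, state: CardExemptionState) -> str:
    """Decide 'exempt' or 'sca' for one transaction and update the counters."""
    if low_value_exemption_applies(amount, state):
        state.consecutive_exempt += 1
        state.cumulative_exempt += amount
        return "exempt"
    # Exemption not available: the cardholder is challenged and the window restarts
    state.reset_after_sca()
    return "sca"


def simulate(amounts):
    """Run a constructed sequence of EUR amounts through the counters; returns the decisions."""
    state = CardExemptionState()
    return [record_transaction(Decimal(a), state) for a in amounts]


if __name__ == "__main__":
    # Constructed sample: five EUR 20 payments are exempt, the sixth trips the count limit
    print(simulate(["20", "20", "20", "20", "20", "20"]))
```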
Additionally, specific transaction types are excluded from the SCA requirement altogether:
Transaction Type | Description | Reason for Exclusion |
---|---|---|
MOTO (Mail Order / Telephone Order) | Payments made via phone or mail, not electronically initiated by the payer | Not considered electronic payment initiation |
Anonymous Prepaid Cards | Gift cards or prepaid cards with no identifiable customer | Payer identity cannot be authenticated |
Merchant-Initiated Transactions (MIT) | Transactions initiated by the merchant without payer’s active involvement | Not triggered by the customer at the time of payment |
Direct Debits (e.g., SEPA) | Mandate-authorized debits, not initiated by the customer at each occurrence | No real-time action from the payer |
Inter-PSP Transfers | Transfers initiated by a payment service provider or bank on behalf of the user | Not customer-initiated |
One-leg-out Transactions | Where either the payer’s or payee’s PSP is outside the EEA | PSD2 applies only partially outside the EEA |