What Is 3-D Secure Authentication?

The EMV® 3-D Secure payment protocol is designed to provide an additional layer of protection to help prevent fraud. 3-D Secure authentication is a process where customers verify their identity with their payment card issuers when making purchases in digital channels.

Businesses use the 3-D Secure protocol to protect from fraud without impacting their customers or slowing down legitimate transactions. The latest version of 3-D Secure authentication uses frictionless flow, which preserves the customer experience by only intervening when a transaction is highly suspicious.

Why Is 3-D Secure Authentication Important?

The more consumers and businesses continue to shift to e-commerce and digital payment methods, the more cybercriminals look to exploit card-not-present (CNP) transactions. Without traditional safeguards such as chip readers or PIN-pad devices, card issuers and merchants leave themselves and consumers at higher risk of fraud. In 2021, CNP fraud loss topped $15.3 billion, and could exceed $17.2 billion by 2023.

Payments that have been successfully authenticated using the 3-D Secure (3DS) protocol are covered by liability shift. Liability shift is how banks and processors handle fraud and incentivize all parties to follow best fraud prevention practices.

As CNP transactions continue to gain popularity, more merchants and issuers stay ahead of regulatory requirements such as SCA by using 3-D Secure authentication. In 2021, Outseer noted a continuous rise in 3-D secure authentication in the United Kingdom, Australia, Europe, New Zealand, and the western world. While SCA isn’t mandatory in the United States, many believe it’s only a matter of time before similar regulatory requirements are put in place.

What Kind of Fraud Does 3-D Secure Authentication Protect Transactions from?

3-D Secure authentication helps combat CNP fraud by ensuring the legitimate cardholder is the one making a purchase.

With the dark web awash with breached credit card data, fraudsters can easy acquire high volumes of credit card numbers and other personal information—or steal it through phishing scams. So 3-D Secure transparently authenticates cardholders by assessing as many as 100 different data elements.

In the rare instance additional scrutiny is warranted, one-time passcodes (OTPs) or other out-of-band authentication can be used to verify the relationship between the cardholder and a transaction. OTPs are typically sent via text, email, or push notification but can also be generated through two-factor authentication apps. This process uses separate channels to verify the identity of the customer further.

In addition to OTPs, businesses can also use biometric data in 3-D Secure authentication. For example, voice print verification can be used while on the phone, while a fingerprint scan can be used during a touchless transaction.

How 3-D Secure Authentication Works

3-D Secure involves three different parties or “domains” to function, the acquiring bank, the issuing bank, and the infrastructure used to support the protocol. Together these three parties share information about the transaction, known fraud, and the cardholder to determine the risk of a transaction and prevent fraud.

Authentication Request

During checkout, the customer enters their card details and submits their payment details. In mere seconds the 3-D Secure provider sends a data-rich request to the card issuer. This request contains over 100 different data points that help the issuer understand the risk associated with the transaction. These data points include:

  • Device age
  • Account age
  • Device ID
  • IP address
  • Transaction amount and history
  • Session statistics (browser type, typing speed, etc.)

This contextual data is key to securing transactions, and helps pave the way for more robust forms of payment authentication.


The request is received by the issuer’s 3-D Secure provider and assigns the transaction a risk score. This score is generated by comparing the data in the request to statistical threat models. Thanks to machine learning algorithms, this process only takes a few seconds.

Authentication or Challenge Flow

If there is enough data to determine the cardholder’s identity, the customer proceeds through checkout without additional steps. This ensures legitimate customers receive a frictionless experience when shopping and helps improve conversion rates and reduce cart abandonment.

If the transaction is deemed high risk, the customer is sent through a challenge flow for additional verification. This is where the merchant’s 3D-Secure authentication kicks in. The user will be required to authenticate themselves via OTP or biometric scan. If the customer passes the authentication challenge flow, they proceed to checkout.

Fraud Protection Doesn’t Have to Cost You Conversions

3D-Secure providers can make highly accurate risk assessments that streamline checkout, prevent fraud, and build brand loyalty by leveraging the latest statistical models, partner insights, and threat intelligence.

Outseer 3-D Secure, for example, is an Access Control Server (ACS) that provides the best in 3DS-enabled payment authentication without sacrificing user experience. With the Outseer Risk Engine at its core and informed by intelligence from our global data network partners, Outseer 3-D Secure transparently evaluates each transaction in real time to prevent 95% of all fraud, with only 5% of transactions ever requiring intervention.

By seeing what others can’t, Outseer 3-D Secure protected more than $100 billion in payment transactions in just the first half of 2021. As more card issuers and merchants embrace the gold standard of payment authentication technology, Outseer will be there to support them, every step of the way.

To learn how you can protect your customers through the power of frictionless fraud prevention, request a free demo today.

Armen Najarian

CMO + Chief Identity Officer

Armen is a 15-year Silicon Valley veteran with deep experience leading the marketing function for fast-growing fraud prevention, predictive analytics, and cybersecurity companies. His most recent leadership roles include CMO positions at Agari and ThreatMetrix, the latter of which he established as the definitive category leader for digital identity solutions.