3D Secure (3DS) is an authentication protocol designed to reduce fraud in card-not-present (CNP) transactions by verifying the identity of the cardholder before a payment is authorized. When a customer makes an online purchase, 3DS prompts them to confirm their identity via a one-time password (OTP), mobile app push notification, biometric scan, or another method before completing the transaction.
Branded by card networks as Visa Secure, Mastercard Identity Check, American Express SafeKey, and others, 3DS helps merchants and payment providers ensure that the person using the card is the legitimate account holder.
The protocol has evolved with 3DS 2.0, which supports mobile-first experiences, biometric verification, and “frictionless” flows for low-risk transactions. These improvements make 3DS more compatible with modern e-commerce and less likely to cause cart abandonment.
From a risk management standpoint, 3DS provides two major advantages:
3DS is also a key tool for achieving compliance with Strong Customer Authentication (SCA) regulations in regions such as the EU.
Strong Customer Authentication (SCA)
Strong Customer Authentication (SCA) is a regulatory requirement under the EU’s Revised Payment Services Directive (PSD2) that mandates two-factor authentication for many online and contactless card payments. The purpose of SCA is to enhance security and reduce payment fraud by ensuring that the person initiating a transaction is the legitimate account holder.
To comply with SCA, authentication must use at least two of the following three elements:
SCA applies primarily to electronic payments within the European Economic Area (EEA) and has become a central part of risk and compliance strategies for payment providers and merchants operating in Europe.
In practice, 3D Secure (3DS) is the most widely used method to meet SCA requirements for card payments. When used correctly, it ensures compliance while enabling a secure checkout flow.
In many cases, SCA shifts liability for fraud to the card issuer, reducing risk exposure for merchants. However, it can also add friction to the checkout process, which is why merchants and acquirers often use SCA exemptions, such as those for low-value transactions, recurring billing, or trusted beneficiaries, when permitted.
For acquirers, PayFacs, and ISOs, ensuring that merchants adopt compliant authentication methods is critical to maintaining transaction approval rates, avoiding regulatory penalties, and minimizing fraud losses.
