What is 3D Secure?

3D Secure is a security protocol created to minimize fraud in Card Not Present (CNP) online transactions.  It functions by providing an additional step in the identity confirmation process for the cardholder.  The protocol operates on a three-domain model and uses XML messages over SSL connections to confirm the user’s identity. 

The system was created to address online payment security and is in use by major card networks.  The system also relates to business compliance with regulatory requirements, for instance, the EU’s Strong Customer Authentication (SCA) mandate. 

3D Secure 2.0 offers significant improvements over the first version, focusing on a smoother user experience and broader support.

3D Secure requires an additional security measure by verifying that the person making the purchase is a legitimate cardholder.  It works by prompting the user for additional information during checkout. 

This verification is done through: 

1. A password associated with the card. 
2. A one-time code is sent to the cardholder’s mobile device. 
3. Biometric verification, such as a fingerprint or facial scan on a smartphone. 
4.  

This process makes it more difficult for criminals to use stolen card details for fraudulent purposes.  It should be used as one part of a full fraud prevention strategy.

Here are the advantages that 3D Secure offers SaaS businesses and customers:

For Businesses   

• Fraud Mitigation: Is associated with a potential decline in unauthorized transactions. 
• Liability Shift: For fraudulent purchases that were authenticated through 3D Secure, the financial liability shifts from the merchant to the card-issuer, thus reducing chargeback costs. 
• Lower Fraud Rates: Can affect the terms offered by acquiring banks. 

For Consumers 

Advanced Safeguards: Intended to address concerns related to data leakage, identity theft, and potential financial loss due to card detail theft. 

Increased Security: The presence of an extra security layer can affect consumers’ level of confidence when shopping online.

While effective, 3D Secure has some drawbacks: 

• Checkout Friction: The extra authentication step, especially in version 1.0, can frustrate the user experience and cause abandoned carts. 
• Technical Issues: The process can fail due to delayed messages, poor internet connection, or device incompatibility, causing declined transactions. 
• Cost and Complexity: Implementation and maintenance can be complicated and costly, especially for smaller merchants. 
• Over-Dependence: Relying entirely on 3D Secure can cause businesses to miss other security vulnerabilities in their systems. 

SaaS businesses should communicate 3D Secure in a clear and simple manner that builds trust and prevents confusion. 

• Describe it as a benefit: Present it as an ‘additional security measure’ that offers fraud protection. 
• Be straightforward: Let customers know they may be redirected to their bank’s page for identity verification. 
• Provide support: Use an FAQ page or help section to explain the authentication process to set customer expectations. 

Yes, authentication failures do happen for several reasons: 

• Technical Problems: Customers with a weak Wi-Fi signal might experience timeouts or a delay in receiving the one-time code via SMS. 
• User Error: Customers sometimes enter the wrong password or code. 
• Server Decisions: For low-risk Saas transactions, a merchant’s server might be configured to bypass the 3D Secure challenge to improve the user experience, which is a feature of 3D Secure 2.0’s risk-based approach. 

3D Secure is a global standard, but its adoption is highest in regions with hefty regulatory mandates. 

• Europe: Its use is widespread due to the Strong Customer Authentication (SCA) requirements under PSD2. 
• India and South Africa: It is mandated by law for online transactions in these and other countries. 

Adoption rates depend upon local regulations and market education about its data security benefits in other countries.