3DS2: What Is It?

Implementation of 3DS2 (3D Secure 2.0) has continued to grow worldwide since the 2021 introduction of SCA requirements in the UK and EU. A 2023 report by Ravelin indicates that 17% of global payments are now made with the technology, up from just 1% the previous year. But despite these gains, many merchants around the globe are still wondering what this fraud protection technology can do for them. Below we summarize what 3DS2 is, how it compares to previous versions, and where its limitations lie.

Before we can explain what 3DS2 is, we must cover what 3DS 1.0 – its predecessor – used to do. 3D Secure is a security protocol that protects cardholder payment details from unauthorized use across three domains: the acquirer, the issuer and the infrastructure between them that supports the protocol. The idea behind it is to introduce a strong customer authentication process to reduce card-not-present fraud by verifying the identity of the cardholder with their issuer before they make a purchase.

To use 3D Secure, the customer first registers with their issuing bank and sets up a static password. When the customer checks out on the websites of participating merchants, they are directed to a popup or inline frame belonging to their issuing bank to fill their password to authenticate their identity and enable the bank to authorize the online transaction. Following the authorization, the merchant sends the transaction to their payment service provider for processing.

Merchant pain points specific to subscription chargebacks also exist. For example, there is no proration for a chargeback. The customer can be significantly into their subscription period before requesting a chargeback. As a result, the merchant faces not only chargeback fees but also the expenses related to the product or services already consumed.

Another issue with subscriptions is the use of free trials that auto-convert to paid subscriptions after a specific timeframe. Even if you’ve asked for subscribers’ credit card details during the free trial sign-up it doesn’t mean they are aware that they will automatically be moved to a paid plan after the trial ends. Without a robust chargeback mitigation solution in place, this confusion can quickly escalate into mounting numbers of lost chargebacks.

3D Secure 1 was launched in 2001 as Verified by Visa and MasterCard SecureCode, followed several years later by branded versions for American Express, Discover and JCB as well. Its twenty year run came to an end in October 2022, when it was finally decommissioned by major card schemes.

However, problems existed from the beginning; early adoption of the technology was low in many of the largest Western markets, such as France (19 percent), Germany (46 percent), Spain (17 percent) and the U.K. (29 percent), according to the 2016 Arvato Payments Review. Among the worst was the world’s largest market, the U.S., where adoption stalled at just 5 percent.

Overall adoption was weak because the net benefits of 3D Secure implementation were a mixed bag. The primary benefit to merchants of enrolling in 3D Secure was that it facilitated a  liability shift for fraudulent transactions from them to the issuer. However, this was tempered by significantly lowered customer conversion rates. Customers on a 3D Secure enrolled merchant site would abandon checkout because they weren’t comfortable being dragged in the middle of a transaction to a third-party site to authenticate.

Another factor in low conversion rates over the past decades is that many bank pages weren’t optimized for mobile, and were caught off-guard by the boom in mobile commerce. This left mobile-based customers dealing with long load times and complicated forms to complete, pushing them to abandon transactions.

For card issuers, 3D Secure only represented added costs. For starters, if fraud occurred on an authenticated transaction, it was the bank’s responsibility. This liability issue was exacerbated by the fact that 3-D Secure wasn’t very secure. The use of static passwords was problematic because they weren’t very difficult for motivated fraudsters to compromise and then use to bypass the 3D Secure process.

All the issuing bank would receive to determine the likelihood of fraud was 10 static data elements. Lastly, the issuing banks had to shoulder the cost of implementing and supporting access control servers (ACS) to receive 3D Secure messages, process the messages and authenticate the card user. In short, there were plenty of stakeholders dissatisfied with the original 3D Secure.

3D Secure 2.0 was jointly created by Visa and Mastercard in 2016, and aim to remedy some of the problems with 3DS 1.0. One major change is that the protocol now sends over 100 data elements for each transaction and enables risk-based authentication (RBA) decisions, which benefits both merchants and issuers. RBA means that the decision to challenge the cardholder to authenticate their identity is based on the perceived risk of the transaction as determined by data elements passed through 3DS2.

Transactions that are deemed low risk are passively authenticated through a “frictionless flow” that does not disturb the cardholder, reducing checkout abandonment. 3DS2 was also designed to be mobile responsive with native in-app payment options, instead of iframes or popups, making it easier to retain mobile users. Finally, 3DS 2.0 supports token-based and biometric authentication, and removes static passwords, making it more difficult for fraudsters to compromise credentials.

The adoption of 3DS2 was significantly accelerated by the implementation of the Revised Payments Service Directive (PSD2) in the European Economic Area (EEA). PSD2 set a new standard in European countries for protecting  online payments by mandating Strong Customer Authentication (SCA) for most transactions.

To fulfill the SCA requirement merchants must authenticate a customer’s identity using two of the following three things: something they know, something they have and something they are. “Something they know” includes password, PIN, or personal facts. “Something they have” might be a mobile phone (i.e. SIM card), security token, or smart card. “Something they are” could consist of a fingerprint, facial features, or voice pattern.

Data on adoption numbers is limited, but European issuers and merchants flocked to 3DS2 to meet the SCA requirement that went into effect in January 2021. 3DS2 was also designed with PSD2 in mind, including exemptions from SCA, for example, when dealing with small transaction amounts.

3DS2.2 is the latest iteration of 3D Secure, and is expected to see widespread adoption in 2025. This update builds upon 3DS2’s existing capabilities while introducing several new features designed to further streamline authentication and reduce friction. The protocol now supports an even wider range of devices, including smart TVs and gaming consoles.

3DS 2.2 introduces advanced features like delegated and decoupled authentication, which allow select merchants to authenticate transactions on a customer’s behalf – particularly valuable for recurring subscriptions or split shipments. The system also expands support for 3DS Requestor Initiated (3RI) authentication, enabling verification even when the customer isn’t present, such as for installment payments or buy-now-pay-later transactions.

It’s important to point out that the liability shift from merchant to issuer in cases of 3DS authentication covers fraud chargebacks alone, and not service-related chargebacks. This still leaves merchants exposed to friendly fraud, which comprises over 80%of chargebacks, and continues to rise year on year What is surprising is that, despite the vast majority of chargebacks being illegitimate – and therefore winnable – merchants only win 30% of disputes on average. This can result in devastating financial losses for businesses affected. In worst case scenarios, up to 25% of net income can be lost on chargebacks.

Another significant concern is that all chargebacks on 3DS-authenticated transactions count towards card scheme fraud monitoring programs, regardless of the liability shift. This means that even when merchants aren’t financially liable for fraud chargebacks due to 3DS authentication, these disputes still impact their fraud ratios. High fraud rates can trigger substantial fines from card networks and lead to decreased authentication rates as issuers become more cautious, potentially resulting in higher decline rates or even account termination.

To fight friendly fraud chargebacks, consider using a comprehensive chargeback mitigation service. Justt offers a tailor-made solution designed to maximize the amount of merchant chargebacks won. The service is risk-free, with a success-based fee, and typically doubles chargeback win rates within weeks.  In fact, Justt’s machine learning system subjects every representment to rigorous A/B testing, so your win rate will continue to climb, at any scale.

Unlike template-based solutions, Justt’s AI-driven Dynamic Arguments feature creates unique, precision-tailored responses that account for the preferences of individual issuers examining your evidence, as well as the complex requirements of acquirers and card schemes. Everything from format, to layout, to argument type and style, is optimized for maximal effectiveness. This intelligent approach ensures each dispute is presented in the most compelling way possible, giving you the best chance to catch friendly fraud chargebacks that slips through 3DS2’s defences.