3D Secure Overview
Enhance security and compliance with a streamlined, processor-agnostic 3DS authentication process.

3DS (3D Secure) is an online payment authentication protocol that strengthens fraud prevention. During an online transaction it requires the cardholder to complete an additional verification step, such as a one-time password or a biometric check. This extra step confirms the cardholder's identity, reduces the risk of unauthorized payments, improves overall payment security, and, on a successfully authenticated transaction, shifts liability for fraud-related chargebacks from the merchant to the issuing bank.
By integrating with Basis Theory, merchants can authenticate transactions with Agnostic 3DS, which works independently of the payment processor, or use a processor-specific 3DS implementation when a processor requires one.
Start with a Guide
This page introduces key 3DS concepts and best practices. For hands-on implementation, refer to the guides below:
3DS Setup
3DS Implementation (CIT)
3DS Implementation (MIT)
Take 3DS Live
Understanding 3DS Authentication
Customer-Initiated Transactions (CIT)
- Applies when the cardholder is directly involved in the transaction and is present on the merchant's webpage or application at the time of purchase.
- Authentication follows either a frictionless or a challenge flow:
  - Device fingerprinting collects browser and device data as risk signals.
  - The 3DS authentication request is evaluated by the issuer's ACS.
  - Frictionless authentication completes automatically when the issuer judges the risk to be low.
  - Challenge authentication prompts the cardholder to verify their identity (e.g., OTP, biometrics).
- Upon success, the authentication result, including the authentication value (CAVV), is sent to the processor with the authorization request.
Merchant-Initiated Transactions (MIT)
- Used for recurring or stored-card payments that the merchant initiates without the cardholder present.
- Requires 3DS authentication only when the payment method is first set up.
- When a challenge is needed during setup, it can be handled in a 'decoupled' manner: the issuer confirms the cardholder's identity out of band, with no cardholder present at the time of the transaction.
- Subsequent charges reference the initial authenticated and authorized transaction instead of authenticating again.
- Keeps the merchant compliant while avoiding the conversion loss of challenging every recurring charge.
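The branching described in both sections above comes down to the transaction status the issuer's ACS returns. The following is an added example, not Basis Theory's SDK or the page's own code: it takes an EMV 3DS 2.x authentication result and decides whether to authorize with the 3DS data attached, present a challenge, wait for a decoupled confirmation, or decline. The EMVCo field names (transStatus, authenticationValue, eci, dsTransId, messageVersion) and status codes come from the 3DS specification; the shape of the `result` object, the action names and every sample value are this example's own assumptions, and the sample results are constructed rather than captured from any ACS or processor.

```javascript
// Added example, not Basis Theory SDK code. Field names and transStatus codes
// follow EMV 3DS 2.x; the `result` object shape and the action names are
// assumptions made for this example.

const ACTIONS = Object.freeze({
  AUTHORIZE: 'authorize',                 // send the authorization with 3DS data attached
  CHALLENGE: 'challenge',                 // CIT: render the ACS challenge to the cardholder
  AWAIT_DECOUPLED: 'await_decoupled',     // MIT setup: issuer confirms identity out of band
  DECLINE: 'decline',                     // issuer refused; do not authorize
  MERCHANT_DECISION: 'merchant_decision', // no authentication happened; no liability shift
});

// ECI codes that indicate authenticated (05 / 02) or attempted (06 / 01)
// authentication. 05 and 06 are used by Visa, Amex, Discover and JCB;
// 02 and 01 by Mastercard.
const AUTHENTICATED_ECI = new Set(['05', '06', '02', '01']);

// The EMV 3DS Authentication Value (CAVV on Visa, AAV on Mastercard) is a
// 20-byte value transported as 28 base64 characters. Decode and re-encode so
// that truncated or non-canonical values are rejected.
function isValidAuthenticationValue(value) {
  if (typeof value !== 'string' || value.length !== 28) return false;
  const bytes = Buffer.from(value, 'base64');
  return bytes.length === 20 && bytes.toString('base64') === value;
}

// Map the ACS outcome to the merchant's next step. Throws on results that are
// internally inconsistent (a "successful" status without a usable cryptogram),
// because authorizing those without 3DS data would silently forfeit the
// liability shift.
function routeAuthenticationResult(result) {
  const { transStatus, authenticationValue, eci, dsTransId, messageVersion } = result;

  switch (transStatus) {
    case 'Y':   // authenticated: frictionless, or a challenge the cardholder passed
    case 'A': { // attempts: proof that authentication was attempted but not completed
      if (!isValidAuthenticationValue(authenticationValue) || !dsTransId) {
        throw new Error(`transStatus ${transStatus} without a valid authenticationValue/dsTransId`);
      }
      if (!AUTHENTICATED_ECI.has(eci)) {
        throw new Error(`transStatus ${transStatus} is inconsistent with ECI ${eci}`);
      }
      return {
        action: ACTIONS.AUTHORIZE,
        // Y always shifts liability; A does on the major networks, but confirm
        // the attempts policy with your acquirer.
        liabilityShift: true,
        threeDS: { transStatus, authenticationValue, eci, dsTransId, messageVersion },
      };
    }
    case 'C': // challenge required: the CIT continues in the browser or app
      return { action: ACTIONS.CHALLENGE, liabilityShift: false };
    case 'D': // decoupled challenge: the issuer confirms without the cardholder in-session
      return { action: ACTIONS.AWAIT_DECOUPLED, liabilityShift: false };
    case 'N': // not authenticated
    case 'R': // rejected by the issuer
      return { action: ACTIONS.DECLINE, liabilityShift: false };
    case 'U': // issuer could not perform authentication (e.g. ACS unavailable)
    case 'I': // informational only (3DS 2.2); nothing to rely on
      return { action: ACTIONS.MERCHANT_DECISION, liabilityShift: false };
    default:
      throw new Error(`unknown transStatus: ${String(transStatus)}`);
  }
}

// Constructed sample results (not captured from any ACS or processor).
const SAMPLE_RESULTS = Object.freeze({
  frictionless: {
    transStatus: 'Y',
    authenticationValue: 'QUFBQUFBQUFBQUFBQUFBQUFBQUE=', // base64 of 20 constructed bytes
    eci: '05',
    dsTransId: '3f2c8e1a-9b4d-4c6e-8f0a-1d2e3c4b5a69',  // constructed DS transaction ID
    messageVersion: '2.2.0',
  },
  challenge: { transStatus: 'C', messageVersion: '2.2.0' },
  decoupled: { transStatus: 'D', messageVersion: '2.2.0' },
  declined: { transStatus: 'N', eci: '07', messageVersion: '2.2.0' },
});

for (const [name, result] of Object.entries(SAMPLE_RESULTS)) {
  console.log(name, '->', routeAuthenticationResult(result));
}
```

The point of the strict checks is that a result marked Y or A but lacking a decodable authentication value, or carrying a non-authenticated ECI, is treated as a defect in the integration rather than quietly authorized without 3DS data; only the authorize branch reports a liability shift, and U is left to merchant policy with no shift claimed.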
Key Concepts and Glossary
- 3DS Server / Provider: The merchant-side component that coordinates communication among the parties in the 3DS ecosystem (issuer, merchant, and card networks).
- ACS (Access Control Server): The issuing bank's system that verifies the cardholder's identity.
- Frictionless Authentication: Authentication that the issuer approves automatically, without cardholder interaction.
- Challenge Authentication: Authentication that requires additional verification from the cardholder (e.g., OTP, biometrics).
- Authentication Value: The cryptogram produced by a successful (or attempted) authentication and sent to the processor with the authorization. Commonly known as the CAVV (Visa) or AAV (Mastercard).
- Liability Shift: The transfer of liability for fraud-related chargebacks from the merchant to the card issuer after a successful 3DS authentication.