
What is 3D Secure 2 (3DS2) and Why it Matters

In a digital world where fraud is on the rise, 3-D Secure plays a critical role in protecting online transactions and building trust at checkout. In this blog, we explore how 3DS has evolved—and why it’s essential for modern eCommerce.

27 Aug 2025

What is 3-D Secure?

3-D Secure (3DS) is an industry standard that authenticates the cardholder during online checkout. It began life with “Verified by Visa” in the early 2000s, and the latest EMV 3-D Secure versions use risk-based checks to deliver mostly frictionless experiences while reducing card-not-present fraud and, in many cases, shifting liability away from the merchant.

3DS is an authentication protocol for e-commerce. The “three domains” are:

• Merchant/Acquirer domain (your store and your payment gateway)
• Issuer domain (the cardholder’s bank, via an Access Control Server, or ACS)
• Interoperability domain (the card schemes’ directory servers that route messages)

Together they enable the issuer to verify the buyer before the payment is authorised.


A Short History (and why it matters)

1999–2001: The original protocol is developed for Visa, then launched to consumers as Verified by Visa (now Visa Secure). Other schemes adopt their own brands (e.g., Mastercard SecureCode/Identity Check; Amex SafeKey).

2016: EMVCo publishes EMV 3-D Secure 2.0, a complete redesign to support mobiles, in-app flows and better UX.

2019–today: Subsequent releases (v2.2, v2.3 and maintenance updates) add features like exemptions handling, out-of-band and decoupled authentication.

Why it matters: 3DS2’s modern design delivers more frictionless approvals by giving issuers richer data to assess risk, so most of the time no challenge screen is needed.


How 3DS Reduces Fraud

Strong customer authentication: It proves the buyer is the legitimate cardholder before you even authorise the payment.

Richer risk signals: 3DS2 can pass dozens of data elements (device, account, and transaction context) to help issuers silently approve good customers and scrutinise risky ones.

Liability shift: For many schemes and regions, a fully authenticated (and often even an attempted) 3DS transaction shifts fraud-chargeback liability from the merchant to the issuer. (Always check your scheme rules and acquirer terms.)

Scams vs. fraud: 3DS2 is effective against unauthorised card use, but not against scams where users are tricked into approving transactions.


Important note:
3DS helps with unauthorised use of cards. It is less effective against scams where customers are tricked into approving a purchase, so combine it with education and anti-scam controls. Recent Australian data shows fraud and scams remain significant concerns.
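To make the "fully authenticated" versus "attempted" distinction above concrete, here is an added example (not PayNuts or EMVCo code) of a server-side check a merchant can run before authorising a payment. The names `transStatus`, `eci`, `authenticationValue` and `threeDSServerTransID` follow EMV 3DS data elements; the order keys, `auth_amount_minor` and `auth_currency` are hypothetical, and the ECI table is an assumption to confirm with your acquirer.

```python
from dataclasses import dataclass

# ECI values as commonly published by the schemes (assumption: confirm with your acquirer).
ECI = {"visa": {"authenticated": "05", "attempted": "06"},
       "mastercard": {"authenticated": "02", "attempted": "01"}}

@dataclass
class Decision:
    authorise: bool
    outcome: str  # authenticated | attempted | challenge | unavailable | failed | invalid
    reason: str

def evaluate_3ds(order: dict, result: dict) -> Decision:
    """Decide server-side whether this order may proceed to authorisation."""
    status = result.get("transStatus")
    if status in ("N", "R"):
        return Decision(False, "failed", "issuer did not authenticate the cardholder")
    if status in ("C", "D"):
        return Decision(False, "challenge", "challenge must finish before authorisation")
    if status == "U":
        return Decision(False, "unavailable", "no proof of authentication; apply fallback policy")
    if status not in ("Y", "A"):
        return Decision(False, "invalid", f"unexpected transStatus {status!r}")
    # Y or A: the proof must belong to this exact order, not be replayed from another one.
    if result.get("threeDSServerTransID") != order["threeds_txn_id"]:
        return Decision(False, "invalid", "transaction ID does not match this order")
    # Hypothetical fields: the amount and currency recorded when authentication was requested.
    authed = (result.get("auth_amount_minor"), result.get("auth_currency"))
    if authed != (order["amount_minor"], order["currency"]):
        return Decision(False, "invalid", "authenticated amount differs from the order")
    if not result.get("authenticationValue"):
        return Decision(False, "invalid", "missing authentication value")
    outcome = "authenticated" if status == "Y" else "attempted"
    expected = ECI.get(order["scheme"], {}).get(outcome)
    if expected is None or result.get("eci") != expected:
        return Decision(False, "invalid", f"ECI inconsistent with {outcome} result")
    return Decision(True, outcome, "proof present and bound to this order")

# Constructed sample data (not from a real transaction); "036" is the numeric code for AUD.
ORDER = {"scheme": "visa", "threeds_txn_id": "00000000-0000-4000-8000-000000000001",
         "amount_minor": "4999", "currency": "036"}
RESULT = {"transStatus": "Y", "eci": "05", "authenticationValue": "<constructed-placeholder>",
          "threeDSServerTransID": ORDER["threeds_txn_id"],
          "auth_amount_minor": "4999", "auth_currency": "036"}

if __name__ == "__main__":
    print(evaluate_3ds(ORDER, RESULT))
    print(evaluate_3ds(ORDER, {**RESULT, "auth_amount_minor": "499900"}))
```

Whether an "attempted" or "unavailable" result is acceptable, and whether it carries a liability shift, remains a matter of scheme rules and acquirer terms.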

The Australian Context: Why 3DS Matters Here

Card-not-present (CNP) fraud is the dominant fraud type in Australia, about 90% of all card fraud in 2023, with losses of $688m. As online spending grows, 3DS is a critical tool to cut CNP fraud while preserving conversion.

FAQs


Does 3DS hurt conversion?

3DS1 sometimes did. 3DS2 dramatically improves this with risk-based frictionless approvals and better mobile flows. Send rich data to issuers for the best results.

Will 3DS stop chargebacks?

It reduces fraud chargebacks and can shift liability to the issuer when certain requirements are met. It won’t eliminate disputes like “item not received” or friendly fraud. Check your scheme/acquirer rules.

Is 3DS required in Australia?

There’s no blanket SCA rule like in the EU, but with CNP fraud so prevalent here, issuers widely support 3DS and the AusPayNet framework encourages layered controls. 3DS is a key part of a modern anti-fraud stack.

Conclusion: 3DS2, the PayNuts way

3-D Secure is now table stakes for Australian eCommerce. When implemented well, especially with EMV 3-D Secure 2 (3DS2), you can reduce CNP fraud, help shift liability on risky transactions, and keep checkout fast for good customers. Whether you’re launching a new store or tightening fraud controls, PayNuts makes 3DS2 practical, compliant and conversion friendly. Talk to us.




