3D SECURE

3D Secure: your guide to safer transactions

Explore how 3D Secure works to verify cardholders, prevent unauthorized use and make eCommerce payments safer and smoother.

Securing online payments

Digital commerce has unlocked enormous opportunities for merchants, with global spending projected to surpass $8 trillion by 2028. But as online shopping expands, so does exposure to fraud and cybercrime. To stay ahead, businesses need advanced authentication tools that protect revenue and customer data without adding unnecessary friction. That’s where 3D Secure (3DS) comes in.

Originally developed by Visa, 3DS helped lay the foundation for today’s global authentication standards. It enables a secure exchange of data between merchants and issuers before a transaction is authorized, helping reduce fraud, improve approval accuracy and shift liability for authenticated or attempted-authentication transactions. While Visa continues to advance the technology with Visa Secure, many other financial institutions and payment networks now use 3DS as an essential part of their own authentication systems.

With Visa Secure, Visa’s EMV 3DS program, merchants can confirm customer identities through intelligent, data-driven verification to deliver a secure, smooth checkout experience. According to Visa data, Visa Secure has demonstrated a powerful impact on fraud prevention and transaction performance. Authenticated transactions show approximately a 45% reduction in fraud — just 11 basis points (bps) of fraud compared with 20 bps for non-authenticated eCommerce transactions.¹

What is 3D Secure?

3DS adds an extra layer of protection to online payments by helping ensure that the person using a card online is the legitimate cardholder. It’s a global authentication protocol designed to prevent unauthorized use and reduce fraud losses for merchants.

The story of 3DS begins with Visa, which originally developed the technology to make online card payments safer. The first generation of 3DS introduced a standardized way to authenticate cardholders before authorization, setting the foundation for secure digital commerce. Although the early version relied on static passwords that sometimes added friction at checkout, it marked a major step forward in fighting eCommerce fraud. Over time, 3DS has evolved into an industry-wide standard, adopted by many other financial institutions and payment networks that recognize its effectiveness in protecting card-not-present (CNP) transactions.

The latest version — known as Visa Secure or EMV 3DS — builds on those early innovations to deliver smarter, faster and more seamless authentication across devices. With enhanced data exchange, adaptive risk-based decisioning and full support for compliance standards like PSD2 (the second Payment Services Directive, a European regulation), Visa Secure helps merchants offer frictionless, secure payments that protect both customers and revenue.

How does 3D Secure protect online payments?

In recent years, there’s been a rise in CNP transactions. This is where checkout is completed remotely, like when a customer makes a purchase online, in-app or over the phone without physically presenting their card. Without a physical card present, these payments are more vulnerable to fraud. According to Visa data, CNP fraud rates are 7.5 times higher than those for card-present transactions, accounting for nearly 89% of all payment fraud.²

3DS addresses this fraud risk by authenticating the cardholder before the payment is authorized. To do this, it uses hundreds of data points — such as device type, location and historical spending — to help issuers identify legitimate customers and flag suspicious activity in real time.

What’s the difference between authentication and authorization?

Authentication and authorization are two distinct steps in the payment journey:

  • Authentication: Confirms the cardholder’s identity before the transaction is approved.
  • Authorization: Determines whether the transaction can proceed, based on available funds and account status.

A typical payment lifecycle follows four stages:

1. Authentication — to verify identity: This is the security checkpoint that confirms the person making the transaction is the legitimate cardholder. Technologies like EMV 3DS (delivered through Visa Secure) help authenticate the customer before the payment is processed. Successful authentication reduces fraud risk and can shift liability away from the merchant.

2. Authorization — to approve or decline the payment: Once authentication is complete, the transaction request is sent to the card issuer to verify details such as available funds, account status and potential risk indicators. The issuer then approves or declines the transaction in real time.

3. Clearing — to exchange transaction details: After authorization, the transaction moves into the clearing stage, where detailed payment information is exchanged between the acquirer, issuer and card network. This ensures that all parties record the same transaction details for accurate processing.

4. Settlement — to finalize payment between issuer and acquirer: Finally, settlement is where funds are transferred from the cardholder’s issuing bank to the merchant’s acquiring bank. This step completes the transaction and ensures the merchant receives payment for the purchase.

Together, these four stages help ensure that every digital payment is processed securely, accurately and efficiently.

How does Visa Secure enhance authentication?

Visa Secure, Visa’s EMV 3DS program, represents a major leap forward. Two-factor authentication (2FA) strengthens security and supports smoother, multi-device experiences — including mobile apps, in-app purchases and even IoT devices. Unlike its predecessor, EMV 3DS can also be used for identity verification in non-payment scenarios, such as onboarding or account setup. This technology protects Visa card transactions, establishing clear rules and technical standards for how merchants and issuers authenticate online purchases using 3DS.

Beyond improved fraud prevention, Visa Secure helps merchants achieve better business outcomes. Visa reports a 9% lift in authorization approval rates for transactions authenticated through Visa Secure.³ This means more legitimate sales are approved without added risk, translating directly into increased revenue and customer satisfaction.

On average, authentication solutions like Visa Secure have delivered a 4% increase in authorization rates and a 7 basis point reduction in fraud for clients.⁴

How does Visa Secure meet compliance standards?

PSD2 is a regulation in the EEA and UK designed to make electronic payments safer. It requires strong customer authentication for online transactions that are in-scope and allows licensed third-party providers to access bank data securely — helping create a more open and competitive payments ecosystem across the EU and UK. For merchants operating under PSD2, Visa Secure supports these requirements and, when merchants use it, ensures compliance is met by either:

1. Facilitating exemptions to be applied, such as Acquirer TRA, Issuer TRA, Secure Corporate Exemption.

2. Enabling issuers to challenge their cardholder to verify themselves using at least two of the following:

  • Something the customer knows, such as a password or PIN.
  • Something the customer has, such as a preregistered mobile device, card reader or key generation device.
  • Something the customer is, which is confirmed by checking biometric data like fingerprint, face ID or voice recognition.

How does 3D Secure work?

The 3DS ecosystem is made up of three key stakeholders who work together:

  1. Merchant initiates the authentication request through a 3DS network.
  2. 3DS network — like Visa Secure — oversees program rules, data exchange standards and risk policies.
  3. Issuer uses an access control server (ACS) to assess transaction risk and authenticate the cardholder.

At the heart of 3DS is risk-based authentication (RBA), where the issuer evaluates each transaction in real time using hundreds of data points — such as device type, location and historical spending patterns — to determine its risk level:

  • Frictionless flow: Low-risk transactions are authenticated in the background, with no extra steps for the customer.
  • Challenge flow: If a potentially high-risk transaction is detected, the issuer prompts the customer for verification via a one-time password or biometric confirmation.

In this way, 3DS ensures an adaptive approach to authentication that allows most legitimate transactions to proceed seamlessly while adding extra protection when needed.
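
The frictionless and challenge flows described above, seen from the merchant side, as an added example that is not Visa's code: a gate that decides whether a payment may move from authentication to authorization. The `transStatus` letters and the `messageType` and `authenticationValue` field names follow the EMV 3DS specification; the function name, action names and sample messages are assumptions made for illustration.

```python
# Added illustration (not Visa code): merchant-side gate between 3DS
# authentication and authorization. transStatus letters and field names
# follow the EMV 3DS spec; action names and samples are constructed.
FINAL_OK = {"Y": "authenticated", "A": "attempted"}
FINAL_FAIL = {"N": "not_authenticated", "R": "rejected_by_issuer"}


def next_step(message: dict) -> dict:
    """Decide what the merchant does with an ARes or RReq message."""
    msg_type = message.get("messageType")
    status = message.get("transStatus")
    if msg_type not in ("ARes", "RReq"):
        return {"action": "abort", "reason": "unexpected_message_type"}

    # Challenge flow: the ACS wants to interact with the cardholder. Only an
    # ARes may say so; the final outcome then arrives in the RReq.
    if status == "C":
        if msg_type != "ARes":
            return {"action": "abort", "reason": "challenge_status_in_result"}
        return {"action": "run_challenge", "reason": "issuer_requested_challenge"}

    if status in FINAL_OK:
        # Y/A must carry the ACS-issued authentication value; without it
        # the payment must not go to authorization as authenticated.
        if not message.get("authenticationValue"):
            return {"action": "abort", "reason": "missing_authentication_value"}
        flow = "frictionless" if msg_type == "ARes" else "challenge"
        return {"action": "authorize", "reason": FINAL_OK[status], "flow": flow}

    if status in FINAL_FAIL:
        return {"action": "decline", "reason": FINAL_FAIL[status]}

    # "U" (authentication could not be performed) or an unknown value:
    # fail closed and leave the decision to the merchant's own risk policy.
    return {"action": "review", "reason": "authentication_unavailable"}


# Constructed sample messages, trimmed to the fields used above.
SAMPLES = [
    {"messageType": "ARes", "transStatus": "Y", "authenticationValue": "c2FtcGxl"},
    {"messageType": "ARes", "transStatus": "C"},
    {"messageType": "RReq", "transStatus": "N"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["transStatus"], next_step(sample))
```

Whether an "attempted" result carries a liability shift depends on the program rules of the 3DS network, so the gate reports the reason separately from the action.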

How can I add 3D Secure authentication to my eCommerce site?

Merchants can connect to a 3DS program — like Visa Secure or Visa Enhanced Authentication Solutions (VEAS) — that securely transmits transaction data to the issuer. Issuers use an access control server (ACS) and risk-based authentication (RBA) to evaluate transactions in real time, enabling seamless authentication for low-risk payments and enhanced verification for higher-risk ones.

What 3D Secure solutions does Visa offer?

Visa provides comprehensive resources and technology to help merchants and issuers maximize the benefits of modern authentication. Visa Secure, Visa’s EMV 3DS program, supports robust cardholder authentication while enabling seamless customer experiences, ensuring legitimate transactions are approved and fraudulent ones are blocked.

Here’s a summary of the key benefits Visa Secure helps provide to merchants and financial institutions:

The benefits of 3D Secure for merchants

Solutions for issuers and merchants

Visa offers a suite of flexible, data-driven solutions that make it easier for businesses and financial institutions to implement 3DS authentication:

  • Visa Consumer Authentication Service (VCAS): Hosted solution for issuers that uses AI and Visa’s vast global dataset to generate real-time risk scores. VCAS helps issuers make intelligent authentication decisions, reduce fraud and enhance approval accuracy.
  • Visa Payment Passkey: Password-free authentication method designed to work with EMV 3DS and meet strong customer authentication requirements in Europe. It delivers faster, more secure logins across devices and channels.
  • EMV® 3-D Secure (part of Visa Enhanced Authentication Solutions (VEAS)): Merchant-facing solution that enables the EMV 3DS protocol to help merchants authenticate customers, lower chargebacks and improve checkout experiences.
  • Data Only (part of VEAS): For low-risk payments, Visa Secure supports a data-only mode where transaction information is shared with issuers to inform risk decisions without requiring direct customer interaction.

Use cases

Enabling seamless customer identification

Visa Consumer Authentication Service (VCAS) leverages advanced artificial intelligence (AI) to deliver real-time, network-agnostic risk scores, enabling issuers to make intelligent, secure authentication decisions while improving the cardholder experience. Authenticated transactions demonstrate a significant reduction in fraud, and as card-not-present (CNP) fraud continues to rise, VCAS helps issuers balance fraud prevention, minimize false declines and maintain seamless customer interactions.

By analyzing transaction details, geo-location and device information, VCAS identifies and frictionlessly authenticates low-risk transactions and only challenges those that present risk. Issuers can also create, test and refine authentication rules using historical data to optimize performance before deploying them into production.

Leveraging AI-driven risk scoring with VCAS

Complementing Visa Token Service, VCAS uses AI-driven, network-agnostic risk scoring to help issuers make faster, more accurate authentication decisions. This minimizes unnecessary customer challenges and reduces friction at checkout.

For example, a leading Peruvian financial institution was facing rising friction in its cardholders’ eCommerce activities, as a result of high challenge rates and failed authentications. Determined to improve the cardholder experience without compromising security, the issuer turned to VCAS for support. By leveraging AI-driven risk scoring and shared data intelligence from Visa’s network, the bank could assess each transaction in real time and decide when additional verification was truly necessary. As a result, the issuer saw a 30-percentage-point reduction in challenge rates and a 6% improvement in overall authentication success. By embedding VCAS into its authentication strategy and aligning with Visa best practices, the institution created a smoother, more trusted checkout experience for its cardholders.

EMV® is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo, LLC.