If you’ve asked yourself this question, you are doing things right! It means you’re innovating and protecting your online business against fraud. And now ChargebackHelp is here to explain what 3D Secure 2.0 is and why you should adopt it sooner rather than later.


Technically speaking, 3D Secure (3DS) is an authentication process where three “domains” (hence 3D) are involved in authorizing a transaction. Those domains are the issuing bank, the acquiring bank, and an “interoperability” domain that handles communications between merchant, issuer and acquirer.

When a cardholder initiates a purchase, their card information is sent via SSL to the “interoperability domain” to determine if the card is registered for 3D Secure. If so, the issuing bank or payment network intercedes to complete the authentication process with their cardholder. 3DS1.0 did this through a popup or iframe within the merchant gateway. Authorization speed was slow, sales were dropped, and carts were abandoned. 3DS required a major update before adoption could be scaled.


The main value-add of 3DS2.0, apart from its resolved interfaces, is that it inherently supports SCA. No transaction can proceed without confirming two authentication factors. Even if the customer is only prompted to provide one, the second factor is always met through passive means. This is called “strong customer authentication.”

Now pay attention because you’re about to learn something cool here… In all the history of confirming one’s identity — whether it’s a secret handshake, legal evidence, or nuclear launch codes — authentication is proven by at least one of three factors:

  • What you know (knowledge) – passwords, billing addresses, PIN#
  • What you have (ownership) – keys, credit cards and CVV#
  • Who you are (inherence) – signature, fingerprints

So-called “strong customer authentication” will always include two of the three factors. If you’re processing in the European Economic Area, 2.0 with its SCA is essential for compliance with the Payment Services Directive 2. But even if you’re not, the 2.0/SCA package is currently a best practice for running secure transactions. While 3DS1.0 got a chilly reception, with most merchants taking an “only if we have to” adoption stance, 3DS2.0 actually makes good business sense to integrate, regardless of your geo.


3DS2.0 made several major improvements over its predecessor:

  • Frictionless Flow: no popups, no static passwords
  • SDK component
  • Improved mobile integration
  • Improved browserless (in-app) transactions
  • Enhanced risk-based assessments

3DS2.0 is capable of making intuitive, risk-based assessments to enable certain “passive” authentications. Rather than requiring two-factor authentication by default, 2.0 detects certain datapoints, like if you make a purchase from your home or on a known device. These factors can be detected intuitively to take the place of additional passwords or other further challenge/response measures. This is what is known as “frictionless flow.”

Frictionless flow analyzes the following to determine if an intuitive authentication is warranted:

  • Transaction value
  • New or existing customer?
  • Transactional history
  • Behavioral history
  • Device information

2.0 also ships with a software development kit for custom integration into the checkout UX, making any third-party authentications seem more organic in the merchant gateway. 1.0 was anchored to browser-based purchases that fell apart with in-app transactions. 2.0 also worked out some major compatibility bugs within mobile devices.


Tech culture places an outsized value on “disruption” and “early adopters.” Oftentimes, getting in on a new technology at an early stage can trigger more problems than it solves. Such is the case with 3DS. Yes, we want secure transactions, but security should not disrupt conversions. Early adopters learned this the hard way with 3DS. However, there are ever more hard lessons in store for the late adopters, and that stage is fast approaching with 3DS2.0.

The SCA that comes with 3DS is currently driving fraudsters to points of sale that do not have that capability. Much like EMV chips drove fraud to card-not-present environments to beat the chip, 3DS is sending fraud in search of softer targets. Issuers are also starting to require SCA in many transactions and will drop transactions with merchants that do not provide it. Given its recent makeover and the protections it provides, 3DS has moved into the asset column for ecommerce merchants.