Secure payment for online credit card and debit card transactions must move with the times. As mobile devices have become highly popular around the world and cyber criminals more knowledgeable and therefore more dangerous, new methods of card and user authentication have become mandatory. The development of version 2.0 of the 3-D Secure protocol for online payment authentication has been catalysed by these changes, as well as the need to improve the user experience associated with 3-D Secure.

The Three Domains of Online Payment

The first version of 3-D Secure was designed to increase consumer confidence in online payment, thus fostering the growth of e-commerce. This standard for payment authentication is marketed as Mastercard SecureCode, Verified by Visa, and American Express SafeKey, among others. 3-D refers to the three domains or entities involved in a secure payment: the issuer domain (the bank issuing the card); the acquirer domain (the bank of the merchant to which payment is to be made); and the interoperability domain provided by the credit card organisation supporting the 3-D Secure protocol.

Interoperability for Handling Transactions

By definition, the interoperability domain includes the Internet and interfaces to the ACS (Access Control Server), MPI (Merchant Plug-in), or any other software provider. The MPI is a software module that connects the servers of the card scheme, such as Visa or Mastercard, with the merchant’s servers. The ACS is controlled by the card issuer. It verifies whether 3-D Secure authentication is available for a particular card number and manages authentication of the cardholder for a specific transaction. These backend elements will be used for 3-D Secure 2.0 implementations as well.

Pros and Cons of 3-D Secure Version 1

3-D Secure version 1 lets cardholders authenticate themselves to the bank that issued them their card. With this approach, fraud responsibility also shifts away from the merchant and towards the card issuer, reducing chargebacks to the merchant. Cardholders must first sign up with their bank and activate the 3-D Secure service. At the time of use, the system displays a pop-up window or inline frame in which the user must enter a password so that the user’s bank can authenticate the user. However, the credentials of the entity generating the pop-up window cannot themselves be authenticated. The inability to handle frames or pop-ups in mobile browsers has also been problematic for 3-D Secure version 1.

Differences in 3-D Secure Version 2.0

While version 1 will continue to be available, 3-D Secure 2.0 will use token-based and biometric authentication instead of static passwords. Because additional data will be supported during transactions, risk-based decisions will be possible on whether to authenticate or not. The consumer experience will also be simplified and enhanced, starting with the elimination of the initial sign-up process and removing the need for cardholders to use static passwords. Merchants will see fewer transaction abandonments by customers, for the same reasons. EMVCo, jointly owned by American Express, Discover, JCB, Mastercard, UnionPay, and Visa, is responsible for the EMV 3DS 2.0 specification and the certification program to go with it.


Meeting New Payment Method Requirements

The support of non-browser-based card-not-present payments in 3-D Secure 2.0 will mean that in-app, mobile, and digital wallet payment methods will now be possible. 3-D Secure version 1 did not support these, as it was only designed for cardholder authentication in online sales transactions driven by standard web browsers. Additionally, 3-D Secure 2.0 will offer the following enhancements compared to the original 3-D Secure:

  • Improved messaging with supplementary information for better decisions on authentication
  • Non-payment user authentication
  • Non-standard extensions to meet specific regulations and requirements, including proprietary out-of-band authentication solutions, used by card issuers
  • Better performance for end-to-end message processing
  • Improved datasets for risk-based authentication
  • Prevention of unauthenticated payment, even if a cardholder’s card number is stolen or cloned


Overall, 3-D Secure 2.0 takes into account additional payment channels that are increasing in popularity. Compared to 3-D Secure version 1, 3-D Secure 2.0 improves authentication possibilities to allow merchants to move closer to frictionless checkout experiences for their customers, with new intelligent risk-based possibilities, as well as enhanced security, performance, and flexibility for both application and browser driven payments.