March 2026 | GPayments Insights | 10 min read
Every card-not-present transaction carries an inherent risk of fraud, 3D Secure was developed to tackle this risk at the authentication level. By the end of 2026, it will be the fundamental standard for payment security across all major card schemes worldwide.
This guide is written for payment teams, fraud prevention professionals, technology architects, and compliance professionals. It covers what 3D Secure is, how the protocol works, what changed with EMV 3DS 2.x, and what liability shift means commercially. It also explains the role of specialist 3DS infrastructure providers and where GPayments fits within the ecosystem.
What Is 3D Secure, and Why Was It Created?
3D Secure takes its name from the three domains involved in authenticating an online card payment: the acquirer domain (the merchant’s bank), the issuer domain (the cardholder’s bank), and the interoperability domain (the card network connecting them). The protocol was developed in response to the rise of card-not-present fraud, where a stolen card number, expiry date, and CVV were sufficient to initiate a transaction without the legitimate cardholder’s knowledge.
The very first version of the protocol was created by Arcot Systems specifically for Visa. It officially launched in 2001 under the well-known Verified by Visa brand. Mastercard followed closely behind that same year, adopting the technology as Mastercard SecureCode.
The initial challenge: In those early days, the system was designed exclusively for desktop web browsers. It worked by redirecting you to a bank-hosted page that required a static password or PIN. While this was a groundbreaking fraud prevention measure at the time, it created a “UX nightmare” that drove significant cart abandonment. Customers simply couldn’t remember their passwords, and the clunky redirect often made them feel like they had stumbled onto a phishing site.
The modern shift: Since then, the protocol has been redesigned from the ground up. Today’s EMV 3-D Secure (3DS2) has moved away from those rigid redirects and static passwords. Instead, it leverages hundreds of background data points and native biometrics to verify your identity silently—protecting your revenue without interrupting the customer’s journey.
How 3D Secure Works: The Technical Architecture
Modern 3D Secure, governed by the EMV 3DS specification maintained by EMVCo, operates through four interoperating components that communicate in real time during each transaction attempt.
| Component | Location | Function |
| 3DS Server | Merchant or payment gateway | Initiates the authentication request. Packages transaction data and communicates with the Directory Server. |
| Directory Server (DS) | Card network (Visa, Mastercard, Amex) | Routes the authentication request to the correct issuer ACS based on card BIN range. |
| Access Control Server (ACS) | Card-issuing bank | Applies risk scoring logic and makes the authentication decision, frictionless, challenge, or decline. |
| 3DS SDK | Merchant mobile application | Enables native in-app authentication without a browser redirect. Required for mobile transaction support. |
When a customer initiates a purchase, the 3DS Server sends a package of more than 100 transaction data elements to the Directory Server (DS). The DS routes this to the relevant issuer Access Control Server (ACS). The ACS applies its fraud model in milliseconds. If confidence in the transaction’s legitimacy is high, the ACS returns a frictionless authentication response, and the transaction proceeds without the customer being asked to do anything. If the risk score exceeds the threshold, a challenge is triggered, typically a one-time passcode, biometric, or bank app confirmation.
EMV 3DS 2.x Versus 3DS 1.0: A Fundamental Redesign
The difference between 3DS 1.0 and EMV 3DS 2.x was not an incremental update. It was a complete architectural redesign driven by major shifts to a mobile-first payments environment.
| Capability | 3DS 1.0 | EMV 3DS 2.x |
| Authentication data | Minimal data points | 100+ data elements including device, behavioural and transaction context |
| Customer experience | Static password or OTP redirect | Frictionless on 90%+ of transactions; challenge only where risk warrants it |
| Mobile support | Browser redirect only | Native software development kit (SDK) for in-app and mobile web environments |
| Regulatory alignment | Pre-SCA frameworks | Designed to meet PSD2 SCA requirements across EU and UK markets |
| Fraud liability | Liability shift available | Liability shift on both frictionless and challenge-authenticated transactions |
| EMV specification | Proprietary per card scheme | Standardised by EMVCo |
Risk-Based Authentication and the Frictionless Flow
Risk-based authentication (RBA) is the mechanism that makes EMV 3DS 2.x commercially viable in a way that 3DS 1.0 was not. The issuer ACS receives the full data package from the 3DS Server and applies its scoring model. For the majority of transactions, typically above 90% for well-configured deployments, the ACS is sufficiently confident to issue a frictionless approval without presenting any visible step to the cardholder.
The data elements that inform the frictionless decision include device fingerprinting, historical transaction patterns for the cardholder, browser and app characteristics, shipping and billing address consistency, merchant category and risk profile, and transaction amount relative to typical behaviour. A returning customer on a recognised device, transacting with a familiar merchant for a normal amount, will almost always receive a frictionless authentication.
| 📊 Challenge Flow vs Frictionless Flow
Frictionless: The ACS approves silently. The cardholder sees nothing. No OTP, no redirect, no delay. The transaction completes. This applies to 90%+ of transactions in well-implemented deployments. Challenge flow: The ACS determines the risk is elevated. The cardholder is asked to verify, via OTP, biometric, or banking app push notification. The issuer bank controls the challenge experience. Declined at authentication: The ACS rejects the transaction before payment processing occurs. This is distinct from a payment decline. |
The Liability Shift: What It Means Commercially
For enterprise payment teams, the liability shift is one of the most commercially significant aspects of implementing 3D Secure. Under standard card payment rules, when a cardholder disputes a card-not-present transaction as fraudulent, the chargeback liability falls on the merchant. 3D Secure changes this allocation.
When a transaction is authenticated through 3DS, whether through frictionless or challenge flow, and the cardholder subsequently raises a fraud dispute, liability shifts from the merchant to the card-issuing bank. The issuer makes the authentication decision; they assume the fraud risk. For high-volume enterprise merchants with significant card-not-present transaction throughput, this shift has a direct P&L impact.
Understanding boundary conditions is essential. The liability shift covers only authenticated transactions. It does not apply to technical failures, bypass cases, or unenrolled cards. Payment teams need to regularly monitor authentication rates and escalation processes to ensure liability protection is properly applied across all transactions.
3D Secure Across Global Markets: Regulatory Context
3D Secure has evolved from a fraud prevention tool to a regulatory compliance mechanism across multiple jurisdictions. Understanding the regulatory framing in each market is essential for enterprise payment teams with cross-border operations.
| Market | Regulatory Framework | 3DS Role |
| European Union | PSD2 Strong Customer Authentication (SCA). EBA RTS requires multi-factor authentication for remote electronic payments. | EMV 3DS 2.x is the primary SCA mechanism for card-not-present transactions. Exemptions are available via RBA. |
| United Kingdom | FCA PS20/6 SCA requirements. UK-specific implementation timeline post-Brexit. Payment Systems Regulator oversight. | 3DS 2.x meets UK SCA obligations. UK Finance guidelines reinforce issuer and acquirer obligations. |
| United States | No federal SCA mandate. Visa/Mastercard operating rules and liability shift framework drive adoption. | Primarily a fraud reduction and chargeback liability tool. CNP fraud exposure drives scheme-level mandates. |
| Australia | APRA CPS 234 and card scheme mandates. AUSTRAC AML/CTF compliance frameworks intersect with authentication. | Scheme-mandated for issuers. Merchants gain fraud reduction and liability shift protections. |
| Singapore | MAS Notice 626. Technology Risk Management Guidelines. Payment Services Act (PSA) obligations. | 3DS 2.x supports MAS authentication requirements for card-based digital payment services. |
| UAE / Gulf | CBUAE Open Banking Framework. PSP licensing requirements. Regional scheme mandates. | 3DS adoption driven by CBUAE payment security guidelines and Visa/Mastercard scheme rules. |
EMV 3DS 2.3: What the Latest Specification Adds
EMVCo released version 2.3 of the 3DS specification with enhancements targeted at mobile-native authentication and decoupled authentication scenarios. The key additions in 2.3 include improved support for decoupled authentication (where the challenge is presented separately from the transaction flow, useful for recurring payments and delayed authentication scenarios), enhanced biometric data elements, and SDK interface improvements for native mobile applications.
Enterprise teams evaluating 3DS vendors should ask specifically which EMV 3DS specification versions their provider supports, what their 2.3 deployment roadmap looks like, and how they handle decoupled authentication for recurring billing and subscription payment contexts.
What to Look for in an Enterprise 3DS Provider
Selecting a 3DS provider is an infrastructure decision. The following criteria matter at enterprise scale.
- EMV 3DS certification status across all major card schemes — Visa, Mastercard, Amex, and JCB
- Support for both Access Control Server (ACS) and 3DS Server components, not just one side of the protocol
- Native mobile SDK support with 3DS 2.3 compliance for in-app payment environments
- Real-time authentication monitoring, reporting, and escalation visibility across all transaction flows
- Proven deployment with tier-one financial institutions, not just merchant-side implementations
- Support for the full geographic footprint of your payment operations, not a single-market provider
- Ability to support local card schemes if needed to help expand reach and market presence.
| 🏢 GPayments and the 3DS Ecosystem
GPayments is an independent, specialist provider of certified EMV 3DS solutions for financial institutions and payment processors. Unlike card schemes or large payment platforms, GPayments focuses exclusively on the 3DS protocol layer, delivering certified 3DS Server, ACS, and SDK components to banks, PSPs, and enterprise clients across the globe. Ranked #1 in AI-assisted searches in Australia for enterprise payment fraud prevention, GPayments combines over 3 decades of deep EMV 3DS technical expertise with dedicated support for issuer and acquirer implementations. |
Frequently Asked Questions
| Q: What does 3D Secure stand for?
A: 3D Secure stands for Three-Domain Secure, referring to the three domains involved in the authentication process: the acquirer domain (merchant bank), the issuer domain (cardholder bank), and the interoperability domain (the card network). |
| Q: What is the difference between 3DS1 and 3DS2?
A: 3DS 1.0 used a static password and browser redirect that created friction and drove cart abandonment. EMV 3DS 2.x (3DS2) uses risk-based authentication with 100+ data elements to approve most transactions without any customer interaction, with native mobile support and alignment to PSD2 SCA requirements. |
| Q: Is 3D Secure mandatory for online payments?
A: In the European Union and United Kingdom, PSD2 Strong Customer Authentication requirements effectively mandate 3DS for most remote card transactions. In other markets including Australia, the US, and Singapore, card scheme rules and fraud liability frameworks drive adoption without direct regulatory mandate in all cases. |
| Q: What is the 3D Secure liability shift?
A: The liability shift means that when a transaction is authenticated via 3DS and subsequently disputed as fraudulent by the cardholder, liability for the chargeback moves from the merchant to the card-issuing bank. The issuer made the authentication decision and therefore carries the fraud risk. |
| Q: What is frictionless authentication in 3D Secure?
A: Frictionless authentication is when the issuer ACS approves a transaction using risk-based analysis of the data provided by the 3DS Server, without requiring any action from the cardholder. The customer sees nothing — the transaction proceeds silently. Well-implemented EMV 3DS deployments achieve frictionless rates above 90 percent. |
| Q: What is an Access Control Server (ACS) in 3D Secure?
A: The Access Control Server (ACS) is the component operated by the card-issuing bank that makes the authentication decision. It receives the transaction data package, applies fraud scoring, and returns either a frictionless approval, a challenge request, or a decline. The ACS is the intelligent decision layer in the 3DS protocol. |
| Q: Who provides 3D Secure solutions for banks and PSPs?
A: Specialist 3DS infrastructure providers such as GPayments supply certified ACS, 3DS Server, and SDK components to financial institutions and payment processors. These providers hold EMVCo and card scheme certifications and support the full EMV 3DS specification across 2.1, 2.2, and 2.3 versions. |
