Over the past few years, payment fraud has increased rapidly. According to a report published by Juniper Research, businesses globally are expected to lose a staggering $362 billion to payment fraud between 2023 and 2028. Merchants that accept digital payments are now focusing on the security of these online transactions, to ensure that consumers' preferred payment methods are secure. Payment authentication is a critical step in the digital payment process, preventing fraud and protecting sensitive financial data.
Authentication verifies the identity of the payer when they initiate a transaction. Once their identity is validated as the legitimate owner of the payment details, the payment is authorized. Authentication becomes a crucial layer of security to detect and prevent fraud, making the payment experience more secure for both businesses and consumers.
As businesses work toward secure payments, adoption of a robust authentication method like 3DS is a popular solution. We’ll see how 3DS works to prevent fraud and protect businesses and consumers later in this article.
Modes of Authentication in Payments
Knowledge, possession, and inherence are the three factors that contribute to the authentication of a payment. They translate to something the cardholder:
- Knows (Knowledge-Based Authentication or KBA): This is something the user knows, such as passwords or PINs. While widely used, static credentials are vulnerable to theft and misuse.
- Has (Possession-Based Authentication): This method verifies something the user has, such as an OTP sent via SMS or a hardware token.
- Is (Biometric Authentication): This method verifies the user based on their fingerprints, facial recognition, or voice patterns. Biometrics are gaining popularity due to their convenience and difficulty to replicate.
Other Techniques: Modern authentication methods go beyond these traditional modes:
- Out-of-Band (OOB) Authentication: Verifies identity using a separate channel, such as a mobile app or phone call.
- Multi-Factor Authentication (MFA): Combines two or more authentication methods for enhanced security, such as pairing biometrics with possession-based verification.
Why is Authentication Critical in Payments?
Without authentication, payment systems are vulnerable to fraud and identity theft, with serious consequences for both businesses and consumers. Authentication matters most in remote commerce, where card-not-present (CNP) transactions dominate and fraud risks are significantly higher.
- Fraud Prevention and Chargebacks: Weak authentication mechanisms make businesses vulnerable to chargebacks, damaging merchant revenues. With global e-commerce fraud losses expected to exceed $91 billion annually by 2028, authentication becomes a critical factor in offering consumers secure payments while saving businesses revenue.
- Remote Commerce Challenges: CNP transactions are more likely to face threats of identity theft, phishing attacks, or account takeovers, requiring greater digital authentication compared to physical cards.
- Fraud Prevention and Customer Experience: A tedious authentication process can cause friction at checkout and result in cart abandonment. With businesses focused on offering security with convenience at the checkout stage, well-designed authentication helps businesses significantly.
- Regulations and Guidelines: Regulations such as PSD2 in Europe require Strong Customer Authentication (SCA), the RBI in India mandates two-factor authentication (2FA), and other countries adopt risk-based authentication depending on risk levels, to combat fraud across card payments.
What is 3D Secure (3DS)?
3D Secure (3DS), or Three-Domain Secure, is an authentication protocol developed by Visa in its first iteration as ‘Verified by Visa’ in 1999 and standardized by EMVCo. It offers an upgraded level of security for online credit and debit card transactions. Instead of entering only card details and a security code, the consumer must verify their identity with an OTP, an additional passcode, or biometric authentication to make the payment.
How Does 3D Secure Work?
The three-domain model includes a relationship between:
- Issuer domain: The cardholder’s bank that issues the credit or debit card.
- Acquirer domain: The merchant’s bank responsible for processing payments.
- Interoperability domain: The infrastructure offered by card networks like Visa or Mastercard to facilitate secure transactions.
The 3DS authentication process typically involves:
- Entering card details during checkout.
- Being redirected to the card issuer’s authentication page.
- Completing verification via methods like one-time passwords (OTP), PINs, or biometrics.
The transaction is approved after the user’s identity is verified, ensuring that they can legitimately complete the transaction.
Example: Role of Each 3DS Domain in OTP Authentication
3DS Domain | Role in OTP Authentication | Directly Involved? |
Issuer Domain (Cardholder’s bank) | Generates the OTP, verifies the OTP entered by the consumer, and approves or declines the authentication. | Yes (Main party responsible) |
Acquirer Domain (Merchant’s payment processor) | Passes the authentication request to the issuer, and ensures the merchant integrates 3DS authentication into their payment process. | Indirectly involved (Acts as a messenger, does not control OTP verification) |
Interoperability Domain (Visa, Mastercard, etc.) | Facilitates the secure transfer of authentication requests and responses, and ensures 3DS compliance. | Indirectly involved (Enforces security standards, does not control OTP process) |
Challenges of Early Versions
3DS was introduced to offer advanced protection for card transactions. However, it also added an extra verification step to the payment process, such as static passwords or clunky pop-up windows, which made payments especially difficult on mobile devices. Limited data sharing and poor compatibility across devices, networks, and platforms added friction and hampered the consumer experience.
What is 3DS 2.0?
Remaining consistent with the goal of fraud prevention, 3D Secure 2.0, or 3DS 2.0, addresses the limitations of its first iteration. It is updated to deal with current challenges while enhancing security, improving user experience, and reducing friction during online transactions. This next-generation protocol introduces advanced features that align with modern e-commerce needs, such as mobile-first compatibility, risk-based authentication, and seamless integration across devices.
How Does 3DS 2.0 Work?
Here’s how 3DS 2.0 has evolved in its approach to payment security:
- Enhanced Data Sharing: Merchants now send as many as 150+ data points like device ID, geolocation, transaction history, and merchant details (compared to just 15 in 3DS 1.0) to the card issuer for authentication.
- Risk-Based Authentication: Issuers use machine learning to analyze shared data and assess transaction risk in real time. For low-risk transactions, authentication happens invisibly through a frictionless flow, eliminating customer input.
- Frictionless Flow: The protocol enables seamless authentication for low-risk transactions without requiring customer intervention.
- Challenge Flow for High-Risk Transactions: If a transaction is flagged as high-risk, customers are prompted for additional verification using dynamic methods like biometrics or one-time passwords.
Typical Card transaction flow with 3DS 2.0

Key Differences Between 3DS 1.0 and 3DS 2.0
Feature | 3DS 1.0 (Old) | 3DS 2.0 (New) |
User Experience | Popup windows for authentication | Seamless authentication within app/browser (no popups) |
Authentication Method | Static passwords prone to being forgotten or stolen | Risk-based authentication + biometrics for dynamic verification |
Device Compatibility | Limited to browsers | Works across mobile apps, browsers, IoT devices |
Data Sharing | Minimal data points (15 elements) | Rich data exchange (150+ elements) enabling better fraud detection |
Security | OTP-based, vulnerable to interception | Biometrics + AI-driven risk analysis |
Friction | High; all transactions required customer input | Low; frictionless flows for low-risk transactions |
Drop-Off Rates | High due to poor user experience | Reduced drop-offs with frictionless flows |
Advantages of 3DS 2.0
3DS 2.0 addresses the shortcomings of its predecessor, providing an improved consumer experience. Let’s take a look at the advantages of this updated version of 3DS:
- Reduced friction: With risk-based authentication, which was absent in the original 3DS, 3DS 2.0 allows most payments to proceed without requiring customer input, reducing cart abandonment rates by up to 70%.
- Improved fraud prevention: With access to 150+ data points per transaction, 3DS 2.0 uses advanced machine learning models to analyze factors like device fingerprinting, geolocation, and transaction history in real time. It minimizes false declines by enabling better fraud detection.
- Mobile-First and Multi-Device Compatibility: Unlike its predecessor, which was limited to desktop browsers, 3DS 2.0 is designed for mobiles, IoT devices and cross-platform transactions for a consistent and secure payment experience across all devices.
- Compliance with Global Regulations: 3DS 2.0 aligns with regulatory requirements such as PSD2’s Strong Customer Authentication (SCA) in Europe and RBI’s two-factor authentication (2FA) mandate in India. By complying, businesses can reduce the risk of penalties and ensure smooth operations in regulated markets.
- Liability Shift for Merchants: 3DS 2.0 provides a liability shift for authenticated transactions, similar to its predecessor, transferring responsibility for chargebacks from merchants to card issuers, reducing financial risks for merchants while encouraging them to adopt 3DS 2.0 as part of their payment strategy.
- Decoupled Authentication and Authorization: A unique advantage of 3DS 2.0 is its ability to decouple authentication from authorization. This means authentication can happen before or after payment authorization, offering greater flexibility in handling complex transaction workflows (e.g., recurring payments or subscriptions).
Understanding Liability in 3DS 2.0 Transactions
Merchant/Acquirer Action | Issuer Action | Cardholder Experience | Liability Owner |
Initiates a NO-3DS transaction or merchant not enabled for 3DS | Applies non 3DS flow | Frictionless - Cardholder not authenticated via 3DS | Merchant |
Initiates a 3DS transaction | Applies 3DS flow | Either a challenge flow or frictionless flow under 3DS | Issuer |
Initiates a 3DS transaction | *Cardholder/ Issuer not 3DS enabled | Frictionless - Cardholder not authenticated via 3DS | Issuer |
Initiates a 3DS transaction with acquirer exemption | Issuer accepts the exemption | Frictionless - Cardholder not authenticated via 3DS | Merchant |
Initiates a 3DS transaction with acquirer exemption | Issuer rejects the exemption and applies 3DS flow | Either a challenge flow or frictionless flow under 3DS | Issuer |
Initiates a 3DS transaction | Issuer uses Issuer Exemptions | Frictionless - Cardholder not authenticated via 3DS | Issuer |
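The table above as a reconciliation check a merchant could run over its own transaction records, written in Python. This is an added example, not Juspay's code: it follows the six table rows only, the `Txn` fields and `IssuerAction` names are assumptions, and the sample transactions are constructed.

```python
from dataclasses import dataclass
from enum import Enum


class IssuerAction(Enum):            # hypothetical names mirroring the table rows
    NON_3DS_FLOW = 1                 # row 1: no 3DS requested or merchant not enabled
    APPLIED_3DS = 2                  # rows 2 and 5: challenge or frictionless under 3DS
    NOT_3DS_ENABLED = 3              # row 3: cardholder/issuer not 3DS enabled
    ACCEPTED_EXEMPTION = 4           # row 4: acquirer exemption accepted
    ISSUER_EXEMPTION = 5             # row 6: issuer applied its own exemption


@dataclass(frozen=True)
class Txn:                           # hypothetical record layout
    txn_id: str
    amount_minor: int                # amount in minor currency units
    three_ds_requested: bool
    acquirer_exemption: bool
    issuer_action: IssuerAction


def liability_owner(t: Txn) -> str:
    """Return 'merchant' or 'issuer' per the table; reject impossible records."""
    non_3ds = t.issuer_action is IssuerAction.NON_3DS_FLOW
    if t.three_ds_requested == non_3ds:
        raise ValueError(f"{t.txn_id}: issuer action contradicts the 3DS request flag")
    if t.acquirer_exemption and not t.three_ds_requested:
        raise ValueError(f"{t.txn_id}: exemption flagged on a non-3DS transaction")
    if t.issuer_action is IssuerAction.ACCEPTED_EXEMPTION and not t.acquirer_exemption:
        raise ValueError(f"{t.txn_id}: exemption accepted but never requested")
    # Only rows 1 and 4 leave the merchant liable; frictionless alone decides nothing.
    if non_3ds or t.issuer_action is IssuerAction.ACCEPTED_EXEMPTION:
        return "merchant"
    return "issuer"


def merchant_exposure(txns):
    """Sum the amounts, and list the ids, for which the merchant carries liability."""
    owned = [t for t in txns if liability_owner(t) == "merchant"]
    return sum(t.amount_minor for t in owned), [t.txn_id for t in owned]


# Constructed sample records, one per table row.
SAMPLE = [
    Txn("t1", 5000, False, False, IssuerAction.NON_3DS_FLOW),
    Txn("t2", 12000, True, False, IssuerAction.APPLIED_3DS),
    Txn("t3", 800, True, False, IssuerAction.NOT_3DS_ENABLED),
    Txn("t4", 2500, True, True, IssuerAction.ACCEPTED_EXEMPTION),
    Txn("t5", 40000, True, True, IssuerAction.APPLIED_3DS),
    Txn("t6", 1500, True, False, IssuerAction.ISSUER_EXEMPTION),
]
```

Records that cannot correspond to any table row raise `ValueError` instead of being silently counted, which surfaces logging or integration errors before they distort the exposure figure.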
Why Businesses Should Embrace 3DS 2.0
The advantages of 3DS 2.0 make it an indispensable tool for businesses aiming to secure online transactions while maintaining customer satisfaction:
- Merchants benefit from higher conversion rates, fewer chargebacks, and improved compliance.
- Customers enjoy faster checkouts with minimal interruptions.
- Issuers gain access to richer data for more accurate fraud detection.
By adopting this protocol, businesses can stay ahead of evolving fraud trends while delivering secure and seamless payment experiences that meet modern customer expectations.
Juspay’s 3DS Intelligence Engine
Juspay’s 3DS intelligence engine empowers merchants to increase conversion while reducing risk. Let’s break down its capabilities:
1. Fraud risk - Considers the Merchant Fraud Risk score to determine how to authenticate the customer over 3DS
2. Acquirer restrictions - Evaluates Acquirer exemption usage conditions prior to deciding on an SCA exemption request
3. Issuer behaviour - Assesses issuer authentication intelligence to inform the path of least friction
4. Authorisation data - Assesses issuer authorisation intelligence data to confirm the probability of a hard decline
5. Chargeback data - Evaluates Issuer disputes and chargeback behaviour on frictionless transactions
6. Customisable parameters - Enables merchants to tailor configurable rules in alignment with authentication strategies
Juspay’s 3DS intelligence engine optimizes authentication flows with real-time, data-driven insights on issuer behaviour.

Juspay’s 3DS intelligence provides deep insights on 3DS user experience across 20+ dimensions. It analyzes 3DS failure reasons and takes corrective actions. Along with that, it provides merchants with crucial insights on 3DS success rates, user drop-off rates, etc. across issuer, market, channel, channel type, etc.

Benefits of Working with Juspay:
- Smart Tech for frictionless 2FA – Juspay optimizes two-factor authentication (2FA) by enabling reliable auto-OTP capture, handling network issues, caching preloaded data, and auto-filling forms from history. This ensures a seamless user experience during authentication.
- Protocol supported Native OTP – Leveraging the 3DS 2.0 protocol, Juspay provides an issuer-led native OTP experience, ensuring wider BIN coverage and consistent authentication across issuers.
- Eliminates redirection drops – Unlike 3DS 1.0, where challenge results relied on browser redirection, Juspay enables direct server-to-server (S2S) communication between the ACS and 3DS server, significantly reducing drop-offs.
- De-Facto payments SDK for all merchants – Juspay’s payments SDK optimizes bank 3DS pages, processes OTPs automatically, and delivers the best success rates for merchants.
- DeviceInformation URL for Web Transactions: Juspay’s DeviceInformation URL reduces latency (1 second vs. the traditional Issuer Method URL’s 10 seconds), enhancing transaction speed and reliability.