3D Secure 2.0: The Future of Digital Payment Security is Now

With more and more devices becoming payment devices, digital commerce is now the fastest growing area of payments. Consumers have many more ways to pay than before, whether via an internet browser, mobile application, or connected device. However, whenever a consumer makes a digital purchase rather than buying in a traditional store, verifying the transaction and the consumer’s identity becomes an increasingly important and challenging task. Industry researchers estimate that half of the digital commerce transactions declined due to suspected fraud are actually legitimate.

Paying online with credit/debit cards entails transferring sensitive information, which is why special precautions need to be taken to maximize customer safety. For that same reason, it’s more crucial than ever that the industry continues to invest in new approaches to prevent fraud while also maintaining the speed and convenience that customers love about online shopping. Helping merchants and issuers distinguish good transactions from bad will mitigate fraud while at the same time allowing transactions to continue happening at the speed of light.

Following the European Union’s Payment Services Directive (PSD2), the EU places stronger demands on payment systems on the Internet. 3D Secure 2.0 is an important advancement in this effort that will help prevent fraud and accelerate digital commerce with fast, secure authentication, improving customer protection globally.

It’s important to note that your bank provides 3D Secure, not FastComet.com. It serves as an extra layer of security for all online transactions. 3D Secure is also commonly referred to as “Mastercard SecureCode” or “Verified by Visa.”

What is Strong Customer Authentication (SCA) Under PSD2?

Similar to what happened with GDPR in 2018, Payment Services Directive 2 (PSD2) is an EU directive that doesn’t affect only businesses based in Europe. PSD2 also applies to all internet businesses that process payments in the EEA, meaning the directive applies whenever both the credit card holder’s bank and the payment processor are situated in Europe. Most payment processors have a European subsidiary, and thus, even merchants who use American payment processors such as PayPal or Stripe will be affected by the PSD2 directive.

When Strong Customer Authentication triggers, your payment processor is obligated to verify the payment with at least two of three verification methods:

  • Something the customer knows (e.g., a bank login, a card PIN code);
  • Something the customer has (e.g., a credit card, an RSA Token, a matrix card);
  • Something the customer is (e.g., the customer’s fingerprint or facial features).

Solutions like Apple Pay or Google Pay already have biometric customer verification built in (like Touch ID or Face ID). For this reason, they work with SCA out of the box.

Transactions Impacted by SCA

The general rule is that all payment transactions initiated electronically by the payer have to be subject to SCA. PSD2 has defined cases in which Strong Customer Authentication of the cardholder does not apply:

  • Anonymous prepaid cards;
  • Mail order and telephone orders (MOTO transactions);
  • Interregional / “One Leg” transactions;
  • Transactions initiated by the payee (Merchant Initiated Transactions – MIT).

PSD2 allows for certain exemptions where the cardholder does not have to perform SCA. The goal is to improve the user-friendliness for the cardholder thanks to a smooth and frictionless user experience.

  • Low-risk transactions: payment gateways (such as Stripe) are to be allowed to do real-time risk analysis in order to determine whether they should apply SCA to a transaction. This may be possible only in case the payment provider’s or bank’s overall fraud rates for card payments do not exceed the set threshold of fraud rates.
  • Payments below 30 euro: Transactions below €30 will be considered “low-value transactions” and may be exempted from SCA. Banks must request authentication if the exemption has been used five times since the cardholder’s last successful authentication or if the sum of previously exempted payments exceeds €100. The cardholder’s bank must track the number of times this exemption has been used and decide whether or not the authentication is necessary.
  • Fixed amount subscriptions: This can apply whenever the customer makes a series of recurring payments for the same amount to the same business (Subscriptions). SCA will be required for the customer’s first payment. However, rebill charges may be exempt from SCA.
  • Merchant-initiated transactions: Vendor-initiated payments that were made using the billing method when the customer is not present in the checkout flow (“manual transactions”) may qualify as merchant-initiated transactions.
  • Trusted beneficiaries: When completing authentication for payment, customers may opt to whitelist a business they trust. That is to avoid having to authenticate future purchases. Such businesses will be included on a list of “trusted beneficiaries” maintained by the customer’s bank or payment service provider.
  • Corporate Payments: This exemption may cover payments made with “lodged” cards (e.g., where a corporate card used for managing employee travel expenses is held directly with an online travel agent), as well as corporate payments made using virtual card numbers (which are also used in the travel sector).

NOTE: None of the above factors suggesting that SCA may not be required guarantees that SCA will not be required for the customer’s purchase. This ultimately depends on the discretion of the bank or the payment method used to make the purchase.
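The two-of-three factor rule and the low-value exemption counters described above can be expressed as an issuer-side check. This is an added example, not code from FastComet or any payment provider; the class, function and transaction-kind labels are hypothetical, and the thresholds are the ones this article states.

```python
from dataclasses import dataclass
from decimal import Decimal

# Thresholds as stated in this article for the low-value exemption.
LOW_VALUE_LIMIT = Decimal("30")     # payment must be below EUR 30
MAX_EXEMPT_COUNT = 5                # uses since the last successful SCA
MAX_EXEMPT_TOTAL = Decimal("100")   # sum of previously exempted payments

# Cases the article lists as outside SCA (labels are hypothetical).
OUT_OF_SCOPE = {"anonymous_prepaid", "moto", "one_leg", "merchant_initiated"}
FACTOR_CATEGORIES = {"knowledge", "possession", "inherence"}


def sca_satisfied(factors):
    """True when at least two *different* factor categories were verified."""
    return len(set(factors) & FACTOR_CATEGORIES) >= 2


@dataclass
class CardState:
    """Per-card counters the issuing bank keeps since the last SCA."""
    exempt_count: int = 0
    exempt_total: Decimal = Decimal("0")

    def decide(self, amount, kind="customer_initiated"):
        """Return 'out_of_scope', 'exempt_low_value' or 'sca_required'.

        Pass amounts as strings ("29.00") so Decimal stays exact.
        """
        amount = Decimal(amount)
        if kind in OUT_OF_SCOPE:
            return "out_of_scope"
        if (amount < LOW_VALUE_LIMIT
                and self.exempt_count < MAX_EXEMPT_COUNT
                and self.exempt_total <= MAX_EXEMPT_TOTAL):
            self.exempt_count += 1
            self.exempt_total += amount
            return "exempt_low_value"
        return "sca_required"

    def complete_sca(self, factors):
        """Reset the counters only after a genuine two-factor check."""
        if not sca_satisfied(factors):
            return False
        self.exempt_count, self.exempt_total = 0, Decimal("0")
        return True
```

With €29 payments the €100 cumulative limit is reached before the five-use limit, so the fifth payment already requires authentication; with €10 payments the count limit triggers first.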

What is 3D Secure?

In 2000, VISA took the initiative to create a procedure that would make using credit cards on the Internet more secure. The technology, named “Verified by VISA,” is used by the company itself. Following the example of VISA, other credit card providers have implemented the security mechanism as well. 3D Secure is known by various names at different credit card providers. Some examples are:

  • MasterCard – “Identity Check;”
  • American Express – “SafeKey;”
  • JCB – “J/Secure.”

When you go to pay on a website and enter your payment details, you then get redirected to your debit or credit card provider’s 3D secure web page. It’s here where you are normally asked to provide either:

  • the password that you’ll have previously set up with your bank;
  • a one-time authentication code that’s sent to your mobile phone.

Sometimes you won’t be asked to provide any details at all. After you enter the right details and the payment is approved by the card provider, you’re then automatically sent back to the website with an order confirmation message. It’s a quick and simple process.

What are the Benefits of 3D Secure?

Before 3D Secure, paying with your credit card on the Internet was much simpler but much less secure. All you had to do was enter your credit card information and then confirm possession of the credit card by entering your three-digit security Card Validation Code (CVV, CV2, or CVV2 code), which is placed on the back of your card.

With the continuous growth in eCommerce, more and more people need to use online payment methods. Predictably, criminals’ interest in online fraud has also increased. Some of the common ways for criminals to access data are phishing and social engineering. The goal of 3D Secure was to prevent such fraud.

In addition to the information contained on the credit card, the 3D Secure authentication procedure requires further information – a password that only the card owner knows. That method is known as two-factor authentication because it requires two steps to complete the card transaction.

There’s a security risk when using static passwords. If a third party gets access to the password, your security is compromised. That is why dynamic methods that adapt to every process are the better choice. A good example is a text message containing a security code that is generated through cryptographic procedures and can only be used once for that particular payment.

Even if security was better than before, both customers and online retailers were dissatisfied with 3D Secure’s first version. The website where you enter the additional security factor did not have a very good design, but more importantly, the application and use of the required password were not as clear as they should be. What’s more, the whole process couldn’t be integrated into mobile applications. Some customers were frustrated and even canceled orders, which had an impact on online retailers.

The second version of 3D Secure (3DS2) addresses those issues while also improving security. All new features also comply with the new EU Payment Services Directive. Furthermore, with 3D Secure’s new version, all credit card companies are responding to technical developments: modern devices such as smartphones and tablets use authentication methods based on biometric data (fingerprint or face recognition).

Understanding 3D Secure 2.0 Technology

The 2.0 version of the technology enables a real-time, secure, information-sharing pipeline that merchants can use to send an unprecedented number of transaction attributes, which the issuer can use to authenticate customers more accurately without asking for a static password or slowing down commerce.

3D Secure 2.0 is specially designed so that online retailers can integrate the procedure into the payment process, resulting in a pleasant shopping and user experience for each customer. Additionally, this new version should be an intelligent system. The authentication method adapts to the risk – lower security requirements apply to small payments, and higher requirements apply to large payments. Furthermore, 3DS2 can be used for mobile payments, in addition to working with bank applications.

Advantages and Disadvantages of 3D Secure in Mastercard and VISA

The 3D Secure process has both advantages and disadvantages for customers and online retailers.

Advantages:

  • Better security for customers;
  • The procedure is free of charge for everyone;
  • Credit card providers bear the costs of fraud despite 3D Secure.

Disadvantages:

  • Lower conversion rates;
  • 100% security not guaranteed;
  • More effort is required from customers.

What Customers Should Expect

For customers, even though they would need some more time for the whole process, the 3DS2 process will make it easier and better to pay online. Now they can benefit from a modern, more secure process. Here’s what customers should know:

  • Registration: To use the second version of 3D Secure with your credit card, you will have to register with your bank. The bank that issued your credit card is responsible.
  • Installation: It can be assumed that banks will use applications to send the 3D Secure code or request biometric data in the future.
  • Finalizing: When you pay, both the credit card and the smartphone must be available.

Most of the time, you will log in or pay with PayPal by entering your email address and your PayPal password as usual. PayPal may sometimes ask you to confirm your identity. The easiest way is via the PayPal App. Make sure you authorize push notifications from the PayPal App. You’ll also have the option to enter a one-time passcode which we will send by SMS to the phone number you’ve registered with us or via a phone call if you have a landline.

Note: Even with 3D Secure, you should pay attention when paying with your credit card on the Internet. Only enter the data when you are sure you are on the correct website. A valid SSL Certificate is an indication that the website can be trusted.

Implications for eCommerce

If your organization is based in the EEA and accepts eCommerce transactions or other digital payments from the EU, the EU’s PSD2 stated that from September 14, 2019, online payments must meet special security standards. 3DS2 meets those requirements. To use the procedure, online merchants have to contact their payment service provider (PSP). The PSP should offer a proper technical solution that retailers need to implement in their online stores.

Merchants should offer 3D Secure in their online stores. The new system is much more customer-friendly, takes place entirely on the online merchant’s website, and increases consumer confidence in eCommerce. This, in turn, should lead to more conversions and, therefore, more sales.


Security should always come first, especially when it comes to online payments. 3D Secure 2.0 makes everything better compared to its first version. Online payments are becoming more and more the go-to method, and such security updates are inevitable. The special security standards make the Internet more secure, minimize online fraud, and help both customers and marketers feel safer.


Elena oversees all Marketing, Product Management and Community efforts for FastComet and is in charge of telling the brand's story. Always pitching, she’ll share the FastComet vision with anyone who’ll listen. Elena helps our customers make the most of their websites and focuses on our inbound marketing efforts: everything from developing new online growth strategies, content creation, technical SEO, and outreach within the FastComet community. Her background includes Sales and Customer Relationship development, as well as Online Marketing.