3D Secure Guide

3D Secure reduces the risk of the unauthorized use of a cardholder account, and makes online shopping better and safer for both buyers and sellers on the web.

The service enables card issuers to verify a cardholder's identity and provide results to the merchant in real-time during the checkout process. This reduces the merchant's exposure to fraud and disputes, and protects the cardholder from fraudulent use of their credit card.

Our 3D Secure Server is built on three key pillars:

  • Minimize friction for cardholders:
    By sharing rich transaction data with the issuer and applying industry best practices and scheme recommendations, cardholders experience less friction. This leads to lower transaction abandonment and higher conversion rates.

    For more information, refer to our guide on how to maximize frictionless rate for 3D Secure transactions.

  • Maximize liability shift for merchants:
    If a transaction is successfully authenticated using 3DS, liability for chargebacks shifts from the merchant to the issuer.

    To learn more, please see our guide to understanding 3D Secure liability shift.

  • Satisfy all regulations:
    Our solution is fully compliant with PCI DSS, PCI 3DS, and PSD2 requirements. We ensure that all audits and certifications are completed smoothly and on time.

    To learn more about PCI, please visit our guide to PCI DSS and compliance.

Intelligent authentication routing

Our intelligent authentication routing is designed to maximize liability shift for merchants while minimizing friction for cardholders.

By default, the system evaluates the entire transaction context, including (but not limited to):

  • Merchant location
  • Issuer country
  • Issuer and scheme capabilities
  • Transaction type indicators

Based on this information, the platform automatically selects the most appropriate authentication approach for each transaction.

While the default behavior is optimized out of the box, certain aspects of the authentication flow can be adjusted:

  • Through simple configuration options, or
  • Via transaction-level parameters

This allows merchants and PSPs to tailor the behavior to specific risk strategies, regional requirements, or business needs—without requiring complex integration changes.

Features at a glance

Depending on your business, you can take advantage of a number of features 3D Secure authentication offers.

Exemptions can be used to reduce friction during cardholder authentication. The Open Payment Platform offers a simple way to handle these use-cases.

  • As a passthrough each merchant can determine which exemption to use.
  • As an addition to transaction processing the Open Payment Platform determines if an exemption is applicable and applies it to the payment transaction.
  • As a standalone service the Open Payment Platform determines if an exemption is applicable and returns the suggested exemption flag.

Non-payment authentication (NPA in short) offers the option to authenticate the shopper even when there is no payment transaction happening and in cases when the transaction amount is not known.

  • During card tokenization if there is no payment amount present, NPA will apply.
  • During a payment transaction NPA can be used if the amount is not known of it is zero

Mastercard has defined a custom authentication message category called Identity Check Insights, formerly called Data Only. It provides the merchant with the flexibility to share cardholder data through the EMV® 3DS rails to influence an issuer’s decision to approve a transaction without requesting authentication and thus with no risk of cardholder challenge and added latency.

3RI authentication stands for 3DS Requestor Initiated Authentication. This is an authentication method where the cardholder is not present and the transaction is initiated by the merchant. This type of authentication is mainly used to get the status of an already authenticated transaction in case of delayed shipments, recurring transactions, or merchant initiated transactions.

Decoupled Authentication is an authentication method whereby authentication can occur independent from the cardholder’s experience with the 3DS Requestor (merchant). During decoupled authentication the shopper will not do the authentication during the challenge flow in the iframe on the merchant's website, but separately via a mobile application for example.

To request a decoupled authentication from the issuer, send the threeDSecure.decoupled=true field with the request.
Please be aware that not all issuers support decoupled authentication. In case it's not supported, the transaction will be authenticated with the normal workflow.

Try it out

Important: Our test system is using an in-house 3D Secure simulator. To make sure you successfully test the various features and scenarios, please follow our 3D Secure testing guide.
For the full list of mandatory and optional parameters for 3D Secure, please take a look at our 3D Secure parameter reference table.

COPYandPAY

COPYandPAY is our JavaScript payment widget that sends sensitive payment data directly from the shopper's browser to the Open Payment Platform.

Get Started

Server-to-Server

Our Server-to-Server API allows payment acceptance services to be integrated directly, offering fully flexible workflows for frontend and backend processing.

Get Started

Standalone

Send a Server-to-Server request to the 3D Secure endpoint.

Get Started

Mobile SDK

Our Mobile SDK for Android and iOS makes it straight-forward to integrate to the Open Payment Platform for mobile devices.

Get Started