Fraud involving online credit card payments continued to decline in 2024, according to a report by the Payment Security Observatory. The organization attributes this positive trend to the widespread adoption of the European PSD2 directive and the 3D Secure protocol.

This is a significant development and has helped to maintain a historically low fraud rate for online payments. Conversely, transactions made without the 3D Secure protocol, and so without strong authentication, remain significantly more exposed to fraud. Find out, in our comprehensive overview, how this authentication system enhances the security of online purchases and what you need to know about its impact.

What is the 3D Secure protocol?

3D Secure, often abbreviated to 3DS, is a security protocol designed to protect online card transactions. The name “3D” refers to the “three domains” involved in the process:

  • The merchant domain: the e-commerce site and its bank.
  • The issuer domain: the buyer and their bank that issued the card.
  • The interoperability domain: the card network system (such as Visa or Mastercard) that ensures communication between the other two domains.

The purpose of this system is to verify the identity of the cardholder at the time of payment. In practical terms, when a cardholder makes a purchase on a website secured by 3DS, they are redirected to their bank’s authentication page to validate the transaction.

This validation can take different forms:

  • A unique code sent by text message to your phone.
  • A notification on your bank’s mobile app, which you must confirm.
  • A personal password or fingerprint.

This strong authentication method significantly reduces the risk of fraud and reassures consumers about the security of their online payments.

History of 3D Secure authentication

The initial version of the 3DS authentication system was created in the early 2000s. It consisted of sending a security code to the customer, via text message or email, so that they could confirm their payment.

Gradually, major card networks such as Visa and Mastercard took charge of this issue to ensure the security of their transactions. To improve the efficiency of the initial protocol and support the development of mobile applications, these card networks introduced 3D Secure 2 (3DS2) in 2019. This protocol now relies on strong customer authentication (SCA), which requires at least two authentication factors to validate a payment. In 2021, the European PSD2 regulation made strong authentication mandatory for online transactions. As a result, the use of the 3DS2 protocol is now essential, particularly on e-commerce platforms.

Transactions concerned

Strong authentication is normally mandatory for all payments made on the Internet. It is therefore required for merchants and anyone operating a website or application for the sale of goods and services. However, certain transactions are exempt, namely:

  • payments of less than €30;
  • recurring payments, for example in the context of subscriptions;
  • transactions involving a bank domiciled outside the European Union.

The main steps in 3DS payment and authentication

To offer secure payments using the 3DS protocol, merchants must subscribe to the corresponding option with their payment provider.

For their part, users must have activated the 3D Secure service with their financial institution.

On the seller’s website, the use of this system is indicated by a label displayed at the time of payment. Each card network has its own: Visa Secure, Mastercard Identity Check, American Express SafeKey, etc.

There are two steps to validating the transaction:

  1. The buyer enters their payment card information on the merchant’s website. This includes their identification number, expiration date and the security code on the back of the card.
  2. The transaction is validated on the financial institution’s mobile app. This is a new feature integrated into the 3D Secure 2 protocol. Previously, entering a one-time code sent by text message was sufficient. Now, the buyer must authenticate themselves on their payment app by clicking on a notification sent by the card issuer. Depending on the financial institution and the smartphone used, biometric identification may also be offered to further secure the transaction.

3D Secure: Advantages of the protection system

Despite some complexities and a long adoption period, the 3DS authentication system has become part of consumers’ habits. Here are its main advantages:

Payment security and fraud prevention

By requiring the use of a reliable authentication system, the 3D Secure protocol secures online transactions. Similarly, merchants reduce their risk of non-payment due to credit card fraud.

Compliance with PSD2 rules

The European PSD2 directive requires the use of a strong authentication system to validate online transactions. 3D Secure enables these requirements to be met.

A mark of trust for websites and apps

Many consumers are concerned about the security of their online payments. Just like the HTTPS protocol, offering a transaction secured by 3DS helps to reassure customers. A website or application that does not offer this feature may therefore appear unreliable.

Why choose Treezor’s 3DS solution? 

Treezor offers a secure and robust option that is compatible with many mobile and web technologies, enabling it to provide the most suitable solution for each of its customers to optimize the user experience.

Treezor strongly encourages biometric authentication, which allows the cardholder to confirm their identity using their fingerprint or facial recognition. In order for this solution to be offered, the cardholder’s cell phone must have one of these authentication features.

This authentication method significantly enhances payment security by reducing the risk of fraud, as some scammers also resort to phone hacking to collect information received by text message.

Biometric data, being intrinsically linked to each individual on a physical level, is considerably more difficult to capture, thus offering an increased level of security during authentication processes. Despite the personal nature of this data, Treezor is able to store and manage it securely, thereby preserving its integrity.
