What Hath 3D Secure Wrought … in 2025?

Back in 1999, payment networks introduced the first version of the 3-D Secure authentication protocol, which sought to add security to online credit card transactions. 3DS 1.0, as it is now known, required cardholders to authenticate their identity before completing a purchase.

Ben Dominguez, executive vice president of 3-D Secure and strategic alliances at Entersekt, was a vice president at Visa at the time and was present at the protocol’s creation. The general premise was to add a bit of friction into the mix, taking users to a third-party site for authentication and prompting them to use a password.

“We thought authentication was going to be the killer app,” he told PYMNTS in an interview.

However, the password mandate and pop-up windows as part of the verification process created friction and spurred consumers to abandon their online carts, especially as 3DS 1.0 proved cumbersome on mobile devices.

Merchants were slow to embrace the protocol, as they cared more about throughput and conversion rates than authentication, Dominguez said. Merchants thought transaction information was their data to keep close to the vest, and issuers felt the same way.

Fast forward a few decades to the present day, and commerce itself has changed. 3DS 1.0 was not designed to handle the great digital shift to mobile devices, and merchants and issuers have had to reconsider authentication, especially as commerce is international in scope.

“Things have changed quite a bit in the ecosystem,” said Dominguez, who added that “even folks that weren’t interested in 3DS have said, ‘In order to do business in this geography or this channel we need 3-D Secure.’”

The newest iteration of 3DS, dubbed 3DS 2.0, takes the place of 1.0 (which was sunsetted in 2022) and is designed for mobile devices and to meet the demands of strong customer authentication (SCA) requirements in Europe.

More specifically, the new version could be referred to as “EMV 3-D Secure,” as it’s managed by EMVCo. (3DS 1.0 was managed by Visa), Dominguez said. Version 2.0 “introduces additional capabilities that help facilitate and support risk-based authentication — so there’s no reason for an issuer to treat a transaction for a big-screen TV the same way they treat a transaction for buying a T-shirt.”

3DS 2.0 allows greater data sharing across the ecosystem, including biometric data, to streamline card-not-present transactions.

Enhanced data and artificial intelligence can be important arrows in the quiver against fraudsters who also use AI to defraud issuers and merchants.

“We can use transactional attributes that the fraudsters may not have access to,” said Dominguez, who added that there are several ways in which firms, including Entersekt, can support and improve the levels of authentication that are applied to a transaction, while satisfying the compliance rules of SCA, PSD2 and the data protection regulations of GDPR.

“3DS is first and foremost a messaging protocol, and it’s designed to convey transaction-level information from the merchants through the payment networks all the way through to the issuer and possibly the cardholder,” he said. “It allows us to convey these data points so that the various parties can act on it … and it floats all boats so that we can improve the overall transaction quality and security.”

As Dominguez told PYMNTS, the flow of information across all stakeholders fosters a sense of collaboration that recognizes that “driving fraud out of the system is a shared responsibility.”

The post What Hath 3D Secure Wrought … in 2025? appeared first on PYMNTS.com.