How Does 3D Secure Authentication Protect Payments?

If you routinely make purchases or payments online, you might be vaguely familiar with 3D Secure authentication. If you’re a business owner operating an online storefront and you don’t know what it is, you should probably keep reading.

3D Secure (short for Three-Domain Secure) is an authentication protocol that adds extra security to online credit and debit card purchases. In places like the European Union and India, 3D Secure authentication is mandatory for all card-not-present transactions. While it’s not technically required in the United States, 3D Secure is an industry standard that’s met across most reputable online marketplaces. In fact, payment gateways like Stripe and Paypal usually enable it by default.

This guide explains what 3D Secure is, how it works during checkout, and what merchants should understand about its place in a broader payment setup. If you’re looking for a way to centralize the cash flow that comes after customer purchases, Slash may be your answer.¹ While Slash isn’t a payment gateway with authentication capabilities, it brings plenty of other business banking functions into one platform that’s built to help manage incoming and outgoing payments.

The standard in finance

Slash goes above with better controls, better rewards, and better support for your business.

Get Started

Glossary

Before getting into the technical details, let’s look at a glossary of payment processing terms that will be helpful to know:

Payment gateway: The technology that captures and transfers payment data from a customer to a merchant’s acquiring bank. It sits at the beginning of the overall process.
Payment processor: The financial service that manages the backend logistics of electronic transactions. Common examples include Stripe, PayPal, and Apple Pay.
Card-not-present transactions: Any purchase (typically online) where the customer doesn’t use their physical card to tap or swipe at a terminal.
Card networks: The infrastructures that power debit and credit card transactions. Common examples include Mastercard, Visa, and Discover.
Issuing bank: The customer's bank in a given transaction. It’s the financial institution that issued the card being used for the purchase.
Acquiring bank: The merchant’s bank in a given transaction. It receives the funds from a purchase.

What Is 3D Secure Authentication?

Initially launched in 2001 by Visa, 3D Secure authentication is the verification protocol that can appear during eligible online card payments. When it's triggered, the system asks the cardholder to confirm their identity before the purchase proceeds. It can show up as a one-time code sent to a phone, a biometric prompt in a banking app, or a background check that completes behind the scenes.

The name “3D Secure” refers to the three parties involved in the process: the merchant's domain (the acquiring bank and payment infrastructure), the interoperability domain (the card network), and the issuer domain (the bank that issued the card to the customer).

It’s important to remember that 3D Secure is in charge of authentication, not authorization. Authentication confirms identity and determines whether the person making the transaction is the real cardholder. Authorization is a separate step handled by the issuing bank, which assesses whether the transaction should be approved based on factors like available funds, account standing, and risk signals.

3DS is most commonly applied to card-not-present transactions like online purchases, mobile checkouts, and in-app payments. These transactions are higher risk by nature, as they’re more vulnerable to hacking and suspicious activity than payments at a physical terminal. So, they need a little extra security.

How 3D Secure Authentication Works

3D Secure works by passing transaction and customer information between the merchant, the card network's 3DS program, and the issuing bank. This allows the issuer to assess how the customer should be authenticated. This authentication can happen in the background, or it can require the customer to complete an extra step. Here’s how each method works:

The Easy Way

In the simpler outcome, the issuer investigates the transaction using the data it receives and determines that the customer’s good to go. The buyer sees nothing unusual during checkout, and the payment moves forward.

While the customer doesn’t see an extra request, authentication isn’t being skipped or waived. The issuer performs a real-time risk assessment using factors like transaction history, device data, location, and behavioral signals, and can decide the transaction is low enough risk to authenticate in the background. According to ACI Worldwide, over 100 data points can be called upon, with none taking more than a fraction of a second to assess.

The Hard Way

If the issuer determines that a transaction carries elevated risk, or when specific regulatory requirements apply, it can trigger extra steps. At this point, the customer is asked to actively verify their identity before the transaction can proceed.

Verification methods can come in the form of a one-time password sent to a registered phone number or email, a prompt within the customer's banking app, or a biometric confirmation like a fingerprint or face ID. The one that appears can depend on the issuer and their configurations. Once the challenge is completed successfully, the customer is authenticated and they can continue with their purchase.

Why 3D Secure Matters for Businesses

Simply put, 3DS Secure authentication is meant to directly protect merchants against fraud and indirectly protect customers from their data being used elsewhere. However, those aren’t the only ways it can help. Here are each of the advantages a business can receive from adopting 3DS:

Fewer Unauthorized Card-Not-Present Transactions

Card-not-present fraud is a constant challenge for online businesses. According to data from Visa, CNP fraud accounts for nearly 90% of all payment fraud, and is more than 7 times as common as fraud at physical points of sale. 3DS gives issuers more context to verify whether the buyer is the legitimate cardholder, which can greatly reduce unauthorized transaction activity.

Some corporate cards, such as the Slash Visa® Platinum Card, offer their own protections against card-not-present fraud. If Slash detects that a card has been used at a merchant that lacks fraud controls and is particularly vulnerable to PAN (Primary Account Number) attacks, Slash can flag the transaction and take protective action. Even if the cardholder’s identity is correct, the act of putting card data into an unprotected POS system is a risk that Slash stays on top of.

Potential Liability Shift for Certain Authenticated Payments

In certain circumstances, when a transaction is successfully authenticated through 3D Secure, responsibility for fraud-related chargebacks may shift from the merchant to the issuing bank. In other words, it might not legally be the merchant’s problem.

This liability shift doesn’t automatically apply to every authenticated transaction, though. It may not cover non-fraud disputes, some chargebacks, or certain other transactions where applicable exemptions apply. In short, if a merchant adopts 3DS, it means they aren’t liable for every act of fraud that occurs within their system, but they may be for some.

More Confidence at the Point of Checkout

3D Secure can also reinforce a customer's sense of security during checkout. Seeing a familiar verification prompt from their own bank can signal to customers that the merchant and the card network are actively protecting the transaction. Even if it takes a few extra seconds to authenticate the customer’s identity, the extra step demonstrates that the site they’re using isn’t sketchy.

Better Risk Signals for Issuers

As we mentioned before, 3D Secure can send the issuer over 100 data points to help them assess a given transaction. Without those data points, the issuer has a lot less information to draw from, and fraudulent transactions may be confirmed more often. On the flip side, the merchant’s customers may be consistently prompted to manually verify their identity when it isn’t really necessary. The stronger the information shared between the merchant and the issuing bank, the more accurately risk can be assessed.

Corporate cards built for control

Cashback, automation, and insights, simplified.

Get Started

Challenges Businesses Should Consider with 3D Secure

While 3DS can improve the security of online card payments, it also introduces a few obstacles that merchants need to keep in mind. These obstacles can be experienced by either the merchants or by their customers. Here are some of the main ones:

Extra Steps Before Payment Approval

Customers often have to complete an additional verification step before their payment can proceed. For most people, receiving and entering a one-time code or using biometric authentication is pretty easy. However, any additional step introduces an opportunity for the transaction to stall, especially if the customer’s having issues receiving texts or there’s another technical difficulty. If their processor allows it, businesses may want to monitor how often their 3DS system prompts an authentication challenge, in case some tweaks need to be made.

Different Issuer Rules Across Transactions

3DS doesn't actually operate as a single, uniform system. Each issuer can set their own risk thresholds and verification preferences, and those parameters may differ across banks and cards. A transaction that gets the green light from one issuer could be challenged by another issuer under similar circumstances. For merchants with a customer base that uses different payment methods, authentication experiences will often vary among their customers.

Authentication Flows on Mobile Checkout

Mobile checkouts can come with their own hurdles. A challenge triggered in a mobile browser may redirect the customer to a separate page that doesn’t pop up correctly on all devices or screen sizes. In-app verification can be smoother if the issuer's banking app supports direct verification, but not all do. If a business experiences lots of mobile traffic, they may want to test authentication steps on a few different devices and browsers.

Regional Authentication Differences

Just as some issuers have different 3DS rules, certain regions do as well. Countries that abide by Strong Customer Authentication (SCA) regulations require 3DS by law, and so buyers in those areas will be much more comfortable with security checks. In other nations, however, 3DS checks could be rare and catch a potential customer off guard. If your business operates across multiple regions, it may be helpful to see how rules apply across each market to get a better picture of different customer journeys.

From Payment Authentication to Payment Operations with Slash

3D Secure authentication keeps funds safe at the very first point of a transaction’s journey. From there, it travels through the payment processor, acquiring bank, and merchant account before it finally ends up in your business’s main account. Now that the funds are in your hands, you may want to keep them secure in the same way they were while being authenticated by 3DS. Slash is a business banking platform that can offer that kind of security.

With the help of a sweep network managed by Slash’s partner bank, Column N.A., deposits in Slash are FDIC insured up to the hundreds of millions.² Slash’s charge card, the Slash Visa® Platinum Card, also comes with configurable controls that can help protect against fraud. Users can issue unlimited physical and virtual cards with custom budgets and merchant restrictions, so employees can only spend in approved places. Our fraud detection tools can automatically flag suspicious activity and surface it for human review.

Beyond Slash’s security tools, the platform can track all incoming and outgoing transfers on an integrated financial dashboard, allowing businesses to get an accurate picture of their cash flow in real time. Alongside payment tracking, you’ll also find the following features on the Slash dashboard:

Agentic AI: Our platform comes with Twin, a built-in AI assistant that can be prompted with natural language to complete complex tasks. Users can ask it to create cards, pay invoices, review your cash flow, and much more.
High-yield treasury: Earn up to 3.80% annualized yield on idle funds with money market investments from BlackRock and Morgan Stanley, managed directly within your Slash account.⁶
Accounting & ERP integrations: Sync transaction data with QuickBooks Online, Xero, NetSuite, or Sage Intacct to streamline reconciliation, reporting, and month-end close.
Native cryptocurrency support: Send and receive USD-pegged stablecoins USDC and USDT across eight supported blockchains for faster, lower-cost global payments.⁴
Reimbursements: Instead of managing reimbursements across multiple tools, teams can now submit, review, and approve reimbursements directly inside the Slash dashboard. Connect your bank account, upload your receipt, and let Slash capture the details.

While Slash isn’t a 3DS provider in itself, it can help businesses keep their funds safe after initial authentication and settlement. If you’re looking for a modern banking solution that covers the financial steps after payment processing, give Slash a try today.

Apply in less than 10 minutes today

Join the 10,000+ businesses already using Slash.

Frequently Asked Questions

What is PSD2?

PSD2 stands for the second edition of the Payment Services Directive. It is a European Union (EU) regulation that governs electronic payments and banking across the European Economic Area (EEA). Strong Customer Authentication (SCA) regulations are a key element of PSD2.

What happens if a customer fails 3D Secure authentication?

If a customer fails 3D Secure (3DS) authentication, their transaction is determined to be fraudulent by the issuing bank, and the purchase is declined.

What is 3DS2?

3DS2 (3D Secure Authentication 2) is an update to the common 3D Secure system that came about in 2016. It didn't change the core of how 3DS worked, but it did introduce new data points for online payments and make extra authentication steps less common for customers.

Does 3D Secure prevent chargebacks?

3D Secure can help prevent fraudulent chargebacks, but it can't eliminate them. Merchants can still be liable for chargebacks that relate to product/delivery issues or general refunds.