3D Secure Payments: What Merchants Need to Know About 3DS2

3D Secure (3DS) is the authentication protocol that adds a verification layer to card-not-present transactions. Version 2 (3DS2) is the current standard and brings significant improvements over the original, including frictionless authentication, mobile-native support, and a liability shift that protects merchants from fraud chargebacks. For WooCommerce merchants, understanding 3DS2 is essential for both fraud prevention and regulatory compliance.

ConvesioPay supports 3DS2 natively through Adyen’s infrastructure: frictionless for most transactions, with challenge flows only when issuers require it. Get started →


1. What Is 3D Secure?

3D Secure is an authentication protocol developed by the card networks (Visa calls it Visa Secure; Mastercard calls it Mastercard Identity Check; American Express calls it American Express SafeKey). It adds an authentication step to online card payments, where the issuing bank verifies the cardholder’s identity before the transaction is authorized.

The “3D” in 3D Secure refers to the three parties involved: the merchant, the acquirer (your payment processor), and the issuer (the cardholder’s bank).


2. How 3DS2 Works

When a 3DS2-enabled transaction is initiated, your payment processor sends a rich set of transaction data to the card issuer, including device fingerprint, browser information, IP address, shipping address, and historical transaction data. The issuer uses this data to assess the fraud risk of the transaction and decides how to respond:

Frictionless Flow (majority of transactions)

The issuer determines the transaction is low risk and authenticates it silently, with no cardholder action required. From the customer’s perspective, the checkout proceeds normally; they never see an extra step. Behind the scenes, the transaction has been authenticated and fraud chargeback liability has shifted to the issuer.

Challenge Flow (higher-risk transactions)

The issuer requests additional verification from the cardholder. This might be:

  • A one-time passcode (OTP) sent via SMS to the cardholder’s registered number
  • Biometric authentication via the cardholder’s banking app
  • A security question

The challenge is presented in the checkout flow via an inline iframe or redirect. If the cardholder completes it successfully, the transaction is authenticated and liability shifts to the issuer.

Failed Authentication

If the cardholder fails the challenge, the transaction is declined. The merchant doesn’t bear fraud liability because the issuer declined to authenticate.


3. The Liability Shift

The liability shift is the most commercially important aspect of 3DS2 for merchants. When a transaction is successfully authenticated via 3DS2:

  • The cardholder’s bank has verified the transaction
  • If a fraud chargeback is later filed on that transaction, the issuer, not the merchant, bears the loss
  • The chargeback may still be filed, but the issuer cannot pass the loss to the merchant for fraud-category chargebacks

This means 3DS2 doesn’t eliminate chargebacks; it changes who pays for them when they’re fraud-related. Consumer dispute chargebacks (non-receipt, not as described) are not covered by the liability shift.
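The flows in section 2 and the liability rules above can be turned into a chargeback audit. This is an added example, not ConvesioPay or Adyen code; the outcome and category labels, the `Chargeback` record and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Outcome and category labels are assumptions for this example, not processor field values.
AUTHENTICATED = {"frictionless", "challenge_passed"}
OUTCOMES = AUTHENTICATED | {"challenge_failed", "not_attempted"}
CATEGORIES = {"fraud", "consumer_dispute"}

@dataclass
class Chargeback:
    order_id: str
    amount: float
    category: str          # "fraud" or "consumer_dispute"
    three_ds_outcome: str  # one of OUTCOMES

def liability(cb: Chargeback) -> str:
    """Classify one chargeback: 'issuer', 'not_shifted' or 'inconsistent_record'."""
    if cb.three_ds_outcome not in OUTCOMES or cb.category not in CATEGORIES:
        raise ValueError(f"unknown label on order {cb.order_id}")
    if cb.three_ds_outcome == "challenge_failed":
        # A failed challenge means the payment was declined, so a chargeback
        # recorded against it points to a bookkeeping or integration error.
        return "inconsistent_record"
    if cb.category == "fraud" and cb.three_ds_outcome in AUTHENTICATED:
        return "issuer"  # fraud-category chargeback on an authenticated payment
    return "not_shifted"  # consumer disputes and unauthenticated payments

def audit(chargebacks):
    """Total amounts per class and list the orders that need follow-up."""
    totals = {"issuer": 0.0, "not_shifted": 0.0, "inconsistent_record": 0.0}
    follow_up = []
    for cb in chargebacks:
        result = liability(cb)
        totals[result] += cb.amount
        if result != "not_shifted":
            follow_up.append((cb.order_id, result))
    return totals, follow_up

# Constructed sample records (not real data).
SAMPLE = [
    Chargeback("A-1001", 120.00, "fraud", "frictionless"),
    Chargeback("A-1002", 45.50, "fraud", "not_attempted"),
    Chargeback("A-1003", 80.00, "consumer_dispute", "challenge_passed"),
    Chargeback("A-1004", 30.00, "fraud", "challenge_passed"),
    Chargeback("A-1005", 60.00, "fraud", "challenge_failed"),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Orders in the follow-up list are the ones to check with the processor: fraud chargebacks on authenticated payments, and records that contradict the declined-on-failure rule.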


4. 3DS2 vs. Legacy 3DS1

| | 3DS1 (deprecated) | 3DS2 |
|---|---|---|
| Authentication method | Password-based challenge for most transactions | Risk-based; frictionless for most; challenge only for flagged |
| Data sent to issuer | Minimal (card, amount, merchant) | Rich context (device, browser, behavior, history) |
| Mobile support | Poor — broken in many mobile browsers | Native mobile app integration; biometric support |
| Conversion impact | Significant abandonment at challenge step | Minimal — most transactions are frictionless |
| Status | Deprecated; no longer supported by major networks | Current standard |

5. SCA Requirements for European Merchants

Under PSD2 (the EU’s Payment Services Directive 2), Strong Customer Authentication (SCA) is required for most European online card payments. SCA requires two of three authentication factors: something the customer knows (password), something the customer has (device), something the customer is (biometric).

3DS2 is the primary mechanism for complying with SCA requirements. For WooCommerce merchants selling to customers in the European Economic Area (EEA), 3DS2 is effectively mandatory for card payments, not optional.

SCA exemptions exist for:

  • Low-value transactions (under €30)
  • Low-risk transactions (transaction risk analysis exemption)
  • Trusted beneficiaries (customer has whitelisted the merchant)
  • Merchant-initiated transactions (recurring payments where the first transaction was SCA-authenticated)

ConvesioPay handles SCA exemption requests automatically through Adyen’s infrastructure, requesting exemptions where appropriate to minimize friction on legitimate European transactions.


6. Implementation in WooCommerce

With ConvesioPay, 3DS2 is available natively: no separate plugin or configuration is required to enable the protocol. You can configure:

  • 3DS2 for all transactions — maximum liability protection at the cost of some challenge friction
  • 3DS2 with risk-based triggering — frictionless by default; challenge triggered by issuer risk assessment or your fraud rules
  • SCA-only mode for EU transactions — 3DS2 triggered only for customers where SCA is required

For high-fraud environments or merchants approaching chargeback thresholds, enabling 3DS2 universally is the most effective single step to reduce fraud chargeback exposure.

For more on fraud prevention tools that work alongside 3DS2, see CNP Fraud Prevention: Protecting Your Online Store from Card-Not-Present Fraud and Payment Fraud Prevention: A Complete Guide for Ecommerce Merchants.

ConvesioPay’s 3DS2 support is built in — frictionless authentication, liability shift, and SCA compliance for WooCommerce merchants, powered by Adyen. Get started →

Updated on June 19, 2026
