3D Secure can seem like a black box — it happens behind the scenes, and merchants don’t always know what’s occurring. This guide walks through a 3DS2 transaction step by step, explaining what each component does and why the process produces better outcomes for merchants than unauthenticated card transactions.
The Parties Involved
- Customer: The cardholder making the purchase
- Merchant / 3DS Server: The website collecting the payment, with 3DS enabled via their payment provider
- Acquirer (ConvesioPay/Adyen): The merchant’s payment processor; initiates the 3DS flow and submits the authentication value with the authorization request
- Directory Server (Visa/MC): Routes the 3DS request to the correct issuer
- Access Control Server (ACS): The issuer’s 3DS system; makes the authentication decision
- Issuing Bank: The bank that issued the customer’s card; ultimately approves or declines the payment
The 3DS2 Transaction Flow: Step by Step
1. Customer initiates checkout. The customer enters their card details on the merchant’s checkout page.
2. Device fingerprinting. The merchant’s 3DS Server collects over 100 data elements — browser type, screen resolution, timezone, IP address, and behavioral signals — in the background, typically in under one second.
3. Authentication request sent to Directory Server. The 3DS Server packages the device data, transaction details, and card information into an Authentication Request (AReq) and sends it to Visa’s or Mastercard’s Directory Server.
4. Directory Server routes to ACS. The Directory Server identifies the card’s issuing bank and routes the AReq to that bank’s Access Control Server (ACS).
5. ACS risk scoring. The issuer’s ACS evaluates all data elements against its fraud models. If the transaction looks low-risk, it approves frictionlessly. If high-risk patterns are detected, it returns a challenge.
   - Frictionless approval (most common): The ACS returns an Authentication Response (ARes) with a successful outcome and a CAVV (Cardholder Authentication Verification Value) — the authentication value that proves 3DS occurred.
   - Challenge flow (if triggered): The ACS presents a challenge — OTP via SMS, banking app push notification, or biometric prompt. The customer completes the challenge; the ACS then returns a successful ARes.
6. Authorization submitted. The acquirer submits the card authorization request including the CAVV. The card network routes this to the issuer.
7. Issuer authorizes. The issuer approves the transaction, recognizing the 3DS authentication. The liability for fraud on this transaction now rests with the issuer, not the merchant.
8. Payment completes. The merchant receives the authorization response and completes the order.
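The branch between frictionless approval and challenge, and the check that an authentication value is fit to attach to the authorization, can be sketched as follows. This is an added example, not ConvesioPay or Adyen code: the field names (transStatus, authenticationValue, eci, threeDSServerTransID) follow the EMV 3DS message format, while next_step, its action names, and the sample messages are hypothetical and constructed for illustration.

```python
import base64
import binascii

# ECI values that indicate full authentication, per card scheme.
FULL_AUTH_ECI = {"visa": {"05"}, "mastercard": {"02"}}

def next_step(areq, ares, scheme):
    """Return (action, reason) for an ARes received in reply to areq."""
    # Bind the response to the request that was actually sent.
    if ares.get("messageType") != "ARes":
        return ("reject", "unexpected message type")
    if ares.get("threeDSServerTransID") != areq["threeDSServerTransID"]:
        return ("reject", "transaction ID mismatch")
    status = ares.get("transStatus")
    if status == "C":  # challenge flow: OTP, banking app push, or biometric
        return ("challenge", "ACS requested a challenge")
    if status != "Y":  # not fully authenticated: handle per acquirer policy
        return ("fallback", f"transStatus={status}")
    # Frictionless success: the authentication value (CAVV) must be
    # 20 bytes, carried as 28 base64 characters.
    try:
        raw = base64.b64decode(ares.get("authenticationValue", ""), validate=True)
    except (binascii.Error, ValueError):
        return ("reject", "authentication value is not base64")
    if len(raw) != 20:
        return ("reject", "authentication value has wrong length")
    if ares.get("eci") not in FULL_AUTH_ECI.get(scheme, set()):
        return ("fallback", f"eci={ares.get('eci')}")
    return ("authorize", "frictionless authentication")

# Constructed sample messages (not real transaction data).
SAMPLE_AREQ = {"messageType": "AReq",
               "threeDSServerTransID": "00000000-0000-4000-8000-000000000001"}
SAMPLE_ARES = {
    "messageType": "ARes",
    "threeDSServerTransID": "00000000-0000-4000-8000-000000000001",
    "transStatus": "Y",
    "eci": "05",
    "authenticationValue": base64.b64encode(bytes(range(20))).decode(),
}

if __name__ == "__main__":
    print(next_step(SAMPLE_AREQ, SAMPLE_ARES, "visa"))
```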
The Full Flow in Under Two Seconds
For frictionless transactions, the entire 3DS exchange — steps 2 through 5 — typically completes in under one second, invisible to the customer. The customer sees no interruption to their checkout experience, yet the merchant receives full liability shift protection.