3D Secure

3D Secure, often shortened to 3DS and marketed under names such as Visa Secure, Mastercard Identity Check, or American Express SafeKey, is a card authentication protocol that verifies a cardholder’s identity at the moment of checkout, exchanging risk data with the card issuer to confirm a transaction is genuinely being made by the cardholder.
The current version, 3D Secure 2 (3DS2), routes every authentication attempt down one of two paths. In a frictionless flow, the merchant’s checkout sends a rich set of risk data, potentially over 100 fields covering device, billing, and transaction details, to the card issuer; if that data convinces the issuer the purchase is genuine, the transaction proceeds instantly with no customer input.
In a challenge flow, the issuer instead requires the cardholder to actively confirm the purchase, typically through a one-time code, biometric prompt, or banking app notification, holding the transaction until that step completes.
Well-optimized implementations can push 80 to 95 percent of transactions through frictionlessly, while poorly configured ones, often due to missing data fields, push far more traffic into challenges, which carry meaningfully higher cart abandonment.
3D Secure is treated differently by region. In the EU and UK, PSD2 legally mandates Strong Customer Authentication (SCA) for most online card payments, and 3DS2 is the primary technical mechanism merchants use to satisfy that requirement; exemptions, such as low-value payments under roughly €30, allow a transaction to skip a full challenge.
In the US, there is no equivalent legal mandate, and 3DS adoption is merchant-driven rather than required, though card networks increasingly encourage it through fraud-monitoring programs and the liability protection it offers; US merchant adoption has climbed substantially in recent years as a result.
Crucially, the liability shift 3DS provides only covers chargebacks coded as fraud; disputes filed under other reason codes, such as item not received or not as described, remain the merchant’s responsibility regardless of whether the original transaction was authenticated.
Example
A customer in the UK purchasing from an online store is routed through a 3D Secure frictionless check, since the issuer’s risk system finds the device and billing data convincing enough to approve without further input. A higher-value purchase from a different customer triggers a challenge, prompting them to approve the payment through their banking app before completing. Months later, if either transaction is disputed as fraudulent, the store is protected by the liability shift since both were authenticated through 3DS, though this would not apply if the customer instead disputed the order as never having arrived.
Key characteristics
- Two distinct authentication paths: Frictionless authentication completes instantly using shared risk data, while a challenge requires active cardholder input, with both equally valid for satisfying authentication requirements.
- Mandatory in the EU and UK, optional in the US: PSD2’s Strong Customer Authentication requirement makes 3DS2 effectively required for most EU and UK card-not-present transactions, while US adoption remains merchant-driven.
- Liability shift is limited to fraud-coded disputes: Protection from chargeback liability applies specifically to disputes coded as fraud; it does not cover other dispute types such as non-delivery or item-not-as-described claims.
- Data quality drives the frictionless rate: Merchants submitting richer, more complete risk data to the issuer generally achieve a higher share of frictionless approvals and a lower share of conversion-harming challenges.
- Embedded directly into modern checkouts: Unlike the original 3D Secure, which redirected customers to a separate page, 3DS2 embeds challenges directly within the existing checkout as a modal or in-app prompt.
Related terms
- Fraud prevention – the broader layered system of checks within which 3D Secure functions as one specific step-up authentication tool.
- Chargeback – a forced payment reversal that 3D Secure’s liability shift protects merchants from, specifically for disputes coded as fraud.
- Payment gateway – the technology layer through which 3D Secure authentication requests and responses are typically routed during checkout.
- Credit card processing – the broader authorization system within which 3D Secure adds an additional identity-verification step before a transaction proceeds.
- Stripe – a payment service provider that supports 3D Secure 2 across its payment APIs, applying it dynamically to higher-risk transactions.
Frequently asked questions
What is the difference between a frictionless flow and a challenge flow?
A frictionless flow approves a transaction instantly using risk data shared between the merchant and card issuer, with no action required from the customer. A challenge flow requires the cardholder to actively confirm the purchase, such as entering a one-time code or approving a banking app prompt, before the transaction completes.
Is 3D Secure required by law?
It is effectively required in the European Union and UK, where PSD2’s Strong Customer Authentication mandate makes 3DS2 the primary way merchants comply for most online card payments. In the United States, there is no legal mandate, and adoption is driven by merchant choice and card network incentives rather than regulation.
Does 3D Secure protect against all types of chargebacks?
No, the liability shift 3D Secure provides only applies to chargebacks coded as fraud. Disputes filed under other reason codes, such as item not received or product not as described, remain the merchant’s responsibility even if the original transaction was successfully authenticated through 3DS.
Does using 3D Secure slow down checkout?
It can, but a well-implemented frictionless flow adds no noticeable delay for most transactions, since the entire data exchange happens in the background within a second. Only transactions routed into a challenge flow require active customer input, and that share can be reduced significantly by submitting complete, high-quality risk data to the issuer.