3D-Secure 2.0

3DS 2.0 (also known as EMV 3DS)


  • 3D-Secure (3DS) is a security protocol created and used by card networks to reduce credit and debit card fraud for online transactions
  • This is most often performed via some form of two-factor authentication (2FA)
  • The current version of 3DS technology (known as “3DS 1.0”) is outdated
  • The card networks have upgraded 3DS technology and the software required to support it - this is referred to as “3DS 2.0”
  • In 2021,
    • Visa will stop liability shift for chargebacks even if the transaction is processed with 3DS 1.0
    • MasterCard will not stop liability shift for 3DS 1.0 transactions, but will charge more scheme fees for them
  • Added benefits of 3DS 2.0 include frictionless authentication, a better payments experience for customers, and improved payment acceptance rates

Xendit is ready to help our customers accept card payments with 3DS 2.0 with our APIs and mobile SDKs (iOS, Android).

Refresher: what is 3DS?

3D-Secure was first developed by Visa in 2001 to add a layer of security to online card transactions, by verifying the cardholder’s identity to the issuer. This was important as online transactions are Card-Not-Present (CNP) transactions, where a merchant cannot physically verify that the person making payment is the owner of the card.

3DS verification is most often performed via two-factor authentication (2FA). This usually takes place via redirecting the user to a challenge page or popup window in their browser, which asks for a One-Time Password (OTP) from their issuer. You would be familiar with the card networks’ individual 3DS methods such as Verified by Visa (renamed as Visa Secure), MasterCard SecureCode (renamed as MasterCard Identity Check), or AMEX Safekey.

The OTP would be received either by text or in an app, and when entered in the challenge page, is sent to the issuer to verify the cardholder’s identity.

3DS gives the issuer and the cardholder greater confidence that a transaction is legitimately and securely processed. Merchants benefit from higher acceptance rates with 3DS, as many issuers require successful authentication before they approve a payment. 3D-Secured transactions also provide merchants with higher likelihood of liability shift when a cardholder raises a chargeback.

The main disadvantage of 3DS is added friction during checkout, since the cardholder must perform 2FA. Some customers may abandon the cart as a result. Read more about how Xendit helps customers process card transactions with 3DS.

Why the need for 3DS 2.0?

The current version of 3DS, 3DS 1.0, is now 19 years old. While the economy, businesses and payments and the technologies involved have changed significantly, 3DS 1.0 has not. The card networks saw a need to create a new 3DS protocol to meet the requirements and challenges of new technologies and businesses.

EMVCo is a global technical body which handles worldwide interoperability and acceptance of online card payments - it is collectively owned by Visa, MasterCard, AMEX, Discover, JCB, and UnionPay. Under the umbrella of EMVCo, the card networks have developed 3DS 2.0 (also known as EMV 3DS) to meet market needs for a new security protocol.

3DS 2.0 provides frictionless authentication

With 3DS 1.0, the card networks and issuers use a number of data elements to verify the cardholder’s identity. 3DS 2.0 increases the number of accepted data elements, creating a better profile of the cardholder with every transaction. Merchants and their payment providers can receive more data from the end-user making payment, and send that data to the issuer.

The issuer uses this information to better review the transaction for fraud or associated risks.

  • If sufficient data is received to verify that it is indeed the cardholder making payment, the issuer can use “frictionless” 3DS authentication without the cardholder needing to perform 2FA. 3DS succeeds, the payment is accepted, and the merchant benefits from chargeback liability without any additional verification step.
  • If the issuer needs more data for verification, they initiate the “challenge” and require the cardholder to provide an OTP or other 2FA.

This is also known as “risk-based authentication”. The benefit to merchants is that their customers can make purchases and checkout without friction if enough data is provided for a successful 3DS 2.0 transaction. This data must be passed from the cardholder via the merchants’ checkout page to Xendit using our APIs and Javascript implementation, or mobile SDKs.

3DS 2.0 allows for a better customer experience

If you’ve experienced 3DS 1.0 before, you’ll know that the most common authentication method is via an OTP sent to your phone. In recent years, issuers have created innovative methods such as in-app biometric authentication or PIN verification which allows even a challenge step to be smoother. 3DS 2.0 was developed with these innovations in mind, as well as the increased smartphone usage globally and particularly in Southeast Asia.

3DS 2.0 also allows for the challenge step to be contained within the merchant’s checkout browser without defaulting to a redirect. The OTP page or other type of prompt will emerge within the original browser itself, leading to more control of the entire payment process and decreasing exposure to security risks.

How Xendit supports 3DS 2.0

Xendit has worked directly with Visa, MasterCard and JCB to enable 3DS 2.0 for merchants using our products to accept online credit and debit card payments. 3DS 2.0 will be available using our APIs, and mobile SDKs (iOS, Android). Our Invoices, CheckoutUI and plugins such as the Xendit-Shopify and Magento plugins will be ready for 3DS 2.0 in 2021, well before the card networks reduce support for 3DS 1.0.

Our xendit.js Javascript client and mobile SDKs support handling of new data params in API responses out of the box - merchants need only make sure you are using the latest versions of these. However, merchants will have to add new data params in your Tokenization/Authentication requests to Xendit, in order to provide data necessary for a 3DS 2.0 authentication. Your user interfaces must also be able to allow users to enter this data.

We are rolling out 3DS 2.0 to merchants upon request - contact us at help@xendit.co and let's get started!

Last Updated on 2023-05-19