Online shopping is part of everyday life in the UK, but with it comes a growing risk: card-not-present fraud. In 2024 alone, remote-purchase fraud cost UK businesses over £722 million, making it the most common type of payment fraud.
To help reduce these losses and build trust in digital commerce, the payments industry relies on 3D Secure authentication, a protocol that quietly verifies cardholders behind the scenes, or steps in with a quick ID check when needed.
In this article, we break down what 3D Secure is, how it works, and what UK businesses need to know to stay compliant, protect revenue, and keep customers happy.
What is 3D Secure?
3D Secure (3DS) is a security protocol developed by EMVCo to add an extra layer of protection to online card payments. The “3D” stands for the three domains involved in the transaction:
- Issuer domain: The cardholder’s bank
- Acquirer domain: The merchant and their payment provider
- Interoperability domain: The card scheme’s directory (e.g., Visa, Mastercard)
When a shopper makes a purchase, 3DS allows the cardholder’s bank to silently verify the transaction using behavioural and contextual data or, if needed, ask for a quick extra step like a passcode or biometric.
3DS is the main method for meeting the Strong Customer Authentication (SCA) rules under the UK’s Payment Services Regulations. These rules were introduced to reduce fraud and are enforced by the Financial Conduct Authority (FCA).
Versions of 3D Secure
| Version | Key Features | Status |
| --- | --- | --- |
| 3DS 1.0 | Static password pop-ups, high friction | Being phased out |
| 3DS 2.1 | Richer data, mobile support | Ended Sept 2024 |
| 3DS 2.2 | Supports SCA exemptions (e.g. low-value, whitelisting) | Recommended |
| 3DS 2.3.1 | App push notifications, passkey support, wearable-ready | Latest version |
How 3D Secure Works
Here’s how 3DS plays out in a typical online checkout:
- Customer enters card details at checkout.
- The merchant’s system contacts the card scheme (like Visa or Mastercard) to check if the card supports 3DS.
- The cardholder’s bank assesses the risk using 100+ data points (like device type, previous behaviour, location).
- If risk is low: The bank silently approves (frictionless).
- If risk is higher: The bank may trigger a challenge (e.g. SMS code, biometric approval, passkey).
- A secure cryptogram is returned, confirming the customer’s identity.
- The payment is authorised, and if fraud occurs later, liability sits with the bank and not the merchant.
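To make the checkout flow above concrete, here is an added example (not code from the article or from any card scheme or PSP) that simulates the issuer side of a 3DS authentication: a toy risk score over a few of the contextual signals the article names, a frictionless approval when the score is low, a one-time-code challenge when it is not, and a cryptogram that binds the result to the exact transaction details so it can be checked again at authorisation. The signing key, weights, threshold, field names and sample requests are all constructed for the example; a real Access Control Server scores far more signals and keeps its key material in an HSM.

```python
import hashlib
import hmac

# Constructed issuer-side signing key, embedded only so the example runs
# offline. A real ACS keeps this material in an HSM.
ISSUER_KEY = b"constructed-issuer-key-for-example-only"

# Constructed threshold: scores at or above this trigger a challenge.
CHALLENGE_THRESHOLD = 50


def score_risk(req):
    """Toy stand-in for the issuer's risk engine.

    The bank's real engine weighs 100+ signals; this one weighs four of the
    kinds the article lists (device, behaviour, address, amount) with
    constructed weights.
    """
    score = 0
    if not req["known_device"]:
        score += 40   # card never seen on this device before
    if not req["shipping_matches_billing"]:
        score += 25   # delivery address differs from the billing address
    if req["account_age_days"] < 7:
        score += 20   # freshly created merchant account
    if req["amount_pence"] > 25_000:
        score += 30   # unusually large basket (over £250)
    return score


def make_cryptogram(req, result):
    """Bind the authentication result to the transaction details.

    Real 3DS cryptograms (CAVV/AAV) are issuer-generated; this HMAC over the
    key transaction fields is a constructed illustration of that binding.
    """
    msg = "|".join([req["card_token"], str(req["amount_pence"]),
                    req["merchant_id"], result]).encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()


def verify_cryptogram(req, cryptogram):
    """Issuer-side check at authorisation time: does the cryptogram match
    these exact transaction details and a successful ('Y') result?"""
    expected = make_cryptogram(req, "Y")
    return hmac.compare_digest(expected, cryptogram)


def authenticate(req, otp_submitted=None, otp_issued=None):
    """Run one authentication request through the issuer.

    Returns (status, cryptogram). Low risk -> frictionless approval.
    Higher risk -> a challenge; the merchant calls again with the
    shopper's one-time code once the issuer has delivered it.
    """
    if score_risk(req) < CHALLENGE_THRESHOLD:
        return "frictionless", make_cryptogram(req, "Y")
    if otp_submitted is None:
        return "challenge_required", None
    if hmac.compare_digest(otp_submitted, otp_issued):
        return "challenged_ok", make_cryptogram(req, "Y")
    return "failed", None


# Constructed sample requests.
RETURNING_SHOPPER = {
    "card_token": "tok_constructed_1", "amount_pence": 3_200,
    "merchant_id": "M-EXAMPLE", "known_device": True,
    "shipping_matches_billing": True, "account_age_days": 400,
}
NEW_DEVICE_NEW_ACCOUNT = dict(RETURNING_SHOPPER, known_device=False,
                              account_age_days=1, amount_pence=18_000)

if __name__ == "__main__":
    print(authenticate(RETURNING_SHOPPER)[0])            # frictionless
    print(authenticate(NEW_DEVICE_NEW_ACCOUNT)[0])       # challenge_required
    status, cav = authenticate(NEW_DEVICE_NEW_ACCOUNT,
                               otp_submitted="482913", otp_issued="482913")
    print(status, verify_cryptogram(NEW_DEVICE_NEW_ACCOUNT, cav))
```

The last check in the script is the one that matters for the liability shift: the cryptogram only verifies against the amount, card and merchant it was issued for, so a transaction whose details change after authentication (the tampered case in the test) does not carry an authenticated status into authorisation.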
Key Benefits for UK Merchants
| Benefit | Why it Matters |
| --- | --- |
| Cuts card-not-present fraud | 3DS helps catch suspicious activity before it leads to losses. |
| Shifts liability | If the customer is authenticated, the bank, not the business, covers chargebacks. |
| Ensures SCA compliance | Avoids soft declines from banks rejecting non-authenticated payments. |
| Improves UX with latest versions | Newer versions like 2.3.1 allow biometric or app-based approval instead of SMS codes. |
How to Implement 3D Secure
To make the most of 3DS and ensure both compliance and a smooth customer experience, UK businesses should:
- Choose a payment provider that supports 3DS 2.2 or above: Many older integrations still use 3DS 1.0 or 2.1, which will no longer be supported after September 2024. Make sure your PSP or gateway has fully implemented 3DS 2.2 or 2.3.1, and ideally provides built-in support for features like Secure Payment Confirmation (SPC) and exemption management.
- Enable SCA exemptions where appropriate: Smart use of exemptions can improve approval rates and reduce unnecessary friction. These include:
  - Low-value transactions (under £45)
  - Recurring payments and subscriptions (merchant-initiated transactions)
  - Whitelisted customers (those who have previously approved the merchant)
- Provide rich transaction and customer data: Frictionless authentication relies on the issuer receiving enough context to assess the risk. You should send data such as:
  - Device ID and fingerprint
  - Account creation date
  - Delivery address match history
  - Transaction amount and frequency
- Test fallback flows for older cards and edge cases: Not all customers will have cards that support 3DS 2.x. Your checkout should gracefully handle fallbacks to older 3DS versions or non-authenticated authorisations, ideally with clear messaging and retry logic.
- Offer clear, reassuring messaging during the checkout flow: Sudden authentication prompts can spook customers. Add short explanations like “We use 3D Secure to keep your card safe” and offer a quick FAQ link or tooltip that explains common challenge methods (like SMS or Face ID).
- Track and optimise key performance metrics: Post-implementation, monitor your:
  - Challenge rate: What % of transactions require step-up
  - Approval rate: How many transactions are successfully authorised
  - Chargeback/fraud rate: Especially on exempted flows
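The merchant-side steps above (exemption selection, rich data, metrics) fit together in one added example, written for this article rather than taken from it or from any PSP's SDK. It picks the exemption to request using the three cases the article lists (with the article's £45 threshold), assembles the contextual data the issuer needs, and computes the three metrics per flow so that exempted traffic can be watched separately. The checkout and outcome field names are constructed for the example and are not 3DS message fields; a real integration maps them to whatever the PSP's API expects.

```python
from typing import Optional

# The article's low-value threshold (under £45), in pence.
LOW_VALUE_LIMIT_PENCE = 4_500


def choose_exemption(checkout) -> Optional[str]:
    """Pick the SCA exemption to request for one checkout, if any.

    Order matters: merchant-initiated transactions are out of scope for SCA
    altogether, so they are checked first; a whitelisted (trusted
    beneficiary) customer beats low value because it is not amount-limited.
    """
    if checkout["merchant_initiated"]:
        return "merchant_initiated"
    if checkout["customer_whitelisted"]:
        return "trusted_beneficiary"
    if checkout["amount_pence"] < LOW_VALUE_LIMIT_PENCE:
        return "low_value"
    return None          # no exemption: send the shopper through full SCA


def build_auth_request(checkout):
    """Assemble the rich data the issuer needs for a frictionless decision.

    Field names are constructed for this example, not 3DS message fields.
    """
    return {
        "amount_pence": checkout["amount_pence"],
        "requested_exemption": choose_exemption(checkout),
        "device": {"id": checkout["device_id"],
                   "fingerprint": checkout["device_fingerprint"]},
        "account": {"created": checkout["account_created"],
                    "prior_transactions": checkout["prior_tx_count"],
                    "address_match_count": checkout["address_match_count"]},
    }


def kpis(outcomes):
    """Compute per-flow metrics from a list of transaction outcomes.

    Each outcome is a dict with keys exemption (None or name), challenged,
    approved and charged_back. Chargeback rate is measured over approved
    transactions, since only an approved payment can be charged back.
    """
    groups = {}
    for o in outcomes:
        flow = o["exemption"] or "full_sca"
        g = groups.setdefault(flow, {"total": 0, "challenged": 0,
                                     "approved": 0, "charged_back": 0})
        g["total"] += 1
        g["challenged"] += int(o["challenged"])
        g["approved"] += int(o["approved"])
        g["charged_back"] += int(o["charged_back"])
    report = {}
    for flow, g in groups.items():
        report[flow] = {
            "challenge_rate": g["challenged"] / g["total"],
            "approval_rate": g["approved"] / g["total"],
            "chargeback_rate": (g["charged_back"] / g["approved"]
                                if g["approved"] else 0.0),
        }
    return report


# Constructed sample checkout and outcomes.
SAMPLE_CHECKOUT = {
    "amount_pence": 2_999, "merchant_initiated": False,
    "customer_whitelisted": False, "device_id": "dev-constructed-7",
    "device_fingerprint": "fp-constructed-7", "account_created": "2023-02-14",
    "prior_tx_count": 12, "address_match_count": 11,
}
SAMPLE_OUTCOMES = (
    [{"exemption": "low_value", "challenged": False, "approved": True,
      "charged_back": i == 0} for i in range(4)]
    + [{"exemption": None, "challenged": i < 2, "approved": i < 3,
        "charged_back": False} for i in range(4)]
)

if __name__ == "__main__":
    print(build_auth_request(SAMPLE_CHECKOUT)["requested_exemption"])
    for flow, m in kpis(SAMPLE_OUTCOMES).items():
        print(flow, m)
```

In the constructed sample the exempted flow approves everything without a challenge but shows a 25% chargeback rate, while full SCA challenges half its traffic and charges back nothing: exactly the comparison the third metric is meant to surface. Two simplifications to keep in mind: the real low-value exemption also carries cumulative limits (amount and count since the last full authentication) that this example does not track, and the issuer may still decline a requested exemption and step the shopper up anyway, so the challenge rate should be measured on what the issuer actually did, not on what was requested.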
What’s Next for 3D Secure
The 3D Secure protocol isn’t standing still. As fraud tactics evolve and user expectations shift, new updates are on the horizon to keep payments secure, seamless, and future-proof. Here’s what UK merchants should keep an eye on:
Passkeys Go Mainstream
Secure Payment Confirmation (SPC), built on FIDO2/WebAuthn, is paving the way for password-free authentication. Instead of one-time codes, customers can use biometric methods like Face ID or fingerprint recognition to confirm payments. Passkeys are device-bound, secure, and fast, making them ideal for mobile and desktop checkout flows. By 2026, they’re expected to become the default for 3DS challenges, especially across high-trust devices and wallets.
Delegated Authentication
Delegated authentication allows merchants or digital wallets to authenticate returning users directly, without sending them to the bank’s Access Control Server (ACS). This reduces friction and streamlines checkout while still protecting merchants with the same liability shift. Major card schemes are piloting this model with large merchants and fintech platforms, and broader rollout is expected across 2025 and 2026.
AI-Driven Fraud Prevention
3DS 2.4 (in development) will introduce real-time, AI-driven fraud intelligence sharing between merchants and issuers. This will allow both parties to feed dynamic risk signals into the decision-making process, such as abnormal login patterns, recent disputes, or velocity data. The result? More accurate fraud detection and a better experience for legitimate customers, who are less likely to face unnecessary step-ups.
Open Banking Crossover
As open banking adoption grows in the UK, expect 3DS-style risk assessments to be applied to account-to-account (A2A) and pay-by-bank flows. The goal is to bring the same level of fraud protection and user familiarity to non-card payments. Over time, authentication frameworks across cards and open banking will become more aligned.
Regulatory Tightening
The Financial Conduct Authority (FCA) is expected to step up enforcement of Strong Customer Authentication rules. This may include:
- Lower thresholds for exemptions (e.g. low-value or recurring payments)
- Greater scrutiny of merchant fraud rates
- Formal SCA compliance reviews for high-risk verticals
Businesses that rely heavily on exemptions like Transaction Risk Analysis (TRA) or Merchant-Initiated Transactions (MITs) should review their approach and ensure they’re maintaining strong audit trails and SCA justification.
Conclusion
3D Secure is more than just a box-ticking exercise. It’s a smart, evolving tool that may help UK merchants fight fraud, meet regulatory obligations, and protect their bottom line. If you haven’t reviewed your 3DS setup since 2.1, now’s the time to upgrade.