Are you in?

Subscribe and receive the latest updates on the future of payment.


3D-Secure 2 – Everything Merchants need to Know about the Improved Security Process

By Kilian Thalhammer

Every online merchant knows secure online payments are essential for successful e-commerce. To further enhance security, new methods of card and user authentication have become imperative under the European payment directive PSD2. Important changes in the area of online payments are coming s­oon – good news for online merchants, as the new so-called 3-D Secure 2 standard will soon enable online commerce to enjoy higher approval rates and thus higher revenues, also th­anks to a lower fraud rate. These changes will further strengthen digitization and the general culture of innovation.

Major changes always raise many questions for merchants. In my capacity as Wirecard’s VP Product Management Payment & Risk, I’ve answered some of the most frequently asked questions below. However, the most important message for Wirecard customers is: relax! We will ensure that you get all the support you need to be ready by the September 14, 2019 deadline.

What is the new standard 3D-Secure 2?

3D-Secure 2, in short 3DS2, is a multi-level security process which is supported by the leading credit card organizations Visa, Mastercard, Amex and JCB. This new standard is being introduced to comply with the legal framework of the European Payment Services Directive 2 (PSD2).

In short, its main goals are to make online credit card payments as secure as possible and to increase the conversion rate compared to current 3DS implementations.

But hasn’t 3D-Secure been around for quite some time?

That’s right – as with the first generation of the authentication process, 3D Secure 2 also ensures that the buyer is actually the credit card holder.

However, the second generation brings some important improvements: these include a new approach to authentication through a wider range of data, biometric authentication and an improved online experience, especially on smartphones. In addition, the European Union’s second Payment Service Directive (PSD2) calls for a so-called Strong Customer Authentication (SCA), and 3DS2 is the leading credit card companies’ answer to it.

This overview shows the main differences between 3DS1 and 2:

Source: Kilian Thalhammer / Wirecard

3DS1 and 3DS2 compared - this is how they differ from each other. (Source: Kilian Thalhammer / Wirecard)

What is Strong Customer Authentication (SCA)?

SCA is a new requirement that comes with PSD2. In the past, customers could simply enter their card number and the CVC, but with PSD2 regulations, information from two independent sources, also called factors, will be required to initiate payments. 3D Secure is a widespread security protocol to prevent fraud in transactions with credit and debit cards online and will be used to implement SCA in all card payments.

While in the past with 3DS1, for online shoppers e.g. a static password was sufficient, in the future, issuers must make sure authentication includes at least two of the following factors:

- Inherence: Something you are

- Knowledge: Something you know

- Ownership: Something you have

Source: Kilian Thalhammer / Wirecard

SCA always requires at least two factors to make payments secure (Source: Kilian Thalhammer / Wirecard)

Does 3DS2 affect all payment methods?

No, payment methods affected are online payments via credit or debit cards, in individual cases also via wallets.

How does Wirecard support merchants?

On our side, we are upgrading our payment pages and also creating new payment APIs that support strong customer authentication. We are including the new 3DS2 protocol into our APIs and payment pages in a way that is designed to keep implementation changes for merchants at a minimum.

Here we provide detailed implementation guides and documentation for the various integration methods. The first issuing banks are already gradually supporting 3DS2, but the whole changeover process will still take some time. Therefore, 3DS1 and 3DS2 will exist in parallel as standards until further notice and both will be accepted by banks and card issuers.

What are concrete benefits, especially for me as a merchant?

We welcome the forthcoming changes under PSD2 because they will enable Europe to stimulate competition and therefore innovation amongst financial institutions. In addition, PSD2 increases long-term payment security, of which 3DS2 is an important component – which also strengthens the widespread practical use of future-oriented trends such as biometric payments.

For merchants, in comparison to 3DS1, there are many advantages– here are the most important ones:

  • Higher conversion rates thanks to an enhanced customer experience

Static passwords will be banned. In many cases, transactions will be authenticated based on the historic and transactional data available at the issuer without cardholder intervention. After a familiarization period, in the medium term this will increase conversion rates as cardholders experience a frictionless flow.

  • Higher revenue thanks to increased approval rates

Thanks to the wide application of 3D Secure, the issuers will be able to approve a lot more e-commerce transactions than they have in the past. The overall expectation is that approval rates of these transactions will be as high as those of face-to-face businesses.

  • Less fraud thanks to strong authentication with biometrics

The purpose of the new protocol is to facilitate the data exchange between the merchant, cardholder, acquiring bank (who receives a transaction and then sends an amount to the merchant, minus applicable fees) and issuing bank (who verifies the transaction and if credit is available sends authorization to the card network) in order to assess the risk of a transaction. If an issuer decides to challenge the transaction, the authentication can happen with TAN by SMS or seamlessly with biometric data.

  • Practical for your customers thanks to support for various devices

The new messaging protocol also creates a framework for digital authentication to make the process possible on a wider set of devices. It will be possible to run 3D Secure payments in both application and browser-based solutions, on mobile and other connected consumer devices.

What are the exceptional cases when SCA does not need to be used?

There are a number of exceptions, here are some of them:

The exceptions confirm the rule - the Secure Customer Authentication does not always come into play (Source: Kilian Thalhammer / Wirecard)

The exceptions confirm the rule - the Secure Customer Authentication does not always come into play (Source: Kilian Thalhammer / Wirecard)

For all further details on exemptions, please visit our page on Strong Customer Authentication.

What are the timelines regarding 3DS2?

PSD2 and SCA come into effect on September 14, 2019 meaning strong customer authentication will become mandatory within Europe, paving the way for the adoption of 3DSecure 2.

From 2020, 3DS 2 should launch worldwide – so you’ll also be ready to carry out safer and more secure business with customers outside the European Economic Area (EEA), which comprises all EU countries plus Norway, Iceland and Liechtenstein.

Please visit our landing page to get more details and ongoing updates about 3D-Secure 2, about Strong Customer Authentication (SCA) and about implementation.

Should you need assistance, please do not hesitate to contact our support team by email any time at or via phone at +49 (0) 30 300 113 177 (Monday to Friday, 8:00 to 17:00 CEST).

To learn more about the topic, click here to watch the recorded webinar "Understanding 3D Secure 2: Boosting conversion and security in parallel" by Kilian Thalhammer:

And to learn more about "Implementing 3D Secure 2", click here to watch the webinar by our experts Timo Seifert and Marco Conte:

Leave a comment.

If you would like to give us feedback, propose a collaboration, or become an author on our blog, please feel free to connect with us.