How 3-D Secure 2.0 (3DS2) Works: A Complete Guide

[Cloned Boy]

The latest version of the protocol for secure online payments.

1. What is 3DS 2.0?​

3-D Secure 2.0 is an improved authentication protocol for online payments, replacing the outdated 3DS 1.0. Developed by payment systems (Visa, Mastercard, Mir) for:

• PSD2 compliance (SCA – Strong Customer Authentication requirement in the EU).
• Reduce fraud without compromising user experience.

2. Key differences from 3DS 1.0​

Parameter	3DS 1.0	3DS 2.0
Authentication	SMS/password only	Biometrics, push notifications, behavioral analysis
Integration	Go to the bank page	Built-in verification in the application/website
Data for analysis	Minimum	100+ parameters (device, purchase history)
SCA (PSD2)	Does not match	Full compliance

3. How 3DS 2.0 Works: Step-by-Step Process​

Step 1. Initialize the transaction​

The user enters card details on the website → the merchant sends a request to the payment system (Visa/Mastercard).

Step 2. Data Collection (Risk-Based Authentication)​

The payment system analyzes 150+ parameters to assess risk:

• Device data: IP, OS, browser, fingerprint.
• Purchase history: Frequency, amounts, geolocation.
• Payment context: Product type, user behavior.

Example parameters:

{
"device": {"os": "iOS 16", "ip": "192.168.1.1", "screen_resolution": "1125x2436"},
"transaction": {"amount": 100, "currency": "EUR", "merchant_category": "electronics"}
}

Step 3: Making a Decision​

The system selects one of the scenarios:

1. Without authentication (Low Risk):
   • Small amounts (<€30 in EU), trusted merchants.
2. Transparent authentication (Frictionless Flow):
   • Verification via token/biometrics without entering a code.
3. Full Authentication (Challenge Flow):
   • OTP entry, face scanning (Face ID) or confirmation in the bank app is required.

Step 4. Confirmation of payment​

• For Challenge Flow:
  • The user confirms the payment in the bank's mobile application (for example, via push notification).
  • Or enters the code from the SMS (rarely, only for old cards).

Step 5. Completing the transaction​

• After successful authentication, the merchant receives a cryptographic token (replaces the card number).
• The money is being written off.

4. Technical innovations 3DS 2.0​

4.1. Tokenization​

• The card number is replaced with a one-time token (e.g., tok_9s7dFg34).
• Even if leaked, the token is useless for reuse.

4.2. App-Based Authentication​

Banks can use:

• Biometrics (Face ID, Touch ID).
• Transaction signing via mobile app (no SMS).

4.3. Frictionless Flow​

For trusted users, payment goes through without any additional steps (based on trust in the device/merchant).

5. Examples from practice​

Case 1: Purchase of €50 in the EU​

1. The user enters card details.
2. The system checks:
   • The device is known (used for 2 years).
   • Buying from a familiar store.
3. Result: Payment approved without entering code (Frictionless Flow).

Case 2: Suspicious Transaction​

1. New card + IP from another country.
2. Action: Face ID is required in the bank app.

6. How is 3DS 2.0 tested?​

For developers and QA:

• Sandbox environments:
  • Visa Sandbox (test cards and scenarios).
  • Stripe 3DS2 Testing.
• Response codes:
  • Y – success.
  • N – refusal.
  • U – error.

Example of a test card for 3DS2:

• Number: 4000 0000 0000 1000 (Visa, always requires authentication).

7. Limitations and workarounds for scammers (For protection!)​

• Weaknesses:
  • Old cards without 3DS2 support.
  • Phishing attacks on OTP (but biometrics reduce risk).
• Protection:
  • Banks block transactions without 3DS for high risk operations.

Conclusion​

3DS 2.0 is:
Security: PSD2 compliance, fraud protection.
Convenience: Minimum steps for reliable payments.
Flexibility: Support for biometrics, tokens and ML analytics.

For integration:

• Use Stripe/Adyen SDK.
• Test in Visa/Mastercard Sandbox.

Need details on setting up 3DS2 for your site? Or code samples to test? Ask!