How 3-D Secure 2.0 (3DS2) Works: A Complete Guide

Cloned Boy

The latest version of the protocol for secure online payments.

1. What is 3DS 2.0?

3-D Secure 2.0 is an improved authentication protocol for online payments that replaces the outdated 3DS 1.0. It was developed by the payment systems (Visa, Mastercard, Mir) for:
  • PSD2 compliance (the EU's Strong Customer Authentication, SCA, requirement).
  • Reducing fraud without degrading the user experience.

2. Key differences from 3DS 1.0

Parameter          | 3DS 1.0                | 3DS 2.0
-------------------|------------------------|----------------------------------------------------
Authentication     | SMS/password only      | Biometrics, push notifications, behavioral analysis
Integration        | Redirect to bank page  | Verification built into the app/website
Data for analysis  | Minimal                | 100+ parameters (device, purchase history)
SCA (PSD2)         | Not compliant          | Full compliance

3. How 3DS 2.0 Works: Step-by-Step Process

Step 1. Initialize the transaction

The user enters card details on the website, and the merchant sends an authentication request to the payment system (Visa/Mastercard).

Step 2. Data Collection (Risk-Based Authentication)

The payment system analyzes 150+ parameters to assess risk:
  • Device data: IP address, OS, browser, device fingerprint.
  • Purchase history: frequency, amounts, geolocation.
  • Payment context: product type, user behavior.
Example parameters:
JSON:
{
  "device": {"os": "iOS 16", "ip": "192.168.1.1", "screen_resolution": "1125x2436"},
  "transaction": {"amount": 100, "currency": "EUR", "merchant_category": "electronics"}
}

Step 3. Making a Decision

The system selects one of three scenarios:
  1. No authentication (low risk):
    • Small amounts (<€30 in the EU), trusted merchants.
  2. Transparent authentication (Frictionless Flow):
    • Verification via token/biometrics, without the user entering a code.
  3. Full authentication (Challenge Flow):
    • The user must enter an OTP, pass a face scan (Face ID) or confirm in the bank's app.

Step 4. Confirmation of payment

  • For Challenge Flow:
    • The user confirms the payment in the bank's mobile app (for example, via a push notification).
    • Or enters a code received by SMS (rare; used only for older cards).

Step 5. Completing the transaction

  • After successful authentication, the merchant receives a cryptographic token that replaces the card number.
  • The funds are debited from the card.

4. Technical innovations in 3DS 2.0

4.1. Tokenization

  • The card number is replaced with a one-time token (e.g., tok_9s7dFg34).
  • Even if the token leaks, it cannot be reused.
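A one-time token vault of the kind 4.1 describes, as an added Python example (not code from the post, from any card scheme or from a payment provider): the token is random, so it carries no information about the card number; the mapping lives only inside the vault; and the token is destroyed on first redemption, which is what makes a leaked token useless. The token format, the vault API (tokenize/redeem) and the use of the section 6 test card number as sample input are constructed for illustration.

```python
import re
import secrets


class TokenVault:
    """One-time payment token vault. Constructed illustration only.

    The token is generated from random bytes, so it cannot be turned back
    into the card number (PAN) without the vault's mapping, and the mapping
    is deleted the first time the token is redeemed.
    """

    # "tok_" followed by 16 base64url characters (12 random bytes).
    TOKEN_RE = re.compile(r"tok_[A-Za-z0-9_-]{16}")

    def __init__(self) -> None:
        self._pending = {}  # token -> PAN, removed on redemption

    def tokenize(self, pan: str) -> str:
        """Issue a fresh one-time token for a card number."""
        digits = pan.replace(" ", "")
        if not digits.isdigit() or not 12 <= len(digits) <= 19:
            raise ValueError("not a plausible card number")
        token = "tok_" + secrets.token_urlsafe(12)
        self._pending[token] = digits
        return token

    def redeem(self, token: str) -> str:
        """Return the PAN for a token and invalidate the token.

        A second redemption fails, whether it comes from the merchant or
        from someone who captured the token in transit or from a log.
        """
        pan = self._pending.pop(token, None)
        if pan is None:
            raise KeyError("unknown, expired or already used token")
        return pan

    @classmethod
    def looks_like_token(cls, value: str) -> bool:
        """Cheap check a merchant can use to make sure it never stores a raw PAN."""
        return cls.TOKEN_RE.fullmatch(value) is not None


def mask_pan(pan: str) -> str:
    """What a merchant may keep for receipts: only the last four digits."""
    digits = pan.replace(" ", "")
    return "*" * (len(digits) - 4) + digits[-4:]


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed input: the Visa test card number quoted in section 6.
    token = vault.tokenize("4000 0000 0000 1000")
    print("merchant stores:", token, mask_pan("4000 0000 0000 1000"))
    print("first redemption:", vault.redeem(token))
    try:
        vault.redeem(token)
    except KeyError as exc:
        print("second redemption rejected:", exc)
```

The merchant side keeps only the token and the masked number; everything that can recover the PAN stays in the vault, which is the boundary a leak of the merchant's database does not cross.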

4.2. App-Based Authentication

Banks can use:
  • Biometrics (Face ID, Touch ID).
  • Transaction signing in the mobile app (no SMS).

4.3. Frictionless Flow

For trusted users, the payment completes without additional steps, based on the established trust in the device and merchant.

5. Examples from practice

Case 1: Purchase of €50 in the EU

  1. The user enters card details.
  2. The system checks:
    • The device is known (used for 2 years).
    • The purchase is at a familiar store.
  3. Result: payment approved without entering a code (Frictionless Flow).

Case 2: Suspicious Transaction

  1. New card + IP address from another country.
  2. Action: Face ID confirmation in the bank app is required.
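The flow selection from Step 2 and Step 3, worked through on the two cases above as an added Python example (not code from the post, from a card scheme or from any issuer's ACS): a toy risk scorer built only from the signals the text names (known device, familiar merchant, new card, IP from another country, the €30 low-value threshold). The signal weights, the 90-day device age, the 30-day new-card age and the challenge threshold are assumptions chosen for illustration; real issuer scoring uses far more signals and is not public.

```python
from dataclasses import dataclass
from enum import Enum


class Flow(Enum):
    EXEMPT = "no authentication (low-value exemption)"
    FRICTIONLESS = "frictionless flow"
    CHALLENGE = "challenge flow"


@dataclass
class Transaction:
    amount: float
    currency: str
    merchant: str
    device_id: str
    ip_country: str


@dataclass
class CardHistory:
    """Issuer-side view of the card. Constructed data, not a real ACS record."""
    card_age_days: int
    # device_id -> (days this device has been seen, its usual country)
    known_devices: dict
    known_merchants: set


LOW_VALUE_LIMIT_EUR = 30.0   # low-value threshold quoted in the text
NEW_CARD_DAYS = 30           # assumption: a card younger than this is "new"
KNOWN_DEVICE_DAYS = 90       # assumption: a device seen for less is "recent"
CHALLENGE_THRESHOLD = 3      # assumption: score at which a challenge is forced

# Weights are assumptions, chosen so that one strong signal alone
# (new card, unknown device) is enough to force a challenge.
WEIGHTS = {
    "new card": 3,
    "unknown device": 3,
    "ip country differs from device's usual country": 2,
    "device seen for less than 90 days": 1,
    "first purchase at this merchant": 1,
}


def risk_signals(tx: Transaction, history: CardHistory) -> list:
    """Collect the risk signals a transaction raises against the card's history."""
    signals = []
    if history.card_age_days < NEW_CARD_DAYS:
        signals.append("new card")
    device = history.known_devices.get(tx.device_id)
    if device is None:
        signals.append("unknown device")
    else:
        days_seen, usual_country = device
        if days_seen < KNOWN_DEVICE_DAYS:
            signals.append("device seen for less than 90 days")
        if usual_country != tx.ip_country:
            signals.append("ip country differs from device's usual country")
    if tx.merchant not in history.known_merchants:
        signals.append("first purchase at this merchant")
    return signals


def risk_score(signals: list) -> int:
    return sum(WEIGHTS[s] for s in signals)


def select_flow(tx: Transaction, history: CardHistory) -> Flow:
    """Pick the Step 3 scenario: exempt, frictionless or challenge."""
    score = risk_score(risk_signals(tx, history))
    if score >= CHALLENGE_THRESHOLD:
        return Flow.CHALLENGE
    # Low-value exemption only when nothing at all looks unusual.
    if score == 0 and tx.currency == "EUR" and tx.amount < LOW_VALUE_LIMIT_EUR:
        return Flow.EXEMPT
    return Flow.FRICTIONLESS


# Constructed histories and transactions mirroring Case 1 and Case 2.
CASE1_HISTORY = CardHistory(card_age_days=900,
                            known_devices={"dev-A": (730, "DE")},
                            known_merchants={"shop.example"})
CASE1_TX = Transaction(50.0, "EUR", "shop.example", "dev-A", "DE")

CASE2_HISTORY = CardHistory(card_age_days=5,
                            known_devices={"dev-B": (2, "DE")},
                            known_merchants=set())
CASE2_TX = Transaction(250.0, "EUR", "new-shop.example", "dev-B", "BR")

LOW_VALUE_TX = Transaction(12.0, "EUR", "shop.example", "dev-A", "DE")


if __name__ == "__main__":
    for name, tx, hist in [("case 1", CASE1_TX, CASE1_HISTORY),
                           ("case 2", CASE2_TX, CASE2_HISTORY),
                           ("low value", LOW_VALUE_TX, CASE1_HISTORY)]:
        print(f"{name}: {select_flow(tx, hist).value}; signals={risk_signals(tx, hist)}")
```

Case 1 raises no signal and is above the low-value limit, so it goes frictionless; Case 2 accumulates a new card, a barely seen device, a foreign IP and an unknown merchant, so it is challenged. The same scorer also shows the exemption path the text mentions for small EU amounts, which applies only when no signal fires.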

6. How is 3DS 2.0 tested?

For developers and QA:
  • Sandbox environments:
    • Visa Sandbox (test cards and scenarios).
    • Stripe 3DS2 Testing.
  • Response codes:
    • Y – authentication succeeded.
    • N – authentication failed (declined).
    • U – authentication could not be performed (technical error).
Example of a test card for 3DS2:
  • Number: 4000 0000 0000 1000 (Visa; always requires authentication).

7. Limitations and known workarounds (for defensive awareness)

  • Weaknesses:
    • Old cards without 3DS2 support.
    • Phishing of one-time passwords (OTP); biometrics reduce this risk.
  • Protection:
    • Banks decline high-risk transactions that are not authenticated with 3DS.

Conclusion

3DS 2.0 offers:
✅ Security: PSD2 compliance and fraud protection.
✅ Convenience: a minimum of steps for trusted payments.
✅ Flexibility: support for biometrics, tokens and ML-based analytics.

For integration:
  • Use the Stripe/Adyen SDKs.
  • Test in the Visa/Mastercard sandboxes.

Need details on setting up 3DS2 for your site? Or code samples to test? Ask!