Making 3D Secure Work For Your Business


If you're processing card-not-present (CNP) transactions, you're almost certainly dealing with 3D Secure in some capacity. Whether you're required to use it for regulatory reasons, you've added it to reduce fraud, or you're just trying to figure out if you're using it correctly, 3DS can be a beast to tackle. The love-hate relationship merchants have for 3DS isn’t anything new; the pros are very pro (who doesn’t want reduced fraud and chargebacks?), but prominent cons like cart abandonment, potential lost sales, and frustrated buyers are hard to ignore.
In this post, we’ll dig into what 3D Secure is, what it means for your business, and how to make sure it's working as hard for you as it should be.
What Is 3D Secure?
3D Secure (3DS) is a customer authentication technology designed to prevent fraud during online transactions. Short for Three Domain Server, 3DS involves three domains in the authentication process: the acquirer receiving the payment, the issuer funding the payment, and the interoperability system supporting 3DS.
In practice, 3DS typically adds a step to checkout where customers verify their identity before a transaction is approved, usually by manually entering a password, SMS code, or temporary PIN. All three parties have to confirm they are who they say they are, thereby reducing fraud risk and protecting everyone involved.
Alternatively, merchants can use the same 3DS rails to pass additional data points (e.g. customer email, billing address, and IP) with the transaction to Visa and Mastercard; the card brands use this data to assess the transaction’s risk and handle authentication with the issuer. While this data-only flow isn’t as secure, it does provide additional risk protections without interrupting customer flow.
The Very Real Pros and Cons
The most obvious upside to 3DS is a measurable reduction in fraud and chargebacks. That being said, 3DS can do more for your business than just boot fraudsters out of the checkout flow. According to the MRC's 2026 Global Payments and Fraud Report, 32% of merchants surveyed use 3DS to improve issuer approval rates. Issuers have their own fraud concerns, and a successful 3DS authentication vouches for your customer’s validity.
There are also cost benefits. Because 3DS reduces fraud risk and shifts liability away from the merchant, it can qualify transactions for lower interchange fees, particularly with Visa and Mastercard. Riskier-looking transactions often carry higher rates, and 3DS can help change that. This benefit looms large these days as more and more merchants realize interchange is the largest cost category driving the modern explosion in payment acceptance costs.
All that being said, you can’t just require 3DS on all transactions and expect only sunshine and rainbows. The friction traditional 3DS adds to checkout doesn't come for free; that extra authentication step is associated with higher cart abandonment and lower conversion. If the experience is clunky or leaves customers in a state of limbo, you can end up with longer support queues and a higher customer service burden.
This is where you may turn to the middle ground of the data-only flow. You still pass risk signals to the card networks and benefit from some fraud protection, but avoid interrupting the customer experience. It’s up to you to decide the right balance between security/cost savings and conversion/customer experience. Getting it right requires ongoing attention to your data.
Where 3DS Is Required (And Where It's Optional)
3DS is a regulatory requirement for card-not-present transactions processed in the European Economic Area (EEA) and the UK, both of which have adopted Strong Customer Authentication (SCA) rules. Several other countries, including Australia and Brazil, have implemented similar requirements.
If you're primarily processing transactions in countries where 3DS is optional (e.g. United States and Canada), you may choose to use it in the following situations:
Soft decline retries - If a transaction is soft declined, implement an automatic retry sent through the 3DS flow (Visa and Mastercard both support this within a 15-minute window)
High-risk transactions - Digital goods, instant-delivery products, and those with high AOVs are often fraud targets
Guest checkouts - If a new customer goes through the guest flow, you don’t have a purchase history for assessing risk
When you just want extra risk protection - The data-only flow is a great low-disruption option for transactions that don't warrant a full challenge
Optimize Your 3DS Setup
Like so many aspects of payment processing, using 3DS isn't a set-it-and-forget-it situation. You need to establish a regular process of cycling through the following key actions:
1. Audit Where You Should Apply 3DS
Not every transaction needs 3DS, and applying it where it's out of scope adds unnecessary friction. The following transactions are typically exempt from SCA requirements and don’t require 3DS checks:
Merchant-initiated transactions (MITs) - After the initial customer-initiated transaction (CIT), subsequent MITs don't require re-authentication
Cross-border transactions where one party is outside the SCA-regulated area
Transactions with amounts below certain thresholds
2. Choose the Right 3DS Approach
Depending on where you operate, you have a few options when it comes to designing your 3DS strategy:
| Option | Description | Liability Shift | Pros/Cons |
| --- | --- | --- | --- |
| Traditional 3DS (full challenge) | The customer manually verifies their identity | Yes | Strongest fraud protection, but the most friction |
| Data-only flow | You pass risk signals to the networks without interrupting the customer | No | Some fraud protection, zero checkout friction |
| Request an exemption (available only in SCA-regulated markets) | For eligible transaction types (e.g. low-value, low-risk, trusted beneficiaries, and others), request the issuer skip authentication entirely | No | No fraud protection, but no friction |
| Skip 3DS entirely | For out-of-scope transactions or in locations where it’s not required, don’t employ 3DS checks | No | No fraud protection, but no friction |
Depending on your business needs, it may be worth building explicit routing logic around these four options based on risk signals like transaction amount, card type, customer history, and geography.
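One way to express that routing logic, as an added example rather than code from Pagos or any PSP. The market list, both thresholds, and the `Txn` field names are assumptions to replace with your own policy and your acquirer's rules.

```python
from dataclasses import dataclass
from enum import Enum

class Flow(Enum):
    FULL_CHALLENGE = "traditional 3DS (full challenge)"
    DATA_ONLY = "data-only flow"
    EXEMPTION = "request an exemption"
    SKIP = "skip 3DS"

# Assumptions for illustration: a partial list of SCA-regulated markets and
# placeholder thresholds, in minor units of a single currency.
SCA_MARKETS = frozenset({"DE", "FR", "IE", "NL", "ES", "GB"})
LOW_VALUE_LIMIT = 3_000     # below this, a low-value exemption is requested
HIGH_VALUE_LIMIT = 50_000   # at or above this, the order counts as high AOV

@dataclass(frozen=True)
class Txn:
    amount_minor: int
    merchant_country: str
    issuer_country: str             # taken from BIN data
    merchant_initiated: bool = False
    soft_decline_retry: bool = False
    guest_checkout: bool = False
    digital_goods: bool = False

def choose_flow(t: Txn) -> Flow:
    if t.amount_minor <= 0:
        raise ValueError("amount must be positive")
    if t.merchant_initiated:        # MIT after an authenticated CIT
        return Flow.SKIP
    if t.soft_decline_retry:        # issuer asked for authentication
        return Flow.FULL_CHALLENGE
    high_risk = (t.digital_goods or t.guest_checkout
                 or t.amount_minor >= HIGH_VALUE_LIMIT)
    countries = {t.merchant_country.upper(), t.issuer_country.upper()}
    if countries <= SCA_MARKETS:    # both parties inside the regulated area
        if t.amount_minor < LOW_VALUE_LIMIT and not high_risk:
            return Flow.EXEMPTION
        return Flow.FULL_CHALLENGE
    # Optional market, or one party outside the SCA-regulated area.
    return Flow.FULL_CHALLENGE if high_risk else Flow.DATA_ONLY
```
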
3. Target 3DS Precisely with BIN Data
BIN data is a powerful resource for shaping retry and routing strategies, predicting costs, and designing fraud rules. With regard to 3DS, BINs can power smarter, more targeted decisions around which cards should or shouldn’t go through 3DS flows. For example, BIN data contains granular card intelligence like card issuer, card type, country of origin, and more, which you can use to build 3DS rules that add friction where it counts.
The MRC's 2026 Global Payments and Fraud Report backs this up: of the 32% of merchants using 3DS to improve issuer authorization rates, 66% rely on third-party data to inform how they apply it. The Pagos BIN Database gives you all the information you need to make smart 3DS decisions.
4. Compare Performance Across PSPs
If you're working with multiple payment service providers, 3DS performance may differ across them. For example, one PSP might have a higher challenge rate or lower authentication success rate than another. When you see that kind of discrepancy, it's worth digging into each PSP’s 3DS provider configuration, the richness of the data they're passing through, and whether their exemption engine is set up correctly.
With Pagos Insights, you can keep an eye on 3DS performance across PSPs over time to identify fluctuations within and across each provider.
5. Keep Your Technical Integration Current
3DS specs change regularly. If you've updated something else in your payments stack that touched the 3DS integration, it can cause a spike in declines that's easy to miss if you're not watching. Tracking transaction response codes over time is the best way to catch technical issues before they quietly drain revenue.
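The per-PSP comparison in step 4 and the regression tracking described here can share one check, shown below as an added example that is not Pagos code. The record layout, result labels, PSP names, and alert thresholds are all assumptions, and the sample rows are constructed.

```python
from collections import defaultdict

def _rows(day, psp, ok, failed):
    return [(day, psp, "success")] * ok + [(day, psp, "failed")] * failed

# Constructed sample data: (day, PSP, 3DS authentication result).
SAMPLE = (
    _rows("2026-03-01", "psp_a", 90, 10) + _rows("2026-03-02", "psp_a", 88, 12)
    + _rows("2026-03-03", "psp_a", 61, 39)    # drop after an integration change
    + _rows("2026-03-01", "psp_b", 80, 20) + _rows("2026-03-02", "psp_b", 82, 18)
    + _rows("2026-03-03", "psp_b", 79, 21)    # normal day-to-day variation
    + _rows("2026-03-03", "psp_c", 2, 8)      # too little volume to judge
)

def daily_counts(records):
    """Map (psp, day) -> [successful authentications, total attempts]."""
    counts = defaultdict(lambda: [0, 0])
    for day, psp, result in records:
        counts[(psp, day)][0] += (result == "success")
        counts[(psp, day)][1] += 1
    return counts

def flag_regressions(records, baseline_days, max_drop=0.10, min_volume=50):
    """Return (psp, day, baseline_rate, day_rate) for each day whose success
    rate fell more than max_drop below that PSP's own baseline."""
    counts = daily_counts(records)
    base = defaultdict(lambda: [0, 0])
    for (psp, day), (ok, total) in counts.items():
        if day in baseline_days:
            base[psp][0] += ok
            base[psp][1] += total
    alerts = []
    for (psp, day), (ok, total) in sorted(counts.items()):
        # Skip baseline days, thin samples, and PSPs with no baseline yet.
        if day in baseline_days or total < min_volume or psp not in base:
            continue
        baseline = base[psp][0] / base[psp][1]
        rate = ok / total
        if baseline - rate > max_drop:
            alerts.append((psp, day, round(baseline, 3), round(rate, 3)))
    return alerts
```

Comparing each PSP against its own baseline keeps a provider with a structurally lower success rate from alerting every day while still catching a sudden drop.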
6. Monitor Your Data
Speaking of spikes in declines, you’re not going to spot them or know something has gone wrong unless you’re closely monitoring your incoming payments data from each of your processors. If you don’t have a solution for that just yet, Pagos has your back:
How Pagos Can Help
All of this optimization depends on having visibility into your 3DS data. In the Charts section of Pagos Insights, you can build charts to track your 3DS performance over time, broken down by 3DS authentication result, 3DS response code, and 3D secure version. Watching 3DS trends over time is the only way to catch a technical regression, identify a PSP underperforming on authentication, or see the impact of a change you made to your 3DS routing logic.
Alternatively, Pagos AI lets you query your payments data in a conversational format. Instead of configuring a chart from scratch, you can simply ask something like "What's my 3DS authentication success rate by PSP over the last 90 days?"
Want to see what your 3DS data looks like in Pagos? Get in touch with our team or log in to start exploring!

