5 things merchants need to know before implementing 3D Secure

The benefits of implementing the 3D Secure protocol are widely known and accepted. At its core, the technology adds a layer of security to card-not-present online payments, giving merchants increased protection against financial liability while also raising shopper confidence.

It would therefore seem that implementing 3DS is a no-brainer. However, before jumping into implementing 3D Secure, there are a number of factors merchants need to know about and consider.

Conversion rates

The main concern for merchants when implementing 3DS is the user experience and what effect this will have on conversion rates. The truth is that 3DS has had some bad press, resulting in many merchants unfairly blaming the technology for a drop in conversions.

The fact of the matter is that the payments landscape is complex; one size does not fit all. Drawing a direct correlation between implementing 3DS and conversion rates is not straightforward, as many other factors come into play.

The first factor would be the market in which the technology is implemented. Research has shown that in some countries, implementing 3DS can have a positive effect on conversion rates. These countries include Russia, India and the UK. At the same time, the research has also found that in other countries, including Germany, France and the US, it could have a negative impact on conversion rates, but this is when it has been enabled on all transactions. When applied to certain segments only, it actually had the opposite effect and increased conversion rates.

It also showed that the size of the transaction plays a significant role. High-value transactions tend to carry a greater risk, and therefore the chances of them being declined are greater. Conversion rates can drop drastically with high-value transactions due to decline rates and not as a direct result of 3DS authentication.

Using the technology on a mobile device could have a slight impact on conversion rates due to the incompatible user interface, but the 3D Secure industry has implemented solutions to improve the customer experience on these platforms.

Another potential impact on conversion rates is first-time users landing on the 3DS authentication page. They could perceive it as a security threat (not a security enhancer) and abandon the purchase. However, this issue is easily overcome by educating customers through FAQs and explanatory wording that can be used in the checkout process.

It is evident that there is a combination of factors that could influence conversion rates and it would be unfair to say that 3DS is solely responsible for a drop in conversion rates because of the extra step in the payment process.

Liability shifts

When implementing 3D Secure, it is important for merchants to know who is liable for fraudulent chargebacks and at what point in the transaction the obligation moves to the card issuer (also known as a liability shift).

Generally speaking, the point when this shift occurs in the transaction cycle is the same in most instances.

If we look at Visa (Verified by Visa) and Mastercard (Mastercard SecureCode), then there are five main scenarios that can come up once the customer goes through the 3DS verification process:

  • Authentication successful
  • Authentication attempted
  • Authentication failed
  • Authentication unavailable
  • Error

For both providers, if the authentication was successful and a fraudulent transaction occurs as a result, the liability has shifted and now lies with the card issuer. If the authentication fails, the liability stays with the merchant. The same goes for when authentication is unavailable; there’s no liability shift and the merchant is liable for any fraudulent chargebacks.

Again, in both cases, if the authentication was attempted, the liability has shifted to the card issuer. However, if an error occurred with the authentication for any reason, the merchant stays liable.

The main difference between the two providers is in 3D Secure enrolment. If a specific card is not enrolled in 3DS, Visa states that they will take responsibility for any fraudulent chargebacks as a result. On the other hand, with Mastercard, the responsibility stays with the merchant.

This is a high-level overview only but it is clear that these “rules” can get tricky in determining the liable party. Merchants are therefore strongly advised to check with issuing banks on the exact terms relating to liability shifts.
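The liability rules above, applied to a transaction log to produce the "percentage of orders protected" figure merchants are advised to track, as an added example (not code from the original article or from either card scheme). The outcome labels, function names and sample transactions are constructed for illustration, and the mapping encodes only the high-level rules stated in this article.

```python
from collections import defaultdict

# Liability per 3DS outcome as this article states it (high-level overview;
# the issuer's and scheme's actual terms take precedence).
ISSUER_LIABLE = {"successful", "attempted"}
MERCHANT_LIABLE = {"failed", "unavailable", "error"}
SCHEMES = {"visa", "mastercard"}


def liable_party(scheme, outcome):
    """Return 'issuer' or 'merchant' for one fraudulent-chargeback scenario."""
    scheme, outcome = scheme.lower(), outcome.lower()
    if scheme not in SCHEMES:
        raise ValueError(f"unknown scheme: {scheme}")
    if outcome == "not_enrolled":
        # The one scheme difference the article describes.
        return "issuer" if scheme == "visa" else "merchant"
    if outcome in ISSUER_LIABLE:
        return "issuer"
    if outcome in MERCHANT_LIABLE:
        return "merchant"
    # Refuse unmapped outcomes rather than silently counting them as protected.
    raise ValueError(f"unmapped 3DS outcome: {outcome}")


def exposure_report(transactions):
    """Per scheme: order count, share with liability shift, merchant-liable value."""
    totals = defaultdict(lambda: {"orders": 0, "protected": 0, "merchant_exposure": 0})
    for scheme, outcome, amount_minor in transactions:
        row = totals[scheme.lower()]
        row["orders"] += 1
        if liable_party(scheme, outcome) == "issuer":
            row["protected"] += 1
        else:
            row["merchant_exposure"] += amount_minor  # minor units, e.g. pence
    for row in totals.values():
        row["protected_pct"] = round(100 * row["protected"] / row["orders"], 1)
    return dict(totals)


# Constructed sample log: (scheme, 3DS outcome, amount in minor units).
SAMPLE = [
    ("visa", "successful", 12000), ("visa", "not_enrolled", 4500),
    ("visa", "failed", 30000), ("mastercard", "attempted", 8000),
    ("mastercard", "not_enrolled", 4500), ("mastercard", "error", 2500),
    ("mastercard", "successful", 15000),
]

if __name__ == "__main__":
    for scheme, row in exposure_report(SAMPLE).items():
        print(scheme, row)
```
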


Adaptability to the changing marketplace

There’s no doubt that the online marketplace is changing rapidly, with more people browsing and making purchases online via mobile devices, rather than desktops and laptops.

The challenge here is that 3DS was introduced through Verified By Visa in 2001 but the first iPhone wasn’t launched until 2009. The 3D Secure protocol wasn’t developed with the mobile phone in mind.

The result is that when the 3DS page loads on a mobile device, it can take a bit longer than on a desktop site. This is not ideal for today’s impatient online customers. We want everything at the touch of a button, delivered securely and quickly.

Another issue with 3D Secure on a mobile device is the design functionality. As we said, the protocol wasn’t invented with a mobile device in mind, which can cause a distortion when viewing the 3DS authentication page on a mobile. This causes problems when, for example, customers are asked to enter characters of their unique password into the boxes, as some mobile devices make this a very challenging process.

As mentioned earlier, though, these challenges have been acknowledged by the 3D Secure industry and solutions have been implemented to make the customer experience as frictionless as possible, including reconfiguration of customer-facing pages and risk-based authentication.

3D Secure is very valuable from a fraud prevention and liability-shift standpoint. However, when implementing 3DS, keep in mind that users might experience compatibility issues with mobile devices.

Research on providers

It is essential to do your due diligence on potential 3DS vendors. From a merchant point of view, it is important to be able to keep track of transactional data. The number of times customers were presented with the 3DS verification page and the percentage of orders protected can give merchants valuable industry insights into customer behaviour. This data will also provide fraud analysts and banks with important statistics on potential fraudulent activities.

The additional functionality you would want from your choice of vendor is support for both the current version of 3DS and the upcoming 2.0 version. If they don’t support the 2.0 protocol, merchants risk having to go through the whole exercise again when 3DS 2.0 is fully rolled out.

Finally, easy integration with your e-commerce platform is essential. The last thing any merchant would want is a lengthy, drawn-out process to make the system compatible with that of the potential vendor, especially when the risk of losing customers and sales during lengthy periods of downtime can be avoided by doing proper research.

Every business is different with unique needs. Therefore, the qualities merchants will look for in a vendor will also differ. The important part is not to rush the process and skip the due diligence. It might end up being an expensive mistake.

Good implementation practice

There are a number of good practices to consider when implementing 3D Secure.

First, merchants need to educate their customers. One of the main reasons shoppers abandon a transaction routed through 3DS is that they actually perceive the authentication process as a threat. Merchants can overcome this uncertainty by having an extensive FAQ section, explaining the process.

Wording in the checkout process can also be used to explain the increased security benefits of the verification process. It is recommended that merchants let the customer know that there will be no fee for the service and warn them that using “Refresh” or “Back” will disrupt the process. The wording should be in a prominent place that can’t be missed.

Alternatively, Verified by Visa and Mastercard SecureCode come with preambles that can be used for this exact purpose.

Secondly, merchants could consider dropping the 3DS authentication for certain transactions where the conversion rate loss outweighs the benefit. Use a rules-based approach that takes into account the country, currency and value of the transaction. If the risk is deemed to be low based on these rules, bypassing the verification process could increase conversion rates. However, the 3DS protocol was invented to keep the customer’s money safe, so this step should be considered carefully.

Finally, when implementing 3DS, merchants have the choice of opening the authentication on a new page or embedding the frame into the checkout process. Best practice suggests using inline frames, with the merchant’s branding in the page URL rather than that of the issuer bank. Research done by Visa shows this has a positive impact on authentication rates.


There is no single approach to implementing 3D Secure. The process will be different depending on the characteristics of the specific industry that merchants find themselves in. There are, however, guidelines that can make the process less daunting.

What is important for merchants to remember is that a strategy that works today might not be valid tomorrow, especially with the development of the 3DS 2.0 protocol. By choosing a customisable strategy that’s open for re-evaluation in the future, coupled with the support of a knowledgeable vendor, merchants can streamline their payment authentication solutions so that they continue to protect not only their customers but also themselves against fraudulent transactions.