3D Secure in 2026: what businesses and cardholders need to know


3D Secure (3DS) is the authentication layer that sits between a card payment and its approval. It's been around since 1999, but the version most of the world runs on today — EMV 3DS 2.3.1 — is a different protocol in everything but name. If you're operating, scaling, or building on payment infrastructure, understanding how 3DS actually works in 2026 is non-negotiable: it shapes your approval rates, your fraud exposure, and your liability position on chargebacks.

This guide covers the fundamentals, the current regulatory picture (including what's coming under PSD3/PSR), and the practical questions cardholders and payment teams ask most.

3D Secure basics worth knowing

What is 3D Secure?

3D Secure is a payment authentication protocol that verifies a cardholder's identity during card-not-present (CNP) transactions — typically online checkout. It sits between the merchant, the cardholder's issuing bank, and the card network, exchanging data that lets the issuer decide whether the person attempting the payment is the legitimate cardholder.

What does 3DS mean?

The "3D" refers to the three domains the protocol connects:

  1. Issuer domain — the bank that issued the cardholder's card and its Access Control Server (ACS), the component that makes the authentication decision.
  2. Acquirer domain — the merchant and its acquiring bank, including the merchant-side 3DS Server (or 3DS SDK inside a mobile app) that starts the authentication.
  3. Interoperability domain — the card network's Directory Server, which checks that the card range is enrolled and routes messages between the other two domains.


How 3D Secure authentication works

When a cardholder pays online at a 3DS-enabled merchant, the merchant's 3DS Server sends an authentication request (AReq) carrying transaction, device and cardholder data through the card network's Directory Server to the issuer's Access Control Server (ACS). The ACS scores the risk and answers (ARes) with one of two flows:

  1. Frictionless flow — the issuer authenticates the transaction silently in the background using the data provided. The cardholder sees nothing extra and the payment proceeds.
  2. Challenge flow — the issuer requires additional verification. The cardholder confirms the transaction in their banking app (usually with a biometric or app PIN), with a FIDO authenticator, or with a one-time password delivered by SMS or email. App- and FIDO-based challenges are both more phishing-resistant and better for conversion than SMS codes, which fraudsters routinely extract by social engineering.

If authentication succeeds, the 3DS Server carries the result (the ECI value and the authentication value, CAVV or AAV) into the authorisation request and the payment proceeds. If it fails or the cardholder abandons the challenge, there is no liability shift and the merchant will normally not submit the payment for authorisation.

The shift from blanket challenges to risk-based, mostly frictionless authentication is the single biggest change between 3DS1 and the current 3DS2.x protocols — and the reason 3DS is no longer the conversion-killer it was a decade ago.
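The exchange above, end to end, as an added example that is not part of the original article or any vendor's code: a merchant-side 3DS Server talks to an issuer-side ACS, the ACS makes a risk-based call (frictionless Y/N or challenge C), the challenge round verifies a one-time code, and the 3DS Server maps the final transStatus to the ECI it would put in the authorisation. The message names (AReq, ARes, CReq, CRes, RReq) and transStatus values are the real EMV 3DS 2 ones; the Directory Server is elided, and the risk rule, the OTP handling and the HMAC stand-in for the authentication value are constructed for this example.

```python
"""Simulated EMV 3DS 2 authentication exchange (merchant 3DS Server <-> issuer ACS).

Message names and transStatus codes follow EMV 3DS 2; the risk scoring, the
demo OTP and the authentication-value construction are constructed stand-ins.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Visa-style ECI values the 3DS Server attaches to the authorisation request
ECI = {"Y": "05", "A": "06", "N": "07", "U": "07", "R": "07"}


@dataclass
class ACS:
    """Issuer-side Access Control Server with a constructed risk rule."""
    known_devices: set
    secret: bytes = b"issuer-demo-key"   # constructed
    demo_otp: str = "482913"             # constructed; a real ACS issues one per challenge

    def _auth_value(self, transaction_id: str) -> str:
        # Stand-in for the CAVV/AAV: a keyed MAC over the transaction id, so a
        # merchant cannot fabricate a "Y" result the issuer never produced.
        return hmac.new(self.secret, transaction_id.encode(), hashlib.sha256).hexdigest()[:28]

    def risk_score(self, areq: dict) -> int:
        """Constructed scoring over a few of the ~150 AReq data elements."""
        score = 0
        if areq["deviceId"] not in self.known_devices:
            score += 40   # device never seen for this cardholder
        if areq["purchaseAmount"] > 25_000:   # minor units, i.e. above 250.00
            score += 30
        if areq.get("shipAddrMatch") != "Y":
            score += 20   # shipping address differs from billing address
        return score

    def ares(self, areq: dict) -> dict:
        """ARes: frictionless outcome (Y/N) or request a challenge (C)."""
        score = self.risk_score(areq)
        if score < 30:
            return {"transStatus": "Y",
                    "authenticationValue": self._auth_value(areq["threeDSServerTransID"])}
        if score < 80:
            return {"transStatus": "C"}
        return {"transStatus": "N"}

    def challenge(self, creq: dict) -> dict:
        """CReq round: verify the OTP, then return the RReq the 3DS Server receives."""
        if creq.get("challengeCancel"):          # cardholder abandoned the challenge
            return {"transStatus": "N", "challengeCancel": creq["challengeCancel"]}
        # constant-time compare so the OTP check does not leak timing
        if hmac.compare_digest(creq.get("challengeDataEntry", ""), self.demo_otp):
            return {"transStatus": "Y",
                    "authenticationValue": self._auth_value(creq["threeDSServerTransID"])}
        return {"transStatus": "N"}


def authenticate(areq: dict, acs: ACS, otp_entry: Optional[str] = None,
                 cancel: bool = False) -> dict:
    """Merchant-side 3DS Server logic: run the exchange, return what authorisation needs."""
    ares = acs.ares(areq)
    flow, final = "frictionless", ares
    if ares["transStatus"] == "C":
        flow = "challenge"
        creq = {"threeDSServerTransID": areq["threeDSServerTransID"]}
        if cancel:
            creq["challengeCancel"] = "01"       # 01 = cardholder selected Cancel
        else:
            creq["challengeDataEntry"] = otp_entry or ""
        final = acs.challenge(creq)              # the RReq carries the final result
    status = final["transStatus"]
    return {
        "flow": flow,
        "transStatus": status,
        "eci": ECI[status],
        "cavv": final.get("authenticationValue"),
        # Only a fully authenticated (Y) result is forwarded here; whether an
        # attempt (A) is forwarded depends on scheme rules and is left out.
        "proceed_to_authorisation": status == "Y",
    }
```

The ACS, not the merchant, owns the decision: the merchant only supplies data and relays the challenge. That is why the authentication value is keyed on the issuer side; the merchant's authorisation message carries it, but cannot produce it.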


Where 3D Secure is mandatory

In the European Economic Area and the UK, the Strong Customer Authentication (SCA) requirements under PSD2 effectively make 3DS the standard for online card payments. Other jurisdictions take different approaches:

  • India — mandatory for all domestic card-not-present transactions.
  • Brazil, Saudi Arabia, UAE — increasingly enforced by local schemes and regulators.
  • United States — not mandated by regulation, but adoption is rising rapidly because of the liability shift on fraud chargebacks.
  • Most of APAC and LATAM — partial adoption, often driven by issuer policies or scheme rules rather than law.

If you operate a 3DS-compliant white-label gateway, the practical requirement is to handle authentication consistently across providers and regions so security doesn't create unnecessary checkout friction in markets where 3DS is optional.

The regulatory landscape in 2026

The regulatory ground beneath 3D Secure is moving. Three frameworks matter most right now:

  1. PSD2 and SCA (current). Since September 2019, payment service providers in the EEA have been required to apply Strong Customer Authentication to most online card payments. SCA requires two of three independent factors: something the customer knows (password, PIN), something they have (phone, hardware token), or something they are (biometric). 3DS2 is the standard mechanism for delivering SCA at checkout.
  2. PSD3 and the PSR (incoming). The European Parliament and the Council reached provisional political agreement on PSD3 and the new Payment Services Regulation (PSR) on 27 November 2025. Final texts are expected in the EU Official Journal in H1 2026, with the PSR entering into force 20 days after publication and applying after a transition period of roughly 18–21 months — meaning practical applicability in late 2027 or 2028. PSD3/PSR will tighten SCA rules further, expand fraud liability frameworks (including for impersonation and authorised push payment fraud), and harmonise enforcement across member states. None of this replaces 3DS — it raises the bar for what authentication systems must do.
  3. EMV 3DS 2.3.1 (current spec). EMVCo released 3DS 2.3.1 in August 2022. It remains the latest active version, with technical bulletins issued through 2025 to align with new device APIs (Android 14+, iOS 18+) and to support emerging integrations such as the European Digital Identity Wallet. The major card networks ended support for 3DS 1 in October 2022, so 3DS1 is effectively retired in mainstream e-commerce.

For payment teams, the practical implication is simple: keep authentication infrastructure on 3DS 2.3.1, monitor PSD3 obligations during 2026, and treat compliance as a continuous workstream rather than a one-off project.

A brief history of 3DS, and what changed in 3DS2

Visa developed the original 3D Secure protocol in 1999 under the Verified by Visa brand. Other networks built their own versions on top of the same protocol — Mastercard SecureCode, ProtectBuy by Discover, J/Secure by JCB, American Express SafeKey.

In 2016, EMVCo — the consortium of major card networks — published EMV 3DS 2.0 to address the structural problems of the original protocol: clunky redirects, static passwords, high cart abandonment, and poor mobile support. Subsequent versions (2.1, 2.2, 2.3, 2.3.1) progressively expanded data sharing, added native app and biometric support, introduced the Split-SDK for IoT and embedded devices, and integrated FIDO-based Secure Payment Confirmation.

The substantive differences between 3DS1 and 3DS2 are worth understanding, because they explain why approval rates and customer experience improved so significantly:

  • Risk-based authentication. 3DS2 sends ~150 data points (device fingerprint, behavioural signals, transaction context) to the issuer, enabling silent authentication for low-risk transactions instead of forcing a challenge on every payment.
  • Modern authentication methods. Static passwords are gone. 3DS2 supports biometric authentication, push notifications to banking apps, and FIDO/WebAuthn — methods customers actually want to use.
  • Mobile-native flows. 3DS2 was designed for in-app and mobile browser checkout from the start, not bolted on afterwards.
  • Liability shift. When 3DS2 authentication is successfully completed, liability for fraud-related chargebacks shifts from the merchant to the issuer. This is the single biggest financial argument for enabling 3DS even where it's not legally required. Note: the shift does not apply to merchant-initiated recurring transactions.

What businesses should know about 3DS in 2026

For payment teams running infrastructure at scale, 3DS is less about compliance and more about optimisation. A few things to keep in mind:

  • Approval rates are a function of how 3DS is configured, not whether it's enabled. Issuers approve frictionless authentications at materially higher rates than challenged ones. The teams getting the most out of 3DS are those tuning the data they send (device ID, cardholder behavioural signals, transaction history) to maximise frictionless flow eligibility — not those treating 3DS as a binary on/off switch.
  • Routing logic and 3DS interact. If a payment fails authentication on one provider, smart routing can retry through another acquirer or with different exemption logic. Payment platforms like Corefy let payment teams define rules for when 3DS should be applied, exempted, or bypassed (where regulation allows) — but exemptions need to be governed carefully, because fraudsters actively probe for merchants that disable 3DS under specific thresholds.
  • Recurring and merchant-initiated transactions need separate handling. The liability shift doesn't apply to recurring transactions, and SCA exemption rules for MITs are complex. Tokenisation, network tokens, and properly flagged transaction initiation indicators are the mechanisms that keep recurring billing flowing without authentication friction.
  • The data you send matters more than ever. 3DS 2.3.1 supports over 150 data elements. Issuers are building increasingly sophisticated risk models on top of them. Payment teams that send richer, more accurate data — especially around device, behaviour, and recurring payment context — get better approval rates and more frictionless flow approvals.
  • Monitor authentication-level metrics, not just authorisation. Approval rate is the headline number, but the underlying drivers — challenge rate, frictionless rate, abandonment during challenge, and 3DS technical failure rate — are what payment teams should be tuning. A high authorisation rate with a high challenge rate is leaving money on the table.
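The exemption and liability logic behind the routing point above, and the note in the previous section that the liability shift does not apply to merchant-initiated transactions, as an added example that is not part of the article or of any payment platform's rule engine. The exemption types and thresholds are those of the PSD2 RTS on SCA (Art. 14 recurring, Art. 16 low value, Art. 18 transaction risk analysis with the Art. 19 reference fraud rates); the request fields, the per-card counters and the acquirer fraud-rate input are constructed for this example.

```python
"""Decide whether a card-not-present payment goes to 3DS, is exempt, or is out of scope,
and who carries fraud liability as a result. Thresholds are the PSD2 RTS ones; the
request shape and the counter bookkeeping are constructed simplifications."""
from dataclasses import dataclass

# Art. 18/19 TRA: (acquirer reference fraud rate, max amount in EUR cents)
TRA_BANDS = [(0.0013, 10_000), (0.0006, 25_000), (0.0001, 50_000)]
LOW_VALUE_MAX = 3_000                 # Art. 16: 30 EUR per transaction
LOW_VALUE_MAX_COUNT = 5               # ... at most 5 consecutive exemptions
LOW_VALUE_MAX_CUMULATIVE = 10_000     # ... or 100 EUR cumulative since the last SCA


@dataclass
class CardState:
    """Low-value counters kept per card since the last successful SCA (constructed)."""
    low_value_count_since_sca: int = 0
    low_value_amount_since_sca: int = 0


@dataclass
class Decision:
    scope: str            # "out_of_scope" | "exempt" | "sca_required"
    reason: str
    liable_on_fraud: str  # "merchant" | "issuer"


def decide(txn: dict, state: CardState, acquirer_fraud_rate: float) -> Decision:
    amount = txn["amount_minor"]
    # 1. Merchant-initiated transactions (cardholder not in session) are outside SCA.
    #    There is also no liability shift, so fraud on them lands on the merchant.
    if txn["initiator"] == "merchant":
        return Decision("out_of_scope", "MIT: cardholder not present", "merchant")
    # 2. Later payments in an authenticated recurring series with fixed amount and
    #    payee are exempt (Art. 14); the first one must have been authenticated.
    if (txn.get("recurring") and not txn.get("first_in_series")
            and txn.get("series_authenticated")):
        return Decision("exempt", "recurring series (Art. 14)", "merchant")
    # 3. Low value (Art. 16), only while the counters have not been exhausted. The
    #    counters are what stop a fraudster draining a card in 29.99 EUR slices.
    if (amount <= LOW_VALUE_MAX
            and state.low_value_count_since_sca < LOW_VALUE_MAX_COUNT
            and state.low_value_amount_since_sca + amount <= LOW_VALUE_MAX_CUMULATIVE):
        return Decision("exempt", "low value (Art. 16)", "merchant")
    # 4. TRA (Art. 18): the band the acquirer's fraud rate qualifies for caps the amount.
    for max_rate, max_amount in TRA_BANDS:
        if acquirer_fraud_rate <= max_rate and amount <= max_amount:
            return Decision("exempt", f"TRA band {max_amount // 100} EUR (Art. 18)", "merchant")
    # 5. Nothing applies: authenticate through 3DS. Liability moves to the issuer
    #    only if that authentication succeeds.
    return Decision("sca_required", "no exemption applies: authenticate via 3DS", "issuer")


def record(state: CardState, decision: Decision, amount: int) -> CardState:
    """Update the low-value counters: a used exemption consumes them, an SCA resets them.
    Simplification: an SCA decision is assumed to have completed successfully."""
    if decision.scope == "sca_required":
        state.low_value_count_since_sca = 0
        state.low_value_amount_since_sca = 0
    elif decision.reason.startswith("low value"):
        state.low_value_count_since_sca += 1
        state.low_value_amount_since_sca += amount
    return state
```

Two caveats a practitioner should keep in mind: a merchant-requested exemption leaves fraud liability with the merchant, so "exempt" is a trade of conversion for risk, not a free pass; and the issuer can still refuse the exemption with a soft decline, in which case the right move is to retry the same transaction through 3DS rather than through another acquirer.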
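The authentication-level metrics named in the last bullet, computed over a constructed 3DS result log, as an added example that is not part of the article. The log format (one row per authentication attempt with the ARes transStatus, the RReq transStatus for challenged attempts, and the authorisation outcome) and the alert thresholds are constructed; the transStatus codes are the EMV 3DS 2 ones.

```python
"""Authentication-level metrics from a 3DS result log (constructed format).

ares_status: transStatus in the ARes (Y/A authenticated frictionless, N/R refused
frictionless, C/D challenge requested, U technical failure).
rreq_status: transStatus in the RReq for challenged attempts; empty means no
RReq arrived, i.e. the cardholder abandoned or timed out.
authorised: 1 if the subsequent authorisation was approved."""
import csv
import io

# Constructed sample log
LOG = """\
txn,ares_status,rreq_status,authorised
t01,Y,,1
t02,Y,,1
t03,Y,,0
t04,C,Y,1
t05,C,Y,1
t06,C,N,0
t07,C,,0
t08,C,,0
t09,U,,1
t10,N,,0
"""

# Constructed alert thresholds; tune per merchant category and issuer mix
MAX_CHALLENGE_RATE = 0.25
MAX_ABANDONMENT_RATE = 0.30
MAX_TECH_FAILURE_RATE = 0.05


def _rate(part, whole) -> float:
    return round(len(part) / len(whole), 3) if whole else 0.0


def authentication_metrics(log_text: str) -> dict:
    rows = list(csv.DictReader(io.StringIO(log_text)))
    frictionless_ok = [r for r in rows if r["ares_status"] in ("Y", "A")]
    frictionless_no = [r for r in rows if r["ares_status"] in ("N", "R")]
    challenged = [r for r in rows if r["ares_status"] in ("C", "D")]
    technical = [r for r in rows if r["ares_status"] == "U"]
    abandoned = [r for r in challenged if r["rreq_status"] == ""]
    challenge_ok = [r for r in challenged if r["rreq_status"] == "Y"]
    challenge_no = [r for r in challenged if r["rreq_status"] == "N"]
    approved = lambda rs: [r for r in rs if r["authorised"] == "1"]
    return {
        "attempts": len(rows),
        "frictionless_rate": _rate(frictionless_ok, rows),
        "frictionless_decline_rate": _rate(frictionless_no, rows),
        "challenge_rate": _rate(challenged, rows),
        "technical_failure_rate": _rate(technical, rows),
        # The next three are relative to challenged attempts, not all attempts
        "challenge_abandonment_rate": _rate(abandoned, challenged),
        "challenge_pass_rate": _rate(challenge_ok, challenged),
        "challenge_fail_rate": _rate(challenge_no, challenged),
        # Authorisation approval split by how the authentication was obtained
        "auth_approval_frictionless": _rate(approved(frictionless_ok), frictionless_ok),
        "auth_approval_after_challenge": _rate(approved(challenge_ok), challenge_ok),
    }


def alerts(m: dict) -> list:
    """Flag the drivers worth tuning; a healthy headline approval can hide all of these."""
    out = []
    if m["challenge_rate"] > MAX_CHALLENGE_RATE:
        out.append("high challenge rate: enrich AReq data (device, account history)")
    if m["challenge_abandonment_rate"] > MAX_ABANDONMENT_RATE:
        out.append("high challenge abandonment: check challenge UX and OTP delivery")
    if m["technical_failure_rate"] > MAX_TECH_FAILURE_RATE:
        out.append("high 3DS technical failure rate: check ACS/DS connectivity and timeouts")
    return out
```

The split of authorisation approval by flow is the number to watch: if challenged-and-passed payments are approved at a higher rate than frictionless ones, the issuer's risk model is already doing the work, and the cheaper win is reducing how often the challenge is needed at all.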

Cardholder questions, answered

How do I know if my card supports 3D Secure?

Practically every active Visa and Mastercard card in circulation today is enrolled in 3DS by its issuer; cards issued before mass 3DS adoption have long since expired or been reissued. Where an issuer cannot authenticate a card, merchants in SCA regions will usually decline it, because they cannot obtain the authentication the regulation requires.

My 3D Secure verification failed. What now?

There are three common causes:

  1. Wrong details entered. Retry the payment and complete the authentication step carefully.
  2. Technical issue. Often resolved by retrying. If a banking app is involved, make sure notifications are enabled and the app is up to date.
  3. Cardholder communication issue. If the issuer can't reach the cardholder (no SMS coverage, app not installed, expired phone number on file), authentication will fail. Updating contact details with the issuer usually fixes it.

If retries don't work, the practical workaround is to use a different card. Calling the issuing bank can also confirm whether there's a block on the account.

Can I bypass 3D Secure?

For a cardholder, no. The only legitimate way a payment skips 3DS is when the merchant or issuer applies a regulatory exemption (low value, transaction risk analysis, a recurring series), and in that case the merchant keeps the fraud liability. 3DS is what moves liability for fraudulent transactions onto the issuer once authentication succeeds, so a merchant has no reason to want it off either. The actors most interested in bypassing it are fraudsters, and they mostly do it through social engineering: calling cardholders while posing as bank staff, or luring them to a phishing page, and getting them to approve a fraudulent transaction or read out the one-time code. A bank will never ask you for an OTP or to approve a payment you did not start. Treat any unsolicited request for card details, OTP codes, or authentication confirmation as suspicious, regardless of who the person claims to be.
