What is 3D Secure and is it necessary?

Publication date: 2026-05-29

3D Secure (3DS) is a protocol for additional authentication in online bank card payments (card-not-present). Before completing a payment, the issuing bank may request confirmation that the purchase is being made by the cardholder—for example, via push notifications in a banking app, biometrics, or a one-time code.

Simply put, 3DS is an additional step between card data entry and the final debit, reducing the risk of purchases made with someone else's card. However, in modern scenarios, confirmation isn't always visible to the user—sometimes the bank conducts a risk assessment and allows the payment to proceed without further steps (a frictionless scenario).

Is 3D Secure necessary? For consumers, yes, because 3D Secure makes online payment fraud more difficult. For businesses, yes, too: 3D Secure helps manage the risk of fraudulent transactions and, in certain cases, influences the distribution of liability for fraud chargebacks (liability shift). However, 3D Secure doesn't make online payments completely invulnerable, so it's a basic level of protection, not a "sole defense."

How does 3D Secure work?

In short, 3DS is verification of the cardholder by the issuing bank during online payment, before the final confirmation of the transaction.

Technically, the process is built around the participants and components of EMV 3DS: the store (merchant) initiates an authentication request, the payment system routes it via the Directory Server, and the issuing bank decides how exactly to verify the client via the ACS (Access Control Server).

In other words, when a customer enters their card details on the website and clicks "Pay," the card is not simply debited: the request is first verified using 3DS. Depending on the result of that verification, the payment either continues or is declined.

There are two main possible scenarios, which are applied in EMV 3DS (where EMV is the name of the Europay, Mastercard, and Visa consortium) depending on the risk assessment:

• Frictionless flow: the bank (issuer) performs risk assessment and confirms authentication "in the background," without any action on the part of the buyer, to ensure payment is processed as quickly as possible. In practice, this is often achieved through rich transaction and device data used for risk-based authentication.

• Challenge flow: If a transaction appears suspicious (unusual amount, unusual device, new store, etc.), 3DS authentication is initiated with explicit identity verification—the user sees a bank/payment system screen and confirms the purchase via an app, biometrics, or a one-time code.

For the user, 3D Secure typically appears as an "additional confirmation from the bank" right at the time of payment, rather than a separate registration process on the online store's end. This is especially noticeable in mobile scenarios, where confirmation occurs within the banking app and is part of the familiar smartphone payment experience.

For businesses, this is an integrated element of the online payment chain, helping to filter out fraudulent transactions before funds are debited and making the payment process more predictable in terms of risks.

Benefits of 3D Secure

3D Secure reduces the risk of fraud in online payments through additional verification of the payer's identity: it is a layer of protection for transactions where the card isn't physically used (purchases on a website or in an app). For the user, this means that even if card details become known to criminals, card information alone is often insufficient: the bank may request confirmation, which is the practical purpose of 3D authentication.

For businesses, 3DS makes payment flows more manageable: low-risk transactions can proceed without additional customer action, while suspicious ones can be challenged. Additionally, 3DS can mitigate the consequences of fraudulent chargebacks through liability-shifting mechanisms, whereby, when the conditions are met, responsibility for a fraudulent chargeback shifts from the merchant to the issuer.

What does a business typically receive when 3DS payments are set up correctly?

• Fewer payment attempts with "someone else's card" thanks to additional confirmation.

• A more understandable scenario for the client: the bank is clearly involved in confirming the transaction.

• A balance of convenience and control: some payments are processed without any customer interaction, while others require confirmation in cases of increased risk.

• Fewer "gray" situations where the client doesn't understand how and why the payment was processed (confirmation makes the process more transparent).

3D Secure complements an overall secure payments strategy, especially when a company accepts multiple payment methods and wants to ensure a consistent and convenient payment experience for customers. Against this backdrop, it's helpful to consider how businesses build convenient payment methods overall—for example, in this article on QR code payments.

Is it possible to ensure complete security with 3D Secure?

3D Secure doesn't provide complete security: it's an additional form of authentication for online payments, but it's not "universal protection against all types of fraud."

In practice, attackers often target not the 3DS protocol itself, but the user—through phishing and social engineering, where a person enters card details on a fake page or confirms a transaction themselves, believing a "message from the bank."

The most common online risks are related to phishing and social engineering. Fraudsters fake payment pages or websites of well-known services and stores to trick victims into entering their card details, and then push the transaction through to the confirmation step. A particularly common scenario involves calls and messages "from the bank," in which the victim is persuaded to provide a one-time code or perform a "verification," although this is actually confirmation of someone else's transaction (meaning the 3DS authentication is completed by the client themselves).

There are also risks on the device and account side: malicious apps and message/notification interception can help attackers obtain verification codes, especially if the user installs apps from untrusted sources or doesn't secure access to the phone. Therefore, not only bank checks are important, but also user habits – paying close attention to links and verification codes can help protect against fraud.

How to enable and disable 3D Secure

For a cardholder, "enabling 3D Secure" usually means enabling/configuring online payment confirmation with their bank (updated phone number, push notifications/OTP, app access). Many banks enable 3D Secure by default, and the user effectively only "enables" a convenient confirmation method.

Disabling 3DS depends on the policy of each bank in Kazakhstan: sometimes the option is available in the card settings in online banking, sometimes you need to contact support, and in some cases, completely disabling it may not be possible (the bank maintains 3DS as a mandatory security layer for online transactions). Keep in mind that without 3DS, online payments become less secure, so assess the risks before disabling it, especially if the card is used for regular online purchases.

For businesses in Kazakhstan, 3DS is enabled along with online acquiring (accepting payments on a website or in an app): 3DS is part of the payment process, in which the issuing bank adds a confirmation step if necessary. To reinforce the basic terminology and logic of the process, it's helpful to understand online acquiring and how the payment process works on the merchant side.

If, after enabling 3DS, customers frequently experience refusals, freezes, or are not redirected to the site after confirmation, the problem is usually not with the technology as a whole, but with the specific implementation: the correctness of redirects/the built-in confirmation window, status processing, timeouts, and compatibility with smartphones/browsers actually used by customers in Kazakhstan. In this case, it's worth coordinating the target user path (redirect/iframe) with the acquirer/payment provider, testing the scenarios on cards from different Kazakh banks, and testing the payment on popular devices to ensure consistent confirmation.
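The status handling and timeouts mentioned above, together with the frictionless/challenge split described earlier, shown as an added example (not PayGate's or any provider's code). The `transStatus` letters are the EMV 3DS values; `Session`, `Next`, both function names and the 600-second timeout are hypothetical.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Next(Enum):
    AUTHORIZE = "authorize"   # continue to authorization with the 3DS result attached
    CHALLENGE = "challenge"   # show the issuer's ACS screen (redirect or iframe)
    DECLINE = "decline"       # authentication failed: do not authorize
    FALLBACK = "fallback"     # technical failure: merchant/acquirer policy decides

CHALLENGE_TIMEOUT_S = 600     # assumed limit; agree the real value with the provider

@dataclass
class Session:
    order_id: str
    state: str = "pending"            # pending -> challenged -> final
    outcome: Optional[Next] = None
    challenged_at: float = 0.0

def _finish(s: Session, outcome: Next) -> Next:
    s.state, s.outcome = "final", outcome
    return outcome

def on_auth_response(s: Session, trans_status: str, now: float) -> Next:
    """First answer from the issuer side (EMV 3DS transStatus)."""
    if s.state != "pending":          # duplicate delivery: keep the first decision
        return s.outcome or Next.CHALLENGE
    if trans_status in ("Y", "A"):    # frictionless: authenticated / attempt processed
        return _finish(s, Next.AUTHORIZE)
    if trans_status in ("C", "D"):    # challenge flow requested by the issuer
        s.state, s.challenged_at = "challenged", now
        return Next.CHALLENGE
    if trans_status in ("N", "R"):    # not authenticated / rejected
        return _finish(s, Next.DECLINE)
    return _finish(s, Next.FALLBACK)  # "U" or an unknown value

def on_challenge_result(s: Session, trans_status: str, now: float) -> Next:
    """Final result after the challenge, taken from the provider's server-side
    notification, never from parameters on the customer's return URL."""
    if s.state == "final":            # replayed or late callback cannot flip the result
        return s.outcome
    if s.state != "challenged":
        raise ValueError("challenge result for a session that was never challenged")
    if now - s.challenged_at > CHALLENGE_TIMEOUT_S:
        return _finish(s, Next.DECLINE)   # customer never completed the challenge in time
    if trans_status == "Y":
        return _finish(s, Next.AUTHORIZE)
    if trans_status == "U":
        return _finish(s, Next.FALLBACK)
    return _finish(s, Next.DECLINE)
```

Keeping the decision on the server and making it first-result-wins means a customer who returns twice, or a tampered return URL, sees the stored outcome rather than changing it.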

Conclusion

3D Secure is a basic level of protection for online card payments, helping to reduce the risk of unauthorized charges and enhance customer confidence. This is especially relevant in Kazakhstan: most purchases are made via smartphone, and confirmation is often done via the bank's mobile app or a one-time code, so it's important to ensure contact information and notifications are configured correctly.

However, 3D Secure doesn't guarantee absolute security: some fraudulent schemes rely on phishing and social engineering, in which the user is led to confirm the transaction themselves. Therefore, maximum effectiveness is achieved only when 3D Secure is combined with a properly configured payment scenario (redirects/returns to the website, correct statuses) and customer attention.

For businesses, 3D Secure is a way to make payments more manageable: "routine" transactions are processed faster, while suspicious ones are subject to additional verification by the bank. If you accept payments on your website or in an app, consider 3D Secure as a standard element of online acquiring, enhancing payment security and trust in your service.

PAYGATE is your reliable partner for payment solutions with full 3D Secure support. We offer payment acceptance services through modern POS terminals and online acquiring, supporting various payment methods, including card payments, mobile acquiring, and QR codes. With us, your business will become more convenient and secure for your customers.

Looking to implement 3D Secure payment instruments for reliable online payments? Contact us, and we'll help you choose the best solution for your business.

FAQ

Is it possible to disable 3D Secure for a card?

For most cards in Kazakhstan (Kaspi Gold), no, it works automatically. In ForteBank, you can enable/disable it in mobile banking. We recommend leaving it enabled for security.

Does 3D Secure block legitimate payments?

No, low-risk transactions are processed in frictionless mode without any client interaction. Challenge mode is only activated for suspicious transactions (unusual amount, device, or store).

Do I need to register 3DS separately on the website?

No, this is a function of the issuing bank. The client confirms the payment in their banking app or via SMS. Businesses only need to connect to an online acquiring service that supports 3DS.

Does 3DS affect conversion?

With proper integration, it's minimal. 90%+ of operations are frictionless. Problems arise with incorrect redirects or poorly optimized confirmation UX.

Does PayGate support 3D Secure?

Yes, full EMV 3DS 2.0 integration with frictionless/challenge flow support is available for all Kazakhstani banks. PCI DSS certification guarantees security.

Author: Paygate
