3D secure

Explore how the Dunning Setup for 3D Secure 2 Declines can aid in revenue recovery for failed Merchant Initiated Transactions (MITs) under the PSD2 Mandate, improving customer authentication processes and reducing transaction failures.


Required plan

This feature or setting is available to all customers on any Recurly subscription plan.


3D Secure (3DS) is an additional security layer for online credit and debit card transactions. It comes in two versions: 3DS 1.0 and 3DS 2.0. While 3DS 1.0 had issues with checkout conversion rates, the newer 3DS 2.0 offers a more streamlined user experience. It helps in complying with PSD2 regulation by providing multi-factor authentication.

Key benefits

  • Enhanced online security: Adopting 3DS 2.0 provides a robust layer of security that can significantly reduce fraudulent transactions.
  • Boosted customer confidence: The added layer of authentication and security can assure customers of a safer online shopping experience, fostering trust.
  • Streamlined shopping experience: While bolstering security, 3DS 2.0 also considers the importance of user experience, ensuring that authentication processes are seamless and don't deter customers.

Exploring the Depths of 3D Secure

3D Secure (3DS), an additional layer of security for online credit and debit card transactions, comes in two versions - 3DS 1.0 and 3DS 2.0.

3DS 1.0 is the older version of the protocol, designed to add an extra layer of security to online transactions by requiring cardholders to complete an additional verification step with the card issuer when making purchases. The primary reason for the somewhat limited adoption of 3DS 1.0 has been its potential adverse impact on checkout conversion rates. While it helped protect against fraudulent transactions, the added friction in the checkout process often resulted in increased shopping cart abandonment.

For instance, suppose a customer is shopping online at a site that uses 3DS 1.0. In that case, they may be redirected to another page (managed by their bank) to enter additional information or a password to confirm their identity. This redirection could be perceived as confusing or suspicious, leading the customer to abandon their purchase.

3DS 1.0 has been phased out by the Card Networks and isn't a feasible choice in the majority of countries. While a few countries have been granted an extension to use 3DS 1.0 until 2023, businesses should predominantly transition to 3DS 2.0+ for their operations moving ahead.

3DS 2.0, on the other hand, came into existence alongside the introduction of the PSD2. It’s a much more refined and user-friendly version of the protocol that offers a smoother, more seamless user experience without compromising security. 3DS 2.0 uses a risk-based approach, meaning that it requires additional authentication only for transactions deemed high-risk, while low-risk transactions are allowed to go through with less friction.

For example, a customer shopping on a site that uses 3DS 2.0 might be allowed to complete their purchase without any additional steps if their transaction is deemed low-risk. However, for a high-risk transaction, they might be asked to authenticate their identity through their mobile banking app or via a text message code. This balance between user convenience and transaction security is a significant improvement over 3DS 1.0 and has led to wider adoption of 3DS 2.0.

There are also certain payment methods that have already incorporated robust multi-factor authentication layers, making them exempt from additional 3DS authentication. Examples of these include PayPal, AmazonPay, and ApplePay, which have their in-built security mechanisms. Additionally, alternative payment methods, such as iDEAL and SOFORT, are also exempt from 3DS due to their inherent secure design.

Helpful resources

  • Adyen: Dive deeper into understanding PSD2 and its implications with Adyen.
  • Braintree: Navigate your preparations for PSD2 with this comprehensive guide from Braintree.
  • Stripe: Explore Stripe's detailed guide on Strong Customer Authentication under PSD2.
  • WorldPay: WorldPay's resource on PSD2 provides a global perspective on this regulation.
  • Cybersource: Learn about the intersection of 3D Secure and PSD2 with Cybersource.


Q: Do I need to worry about PSD2?
A: If your business bank or payment provider is in the European Economic Area (EEA) and you have customers there too, then yes, you need to get ready for PSD2 and make sure you have Strong Customer Authentication (SCA) in place. If either you or your customers are outside the EEA, then you don't need to worry about SCA.

Q: Where can I find more technical information on preparing for PSD2?
A: You can find all the technical details you need in our integration guide here.

Q: Will my checkout conversions change because of 3DS?
A: The first version of 3DS could lead to a drop in checkout conversions between 3-15%. But don't worry, the second version aims to limit this to a maximum of 5%. But remember, these numbers can change depending on your country. (Statistics provided by WorldPay)

Q: What's the effect of 3DS on authorization rates?
A: If you're new to 3DS, you can expect your authorization rates to go up from about 84% to 92% with the first version. The second version aims to push this up to 95%. (Statistics provided by WorldPay)

Q: Can 3DS help me reduce fraud?
A: Absolutely. According to statistics from WorldPay, businesses that didn't utilize 3DS experienced fraud rates of approximately 0.29%. With the introduction of 3DS 1.0, this rate decreased to 0.12%. The second version of 3DS aims to further diminish this rate to an estimated 0.05%. However, it's essential to note that 3DS 1.0 is no longer a feasible choice for the majority of businesses.

Q: Will 3DS slow down my transactions?
A: Generally, using 3DS could add up to 10 seconds to your transaction time. If an exemption is rejected and SCA is enforced, this could add another 1-2 seconds. (Statistics provided by WorldPay)

Q: Who can I turn to if I have more questions about PSD2, SCA, or 3DS?
A: While we're always here to help, your payment gateway should be your go-to resource for these kinds of questions. They'll be up to speed on how PSD2 and SCA might affect you and your customers.

Q: What about PayPal transactions?
A: No extra work needed here! PayPal will take care of Strong Customer Authentication in their "Pay with PayPal" process. We will also make sure our integration can handle recurring PayPal payments.

Q: Could 3DS be triggered on recurring payments that I initiate, especially if the value changes?
A: Yes, it's possible. Card issuers can challenge a transaction for any reason. Because of this, we're developing a "3DS dunning flow" to help you manage transactions that fail due to SCA and need to be re-authenticated by your customer.

Q: Will SCA be needed every time I re-bill a customer on a usage-based plan?
A: As long as the transaction is flagged as being started by the merchant (that's you), most re-bills shouldn't need SCA, even if the amount varies. But remember, card issuers have the final say and can ask for SCA on any transaction.

Q: I have a fixed subscription but the first month is prorated. Will the full charge in the second month need SCA?
A: Ideally, you should authenticate the full subscription amount when the customer signs up, even if the first month is prorated. After that, re-bills should generally not need SCA, as long as they're flagged as merchant-initiated. We'll take care of this for you.

Q: What if the original transaction happened before Sept 14, 2019? Will I need to authenticate all of these older transactions?
A: For renewals, we'll try to exempt these transactions from SCA by marking them as "merchant-initiated". This includes subscriptions that started before September 14, 2019. Our goal is to treat these as merchant-initiated so they won't need SCA when they renew on or after September 14.