3D Secure Payment Gateway: What It Is, How It Works, and Why High-Risk Merchants Need It

3D Secure (3DS) is the cardholder authentication standard used by Visa (Verified by Visa), Mastercard (Mastercard Identity Check), and American Express (SafeKey). For high-risk merchants, it’s not optional — it’s one of the most effective tools available for reducing chargebacks and protecting your merchant account from termination. This page explains how 3DS2 works, what the liability shift means in practice, and how DozyPay deploys it across high-risk merchant accounts.

3D Secure Payment Processing Solutions

How 3D Secure 2.0 Works

When a customer completes a purchase, 3DS2 runs a behind-the-scenes risk assessment using data points including device fingerprint, transaction history, IP address, and shipping/billing address match. Based on this assessment, one of two things happens:

  • Frictionless flow: The transaction is authenticated silently without the customer doing anything. No pop-up, no password, no delay. This happens for approximately 95% of legitimate transactions in well-configured 3DS2 implementations.
  • Challenge flow: For higher-risk transactions, the customer is asked to confirm their identity — typically via a one-time code sent to their phone or biometric authentication in their banking app. This replaces the old static password screen that frustrated customers and increased abandonment.
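The two flows above can be handled in merchant-side code like this. It is an added example, not DozyPay's code: it maps the EMV 3DS transaction status and ECI of one authentication result to the next step. The names `decide` and `Decision` are hypothetical, and the liability-shift mapping is a simplified assumption (scheme rules carry regional and program exceptions).

```python
from dataclasses import dataclass
from typing import Optional

# EMV 3DS transStatus codes: Y authenticated, A attempt processed, C challenge
# required, D decoupled challenge, N not authenticated, R rejected,
# U could not be performed, I informational only.
# ECI values signalling a full (Y) or attempted (A) authentication, per scheme.
EXPECTED_ECI = {
    ("visa", "Y"): "05", ("visa", "A"): "06",
    ("mastercard", "Y"): "02", ("mastercard", "A"): "01",
}

@dataclass(frozen=True)
class Decision:
    action: str            # authorize | challenge | decline | review
    flow: str              # frictionless | challenge | none
    liability_shift: bool  # simplified assumption; scheme rules have exceptions

def decide(scheme: str, trans_status: str, eci: Optional[str] = None,
           auth_value: Optional[str] = None, challenged: bool = False) -> Decision:
    """Map one authentication result to the merchant's next step."""
    flow = "challenge" if challenged else "frictionless"
    if trans_status in ("C", "D"):
        # A second challenge request after a completed challenge is a protocol
        # anomaly: send it to review instead of looping.
        if challenged:
            return Decision("review", "none", False)
        return Decision("challenge", "challenge", False)
    if trans_status in ("N", "R"):
        return Decision("decline", flow, False)
    if trans_status in ("Y", "A"):
        # Fail closed: claim the shift only when the ECI matches the status and
        # the cryptogram (CAVV/AAV) needed in the authorization is present.
        if EXPECTED_ECI.get((scheme.lower(), trans_status)) == eci and auth_value:
            return Decision("authorize", flow, True)
        return Decision("review", flow, False)
    # U, I or an unknown code: no proof of authentication, merchant bears the risk.
    return Decision("review", "none", False)

# Constructed sample results (not real transaction data).
SAMPLES = [
    ("visa", "Y", "05", "CONSTRUCTED-CAVV", False),
    ("mastercard", "C", None, None, False),
    ("mastercard", "Y", "02", "CONSTRUCTED-AAV", True),
    ("visa", "Y", "07", "CONSTRUCTED-CAVV", False),
    ("visa", "U", None, None, False),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s[:3], "->", decide(*s))
```

A result that claims success but lacks the matching ECI or the cryptogram goes to review, so an authorization is never sent under the assumption of a liability shift it cannot prove.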

The Liability Shift: Why This Matters for Your Account

The single most important commercial benefit of 3DS2 for high-risk merchants is the chargeback liability shift. On a 3DS-authenticated transaction, if the customer later disputes the charge as unauthorised, liability for that chargeback transfers from you (the merchant) to the issuing bank. You keep the funds. Your chargeback ratio stays clean.

For industries with high dispute rates — gambling, adult content, forex, subscription services — this shift alone can be the difference between a stable merchant account and one in termination proceedings.

3DS1 vs 3DS2: Key Differences

 

| Aspect | 3DS1 (Legacy) | 3DS2 (Current Standard) |
|---|---|---|
| Authentication method | Static password | Risk-based: frictionless or SMS/biometric challenge |
| Friction for customer | High — password required every time | Low — ~95% of transactions frictionless |
| Data points used | Minimal | 100+ data points including device, behaviour, history |
| Mobile support | Poor — redirects broke apps | Native SDK for iOS and Android |
| Liability shift | Yes | Yes (stronger protection under EMV specification) |
| Conversion impact | Negative — abandonment from friction | Neutral to positive |
| Mandate status | Being retired | Required by Visa/Mastercard in most markets |

 

How DozyPay Implements 3DS2

| Component | Detail |
|---|---|
| Automatic 3DS2 on all transactions | All DozyPay merchant accounts have 3DS2 enabled by default. No additional configuration required at launch. |
| Risk-based authentication tuning | Transaction thresholds for challenge triggers are configured based on your industry and chargeback history — reducing unnecessary friction on low-risk transactions. |
| Mobile SDK integration | Native iOS and Android SDK support for apps that accept in-app payments — preventing the redirect failures that plagued 3DS1 on mobile. |
| Exemption management | Low-value transactions (below €30/£25 in Europe) and trusted merchants benefit from SCA exemptions that skip the challenge flow entirely while maintaining liability protection. |
| Decline recovery | Soft-declined transactions (declined pending 3DS) are automatically retried with authentication, recovering sales that would otherwise be lost. |
| Reporting | Real-time authentication data — challenge rates, frictionless rates, liability shift status — available in your merchant dashboard. |

 

Frequently Asked Questions

Is 3D Secure mandatory?

In the European Economic Area (EEA) and UK, 3DS2 authentication is mandatory under Strong Customer Authentication (SCA) regulations for most card transactions. Outside Europe, it’s not mandated but is strongly recommended — card networks are gradually extending SCA-equivalent requirements globally. For high-risk merchants, the liability shift benefit makes 3DS2 worth implementing regardless of legal requirements.

Does 3D Secure reduce my conversion rate?

Properly implemented 3DS2 has a neutral to slightly positive impact on conversion. The frictionless flow handles approximately 95% of legitimate transactions without any customer action. The remaining 5% that require a challenge are predominantly lower-quality transactions — the authentication step often filters out fraudulent attempts before they complete.

What happens to chargebacks on authenticated transactions?

On a successfully authenticated transaction, chargeback liability shifts to the issuing bank for ‘fraud’ reason codes (4837, 4853 on Mastercard; 10.4, 10.5 on Visa). The customer can still dispute the charge for other reasons (item not received, not as described), but the most damaging fraud chargebacks — which drive the majority of high-risk account terminations — are covered by the liability shift.

Can 3DS2 be bypassed by fraudsters?

3DS2 significantly raises the bar for fraudulent transactions. A fraudster who has card details but not access to the cardholder’s phone (for SMS OTP) or banking app (for biometric) cannot complete a 3DS-authenticated transaction. The main attack vector that remains is social engineering — persuading the legitimate cardholder to share their OTP. This is a limitation of all authentication systems, not specific to 3DS2.

Does DozyPay charge extra for 3DS2?

3DS2 authentication is included as standard across all DozyPay merchant accounts. There is no separate charge for authentication. The cost is built into the processing arrangement because reducing chargebacks protects both the merchant and DozyPay’s acquiring relationships.

Get 3DS2 included as standard with every DozyPay merchant account — apply at dozypay.com/contact.