3D Secure (3DS) Authentication
Authenticate every cardholder. Protect every transaction.
3D Secure (3DS) is an industry-standard security protocol that adds an additional layer of protection for online credit and debit card payments — commonly known as Card-Not-Present (CNP) Sale transactions. It acts as a digital checkpoint, verifying a customer's identity directly with their bank to confirm they are the legitimate card owner. Integrating 3DS through PCE provides the following advantages:
- Liability Shift: For successfully authenticated transactions, the financial liability for fraud-related chargebacks shifts to the card-issuing bank.
- Reduced Fraud: By verifying the cardholder's identity directly with their bank, you can significantly reduce the risk of fraudulent transactions from stolen card details.
- Increased Approval Rates: Banks view 3DS-authenticated transactions as more secure and are less likely to falsely decline them, potentially increasing your authorization success rates.
Note — 3DS authentication is disabled by default. Contact the PCE Account Management team to enable 3DS authentication for your business.
Common use cases include:
- E-commerce Checkouts: Verify cardholder identity before authorization to reduce unauthorized card use.
- Guest Checkouts: Authenticate cardholders transacting without a registered account or saved credentials.
- International Payments: Mitigate cross-border fraud by authenticating internationally issued cards.
- High-Risk Transactions: Secure fraud-prone purchases — electronics, travel, and luxury goods — with authentication.
- Regulatory Compliance: Meet SCA requirements for markets mandating two-factor verification.
3DS Authentication Flow
Once card details are submitted, a data payload — device fingerprint, IP address, billing details, and transaction context — is sent to the issuing bank. The bank evaluates this data and determines the authentication method. A successful authentication shifts fraud liability from your business to the card-issuing bank.
Every authenticated transaction proceeds via one of two flows:
Frictionless Flow — The issuing bank authenticates the cardholder silently. No customer action is required.
Challenge Flow — The customer is prompted to verify their identity via a one-time passcode (OTP) or biometric authentication.
Both flows return an ECI code and a CAVV cryptogram — pass both values in your authorization request to secure the liability shift.
Authentication Results
Every 3DS authentication returns two key values — an ECI code and an authentication status. The table below combines both, showing the outcome, network, ECI code, and liability shift in a single reference.
| Authentication Result | Status | Network | ECI Code | Liability Shift |
|---|---|---|---|---|
| Success | Y | Visa | 05 | ✓ Shifts to issuer |
| Success | Y | Mastercard | 02 | ✓ Shifts to issuer |
Best Practices
| Practice | Description |
|---|---|
| Initiate 3DS before completing a transaction | 3DS protects against chargebacks. A frictionless authentication adds no friction to the customer experience. |
| Store ECI and CAVV on every transaction | Retain eci, cavv, and xid alongside your transaction records for required evidence. |
| Never reuse authentication values | Each cavv and xid is valid for a single transaction only. Re-running the 3DS session generates a fresh set of values. Reusing values will cause the transaction to be rejected. |
| Include AVS data | Always pass AVS data (avsZip, avsStreet) in the cardAccount object alongside the 3DS result. This further reduces fraud risk and can lower processing fees. |
| Test your integration | Use our provided Test Card Data to safely test all payment scenarios, including declines and errors, in our sandbox environment. |
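The following Python sketch is an added example, not PCE code. It shows a server-side guard that runs before authorization: it checks a 3DS result against the Authentication Results table and refuses cavv or xid values that have already been used. The field names eci, cavv and xid come from this page; the class names, the status and network attributes, and the in-memory store are assumptions made for the example.

```python
"""Pre-authorization guard for a 3DS result (added example, not PCE code)."""
from dataclasses import dataclass

# ECI values the page's table lists for a successful (status Y) authentication.
LIABILITY_SHIFT_ECI = {"visa": "05", "mastercard": "02"}


@dataclass(frozen=True)
class ThreeDSResult:
    # eci, cavv and xid are field names from the page; 'status' and 'network'
    # are names assumed here for the table's Status and Network columns.
    status: str
    network: str
    eci: str
    cavv: str
    xid: str


class ThreeDSGuard:
    """Rejects incomplete, non-shifting, or reused 3DS values."""

    def __init__(self):
        # Assumption: an in-memory set keeps the example self-contained. A real
        # integration needs a durable store with a uniqueness constraint.
        self._used = set()

    def check(self, r):
        """Return (allowed, reason) for one 3DS result."""
        if not (r.eci and r.cavv and r.xid):
            return False, "missing eci, cavv or xid"
        expected = LIABILITY_SHIFT_ECI.get(r.network.lower())
        if r.status != "Y" or expected is None or r.eci != expected:
            return False, "no liability shift per result table"
        # Track cavv and xid separately: each is valid for one transaction only.
        keys = {("cavv", r.cavv), ("xid", r.xid)}
        if keys & self._used:
            return False, "cavv/xid already used; re-run the 3DS session"
        self._used |= keys  # consumed even if the later authorization fails
        return True, "ok"


# Constructed sample values, not real cryptograms.
SAMPLE = ThreeDSResult("Y", "Visa", "05", "SAMPLE-CAVV-0001", "SAMPLE-XID-0001")

if __name__ == "__main__":
    guard = ThreeDSGuard()
    print(guard.check(SAMPLE))  # first use of the values
    print(guard.check(SAMPLE))  # same values presented again
```

Any status, network and ECI combination not listed in the table above is treated here as carrying no liability shift, which is the conservative reading of the page.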