3D Secure (3DS) Authentication Flow

3D Secure is a security protocol that adds an extra authentication layer to online credit/debit card transactions. The "3D" stands for the three domains involved:

  • Acquirer Domain (the merchant and its acquiring bank)
  • Issuer Domain (the card issuer)
  • Interoperability Domain (the infrastructure provided by the card schemes)

1. Initial Purchase

  • The customer enters their card details on the merchant's checkout page
  • The merchant's payment system checks whether the card is enrolled in 3DS

2. Authentication Request

  • The merchant sends a verification request to the card issuer
  • The payment system redirects the customer to their bank's 3DS page

3. Customer Verification

The bank verifies the cardholder using various methods:

  • One-time password (OTP) sent via SMS
  • Biometric authentication through banking app
  • Security questions
  • Hardware tokens

4. Authentication Response

  • After successful verification, the bank returns an authentication response
  • The customer is redirected back to the merchant's site
  • The transaction proceeds to completion carrying the added security token that proves the authentication took place

Detailed Component Interaction

The following sequence diagram (given as Mermaid source) shows the detailed interaction between all key components:
  • Customer (Cardholder)
  • Merchant
  • 3DS Server (PSP)
  • Directory Server (DS) - Operated by card schemes
  • Access Control Server (ACS) - Operated by card issuers
  • Card Issuer

  sequenceDiagram
    participant C as Customer
    participant M as Merchant
    participant 3DS as 3DS Server (PSP)
    participant D as Directory Server
    participant A as Access Control Server
    participant I as Card Issuer

    Note over C,I: Initiation Phase
    C->>M: 1. Starts checkout
    M->>3DS: 2. Initiates 3DS process
    3DS->>3DS: 3. Collects browser info
    3DS->>D: 4. Sends verification request
    D->>A: 5. Checks enrollment status
    A->>I: 6. Verifies card status
    I-->>A: 7. Returns status
    A-->>D: 8. Returns enrollment info
    D-->>3DS: 9. Returns 3DS capability
    3DS-->>M: 10. Returns initial status

    Note over C,I: Authentication Phase
    M->>3DS: 11. Requests authentication
    3DS->>D: 12. Initiates auth request
    D->>A: 13. Forwards auth request
    A->>I: 14. Requests verification method
    I->>C: 15. Prompts for verification
    Note over C: 16. Provides OTP/Biometric
    C->>I: 17. Submits verification
    I->>A: 18. Validates authentication
    A->>D: 19. Returns auth result
    D->>3DS: 20. Returns auth status
    3DS->>M: 21. Confirms authentication

    Note over C,I: Transaction Phase
    M->>I: 22. Processes payment
    I-->>M: 23. Confirms authorization
    M-->>C: 24. Displays confirmation
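The hand-off between step 21 (authentication confirmed) and step 22 (payment processed) is where the merchant side must check that the authentication result really belongs to the transaction being authorized. The following Python sketch is an added example, not code from the original page and not the EMV 3DS message format: the shared key, the field names and the "Y"/"N" status codes are assumptions of this simplified model.

```python
import hmac
import hashlib
import json

# Constructed demo secret shared between the 3DS Server and the merchant's gate.
# Assumption of this model only; real 3DS results are validated through the scheme's
# authentication value, not a merchant-held key.
SHARED_KEY = b"constructed-demo-key"


def _mac(key: bytes, txn_id: str, amount_minor: int, status: str) -> str:
    # Canonical JSON encoding so fields cannot be shifted into one another.
    payload = json.dumps([txn_id, amount_minor, status]).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def issue_auth_result(key: bytes, txn_id: str, amount_minor: int, status: str) -> dict:
    """Steps 19-21: the authenticating side returns a result bound to one transaction."""
    return {
        "txn_id": txn_id,
        "amount": amount_minor,
        "status": status,  # "Y" = authenticated, "N" = not authenticated (assumed codes)
        "mac": _mac(key, txn_id, amount_minor, status),
    }


def may_authorize(key: bytes, checkout_txn_id: str, checkout_amount: int, result: dict) -> bool:
    """Step 22 gate: proceed to authorization only for a genuine, matching, successful result."""
    expected = _mac(key, result.get("txn_id", ""), result.get("amount", -1), result.get("status", ""))
    if not hmac.compare_digest(expected, result.get("mac", "")):
        return False  # forged or tampered result (e.g. status flipped to "Y")
    if result["txn_id"] != checkout_txn_id or result["amount"] != checkout_amount:
        return False  # result replayed from another checkout, or amount changed after auth
    return result["status"] == "Y"
```

The three rejection paths correspond to the checks a merchant integration should log separately, since a MAC failure, a transaction mismatch and a declined authentication point to different problems.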