3-D Secure

Developers: Visa International
Industries: Financial services, investments and audit
Technology: Cybersecurity - Authentication, Cybersecurity - Fraud detection systems, Cybersecurity - Encryption tools


3-D Secure is a protocol for processing Internet transactions, developed by Visa. When a purchase is made on the Internet, the 3D Secure system verifies the client using a dynamic code sent by SMS. MasterCard, which has its own protection service, SecureCode, also holds a license to use this technology.

The purpose of the protocol is the security of Internet payments made with credit or debit cards. It is also known as Verified by Visa in Visa terminology, or SecureCode in MasterCard terminology.

3-D Secure is a trademark of VISA corporation.

The 3D Secure protocol is used by payment systems under the Verified by Visa and MasterCard SecureCode logos and gives cardholders the ability to authenticate through the issuing bank when making online purchases via web browsers on personal computers.

The purpose of using 3-D Secure is to simplify the servicing of card transactions on the Internet while increasing their security.

The three-domain system

The 3-D Secure model is built on three domains in which transactions are generated and verified:

  • the Issuer domain, which comprises the cardholder and the card-issuing bank.
  • the Acquirer domain, which includes the merchant's acquirer and its clients (online merchants).
  • the interoperability domain, which contains the elements that make transactions between the other two domains possible. It covers the networks and services of the card associations.

The domains are independent in their rights and are an important part of how information is transferred within the overall 3-D Secure infrastructure. Each domain has its own area of responsibility in a transaction:

  • In the Issuer domain, the issuing bank is responsible for authenticating the buyer and for providing correct information for the transaction.
  • In the Acquirer domain, the online merchant is responsible for the commercial relationship with the buyer and for guaranteeing that the buyer is directed to the correct issuing bank for verification. In the same domain, the acquirer is responsible for approval of the transaction through the traditional Visa or MasterCard networks.
  • In the interoperability domain, the Visa or MasterCard payment system is responsible for the security of the information about each issuer (the cardholder's bank, the issuer's Internet address) and for providing this information for decisions in disputes.

The 3-D Secure model provides a standard protocol for interaction between the domains for exchanging and verifying transactions. It does not require changes in the relationships between participants within a single domain:

  • The merchant and the acquirer are free to choose any method of conducting transactions and of managing relationships within their domain.
  • Issuers are free to choose whatever mechanisms they prefer for authenticating the cardholder.

Components of the 3-D Secure architecture

The 3-D Secure architecture implements a set of dedicated servers that handle a transaction throughout its lifecycle:

  • In the Issuer domain, the Access Control Server (ACS) manages the authentication process between the buyer and the issuer and guarantees the execution of payment transactions for the merchant.
  • In the Acquirer domain, the Merchant Plug-In (MPI) server manages the flow of transactions between the Visa/MasterCard infrastructure, the cardholders' infrastructure and the payment infrastructure created by the acquirer.
  • In the interoperability domain, the Visa/MasterCard Directory Server keeps information about the participants in the process. In the same domain, the Visa/MasterCard Authentication History Server (AHS) reliably stores information about all transactions and guarantees its availability if disputes arise.
  • In the Issuer and Acquirer domains, host systems take part in reconciling transactions in the bank's back office, to ensure clearing settlements between participants for the subsequent transfer of money.

2020: Russian banks move to 3D Secure 2.0

At the end of July 2020 it became known that banks in Russia had implemented the new security standard 3D Secure 2.0 and, as a result, had begun to allow online purchases without an SMS code.

As the National Payment Card System (NPCS) told Izvestia, 140 banks have connected 3D Secure 2.0 for Mir cards, and other credit institutions are undergoing certification. The new system is also being introduced for Visa and MasterCard.

Holders of Mir cards were allowed to make purchases on the Internet without SMS

The 3D Secure 2.0 system classifies some transactions as low-risk and does not require verification for them. It is designed to improve and speed up the purchase process: the client does not have to wait for a confirmation message. At the same time, the proper level of cybersecurity is promised to be preserved.

The technology is aimed at convenient and secure payments not only via the web browser but also directly in the applications of various services on a mobile device. The new version also implements convenient support for user authentication when setting up recurring payments and subscriptions to various services, a representative of Mir explained to the publication.[1]

The new-level security protocol is an attempt to reach a reasonable compromise between security and convenience, believes Dmitry Kuznetsov, director of methodology and standardization at Positive Technologies. On the one hand, the standard supports several mechanisms for verifying payers: along with passwords, biometrics and cryptography can be used at the discretion of the issuing bank. On the other hand, in some regions of the world even the first version of the standard, with confirmation only by a code from an SMS, led to a noticeable decrease in the number of purchases.

Vasily Zablotsky, president of the National Financial Association, says that the transition to 3D Secure 2.0 will help banks save up to 30–80% of their SMS costs and direct the saved funds to business development or to profit.

2019: Vulnerability in online bank card payments

On September 20, 2019, ChronoPay warned that the payee's details can be substituted in some online bank card payment transactions because of features of the 3D Secure (3DS) protocol. Because of a vulnerability in the payer authentication request (PAReq), attackers can mislead the consumer by changing the payee's details on the transaction confirmation page.

According to the company, the 3DS protocol is used when accepting online bank card payments. To make sure that the payment is being made by the account holder, in addition to the bank card details a confirmation code is required, which is sent by SMS to the mobile phone number linked to the card. The buyer enters the confirmation code on a separate page, on which a fraudster can forge the payee's details. 3DS was developed to protect against theft of plastic card data and does not provide protection against online fraud by payees.

As ChronoPay specialists found, the problem is that the payer authentication request (PAReq) is not protected. When an order is placed in an online store, a state fee is paid or services are ordered, the request is passed to the bank as a plain address-bar string in the browser. In the current version of 3DS it is not cryptographically encrypted and is not checked by the payment system. It is not difficult for attackers to change any data in the request string and mislead the buyer on the payment confirmation page.
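The integrity gap described above, shown from the defender's side as an added example that is not part of the original article or of any 3-D Secure specification: the receiving side refuses to render a confirmation page when the displayed fields of a request were altered after the merchant issued it. The field names (`merchant`, `amount`, `currency`, `order`, `mac`), the shared key and the query-string layout are assumptions made for illustration; the real PAReq encoding differs.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed demo key; in practice a per-merchant secret provisioned out of band.
DEMO_KEY = b"constructed-demo-key-not-for-production"
# Hypothetical names for the fields shown to the cardholder on the confirmation page.
SIGNED_FIELDS = ("merchant", "amount", "currency", "order")


def _canonical(fields: dict) -> bytes:
    # Fixed field order plus length prefixes, so content cannot be shifted
    # from one field into another without changing the MAC input.
    parts = []
    for name in SIGNED_FIELDS:
        value = fields[name].encode("utf-8")
        parts.append(name.encode() + b":" + str(len(value)).encode() + b":" + value)
    return b"|".join(parts)


def sign_request(fields: dict, key: bytes = DEMO_KEY) -> str:
    """Merchant side: build the query string and append a MAC over the displayed fields."""
    tag = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    return urlencode({**{n: fields[n] for n in SIGNED_FIELDS}, "mac": tag})


def verify_request(query: str, key: bytes = DEMO_KEY):
    """Bank side: return the fields if authentic, otherwise None (page is not rendered)."""
    pairs = parse_qsl(query, keep_blank_values=True)
    # Duplicated, missing or extra parameters make parsing ambiguous: reject them.
    if sorted(n for n, _ in pairs) != sorted(SIGNED_FIELDS + ("mac",)):
        return None
    fields = dict(pairs)
    tag = fields.pop("mac")
    expected = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    # Constant-time comparison of the received and recomputed tags.
    if not hmac.compare_digest(expected.encode(), tag.encode("utf-8")):
        return None
    return fields


# Constructed sample request.
ORIGINAL = sign_request({"merchant": "Example Shop", "amount": "1500.00",
                         "currency": "RUB", "order": "A-1001"})
# The same request after the payee name was rewritten in the address bar.
TAMPERED = ORIGINAL.replace("Example+Shop", "Other+Payee+Ltd")
```

A MAC of this kind only proves that the fields are the ones the key holder signed; it does not tell the cardholder whether that payee is legitimate.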

"There are more and more fraudulent websites on the Internet that pass themselves off as well-known service providers, public services or corporate online stores. The vulnerability in the PAReq requests of the 3DS protocol makes it possible to convince the consumer that they are making a payment to a particular organization. The payment confirmation data shown on the page can be changed. Fraudsters actively use social engineering methods, urging the client to make a payment on their website as soon as possible. We recommend that users be extremely attentive when making online payments," said Pavel Vrublevsky, CEO of the processing company ChronoPay.

To protect themselves against fraud, consumers should exercise additional vigilance. ChronoPay security experts recommend:

  • Check the address of the online store where you are going to make a purchase (fraudsters often choose similar addresses), especially if the website is full of sales that end in a few minutes.
  • Do not make purchases by following links from e-mails; instead, find the legitimate website yourself through a search engine.

Information about this vulnerability has been passed to representatives of FinCERT. Specialists expect that the vulnerability will be fixed in 3DS version 2.0, the transition to which is expected in the near future. For now, ChronoPay experts recommend that payers be attentive when making online payments.

2016: 3D Secure version 2.0

3D-Secure from the international payment system Visa, which requires an additional password for online card payments, has begun to become obsolete. The development of mobile devices and e-commerce requires greater speed, convenience and security of online payments. For this reason, and also out of a desire to get rid of Visa, a number of the largest payment systems, banks and e-commerce companies that joined together in the international consortium EMVCo announced last year plans to develop their own version of the card payment protection technology, 3D-Secure 2.0.

The e-commerce environment has changed significantly over the years of its existence, and EMVCo is preparing 3D Secure version 2.0, aiming to contribute to a global, interoperable and maximally convenient environment for users of new payment means and methods such as mobile phones and in-app purchases.

The release of the documentation is planned for the first half of 2017; at the same time, Visa says that it is already taking the necessary steps so that Verified by Visa and the cardholder authentication service are ready before the production launch, by the middle of next year.

However, the plastic card industry giant notes that, to give all interested organizations enough time to implement new products and services, the company will refrain from applying certain rules to 3D Secure 2.0 transactions, such as protection against fraudulent chargebacks, until the program's activation date.

Activation dates will vary by region. In Europe, where the first version of 3D Secure already works almost everywhere, version 2.0 will most likely be introduced in April 2018, but dates for other markets have not yet been determined.

The main difference between 3D-Secure 2.0 and the first version is that the decision to confirm a payment transaction will be made on the basis of new parameters. In particular, data about the device from which the payment is made, browser settings, the IP address, e-mail and other data will be taken into account. In addition, an intelligent decision-making mechanism based on analysis of the user's behavioural activity will be used for authentication.

See also: Mir started testing 3D-Secure 2.0

2014: Visa and MasterCard drop passwords for 3D Secure

In November 2014, Visa and MasterCard announced plans to eliminate the need for password authentication on the Verified by Visa and SecureCode platforms, which were developed to add an additional level of security to online transactions[2].

MasterCard's press release said that a feature of the updated 3D Secure system, which will replace the current system this year, will be the use of "more extensive data on card holders" to reduce password delays in the payment process. If an authentication request is required, MasterCard is going to replace the static password with one-time passwords and fingerprint biometrics. MasterCard is also running commercial trials of facial and voice recognition applications for future use as authenticators, and of wristbands that authenticate by heart rhythm.

Threatpost asked MasterCard to explain what the company meant by "more extensive data of the card holder", but had not received an answer at the time of publication.

3D Secure is a card-not-present payment protocol drafted by Visa and implemented by some other payment companies. It was developed to address the growing problem of fraudulent purchases made online. When a user of Verified by Visa or SecureCode passes card information to the merchant, the merchant sends the payment data to Visa or MasterCard. The payment company sends an iframe that shows the user an additional password authentication form. If the client enters the correct password, the merchant receives an authorization code for the transaction.

At the same time, the 3D Secure protocol is criticized because it requires users to memorize yet another complex password, and also for its interface, which is often mistaken for a phishing scheme.

"All of us want a payment procedure that is safe and at the same time simple, not one or the other," said Ajay Bhalla, president of MasterCard for security issues. "We are going to identify people by who they are, not by what they remember. We have to remember too many passwords, and that creates additional problems for customers and businesses."

See also

  • Assist Antifraud is an intelligent system of counteraction to fraud for use within an online store.

See also: Payment systems and services