3D Secure (3DS) in the US hasn’t become an industry standard the way it has in the European Union and many other regulated markets. We’ll cover the reasons why, but what’s important is that this trend is changing. US businesses are realizing that modern 3DS can reduce fraud without hurting conversion rates, and that waiting to adopt 3DS comes with risks.
To fully understand 3DS in the US, we’ll cover:
3DS adds a layer of security to online transactions. It’s a protocol designed to reduce fraud during card-not-present transactions, where either the card or the cardholder isn’t physically present.
Instead of relying solely on credit card details, 3DS introduces an authentication step at checkout. The goal is to quickly determine whether a transaction is legitimate using signals like the device being used, purchase behavior, and issuing bank risk models. If a transaction is low-risk, 3DS allows it without interrupting the customer. This is known as a frictionless flow. When authentication is needed, a challenge flow is initiated that requires customers to verify their identity before the transaction goes through, often using:
For many customers, 3D Secure is nearly invisible, especially with newer implementations. On mobile browsers or in apps, 3DS2 (the latest version of the 3DS protocol) runs entirely in the background for trusted purchases.
When verification is needed, customers might see a branded screen from their bank asking them to confirm the purchase with Face ID, fingerprint, or a passcode. In some cases, they’ll approve the transaction in their banking app without leaving the checkout flow. These options ensure challenge flows create as little friction as possible.
This is what happens in the background for 3D Secure purchases:
This process only takes a few seconds but it makes a major difference in fraud detection, especially for e-commerce transactions and mobile payments. This is because traditional signals like physical signatures and chip readers don’t apply to these transactions.
The first version of the 3DS protocol (3DS1) was clunky, slow, and unfriendly to users. Customers were redirected to unfamiliar pages, asked to enter static passwords, and they frequently dropped out of the checkout process altogether. This increased transaction abandonment and frustrated merchants. These issues had a lasting impact on the US, resulting in a lower adoption rate.
3DS2 is a completely overhauled version of the protocol that prioritizes speed, flexibility, and mobile compatibility. The updated version introduced:
These changes significantly improved the customer experience. Frictionless flows were better supported, and issuing banks still had enough control to challenge high-risk and fraudulent transactions in real time.
3D Secure still isn’t mandatory in the US but momentum is building. In addition to the 3DS2 improvements, there are a few other factors accelerating adoption:
It’s sometimes assumed that 3DS is only necessary for large enterprises or international retailers, but that’s no longer the case. If your business accepts online payments, or you handle card-not-present transactions, 3DS is becoming a baseline requirement.
Some businesses are more vulnerable to fraud than others. High-volume e-commerce platforms, digital goods providers, and subscription services all experience elevated fraud rates and chargebacks.
| Industry | Average Chargeback Rate | Common Triggers |
|---|---|---|
| Digital Goods & Gaming | 1.5% – 2.0% | Account takeovers, subscription fraud |
| Travel & Events | 0.9% – 1.4% | Cancellations, high-ticket disputes |
| Subscription Services | 1.8% – 2.2% | Recurring billing conflicts |
| E-commerce Retail | 0.6% – 1.2% | Friendly fraud, shipping disputes |
When purchases are disputed, whether it’s for real fraud or friendly fraud, you’re liable for any chargebacks. However, liability shifts for purchases that pass 3DS authentication. This means the issuer is liable for fraudulent chargebacks instead of you. So not only does 3DS fight fraud and reduce chargebacks, it can translate into significant revenue retention by shifting liability and reducing the internal overhead of dealing with disputes.
Chargeback rates also need to be kept low to prevent businesses from getting flagged by chargeback monitoring schemes. These schemes are defined and implemented by card networks, and when businesses exceed certain thresholds, card networks can impose fees or block transactions.
Evervault helps businesses realize these benefits by making it easy to implement 3DS, while reducing friction during the checkout process. FlightHub is an online travel agency that operates in an at-risk industry and they decided to use Evervault for 3DS. This resulted in a 33% reduction in fraudulent chargebacks, a 73% reduction in friendly fraud chargebacks, and saved ~65 hours of manual review time per quarter.
Fraud assessment models have gotten very advanced, but there are scenarios they struggle with that 3DS can help with. For example, new customers and guest customers often present a challenge. There’s less information available for these customers, so fraud models have more difficulty determining whether a purchase is legitimate. In these scenarios, especially for higher priced items, models often default to blocking the transaction or flagging it for manual review. If you support 3DS, you can instead pass these transactions through the authentication process. If it succeeds, you’ve saved the transaction without any manual review, and you can use the successful authentication as a positive signal for that customer profile. If the authentication fails, you can flag the card and customer details from that transaction as suspicious for future reference.
Adopting 3DS can also have positive impacts on your brand. Customers are genuinely concerned about fraud, and having secure authentication methods like 3DS helps build trust. For many global consumers, authentication methods like 3DS and passkeys are actually expected for online payments. And in the US specifically, there’s a trend of more Gen Z and Millennials using updated authentication tools.
As mentioned before, the initial rollout of 3DS wasn’t ideal. This resulted in two primary concerns at the time: that 3DS lowered conversion rates and that it was difficult to implement. Since then, there’s also been a concern that many issuers in the US don’t support 3DS. While there was some validity to these concerns, modern 3DS has resolved many of the original issues. Let’s talk about issuer support first since it feeds into other concerns.
When looking at our own data, 88% of the issuers in the US that we have data for support 3DS. And the percentage of transactions that failed 3DS just because the card wasn’t enrolled (meaning the issuer doesn’t support 3DS) was 0.16%. This actually tracks because many of the major issuers in the US support 3DS. What this means is that 3DS is supported, it’s just not being used.
Even though the number of cards we see not enrolled is relatively small, Evervault built functionality into our 3DS solution to improve the experience in these situations. When a 3DS session is created, we can tell you whether the card is enrolled. If it’s not, you can decide whether to continue with the authorization or take some other action. Evervault only charges for successful authentications so this enrollment check doesn’t cost you anything. It also provides a much better customer experience because you won’t accidentally send customers through a 3DS flow that’s going to fail because the issuer doesn’t support it.
Customer experience improvements, like risk-based authentication and embedded challenge flows, have made conversion rates less of a concern. Risk-based authentication allows low-risk transactions to go through frictionless flows that don't require extra steps. When a challenge occurs, customers can complete the process within the checkout flow, often through biometric prompts, mobile banking apps, or one-time codes that are already familiar to most consumers.
Redirects are commonly flagged for negative impacts on conversion rates, and this is actually still an issue with the current protocol. During a challenge flow, these redirects transition customers out of the checkout flow to a completely different page. This is now an unnecessarily disruptive process because you can use embedded challenge flows instead. In these flows, customers complete challenges in a modal as a part of the checkout process instead of a different page.
Even though 3DS2 was designed to support embedded challenge flows, many 3DS providers themselves still use redirects. So the concern about redirects and conversion rates is still justified, but you can avoid it by choosing a 3DS provider like Evervault that fully supports embedded challenge flows.
Challenge preferences are another way to control your 3DS implementation and improve conversion rates. On every authentication request, you can specify a preference for challenging the customer or not. This increases the chances of a frictionless 3DS flow for low-risk transactions, while ensuring challenges for transactions you want authenticated. The issuer, however, still makes the final decision based on its own risk assessment.
Outside the European Economic Area (EEA), fail-on-challenge flows are becoming popular. These flows let you attempt 3DS authentication to secure a liability shift, but if a challenge is required, the authentication is automatically skipped and the transaction proceeds to authorization. This approach is ideal for companies that prioritize a frictionless customer experience, while still benefiting from liability protection when a frictionless flow is available. With Evervault, you can implement this with a straightforward flag in the authentication request.
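The enrollment check, authentication outcomes, and fail-on-challenge behavior described above can be compared side by side in code. This is an added Python example, not Evervault's API or code: the status strings, field names, the rule for unenrolled cards, and declining on a failed authentication are all assumptions, and the sample sessions are constructed.

```python
from dataclasses import dataclass

# Hypothetical status values for a 3DS session; not taken from any provider's API.
NOT_ENROLLED = "not_enrolled"
FRICTIONLESS = "frictionless_success"
CHALLENGE_REQUIRED = "challenge_required"
FAILED = "failed"

@dataclass(frozen=True)
class Decision:
    action: str            # "authorize", "challenge", "review" or "decline"
    liability_shift: bool  # True only when 3DS authentication succeeded
    flag_suspicious: bool  # record card/customer details for future reference

def decide(status, amount, fail_on_challenge, unenrolled_limit=100.0):
    """Map a 3DS session status to the merchant's next step."""
    if status == NOT_ENROLLED:
        # Issuer does not support 3DS, so the merchant chooses. Assumed rule:
        # authorize small amounts unauthenticated, send the rest to review.
        action = "authorize" if amount <= unenrolled_limit else "review"
        return Decision(action, False, False)
    if status == FRICTIONLESS:
        return Decision("authorize", True, False)
    if status == CHALLENGE_REQUIRED:
        if fail_on_challenge:
            # Authentication is skipped, so no liability shift applies.
            return Decision("authorize", False, False)
        return Decision("challenge", False, False)
    if status == FAILED:
        return Decision("decline", False, True)  # assumed merchant policy
    raise ValueError(f"unknown 3DS status: {status!r}")

def after_challenge(passed):
    """Outcome once the customer completes (or fails) an embedded challenge."""
    return Decision("authorize", True, False) if passed else Decision("decline", False, True)

def summarize(sessions, fail_on_challenge):
    """Count actions and liability-shifted authorizations for one policy."""
    counts = {"authorize": 0, "challenge": 0, "review": 0, "decline": 0, "shifted": 0}
    for status, amount in sessions:
        d = decide(status, amount, fail_on_challenge)
        counts[d.action] += 1
        counts["shifted"] += d.liability_shift
    return counts

# Constructed sample sessions: (status, amount in USD).
SAMPLE = [(FRICTIONLESS, 40.0), (FRICTIONLESS, 900.0), (CHALLENGE_REQUIRED, 250.0),
          (CHALLENGE_REQUIRED, 30.0), (NOT_ENROLLED, 60.0), (NOT_ENROLLED, 700.0),
          (FAILED, 120.0)]
```

Running `summarize(SAMPLE, True)` and `summarize(SAMPLE, False)` shows the trade-off: fail-on-challenge authorizes more transactions immediately, but the ones that skipped a challenge carry no liability shift unless the customer later passes one.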
Looking at our own data, 3DS performs surprisingly well in the US. Overall, 86.4% of 3DS sessions succeeded, which included frictionless flows, challenged authentications, and scenarios where the card network completed the authentication rather than the issuer. Even more striking, 74% of transactions were frictionless, higher than in the UK (63.5%) and Germany (62.2%), where 3DS has been mandatory for years. Despite being less prevalent, 3DS in the US can deliver a smooth and effective authentication experience, rivaling or even exceeding countries with long-standing 3DS adoption.
There are different ways to implement 3DS, with varying degrees of difficulty. Many businesses rely on their payment gateway’s solution, which offloads the implementation work but comes at a cost. It locks businesses into individual vendors which means limited flexibility, and little control over performance. It also means you can’t change what your 3DS solution looks like, and you can’t use logic like Evervault’s preauthorization checks to verify cards are enrolled in 3DS. These issues are compounded if you use multiple PSPs because you have to set up 3DS with each provider.
Evervault’s 3D Secure product isn’t a wrapper around legacy technology like other solutions. We built it from scratch so it’s simple to integrate and scalable. You can add it as a standalone service independent of your payment processor, and you can tailor it to fit your checkout and risk model. That means you control when to move forward with authorizations, and you can customize the experience with your own copy, fonts, and colors. Our solution doesn’t use redirects either, so customers stay within your checkout flow regardless of whether you have a mobile app, a single page application (SPA), or a progressive web app (PWA).
After deciding to implement 3D Secure, the next step is choosing the right solution. Not all providers are the same, and the way you integrate 3DS can make a big difference. The ideal 3D Secure solution should:
Many gateway-provided 3DS tools fall short in one or more of these areas. It's also common for them to be tailored to the gateway rather than your own business logic, fraud patterns, and customer experience goals.
Evervault doesn’t have any of the constraints that gateway-provided solutions have. Instead of bundling 3DS inside a tightly coupled gateway or payment processor, Evervault offers it as a modular, standalone layer that works across multiple payment providers. This means you can:
Evervault’s 3DS solution was built from scratch for developers. Using our API, you specify how you want 3DS to behave, and then Evervault converts that into a request that fits both the 3DS specification, and the card issuer’s preferences. Evervault even processes error codes from issuers so that you receive human-readable errors instead of cryptic messages that make debugging difficult.
With Evervault, you don’t have to understand the full 3DS specification, and you don’t have to work through a lengthy integration process. You essentially create a 3DS session (which returns an ID), and then render the 3DS modal on the frontend using the session ID and one of our SDKs. Compared to other providers, this cuts down the integration to a couple of steps, and you can go live in minutes. Check out our website to get started.