3D Secure (3DS)

Integrate 3D Secure authentication in Bamboo using external or Bamboo-managed flows. Compare integration options and learn how to include 3DS data in your purchase requests.


What is 3D Secure?

3D Secure (3DS) is a cardholder authentication protocol designed to add an extra layer of security to online card transactions. It enables issuers to verify payer identity during checkout, reducing fraud in card-not-present (CNP) environments.

When authentication is required, the issuer evaluates the transaction and may request additional verification from the payer (OTP, biometric, push approval, or other challenge).


Why use 3D Secure?

Implementing 3DS offers several advantages:

Fraud mitigation

Adds an authentication checkpoint that reduces unauthorized transactions.

Liability shift (when applicable)

For certain schemes and regions, successful 3DS authentication may shift chargeback liability to the issuer.

Regulatory compliance

Required for Strong Customer Authentication (SCA) under PSD2 and other regulatory frameworks.

Better user experience (with 3DS2)

Supports frictionless flows, meaning many transactions authenticate without visible user interaction.

Risk-based authentication

Issuers can authenticate silently when the transaction is considered low risk.


3D Secure 2 (3DS2)

3DS2 introduces mobile-first flows, richer data exchange, frictionless authentication, and improved issuer decisioning.

Frictionless flow

Authentication may occur without a challenge, improving conversion rates.

Mobile-native support

Optimized for mobile web and native applications.

Modern authentication

Enables OTP, biometrics, and issuer app push approvals.

Rich data sharing

Merchants can provide contextual data to improve issuer risk evaluation.

Versioning and fallback

Supports 3DS versions 2.0–2.2 with fallback to previous versions when required.


💡 3DS2 improves both security and payer experience through enhanced authentication and risk-based processing.


How the 3D Secure Process Works

The 3D Secure (3DS) process relies on several components that work together to verify the cardholder’s identity and enhance transaction security.

1. 3DS Server

The process starts with the 3DS Server, which manages the authentication request on behalf of the merchant. It gathers relevant information about the transaction and the cardholder and securely prepares the data needed to initiate the 3DS process.

2. Directory Server (DS)

The Directory Server routes the authentication request to the correct Access Control Server (ACS). It ensures the request reaches the issuer’s domain securely.

3. Access Control Server (ACS)

The ACS is the issuer’s authentication domain. It evaluates the transaction’s risk and decides whether to approve it silently or issue a challenge for further verification.

4. Challenge & Verification

If a challenge is triggered, the cardholder is prompted to verify their identity — e.g., with an OTP, biometric check, or push notification. If successful, the transaction continues. Otherwise, it is declined.

5. Finalization

Once the ACS returns a decision (either frictionless approval or post-challenge confirmation), the result is relayed back. The transaction is either completed or rejected accordingly.
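
The five steps above as a toy model, with a merchant-side check that fails closed on anything other than a successful authentication. This is an added example, not Bamboo's code or API. The `transStatus` codes (Y, N, C, R, U, A) and the AReq message name follow the EMV 3DS specification; the BIN table, risk rules, card numbers and the `known_device` field are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed routing table: card BIN -> issuer ACS host (illustrative only).
ACS_BY_BIN = {"411111": "acs.issuer-a.example"}

@dataclass
class AReq:
    """Authentication request prepared by the 3DS Server (step 1)."""
    pan: str
    amount_minor: int
    known_device: bool  # hypothetical contextual field shared by the merchant

def directory_server_route(areq):
    """Step 2: resolve the issuer's ACS from the BIN; None if no ACS is known."""
    return ACS_BY_BIN.get(areq.pan[:6])

def acs_evaluate(areq):
    """Step 3: toy issuer risk rules -> transStatus Y (frictionless), C or R."""
    if areq.amount_minor > 500_000:
        return "R"
    if areq.known_device and areq.amount_minor <= 5_000:
        return "Y"
    return "C"

def authenticate(areq, challenge_passed=None):
    """Steps 1-5: return (final transStatus, flow taken)."""
    if directory_server_route(areq) is None:
        return "U", "not_routed"  # simplification: authentication could not be performed
    status = acs_evaluate(areq)
    if status == "C":
        # Step 4: a missing or failed challenge result is never treated as success.
        return ("Y" if challenge_passed is True else "N"), "challenge"
    return status, ("frictionless" if status == "Y" else "rejected")

def may_authorize(trans_status):
    """Step 5, merchant side: fail closed; only an explicit 'Y' continues.
    Accepting 'A' (attempt) is a policy choice; this example declines it."""
    return trans_status == "Y"

if __name__ == "__main__":
    for req, passed in [(AReq("4111111111111111", 1_500, True), None),
                        (AReq("4111111111111111", 90_000, False), True),
                        (AReq("4111111111111111", 90_000, False), None),
                        (AReq("9999990000000000", 1_500, True), None)]:
        status, flow = authenticate(req, passed)
        print(flow, status, "authorize" if may_authorize(status) else "decline")
```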


Integration Options

Bamboo supports two methods for integrating 3D Secure authentication. External authentication is currently available. Bamboo-managed flows will be available soon.