3DS Overview
Integrate 3D Secure authentication in Bamboo using external or Bamboo-managed flows. Compare integration options and learn how to include 3DS data in your purchase requests.
What is 3D Secure?
3D Secure (often abbreviated “3DS”) is a security protocol for online card payments intended to add an additional layer of protection in card-not-present (CNP) transactions. It’s designed to help confirm that the person making the purchase is the legitimate cardholder, reducing the risk of fraud.
When 3DS is active, the card issuer (or another identity authority) evaluates the transaction during checkout. If the issuer deems it necessary, the customer may be prompted to provide extra verification (for example, a one-time password (OTP), biometric check, or other challenge) before the transaction proceeds.
Why use 3D Secure?
Implementing 3DS offers several advantages:
Fraud mitigation
By introducing a verification checkpoint, 3DS helps filter out unauthorized or suspicious transactions before funds move.
Liability shift (when applicable)
In many cases, if a transaction passes 3DS authentication, the liability for certain types of chargebacks shifts from the merchant to the issuer (depending on scheme rules).
Regulatory compliance
In regions with strong authentication requirements (e.g. PSD2), 3DS is often required or strongly recommended to comply with the law.
Better user experience (with 3DS2)
The newer version, 3DS2, supports frictionless authentication and native mobile flows, reducing disruptions to the checkout flow.
Risk-based authentication
3DS2 enables risk assessment based on transaction data. Low-risk cases can be authenticated transparently (no extra steps), while higher-risk ones can receive a challenge.
3D Secure 2 (3DS2)
3DS2 is the evolved version of the original protocol and introduces improvements in security, flexibility, and usability.
Frictionless flow
Many legitimate transactions may be authenticated behind the scenes (i.e. no visible user challenge) by leveraging rich data (device, behavior, transaction details).
Mobile-native support
3DS2 is designed with mobile payments in mind, enabling smoother flows within apps or mobile web.
Modern authentication
In addition to OTPs, issuers can offer biometric validation, push notifications, or other newer methods.
Rich data sharing
Merchants can supply contextual information (device info, shipping, transaction history) to help issuers make better decisions.
Versioning and fallback
Supports multiple protocol versions (e.g. 2.0, 2.1, 2.2) with built-in compatibility fallback mechanisms.
Because of these features, 3DS2 strikes a better balance between security and user experience.
How the 3D Secure Process Works
The 3D Secure (3DS) process relies on several components that work together to verify the cardholder’s identity and enhance transaction security.
1. 3DS Server
The process starts with the 3DS Server, which manages the authentication request on behalf of the merchant. It gathers relevant information about the transaction and the cardholder and securely prepares the data needed to initiate the 3DS process.
2. Directory Server (DS)
The Directory Server routes the authentication request to the correct Access Control Server (ACS). It ensures the request reaches the issuer’s domain securely.
3. Access Control Server (ACS)
The ACS is the issuer’s authentication domain. It evaluates the transaction’s risk and decides whether to approve it silently or issue a challenge for further verification.
4. Challenge & Verification
If a challenge is triggered, the cardholder is prompted to verify their identity — e.g., with an OTP, biometric check, or push notification. If successful, the transaction continues. Otherwise, it is declined.
5. Finalization
Once the ACS returns a decision (either frictionless approval or post-challenge confirmation), the result is relayed back. The transaction is either completed or rejected accordingly.
Integration Options
Bamboo supports two methods for integrating 3D Secure authentication. External authentication is currently available. Bamboo-managed flows will be available soon.
External Authentication
Include authentication data from a third-party provider in the purchase request.
This enables external 3DS verification to be recognized within Bamboo’s processing flow.
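A pre-submission consistency check for externally obtained authentication data, as an added example that is not Bamboo's code. It assumes the third-party provider returns the EMV 3DS message field names (`transStatus`, `eci`, `authenticationValue`, `dsTransID`, `messageVersion`), which may differ from Bamboo's purchase request fields, and it covers the fully-authenticated ECI values for Visa and Mastercard only.

```python
import base64
import re

# Assumption: keys are EMV 3DS message field names, not Bamboo's request schema.
# ECI that signals full authentication, per scheme (Visa and Mastercard only).
ECI_AUTHENTICATED = {"visa": "05", "mastercard": "02"}
UUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

def check_external_3ds(auth, scheme):
    """Return a list of problems; an empty list means the result is usable."""
    problems = []
    status = auth.get("transStatus")
    if status == "C":
        problems.append("challenge not completed yet")
    elif status != "Y":
        problems.append(f"transStatus {status!r} is not a successful authentication")
    expected_eci = ECI_AUTHENTICATED.get(scheme.lower())
    if expected_eci is None:
        problems.append(f"no ECI rule for scheme {scheme!r}")
    elif auth.get("eci") != expected_eci:
        problems.append(f"eci {auth.get('eci')!r} does not indicate full authentication")
    # The authentication value (CAVV/AAV) is 20 bytes, sent as 28 base64 characters.
    try:
        raw = base64.b64decode(auth.get("authenticationValue", ""), validate=True)
    except (ValueError, TypeError):
        raw = b""
    if len(raw) != 20:
        problems.append("authenticationValue is not 20 base64-encoded bytes")
    if not UUID_RE.fullmatch(str(auth.get("dsTransID", ""))):
        problems.append("dsTransID is not a UUID")
    if not re.fullmatch(r"2\.\d+\.\d+", str(auth.get("messageVersion", ""))):
        problems.append("messageVersion is not a 3DS2 version")
    return problems

# Constructed sample result from a hypothetical third-party 3DS provider.
SAMPLE = {
    "transStatus": "Y",
    "eci": "05",
    "authenticationValue": base64.b64encode(bytes(range(20))).decode(),
    "dsTransID": "11111111-2222-4333-8444-555555555555",
    "messageVersion": "2.2.0",
}

if __name__ == "__main__":
    print(check_external_3ds(SAMPLE, "visa"))                          # clean
    print(check_external_3ds({**SAMPLE, "transStatus": "C"}, "visa"))  # pending
```

Running the check server-side, on the provider's response rather than on values echoed back from the browser, keeps a tampered or incomplete result from being attached to the purchase request.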
Bamboo Authentication
Handle the full 3DS flow via Bamboo.
Redirection to the issuer’s challenge page is triggered automatically when needed via the Direct API.
Updated 15 days ago
