
TLDR
3D Secure (3DS) is both a fraud-prevention protocol and a legal requirement for online card payments in the UK. It has been enforced since 2022 under PSD2's Strong Customer Authentication (SCA) rules.
When a 3DS-authenticated transaction is later disputed as fraudulent, liability shifts from you to the card issuer. Without 3DS, chargebacks default to the merchant.
The UK leads European 3DS success rates at 95%, but frictionless rates are falling globally — more customers are now encountering authentication prompts at checkout.
Teya's hosted checkout automatically manages 3DS on every qualifying transaction, with no technical configuration required on your part.
A convenience store in Brighton started taking online orders for gift hampers last Christmas. Card-present sales on the counter remained the core of the business, and the terminal handled the bulk of daily revenue without issue.
Three weeks into January, a chargeback notification arrived on an online order. The customer disputed the payment as fraudulent. The retailer had no authentication record, and the dispute went against them.
3D Secure exists exactly to prevent situations like that. For any business with an online payment channel, understanding how it works and making sure it's active directly affects your exposure to fraud and disputed transactions.
What Are 3D Secure Card Payments?
3D Secure (3DS) is a fraud-prevention protocol that adds an identity-verification step to online card payments. When a customer makes a purchase on a website, the card issuer and the payment provider exchange data in real time to verify the cardholder's identity before the transaction completes.
The "3D" refers to the three parties involved:
the acquiring bank (your payment provider),
the issuing bank (your customer's bank),
and the card network, such as Visa or Mastercard.
The current version, EMV 3DS (also called 3DS2), replaced the original from the early 2000s.
The old version redirected customers to a separate page to enter a static password: a slow, frequently abandoned step at checkout. 3DS2 runs the risk assessment silently behind the scenes, and in most cases the customer sees no extra step at all.
PSD2, SCA, and the Compliance Requirement
3D Secure became a legal requirement in the UK under Strong Customer Authentication (SCA) regulations, which the Financial Conduct Authority (FCA) fully enforced for online payments starting in March 2022.
SCA requires that transactions above £30 be verified using at least two of three factors:
Something the customer knows (a password or PIN).
Something the customer has (their mobile phone or card reader).
Something the customer is (a fingerprint or face ID — a category that reflects how secure payment technologies continue to evolve).
Note: Even for purchases under £30, SCA will automatically be triggered if a customer makes multiple consecutive low-value purchases or reaches a combined spending total of £100.
Transactions that don't meet SCA requirements can be declined by the issuing bank outright: not disputed after the fact, but blocked at the point of payment. For a business relying on online orders, declined payments mean lost sales with no recourse.
In-person card transactions already satisfy SCA automatically: the physical card gives possession, and the PIN gives knowledge. Online, that work falls to your payment technology.
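The low-value rule from the note above, written out as an added example (not Teya's or any issuer's code). It tracks a card's counters since the last SCA and decides when the next online payment must be authenticated. The £30 and £100 limits come from this page; the limit of five consecutive payments is an assumption, as are all names in the code.

```python
from dataclasses import dataclass
from decimal import Decimal

SINGLE_LIMIT = Decimal("30")       # from the page: SCA applies above £30
CUMULATIVE_LIMIT = Decimal("100")  # from the page: combined total of £100
MAX_CONSECUTIVE = 5                # assumption: the page says only "multiple consecutive"


@dataclass
class CardCounters:
    """Per-card state kept since the last successful SCA."""
    count: int = 0
    total: Decimal = Decimal("0")


def requires_sca(counters: CardCounters, amount) -> tuple[bool, str]:
    """Decide whether one online payment must be authenticated.

    Assumes a required SCA succeeds, which resets both counters.
    A payment of exactly £30 is treated as low-value.
    """
    amount = Decimal(str(amount))
    if amount > SINGLE_LIMIT:
        reason = "amount above single-payment limit"
    elif counters.count + 1 > MAX_CONSECUTIVE:
        reason = "consecutive low-value limit reached"
    elif counters.total + amount >= CUMULATIVE_LIMIT:
        reason = "cumulative low-value total reached"
    else:
        counters.count += 1
        counters.total += amount
        return False, "low-value, no SCA"
    counters.count, counters.total = 0, Decimal("0")
    return True, reason


def replay(amounts) -> list[tuple[bool, str]]:
    """Run a sequence of payments on one card through the rule."""
    counters = CardCounters()
    return [requires_sca(counters, a) for a in amounts]


if __name__ == "__main__":
    # Constructed sample: seven online payments on the same card, in pounds.
    sample = [12, 25, 28, 20, 18, 9, 45]
    for amount, (sca, reason) in zip(sample, replay(sample)):
        print(f"£{amount:>3}  SCA={sca!s:<5}  {reason}")
```

In the sample, the fifth payment (£18) is the one that triggers authentication: it is under £30 on its own but would take the running total past £100.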
How 3DS2 works in practice
Most 3DS2 transactions are frictionless. The card issuer receives enough data (device fingerprint, IP address, transaction history, browser session) to assess risk without prompting the customer. The payment completes silently, and the shopper experiences no interruption.
When risk is higher, a challenge flow is triggered. The customer receives a push notification or one-time passcode from their bank to confirm the transaction. It adds a step, but it's brief and familiar to most UK cardholders who regularly use online banking.
According to Ravelin's 2026 3DS data, the UK leads European 3DS success rates at 95%, a global record. But frictionless rates are falling in 76% of tracked countries, meaning more customers are encountering challenge flows, and the checkout experience is under pressure across the board.
The case for 3DS: liability shift
When a transaction is authenticated via 3DS and a customer later disputes it as fraudulent, the liability for that chargeback moves from you to the card issuer. Without 3DS on an online transaction, the chargeback goes against the merchant by default.
For a gym selling class packs online or a retailer taking deposit payments through its website, a handful of disputed transactions each year adds up fast. With 3DS active, those disputes become the card network's responsibility, not yours.
Exemptions to 3D Secure Payments And Their Limits
Some online transactions fall outside SCA requirements. Low-value payments under approximately £25, recurring charges where the initial transaction was already authenticated, and payments from customers who have pre-approved a merchant can all qualify for exemptions.
Payment providers with very low fraud rates can also apply for Transaction Risk Analysis (TRA) exemptions, processing payments without triggering SCA checks as long as fraud stays within strict thresholds.
But exemptions are not automatic. The same Ravelin data shows 78% of merchants now use exemptions, and issuing banks are tightening their assessments and denying requests more frequently. Treating exemptions as a reliable shortcut carries a real risk of increased payment declines.
How Teya's hosted checkout handles 3DS
Setting up SCA compliance manually requires technical integration across your payment stack, which most local businesses aren't equipped to handle themselves.
Teya's hosted checkout for online payments manages 3D Secure as part of the standard payment flow. There's no separate configuration: authentication runs automatically on every transaction that requires it. You can find more detail on how hosted checkout works in the Teya Help Centre.
Card data never passes through the merchant's own systems. Customers enter payment details on a Teya-hosted, PCI DSS-compliant page, with all major cards, Apple Pay, and Google Wallet supported as standard.
Shopify and WooCommerce integrations are available for businesses that already run online stores through those platforms, with setup in minutes and no technical expertise needed.
For a pub taking advance deposits for function bookings, or a florist accepting online orders ahead of Valentine's Day, that means the authentication layer is in place, without adding anything to manage.
3D Secure Card Payments Protect Online Transactions
3D Secure is a legal requirement for online card payments in the UK, not optional infrastructure. It protects your business from fraud, shifts chargeback liability away from you, and adds minimal friction for customers when correctly implemented.
The UK's 95% 3DS success rate is the highest in Europe, but that only applies to transactions going through authenticated checkout flows. Businesses processing online payments without 3DS active are exposed to risks on every single one.
If your online payments aren't yet covered, speak to Teya's team about how hosted checkout can handle authentication for you.
Team Teya
