What is 3DS 2.0 ?#

3DS 2.0 is an authentication protocol for payment of online transactions that has 3 levels of validation (3D): trade, brand and issuer.

It is the most current version of the 3-Domain Secure (3DS) authentication protocol, designed to authenticate e-commerce transactions with credit, debit or prepaid cards. It adds a layer of protection by requiring cardholder authentication through unique codes per transaction (such as tokens via SMS or available through the issuing bank's app), PINs, or other validation methods (such as a direct action through the app via a push). Its security protocol is used by the main card brands around the world.

In its version 2.0, the 3DS protocol brings a significant update compared to the original 3Ds version, with improvements mainly in security and user experience.

Carat offers support for 3D-Secure 2.0 transactions through two different integrations:

  • 3DS Server
  • Web Checkout

Some of the key improvements in 3DS 2.0 include:

  • Risk-based authentication: 3DS 2.0 utilizes additional information, such as the buyer's transaction history and device information, to assess fraud risk in real-time. This enables the card issuer to evaluate risk more accurately and determine whether additional validation is necessary.
  • Streamlined user experience: 3DS 2.0 offers a simplified and less intrusive authentication flow for the buyer, with fewer redirects to other pages or the need to enter passwords.
  • Mobile device support: 3DS 2.0 is designed to work seamlessly on mobile devices, with features like biometric authentication that make the authentication process easier and more convenient for the buyer.

In summary, 3DS 2.0 is a significant upgrade to the 3-Domain Secure authentication protocol, making e-commerce transactions more secure and convenient for buyers.

Benefits for the consumer#

  • Greater acceptance of debit cards: allows the use of the card in the debit function when purchasing online.
  • More security: as safe as in-person purchases with a chip/password or by contact.
  • Fraud reduction: the system performs authentication to confirm that the buyer is truly legitimate, preventing card scams.

Benefits for the online retailer#

  • International safety standard.
  • Possibility of expanding sales with debit card transactions and, in normal scenarios, greater conversion compared to the traditional process (CNP).
  • Authenticated transactions prevent fraud chargebacks. The issuing bank now guarantees the transaction, as upon successful authentication there is a change of responsibility (“Liability Shift”). If the transaction is authenticated, responsibility passes from the Merchant to the Issuing Bank.
  • Reduction of fraud and greater security, both on debit cards and credit cards.
  • Broad integration for a better authentication experience during the purchase process.

How does 3DS 2.0 work?#

During the payment process, if the buyer's card BIN is enabled in the respective brand's 3D-Secure, when entering the card details on the payment screen, the 3DS 2.0 APIs enable the collection of purchase information and send the data to the Issuing Bank. This one, using the data provided, will decide whether the cardholder's identity should be verified or not. If the data is sufficient, buyer authentication will be carried out without interaction on your part. This is then called silentor frictionless authentication. Some of the major improvements in 3DS 2.0 include:

If, during authentication, the data is not sufficient to validate the cardholder, an additional process (known as “step up”) requested by the issuing bank may be necessary, with the aim of verifying the identity of that cardholder. This authentication process in which an interaction is required from the cardholder is called challenge. In this additional step, various methods can be included, such as security code verification, biometric authentication, token validation, approvals on the buyer's mobile device or others.

That's why, it is important to emphasize that the more data the merchant can send about the transaction and the customer, the greater the chances of obtaining silent authentication.

What are the advantages of 3DS 2.0?#

The main advantage is the Liability Shift of fraudulent chargebacks. If the transaction is authenticated, the liability shifts from the Merchant to the Issuing Bank. In other words, for authenticated transactions, the Merchant does not receive chargebacks due to fraud, thus mitigating financial losses. Additionally, there are several other benefits, such as:

  • Broad support for devices and authentications
  • Streamlined checkout flow
  • Smarter decision-making based on risk analysis
  • Higher authorization rates and fewer false positives

Authentication vs Authorization#

During a payment with authentication, one might have the impression that the authorization and authentication processes are the same. However, a successful authentication does not guarantee payment authorization as these are distinct features:

  • Authentication: process to ensure that the cardholder is the legitimate owner of the card.
  • Authorization: process used by an Issuer to approve or decline a Purchase Transaction from a Merchant/Acquirer.

While Authentication is the process that validates the user's identity, Authorization is the process that verifies whether the presented card can be used for the purchase after the authentication is validated. It is important to be aware that these features occur in the same flow but can have different outcomes, which will reflect in the final response.


The 3DS 2.0 protocol is valid for all online transactions with cards, both debit and credit, and for debit cards, the use of 3DS is mandatory (except for businesses registered in the “debit without password” program). in the Abecs model), and for credit cards, the use of the 3DS is optional.

The main acquirers in Brazil are available for the Fiserv Gateway, as well as the most important brands.

How to activate#

The merchant must contact Fiserv's commercial representative and request the inclusion of the 3DS 2.0 service in the Carat contract. After requesting and contracting the service, with the assistance of the implementation team, the retailer must access the Carat online documentation in the 3DS Overview section and begin the technical integration in your site.

To configure the environment, the merchant needs to provide the following information:

  • Merchant ID of the acquirer: unique identification code generated by the acquirer for the merchant
  • MCC (Merchant Category Code): standard code that identifies the merchant’s field of activity

If you are not a Fiserv (BIN) purchaser, also inform:

  • Acquire Bin.


Check below is the acceptance of issuers regarding 3DS.

Important: Authentication Results.

Banco do Brasil-Credit/DebitCredit/DebitCredit/Debit
Banestes-CréditoNo informationNo information
Banco Pan--Credit/DebitCredit/Debit
Digio ---Credit/Debit
C6 Bank--Credit/Debit-
Agibank--No informationNo information
Tribanco--No informationNo information
BS2--No informationNo information
BTG Pactual--Credit/Debit-
Porto Seguro--CreditCredit
Banese -Credit--
Realize --CreditCredit
Crefisa -Credit/Debit--
Will Bank--Credit/Debit-