3-D Secure, also called 3DS, is a globally accepted authentication solution designed by card schemes' network "EMVCo" to make card-not-present (CNP) transactions more secure. The three domains consist of the merchant / acquirer domain, issuer domain, and the interoperability domain (e.g., payment systems).

3-D Secure provides an additional layer of security for CNP transactions before authorization. It enables the exchange of data between the merchant, card issuer and, if necessary, the cardholder to verify that the rightful owner of the account is making the transaction.

HiTRUST is a certified EMVCo vendor supporting major solutions in the 3-D Secure ecosystem: 3DS Server, Access Control Server (ACS), Risk-based authentication (RBA) and SDK for Android and iOS. HiTRUST not only occupies the market in the greater China region, also has been providing global authentication services for over two decades.

In 3-D Secure 2.0, there are two transaction flows, Challenge and Frictionless. When risk-based authentication is performed in the ACS, frictionless flow allows issuers to approve a transaction without interacting with the cardholder. For cardholders, simply click "Buy" and the payment is approved. With Frictionless flow, you can have a better customers checkout experience, fewer redirecting pages, faster approval and minimized checkout abundance.

On the other hand, Challenge flow requires OTP or OOB where cardholder is asked to authenticate themselves to make sure the transaction is initiated by the rightful owner.


3DS Server is the component that initiates the authentication, providing merchants, acquirers and payment gateways with 3DS protection, which shifted away the fraud loss liability. Also, 3DS Server enhances transaction security and reduces cart abandonment. HiTRUST3DSsvr supports all six major card schemes: Visa, Mastercard, American Express, China Union Pay, JCB and Discover.

Risk-based authentication (RBA), usually works with Access Control Servers (ACS), is to perform evaluation of a transaction's risk profile, analyzing various data related to the transaction, cardholder and merchant.

RBA allows the issuers to authenticate their cardholders for low-risk transaction without asking additional information (Frictionless flow) for low-risk transaction, and to perform authentication only for suspicious transactions (Challenge flow) through methods such as OTP.

Veri-ID is the risk-based authentication solution of HiTRUST. The AI modules can self-learn and generate a customized RBA model to protect the financial institutions from, fraud, increase the frictionless rate and deliver a better experience for all stakeholders.

The Payment card Industry Data Security Standard (PCI-DSS) is an information security standard mandated by the card schemes to ensure that a secure environment is maintained for all parties involved in receiving, processing, storing, or transmitting credit card information. Specifically, it refers to the technical and operational standards that all parties need to follow to protect credit card data.

For customers who implement HiTRUST 3DS Cloud Service, since HiTRUST has already obtained PCI-DSS certification and is updated annually, the customers' 3DS environment does not need to pass PCI-DSS certification.

For both HiTRUST3DSsvr and HiTRUSTacs, HiTRUST provides On-premise and Cloud Service solutions. On-premise requires you to build the testing/production environment and maintain the servers. Cloud Service is ready to go and you may follow our APIs to go through the integration process.

HiTRUST supports all six major card schemes: Visa, Mastercard, American Express, China Union Pay, JCB and Discover.

For HiTRUST 3DS Cloud Service, we have created easy-to-use interfaces. Simply integrate the servers based our APIs and the cloud service is ready to use.

For On-premise solutions, please contact us for more information.

Merchants may choose to take advantage of the benefits of 3DS, including liability shift protection. It means that when an issuer authenticates an e-commerce transaction, they are confident that the rightful owner initiates the transaction and if the transaction turns out to be fraudulent, they will take responsibility for the fraud. Conversely, if the merchant sends a transaction without 3DS, the fraudulent liability falls to the merchant.

Issuers are mandated for 3DS. In some cases, if an issuer is not participating in the 3DS, the directory server (DS) operated by the card schemes will step in and bypass the authentication. However, the liability remains with the issuer.

When 3DS 1.0 first launched in the online card schemes 20 years ago, mobile shopping was still not a major trend. Therefore, there are some compatibility issues when cardholders use diverse devices. All major card schemes have announced that the time for 3DS 1.0 sunset will be mid-October 2022.

3-D Secure 2.1 supports mobile device (both browser and APP), OOB authentication (for example, Face-ID or Touch-ID authentication in APP) and the most crucial feature called Frictionless flow, which provides an excellent user experience.

3-D Secure 2.2 supports SCA exemptions for EEA region, payment authentication in merchant-initiated transaction (3RI Environment) and decoupled authentication. Mastercard required all endpoints to support 3-D Secure 2.2 before July 2023.

HiTRUST hybrid solution supports all the above versions. Although 3DS 1.0 is going to sunset, during the period of transition that some issuers and merchants are still using 1.0 and some have adopted 2.x, it would be wise to have the ability to support all of them.


ACS is the component operates in issuer domain to verify if the rightful owner of the account is making a transaction. In most cases, ACS works with risk-based authentication server to prevent fraud and determine whether Frictionless flow or Challenge flow should be applied. In addition to RBA, ACS generally works with card systems, Hardware Security Modules (HSM), (OTP) and Short Message Service (SMS).


SDK provides 3DS transaction functionality for merchants using native APPs. HiTRUST3DSSDK offers easy-to-use and straightforward integration to a fully certified and highly advanced SDK for data retrieving/transmitting, and processing challenges on behalf of 3DS Server.

The PCI-3DS Core Security Standard provides a framework for these critical 3-D Secure functions to implement security controls that support the integrity and confidentiality of 3DS transactions. The standard applies to parties that perform or provide 3DSs, DS, and ACS functions. Third-party service providers that can impact these 3DS functions or the security of the environments where these functions are performed may also be required to meet PCI-3DS requirements.

For customers who implement HiTRUST 3DS Cloud Service, since HiTRUST has already obtained PCI-3DS certification and is updated annually, the customers' 3DS environment does not need to pass PCI-3DS certification.

HiTRUST 3DS Cloud Service is easy to access via APIs, and is maintained and upgraded by HiTRUST. This will benefit for those looking for a solution that can be deployed in a short time without the need for a large number of in-house IT engineers.

HiTRUST On-premise solution requires on-site deployment and should be connected with card schemes for integration tests. PCI-DSS, and in some cases PCI-3DS certifications are required. But all the transaction data are stored domestically.

HiTRUST has rich experience assisting our customers in enrolling in each card schemes.

HiTRUST will guide you through the setup requirements.