Introduction to 3DS

An online transaction is a card-not-present (CNP) transaction: the physical card cannot be presented, so illegal usage and fraud often occur. There are many methods to minimize fraudulent transactions, and one of the most significant is 3DS.


About 3DS

3DS is Three Domains Secure, where the three domains are:

  1. Issuer (customer’s bank, customer)
  2. Interoperability (the middleman that works between Issuer and Acquirer)
  3. Acquirer (merchant’s bank/processor, merchant)

This protocol has been adopted by VISA, Mastercard, JCB, and American Express under the service names Verified by VISA, MasterCard SecureCode, JCB J/Secure, and American Express SafeKey.

In the process, there are other services involved, such as ACS and MPI:

  1. Access Control Server (ACS) is in the issuer domain. Each card issuer is required to maintain an ACS to support cardholder authentication. The customer authenticates to this ACS, and the ACS signs the result as either a success or a failure.
  2. The Merchant Plug-in (MPI) is in the acquirer domain. It is used as the communicator.


3DS processes

3-D Secure adds an authentication step for online payments by authenticating the cardholder. The payment gateway is responsible for communicating with the issuing bank, which provides the 3DS system. Here are the steps:

  1. Once the customer decides to pay, the customer is redirected to the issuing bank's page.
  2. In the meantime, the issuing bank sends an OTP via SMS, USSD, or email (usually to the contact the customer registered during the credit card application).
  3. The customer then fills in the authorization code on the page, matching the OTP he/she received.


3DS status: Electronic Commerce Indicator

Once 3DS is done, it generates a status called the Electronic Commerce Indicator (ECI). There are 3 possible scenarios, as below:

| VISA / American Express / JCB | Description | Real case |
|---|---|---|
| Full Authentication | Issuer and Acquirer process 3DS, and the cardholder successfully authenticates him/herself. | Both Issuer and Acquirer are 3DS-enrolled, and the customer successfully entered the right OTP. |
| Attempted Authentication | Issuer is not registered for 3DS, but the Acquirer is submitting a 3DS authentication process request. | Acquirer is 3DS-enrolled but the Issuer is not, so the customer does not need to enter the OTP. |
| Failed Authentication | 3DS fails (the cardholder fails to authenticate him/herself) or is not attempted. | A network error occurs so 3DS cannot be enrolled, or the customer failed to enter the right OTP. The transaction will be denied. |
| Authentication could not be performed | Acquirer is not registered in 3D Secure. | Acquirer is not enrolled with 3DS. The transaction can still go through, but it is identified as a non-3DS transaction. |


In Midtrans, if you have an acquirer that is 3DS-enrolled, you can only see 2 out of 3 types of transactions based on 3DS: Full authentication or Attempted authentication. Failed authentication will be rejected and will not be shown in the dashboard.

However, if your acquirer is not 3DS-enrolled, transactions will be identified as non-3DS/normal, regardless of whether the issuing bank is 3DS-enrolled. These transactions will be identified as “No Auth” in the dashboard.



In case of a fraudulent transaction, liability goes to different parties, as detailed below:


| | Issuer is 3DS-enrolled | Issuer is not 3DS-enrolled |
|---|---|---|
| Acquirer is 3DS-enrolled | Full authentication: Issuing bank is responsible for fraud | Attempted authentication: Issuing bank is responsible for fraud |
| Acquirer is not 3DS-enrolled | Non-3DS transaction: Acquiring bank is responsible for fraud | Non-3DS transaction: Acquiring bank is responsible for fraud |


In this case, Midtrans would highly recommend that merchants (as the acquirer) use 3DS to prevent security issues and fraudulent transactions.
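The following added example (not Midtrans code) applies the ECI outcomes and the liability split described above to a batch of transaction records, totalling the amount for which each party carries fraud liability and listing the orders that went through without a 3DS liability shift. It assumes the standard scheme ECI values (05/06/07 for VISA, American Express and JCB; 02/01/00 for Mastercard), which this page does not list, and hypothetical record fields `order_id`, `scheme`, `eci` and `amount`; it goes beyond the table by also covering Mastercard.

```python
from collections import defaultdict

# Standard scheme ECI values (assumption: they are not listed on this page).
_VISA_LIKE = {"05": "full", "06": "attempted", "07": "non_3ds"}
ECI_STATUS = {
    "visa": _VISA_LIKE, "amex": _VISA_LIKE, "jcb": _VISA_LIKE,
    "mastercard": {"02": "full", "01": "attempted", "00": "non_3ds"},
}
# Liability split taken from the article's liability table.
LIABLE = {"full": "issuer", "attempted": "issuer", "non_3ds": "acquirer"}

def classify(scheme, eci):
    """Map a card scheme and ECI value to full / attempted / non_3ds / unknown."""
    if scheme is None or eci is None:
        return "unknown"
    code = str(eci).strip().zfill(2)  # accept 5, "5" or "05"
    return ECI_STATUS.get(str(scheme).strip().lower(), {}).get(code, "unknown")

def liable_party(status):
    # An unrecognised ECI is no evidence of a liability shift,
    # so it is counted conservatively against the acquirer side.
    return LIABLE.get(status, "acquirer")

def exposure_report(transactions):
    """Return (amount per liable party, [(order_id, status)] needing review)."""
    totals = defaultdict(int)
    review = []
    for tx in transactions:
        status = classify(tx.get("scheme"), tx.get("eci"))
        totals[liable_party(status)] += tx["amount"]
        if status in ("non_3ds", "unknown"):
            review.append((tx["order_id"], status))
    return dict(totals), review

# Constructed sample records (hypothetical field names, not a real API payload).
SAMPLE = [
    {"order_id": "A-1", "scheme": "visa", "eci": "05", "amount": 150000},
    {"order_id": "A-2", "scheme": "VISA", "eci": 6, "amount": 90000},
    {"order_id": "A-3", "scheme": "mastercard", "eci": "02", "amount": 200000},
    {"order_id": "A-4", "scheme": "jcb", "eci": "07", "amount": 50000},
    {"order_id": "A-5", "scheme": "mastercard", "eci": "05", "amount": 75000},
    {"order_id": "A-6", "scheme": "amex", "eci": None, "amount": 30000},
]

if __name__ == "__main__":
    totals, review = exposure_report(SAMPLE)
    print("Amount by liable party:", totals)
    print("Orders without a 3DS liability shift:", review)
```

Order A-5 shows why the scheme matters: a VISA-style code on a Mastercard record is not treated as authenticated and lands in the review list.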



