EMV 3‑D Secure (3DS) - Payment Authentication Protocol
EMVCo EMV 3-D Secure (3DS), the messaging protocol that enables consumer authentication for card-not-present e-commerce transactions (the basis of Visa Secure, Mastercard Identity Check, etc.). 3DS uses a three-domain model (Acquirer, Issuer, Interoperability domains) and the roles 3DS Requestor, 3DS Server, Directory Server (DS), Access Control Server (ACS) and 3DS SDK, exchanging Authentication (AReq/ARes), Challenge (CReq/CRes) and Results (RReq/RRes) messages to support frictionless (risk-based) and challenge (step-up) authentication across browser and app channels. The full EMV 3DS Protocol and Core Functions Specification and SDK Specification are copyrighted EMVCo material available under EMVCo registration/licence; this node represents the publicly documented protocol architecture, not the gated normative text.
Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
Framework Domains (6)
EMV 3DS - Authentication Flows
| Code | Title |
|---|---|
| EMV3DS-11 | Frictionless flow |
| EMV3DS-12 | Challenge flow |
| EMV3DS-13 | Decoupled authentication |
| EMV3DS-14 | Challenge authentication methods |
EMV 3DS - Authentication Messages
| Code | Title |
|---|---|
| EMV3DS-07 | Authentication Request and Response (AReq/ARes) |
| EMV3DS-08 | Challenge Request and Response (CReq/CRes) |
| EMV3DS-09 | Results Request and Response (RReq/RRes) |
| EMV3DS-10 | Message integrity and protocol versioning |
EMV 3DS - Channels and Device Data
| Code | Title |
|---|---|
| EMV3DS-15 | Browser-based channel |
| EMV3DS-16 | App-based channel and device information |
| EMV3DS-17 | 3DS Requestor-Initiated and non-payment authentication |
EMV 3DS - Risk-Based Authentication and SCA
| Code | Title |
|---|---|
| EMV3DS-18 | Risk-based authentication |
| EMV3DS-19 | Strong Customer Authentication support and exemptions |
EMV 3DS - Security and Conformance
| Code | Title |
|---|---|
| EMV3DS-20 | Message security and key management |
| EMV3DS-21 | Cardholder data protection and minimisation |
| EMV3DS-22 | EMVCo approval and conformance |
EMV 3DS - Three-Domain Model and Roles
| Code | Title |
|---|---|
| EMV3DS-01 | Three-domain model |
| EMV3DS-02 | 3DS Requestor and 3DS Client |
| EMV3DS-03 | 3DS Server (Acquirer Domain) |
| EMV3DS-04 | Directory Server (Interoperability Domain) |
| EMV3DS-05 | Access Control Server (Issuer Domain) |
| EMV3DS-06 | 3DS SDK |
Your Compliance Coverage
If you comply with EMV 3‑D Secure (3DS) - Payment Authentication Protocol, you already cover:
Maps to 3 other frameworks
Frequently Asked Questions
What is EMV 3‑D Secure (3DS) - Payment Authentication Protocol?
EMV 3‑D Secure (3DS) - Payment Authentication Protocol is a compliance framework from International (EMVCo - standards consortium) with 6 domains and 22 controls. EMVCo EMV 3-D Secure (3DS), the messaging protocol that enables consumer authentication for card-not-present e-commerce transactions (the basis of Visa Secure, Mastercard Identity Check, etc.). 3DS uses a three-domain model (Acquirer, Issuer, Interoperability domains) and the roles 3DS Requestor, 3DS Server, Directory Server (DS), Access Control Server (ACS) and 3DS SDK, exchanging Authentication (AReq/ARes), Challenge (CReq/CRes) and Results (RReq/RRes) messages to support frictionless (risk-based) and challenge (step-up) authentication across browser and app channels. The full EMV 3DS Protocol and Core Functions Specification and SDK Specification are copyrighted EMVCo material available under EMVCo registration/licence; this node represents the publicly documented protocol architecture, not the gated normative text. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.
How many controls does EMV 3‑D Secure (3DS) - Payment Authentication Protocol have?
EMV 3‑D Secure (3DS) - Payment Authentication Protocol has 22 controls organised across 6 domains. The largest domains are EMV 3DS - Three-Domain Model and Roles (6 controls), EMV 3DS - Authentication Flows (4 controls), EMV 3DS - Authentication Messages (4 controls). Each control defines specific requirements that organisations must implement to achieve compliance.
What frameworks does EMV 3‑D Secure (3DS) - Payment Authentication Protocol map to?
EMV 3‑D Secure (3DS) - Payment Authentication Protocol maps to 3 other compliance frameworks. The top mapping partners are GDPR (14% coverage), NIST SP 800-63 Digital Identity Guidelines (14% coverage), ISO 27701:2019 (5% coverage). Use our comparison tool to explore control-level mappings between frameworks.
How do I get started with EMV 3‑D Secure (3DS) - Payment Authentication Protocol compliance?
Start your EMV 3‑D Secure (3DS) - Payment Authentication Protocol compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about EMV 3‑D Secure (3DS) - Payment Authentication Protocol requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 22 controls and track your progress.
Start Your Compliance Journey
Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 718 frameworks.
Get Started Free →Free forever — no credit card required