3DS Overview

▶ Run in Postman

The Three-Domain Secure (3DS) security protocol, created and branded by Visa and Mastercard as Visa Secure and Mastercard SecureCode, respectively, further protects online payments by enabling cardholders to authenticate their purchases.

3DS authentication

3DS adds a layer of security, prior to authorization, to help authenticate online transactions by requiring customers to complete an additional verification with the card issuer. For example, when the merchant initiates 3DS at checkout, the cardholder needs to enter a one-time passcode received via email or Short Message Service (SMS) text to continue with their purchase. The one-time password (OTP) is a six-digit number.

3DS setup options supported by Nium

Nium supports the following forms of 3DS authentication setups:

OTPThe OTP mode of authentication is used to verify users before completing a transaction or running a session in an app or website.
OTP plus knowledge-based authentication (KBA)The OTP plus KBA mode of authentication is a two-factor authentication that combines one-time passwords and KBA for enhanced online card transaction security.
Out-of-band (OOB) authenticationThe OOB mode of authentication is used for secure online card transactions using alternative communication channels. For example, a push notification with Approve or Decline.
OOB with fallback (OTP)The OOB with fallback OTP authentication mode is used with the provision of one-time passwords in the event of a response timeout for secure online card transactions.
OOB with fallback (OTP and KBA)The OOB authentication with fallback OTP and KBA mode is used with the provision of one-time passwords and KBA in the event of a response timeout for secure online card transactions.



The OOB with fallback (OTP and KBA) and OTP plus KBA option are relevant in the European Economic Area (EEA) and the UK due to the Payment Service Directive (PSD2) Strong Customer Authentication (SCA) regulation which mandates the application of two of three factors of authentication.

In an OOB authentication, the channel that's used to authenticate a transaction is separate from the channel used by the cardholder to sign in or perform a transaction. OOB authentication is a type of two-factor authentication, such as Face ID, Touch ID, or something you have which is your mobile device, rather than multifactor authentication (MFA).

If the primary method of authentication is OOB, then it's required to have a fallback mechanism. If the cardholder doesn't have mobile data or Wi-Fi service to receive push notifications or is unable to authenticate themselves via the mobile app or biometrics, the system moves to the fallback option.

Depending on the region you're in, you can decide to go with either of these options:

RegionOption 1Option 2
Asia-Pacific (APAC)OOB authentication with OTP as a fallbackOTP only
European Union and United Kingdom (EU/UK)OOB authentication with OTP plus KBA as a fallbackOTP plus KBA

For 3DS configuration, you can let Nium manage it entirely for you or you can choose to be consulted on every transaction on the type of authentication to be made. If you're in the EU and UK, you can further choose to let Nium manage and validate the KBA on your behalf or you can manage and validate it.

A diagram showing Nium handles 3DS authentication.

A diagram showing how Nium handles 3DS authentication.

The table below details the above diagram's flow which explains the level of API integration needed for each type of authentication and the entity that performs it.

ScenarioManaged byAPI integrationImplement API
Consult on every transactionNiumNo-
Consult on every transactionYouYesCheck Authentication Method V2
OTP authenticationAlways NiumNot applicable-
OTP plus KBA authenticationNiumYes
  • Add or Update Passcode
  • 3DS Passcode Enrollment Status
  • OTP plus KBA authenticationYouYesPasscode Validation V2
    OOB authenticationAlways youYes
  • Initiate OOB Authentication V2

  • OOB Authentication Callback
  • Implementation details

    You need to implement and provide Nium with a URL if you opt for:

  • Being consulted on every transaction or
  • Choose to enable the OTP plus KBA flow and manage the validation or
  • Choose to enable the OOB authentication