Understanding 3D credit card security and how it could affect your trips to other countries

30 March 2023

Editor’s note: This is a recurring post, regularly updated with new information.

When planning an international trip, you’re likely using your computer for online purchases in other countries. And for items with a limited supply — like high-demand train routes, popular tourist attractions and specific guided tours — it’s critical to confirm these reservations before they sell out.

Unfortunately, you can’t always rely on your travel credit cards to successfully complete these international transactions. It all comes down to the legal requirements associated with credit card security — which can vary greatly, depending on where you are going.

In theory, travel rewards credit cards should be ideal for travel, but increasingly sophisticated technology could affect your upcoming trips outside the U.S.

Here’s what you need to know about credit card security technology and what you can do to reduce your chances of encountering problems along the way.

What is 3D Secure?

3D Secure (or 3DS, as it’s sometimes called) is a credit card security technology that helps verify the authenticity of online transactions. It checks several factors to authenticate a purchase, including the user’s location, the history of purchases on that card and whether the personal data provided during the transaction matches the bank’s records.

POIKE/GETTY IMAGES

If the technology identifies any abnormalities during this verification process, it may use additional security checks via text message, email or phone call before completing the purchase.

The goal of 3DS is to provide better authentication of transactions to help everyone involved: customers, banks and online merchants. Users benefit from an improved experience with a simpler transaction. Banks benefit from reduced fraud and chargebacks. And merchants benefit by having an easier process for consumers so that they actually complete the transaction and spend money with the merchant.

However, there’s more to 3DS than these basics.

How 3DS came about — and improved

Credit card standards as we know them date back to 1995 when three companies — Europay, Mastercard and Visa — came together and created the chip-based EMV technology added to credit, debit and prepaid cards. Since then, other banks like JCB, China UnionPay and Discover have also adopted EMV.

EMV continued to evolve over the years, ushering in new credit technology like contactless card payments.

In 1999, 3D Secure — a more modern version of EMV — emerged. However, its first iteration faced some criticism. The main issue? Browsers redirecting to verification portals appeared fraudulent, and many consumers abandoned their transactions. But when an updated version was unveiled in 2016, it quickly became the new industry standard for reducing fraud.

By providing more contextual information (such as a card’s transaction history and mailing address) during checkout, fewer consumers questioned the legitimacy of the verification process. That is because the revised process — which limited the number of transactions requiring authentication and supported authentication via biometrics or a bank’s mobile app — lacked the noticeable interruptions or burdens of the former version.

“While they are being authenticated and getting the benefits of higher security, they’re not disrupted in their experience in terms of the flow of the transaction,” said Ranjita Iyer, Mastercard’s senior vice president of cyber and intelligence for North America. “It is completely frictionless. Many times, they don’t even really see the authentication.”

Where US credit card issuers stand in adopting 3DS

Once the revised 3DS technology’s benefits became apparent, the U.S. began requiring credit card processing networks and issuing banks to use it. However, where the payment processors and issuing banks stand on implementation is unequal. Merchants in the travel sector have adopted 3DS at a higher rate than merchants in other categories, according to Iyer.

THE POINTS GUY

For example, Mastercard supports the latest protocols at scale for every issuer of Mastercard products in the U.S. and supports implementation for every merchant wanting to participate in authentication during transactions, according to Iyer.

At Wells Fargo, the latest iteration of 3DS has been applied across all of its consumer and small-business credit cards, according to a company spokesperson. When authentication is required for a transaction, Wells Fargo cardholders can choose to receive a code via SMS or a notification in the Wells Fargo app.

Likewise, Discover has fully implemented the second-generation version of 3DS via a proprietary product called ProtectBuy, according to a company spokesperson.

American Express also has a proprietary product — SafeKey 2.0 — that applies 3DS technology across its in-house credit card products. “Since first implementing 3D Secure technology in 2010, we’ve been hyper-focused on optimizing the SafeKey journey to ensure a positive customer experience,” said J.J. Kieley, vice president of payment products at American Express.

However, the same can’t be said for American Express cards issued by other banks. “We are continuing to work with our bank issuing partners and third-party providers as they uplift their cards to be SafeKey 2.0 compatible,” Kieley said.

What to expect in other countries

Despite most U.S. issuers making strides in implementing 3DS technology — note that it is not required for U.S. merchants — the same can’t be consistently said for other countries.

JACOBLUND/GETTY IMAGES

Within the European Union, 3DS is mandatory for all online transactions. Additionally, countries including the United Kingdom, Bangladesh, India, Malaysia, Nigeria, Singapore and South Africa require 3DS for online transactions.

However, others like Australia have blocked prior attempts to make 3DS mandatory. The chief justification was extra costs that would be passed on to consumers.

Curious to see what 3DS is like in other countries and if any issues arise when using certain credit cards for online purchases, we decided to test transactions for two popular tourist destinations: Greece and Japan.

Tourist sites in Greece

First, we attempted to purchase tourism tickets for the Agora in Athens from the Hellenic Organization of Cultural Resources Development.

ETICKETS.TAP.GR

Our first purchase used Capital One Venture X Rewards Credit Card. The ticketing website required verification with a one-time code sent via text message.

Purchases with the Chase Sapphire Reserve (a Visa card), the World of Hyatt Credit Card (a Visa card) and the Barclaycard Arrival Plus® World Elite Mastercard® passed and were frictionless.

I received an error message when attempting to buy tickets with my Alaska Airlines Visa® credit card.

The information for the Barclaycard Arrival Plus has been collected independently by The Points Guy. The card details on this page have not been reviewed or provided by the card issuer. 

ETICKETS.TAP.GR

Bank of America flagged the purchase as potentially fraudulent. I had to call to complete a multi-step verification process before the bank would authorize the transaction. However, the website timed out during this process, and I had to start my ticket purchase again from the beginning.

We could not test any American Express cards, as the website does not accept them for purchases.

Train tickets in Japan

We attempted to purchase bullet train (Shinkansen) tickets from Japan Railways Smart Ex for Japan. Before purchasing these tickets, you must create a user profile and register a default payment method. The website specifically states that the card must meet 3DS requirements before you can add it to your profile.

SMART-EX.JP

I attempted to add three different Visa cards — the World of Hyatt card, the Chase Sapphire Reserve and the Alaska Airlines Visa credit card — to my user profile during registration. All three failed. An error message stated that the issuing bank had not set up the required security protocols for 3DS authentication.

Next, I tried The Platinum Card® from American Express. After adding it to my profile, the website routed me to American Express’ intermediary page (SafeKey). The request processed for a few seconds before I received a “success” message and was routed back to the Smart Ex website.

Adding my Arrival Plus card to my profile generated a similar response as the Amex Platinum. I was routed to the SecurPass website, where I received a one-time code via email.

SMART-EX.JP

This is a very mixed bag of results. Some of the most popular cards for travel purchases required additional verification. Others simply couldn’t be used with select international merchants.

What you can do to reduce or avoid issues

If you are planning a trip to another country and want to avoid issues with online purchases — both during your trip and for reservations you want to make before leaving home — what can you do?

We asked the credit card issuers what advice they have for people experiencing authentication problems.

Discover’s spokesperson suggested regularly checking and updating your contact information on file with your bank since that’s how the bank will contact you if authentication is required. Having incorrect information on file also can increase your odds of a transaction being flagged as fraudulent. It will look suspicious if the address and phone number you provide during the online purchase don’t match what your bank has on file.

Should you run into issues while making an online purchase, consider contacting the merchant directly, according to a spokesperson for Wells Fargo. This is because the merchant’s acceptance policies (not the bank’s or credit card issuer’s) are likely behind the trouble you’re experiencing. If this doesn’t work or proves too time-consuming, the spokesperson recommends finding another way to pay.

HISPANOLISTIC/GETTY IMAGES

Bottom line

Understanding the security features built into your credit card and how these interact with laws in other countries can help you mitigate potential issues when using your credit card in another country. It also can reduce the chances you encounter a problem using your credit card for online purchases related to an upcoming international trip.

All banks and credit card processing networks in the U.S. require 3D Secure, so your credit cards should be accepted and not require extra authentication. However, that doesn’t mean the merchant (where you are making a payment) will always interpret the rules correctly. Ensuring your contact information is updated with your credit card company will help you pass extra security authentication if prompted.

Need Help?

Please use the contact form to get support or send an email to [email protected].