Grasping 3D credit card security and its potential impact on your overseas trips
While organizing an international journey, you're probably using your computer for online transactions in foreign countries. For items with limited availability — such as sought-after train routes, must-see tourist spots, and specific guided tours — it's crucial to secure these bookings before they're fully booked.
Regrettably, you can't always depend on your travel credit cards to execute these international purchases smoothly. It ultimately hinges on the legal regulations surrounding credit card security — which can differ significantly based on your destination.
In principle, travel rewards credit cards should be perfect for travelers, but the rise of advanced technology may impact your forthcoming journeys beyond the U.S.
Here’s what you should know about credit card security technology and how to minimize your risk of facing issues during transactions.
What exactly is 3D Secure?
3D Secure (often referred to as 3DS) is a security measure for credit cards that helps confirm the legitimacy of online purchases. It evaluates various factors to validate a transaction, such as the user's location, the card's purchase history, and whether the provided personal information matches the bank's records.
If the technology detects any inconsistencies during this verification, it may initiate extra security measures through text messages, emails, or phone calls before finalizing the transaction.
The objective of 3DS is to enhance transaction authentication for all parties involved: customers, banks, and online merchants. Users enjoy a smoother experience with simplified transactions, banks see a decrease in fraud and chargebacks, and merchants benefit from an easier process that encourages consumers to complete their purchases.
However, there's more to 3DS than just these fundamentals.
The evolution of 3DS — and its enhancements
The credit card standards we recognize today originated in 1995, when three companies — Europay, Mastercard, and Visa — collaborated to establish the chip-based EMV technology for credit, debit, and prepaid cards. Since then, other institutions like JCB, China UnionPay, and Discover have also embraced EMV.
EMV has continued to advance over the years, leading to the introduction of new payment technologies such as contactless card payments.
In 1999, 3D Secure, an advanced iteration of EMV, was introduced. However, its initial rollout faced criticism due to browser redirects to verification portals that seemed fraudulent, leading many consumers to abandon their transactions. The launch of an updated version in 2016 marked a shift, establishing it as the industry standard for combatting fraud.
By offering additional contextual details, such as a card's transaction history and billing address during checkout, consumer skepticism regarding the verification process decreased. The updated procedure limited the number of transactions requiring authentication and introduced biometrics or mobile app verification, minimizing interruptions compared to the previous version.
"While users are authenticated and enjoy enhanced security, their transaction experience remains seamless," stated Ranjita Iyer, Mastercard's senior vice president of cyber and intelligence for North America. "It's entirely frictionless, and often, they don't even notice the authentication process."
The current status of U.S. credit card issuers in adopting 3DS
Once the advantages of the revised 3DS technology became clear, the U.S. mandated credit card processing networks and issuing banks to implement it. Nonetheless, the adoption rates differ significantly among payment processors and banks. Merchants in the travel industry have embraced 3DS more readily than those in other sectors, according to Iyer.
For instance, Mastercard facilitates the implementation of the latest protocols on a large scale for all Mastercard issuers in the U.S., also aiding any merchant wishing to engage in transaction authentication, as stated by Iyer.
Wells Fargo has adopted the newest version of 3DS for all its consumer and small-business credit cards, as confirmed by a company representative. When authentication is needed for a transaction, Wells Fargo cardholders can opt to receive a code via SMS or a notification through the Wells Fargo app.
Similarly, Discover has fully integrated the second-generation 3DS through its proprietary product, ProtectBuy, according to a company spokesperson.
American Express has also developed its own proprietary solution — SafeKey 2.0 — which utilizes 3DS technology across its internal credit card offerings.
"Since we first adopted 3D Secure technology in 2010, our focus has been on enhancing the SafeKey experience to guarantee a positive customer interaction," stated J.J. Kieley, vice president of payment products at American Express.
However, this does not apply to American Express cards issued by other banks. "We are actively collaborating with our issuing bank partners and third-party providers to upgrade their cards for compatibility with SafeKey 2.0," Kieley noted.
What to anticipate in other countries
Many U.S. issuers are progressing in the adoption of 3DS technology (although it's not mandatory for U.S. merchants). However, the same cannot be reliably said for other countries.
In the European Union, 3DS is a requirement for all online transactions. Furthermore, nations such as the U.K., Bangladesh, India, Malaysia, Nigeria, Singapore, and South Africa also mandate 3DS for online transactions.
Conversely, some countries, like Australia, have rejected previous efforts to enforce 3DS as a requirement. The main argument against it was the additional costs that would ultimately be passed on to consumers.
Eager to explore how 3DS operates in other nations and whether issues arise when using specific credit cards for online purchases, we chose to test transactions in two popular tourist locations: Greece and Japan.
Popular tourist sites in Greece
Initially, we attempted to buy tickets for the Agora in Athens through the Hellenic Organization of Cultural Resources Development.
Our first purchase was made using the Capital One Venture X Rewards Credit Card. The ticketing site required a verification step with a one-time code sent via SMS.
Transactions using the Chase Sapphire Reserve® (a Visa card), the World of Hyatt Credit Card (also a Visa), and the Barclaycard Arrival Plus® World Elite Mastercard® went through smoothly without any issues.
I encountered an error message while trying to purchase tickets with my Alaska Airlines Visa Signature® credit card.
The information regarding the Barclaycard Arrival Plus has been gathered independently by Dinogo. The card details presented on this page have not been reviewed or supplied by the card issuer.
Bank of America flagged the transaction as potentially fraudulent. I had to make a call to go through a multi-step verification process before the bank would approve the purchase. Unfortunately, the website timed out during this process, forcing me to restart my ticket purchase from scratch.
We were unable to test any American Express cards, as the website does not accept them for transactions.
Bullet train tickets in Japan
We attempted to buy bullet train (Shinkansen) tickets from Japan Railways Smart Ex. Prior to making these purchases, you need to create a user profile and set up a default payment method. The website specifically mentions that the card must comply with 3DS requirements before it can be added to your profile.
I attempted to register three different Visa cards — the World of Hyatt card, the Chase Sapphire Reserve, and the Alaska Airlines Visa credit card — to my user profile. Unfortunately, all three attempts failed. An error message indicated that the issuing bank had not configured the necessary security protocols for 3DS authentication.
Next, I tried The Platinum Card® from American Express. After successfully adding it to my profile, the website redirected me to American Express' intermediary page (SafeKey). The request processed for a few seconds before I received a "success" message and was redirected back to the Smart Ex website.
Adding my Arrival Plus card to my profile yielded a response similar to that of the Amex Platinum. I was directed to the SecurPass website, where I received a one-time code via email.
The results were quite varied. Some of the most popular travel cards required additional verification, while others were simply not accepted by certain international merchants.
How to minimize or prevent issues
If you're planning a trip abroad and want to avoid complications with online purchases—either during your travels or before you leave home—what steps can you take?
We reached out to credit card issuers to gather their advice for individuals facing authentication challenges.
A spokesperson from Discover recommended that you frequently check and update your contact details with your bank; this ensures the bank can reach you if authentication is necessary. Having incorrect information on file can also raise the likelihood of a transaction being flagged as fraudulent. If the address and phone number you provide during the online purchase do not match what your bank has recorded, it may appear suspicious.
If you encounter difficulties while making an online purchase, a spokesperson from Wells Fargo suggests reaching out to the merchant directly. The issues you're facing are likely due to the merchant's acceptance policies rather than those of your bank or credit card issuer. If this approach fails or becomes too cumbersome, the spokesperson advises seeking alternative payment methods.
In summary
Familiarizing yourself with the security features of your credit card and understanding how these relate to regulations in other countries can help you prevent potential issues when using your card abroad. This knowledge also decreases the likelihood of facing problems during online purchases for your upcoming international travel.
All banks and credit card processing networks in the U.S. mandate 3D Secure, so your cards should be accepted without requiring additional authentication. However, this doesn't guarantee that the merchant will interpret the rules accurately. Keeping your contact information current with your credit card issuer will facilitate passing any extra security checks if necessary.