3D Secure in Morocco: How It Works and Why It's Mandatory

Introduction: Online Payment Security in Morocco

Moroccan e-commerce has reached a decisive milestone. With over 15 billion dirhams in online transactions in 2025 and double-digit annual growth, payment security has become a central concern for merchants, consumers, and regulators. At the heart of this security lies a protocol that every Moroccan online shopper has encountered, even if they cannot name it: 3D Secure.

This strong authentication mechanism is the security layer that appears at checkout when your bank asks you to confirm your identity -- typically through an SMS code or biometric validation. In Morocco, 3D Secure is not optional: it is a regulatory obligation imposed by Bank Al-Maghrib and enforced by the Centre Monetique Interbancaire (CMI) on all online card transactions.

This guide covers the technical workings of 3D Secure, the differences between versions 1.0 and 2.0, its impact on conversion rates, Morocco's regulatory framework, and integration best practices for merchants and developers. If you manage an e-commerce site or are integrating a payment gateway in Morocco, this is essential reading.

What Is 3D Secure?

3D Secure (3DS) is a security protocol designed to authenticate the cardholder during an online payment. The "3D" refers to the three domains involved in the process:

  1. Acquirer domain -- the merchant's bank and payment gateway
  2. Issuer domain -- the customer's bank that issued the card
  3. Interoperability domain -- the card network (Visa, Mastercard) that orchestrates the exchange

The protocol is managed by EMVCo, a consortium owned by the major card networks. Each network markets its own implementation under a specific brand:

  • Visa: Visa Secure (formerly Verified by Visa)
  • Mastercard: Mastercard Identity Check (formerly Mastercard SecureCode)
  • American Express: American Express SafeKey

The fundamental purpose of 3D Secure is to verify that the person making the payment is the legitimate cardholder. Without this verification, a fraudster in possession of a card number, expiration date, and CVV could make purchases unchallenged.

How 3D Secure Works: The Complete Flow

The 3D Secure authentication process inserts itself into the standard payment flow between the moment the customer confirms their cart and the transaction authorization. Here are the detailed steps:

  1. Payment initiation -- The customer enters card information on the merchant's site or application
  2. Transmission to the gateway -- The merchant sends payment data to its payment gateway (Chari Pay, CMI, etc.)
  3. Directory Server request -- The gateway sends a request to the card network's Directory Server to check if the card is enrolled in 3D Secure
  4. Issuer verification -- The Directory Server queries the issuing bank's ACS (Access Control Server)
  5. Cardholder authentication -- The ACS determines the required authentication level: SMS OTP, biometric validation (fingerprint, facial recognition), or automatic approval (frictionless)
  6. Result -- The ACS returns the authentication result to the gateway via the Directory Server
  7. Authorization -- If authentication succeeds, the gateway submits the transaction for authorization to the acquiring bank
  8. Confirmation -- The merchant receives confirmation and the customer sees the payment validated

This flow completes in seconds. From the customer's perspective, they only see the authentication step (the pop-up or redirect to their bank). All the technical mechanics between the gateway, Directory Server, and ACS are invisible.

3D Secure 1.0 vs 2.0: Detailed Comparison

The first version of 3D Secure, deployed in the early 2000s, established the foundations of online authentication. However, it had major limitations that affected user experience and conversion rates. Version 2.0, ratified by EMVCo in 2017 and progressively deployed in Morocco since 2022, brings fundamental improvements.

Comparison Table

Criteria | 3D Secure 1.0 | 3D Secure 2.0
--- | --- | ---
User experience | Redirect to an external bank page, often slow | Authentication in an embedded iframe, smooth
Authentication methods | SMS code (OTP) only | OTP, biometrics, push notification, frictionless
Mobile support | Poor -- non-responsive pages, broken redirects | Native -- mobile SDK, no redirects
Data transmitted | 15 data fields | Over 100 data fields for risk analysis
Frictionless flow | Non-existent | 70-80% of transactions approved without intervention
Abandonment rate | 10-30% additional abandonment | Significant reduction through frictionless
Fraud reduction | Good | Excellent -- behavioral and contextual analysis
Authentication time | 30-45 seconds average | 1-5 seconds (frictionless) or 15-25 seconds (challenge)

Key Advances in Version 2.0

Version 2.0 was designed to resolve the dilemma between security and conversion. Its main innovations:

Real-time risk analysis -- The issuer receives over 100 data points (device type, geolocation, transaction history, time, amount) enabling it to assess transaction risk without engaging the customer.

Frictionless flow -- For low-risk transactions, authentication happens in the background. The customer sees no additional steps. This is a major change for conversion rates.

Native mobile SDK -- No more redirects that break the mobile experience. The SDK integrates directly into the merchant's application.

Biometric authentication -- Beyond simple SMS codes, version 2.0 supports facial recognition, fingerprint scanning, and banking app push notifications.

Why 3D Secure Is Mandatory in Morocco

Morocco has adopted a clear and strict position on online payment security. 3D Secure is mandatory for all e-commerce card transactions, without exception. This obligation rests on several regulatory pillars:

Bank Al-Maghrib Directives

Bank Al-Maghrib, Morocco's central bank, has issued specific directives requiring strong authentication for online payments. These directives fall within the broader framework of banking law (Law 103-12) and circulars relating to payment system security. The dual objective: protecting Moroccan consumers and strengthening confidence in electronic commerce.

CMI Enforcement

The Centre Monetique Interbancaire (CMI), which operates Morocco's card payment infrastructure, systematically enforces 3D Secure on all online transactions. Any merchant wishing to accept card payments through the CMI must support the 3D Secure protocol. All approved payment gateways, including those compared in our guide, integrate this requirement.

Concrete Results

The imposition of 3D Secure in Morocco has produced measurable results. The fraud rate on online card payments has been significantly reduced since the protocol's widespread adoption. Disputes related to unauthorized transactions have decreased, and consumer confidence in online payments has strengthened -- a key factor in Moroccan e-commerce growth.

Impact on Conversions: Data and Optimization

One of the most debated topics around 3D Secure is its impact on conversion rates. The reality is nuanced and heavily depends on the version deployed.

The Version 1.0 Problem

With 3D Secure 1.0, international studies show an additional abandonment rate of 10 to 30% at the authentication step. The main causes:

  • Redirect to an external bank page that inspires distrust
  • Pages not optimized for mobile
  • Slow loading times
  • SMS codes arriving late or not at all
  • Confusing interface for customers unfamiliar with the process

The Version 2.0 Improvement

3D Secure 2.0 changes the equation. Thanks to frictionless flow, 70 to 80% of transactions are approved without any customer intervention. The abandonment rate on remaining transactions (those requiring a challenge) is also reduced through a better-designed interface and more practical authentication methods.

How to Optimize Your Conversions

For Moroccan merchants, several levers can maximize conversions while meeting the 3D Secure requirement:

  • Migrate to 3D Secure 2.0 -- If your gateway still uses version 1.0, migration is a priority
  • Transmit maximum data -- The more fields you send to the gateway, the better the risk analysis and the more frequent the frictionless flow
  • Optimize the mobile experience -- Use a native mobile SDK rather than a web redirect
  • Inform your customers -- A clear message explaining the verification step reduces anxiety and abandonment

Frictionless Flow Explained

Frictionless flow is the most important innovation in 3D Secure 2.0. It allows cardholder authentication to be validated without asking them to take any action.

How the Issuer Decides

When the issuing bank receives the authentication request, its ACS analyzes a set of data to assess transaction risk. If the risk is deemed low, the transaction is approved in frictionless mode. Here are the main data points used:

  • Cardholder history -- Purchase frequency with this merchant, typical amounts
  • Device -- Is the device known? Has it been used for successful transactions before?
  • Geolocation -- Is the purchase from a location consistent with the cardholder's profile?
  • Amount -- Is the amount within the cardholder's usual range?
  • Timing -- Is the purchase at a consistent time?
  • Browser data -- Digital fingerprint, language, timezone
  • Delivery address -- Has this address been used before?

Frictionless Rates in Morocco

Moroccan banks are progressively adjusting their risk models to optimize the balance between security and fluidity. In 2026, observed frictionless rates in the Moroccan market range between 50% and 75% depending on the issuer, with an upward trend as scoring models improve.

Liability Shift

An often-overlooked aspect of 3D Secure is the liability shift in case of fraud. This mechanism has a direct financial impact on merchants.

Without 3D Secure

If a merchant processes a transaction without 3D Secure authentication and it turns out to be fraudulent, the financial liability falls on the merchant. They must refund the amount to the cardholder (chargeback) and bear the associated fees.

With 3D Secure

When the transaction has been authenticated via 3D Secure, the liability shifts to the issuing bank. In case of fraud despite successful authentication, it is the cardholder's bank that bears the chargeback cost, not the merchant.

This liability shift is a powerful incentive for merchants. Beyond the regulatory obligation, 3D Secure provides direct financial protection against fraudulent chargebacks. For merchants handling high volumes or high average order values, this advantage is considerable.

Technical Integration Guide

3D Secure integration is managed by the payment gateway. Merchants generally do not need to implement the protocol directly -- the gateway orchestrates the entire authentication flow. However, understanding the technical process is essential for optimal integration.

Typical API Flow

  1. Create a payment session -- The merchant calls the gateway API with transaction details (amount, currency, reference) and cardholder data
  2. Receive the authentication URL -- The gateway returns a URL or session identifier for 3D Secure authentication
  3. Redirect or display the iframe -- In 3DS 2.0, the gateway can provide an iframe to embed directly in the payment page
  4. Receive the callback -- After authentication, the gateway sends a webhook with the result (success, failure, attempt)
  5. Finalize the transaction -- If authentication succeeds, the merchant confirms the transaction via the API

Webhooks and Result Handling

The gateway sends a webhook containing the 3D Secure authentication result. The main statuses to handle:

  • Y (Authenticated) -- Authentication successful. Proceed with authorization. Liability shift active.
  • A (Attempted) -- Authentication attempted. The cardholder or issuer does not fully support 3DS. Partial liability shift.
  • N (Not Authenticated) -- Authentication failed. Do not proceed with the transaction.
  • U (Unavailable) -- The authentication server is unavailable. Decision depends on your risk policy.
  • R (Rejected) -- The issuer rejected authentication. Do not proceed.
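
The status handling above, combined with the session created in step 1 of the API flow, as an added example that is not code from Chari Pay, the CMI or any gateway. The field names (`reference`, `amount`, `currency`, `status`), the `PaymentSession` shape and the choice to proceed on status A are assumptions; it also assumes the webhook's authenticity has already been verified the way your gateway documents.

```python
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

PROCEED, DECLINE = "proceed_to_authorization", "do_not_proceed"

@dataclass(frozen=True)
class PaymentSession:
    """What the merchant stored server-side at step 1 (hypothetical shape)."""
    reference: str
    amount: Decimal
    currency: str

# Constructed sample session, for illustration only.
SAMPLE_SESSION = PaymentSession("ORD-1001", Decimal("249.00"), "MAD")

def _matches_session(session, webhook):
    """True only if the webhook refers to exactly the order we created."""
    try:
        amount = Decimal(str(webhook.get("amount")))
    except InvalidOperation:
        return False
    return (webhook.get("reference") == session.reference
            and amount == session.amount
            and webhook.get("currency") == session.currency)

def decide(session, webhook, proceed_when_unavailable=False):
    """Return (action, liability_shift) for a 3DS result webhook.

    liability_shift is "active", "partial" or None (no shift stated).
    """
    # A result for another reference, amount or currency must never
    # finalize this order, whatever its status says.
    if not _matches_session(session, webhook):
        return DECLINE, None
    status = webhook.get("status")
    if status == "Y":
        return PROCEED, "active"
    if status == "A":
        # Assumption of this example: proceed, with partial liability shift.
        return PROCEED, "partial"
    if status == "U":
        # Risk-policy decision; the default here is to fail closed.
        return (PROCEED if proceed_when_unavailable else DECLINE), None
    # N, R, a missing status or any unrecognized value: fail closed.
    return DECLINE, None
```

Keeping the decision in one server-side function means a status the handler does not recognize can never fall through to authorization.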

For e-commerce merchants using platforms like Shopify or recurring payment solutions, these technical details are abstracted by the platform. But for direct API integrations, correctly handling these statuses is critical.

For complete technical documentation on payment API integration, consult our API documentation.

How ChariBaaS Simplifies 3D Secure

ChariBaaS, through its Chari Pay solution, natively integrates 3D Secure 2.0 in its payment gateway. Here is what this means concretely for merchants:

Zero-effort integration -- 3D Secure 2.0 is enabled by default on all transactions. No additional configuration required. The gateway handles the entire authentication flow, from the Directory Server request to the final callback.

Optimized for Moroccan cards -- Chari Pay is optimized for the specificities of the Moroccan market: direct integration with the CMI, support for all Moroccan issuing banks, and settings adapted to local risk models.

Maximized frictionless -- By automatically transmitting over 100 data fields to issuers, Chari Pay maximizes the frictionless flow rate. Result: less friction for your customers, more completed transactions.

Monitoring dashboard -- Track authentication rates, frictionless rates, failures, and their causes in real time. This data helps you identify and resolve issues quickly.

Multi-channel support -- Whether you integrate via API, e-commerce plugin, or hosted payment page, 3D Secure 2.0 is handled transparently across all channels.

To get started with Chari Pay and benefit from 3D Secure 2.0, contact our team or consult the technical documentation.

FAQ

Is 3D Secure mandatory in Morocco?

Yes. Bank Al-Maghrib and the CMI require 3D Secure authentication for all online card transactions in Morocco. This fraud protection measure applies to both Moroccan and international cards.

What is the difference between 3D Secure 1.0 and 2.0?

3D Secure 1.0 redirects to a bank page to enter an SMS code. 3D Secure 2.0 is smoother: authentication happens in an embedded iframe, uses biometrics and risk analysis, and can approve low-risk transactions without customer intervention (frictionless flow).

Does 3D Secure reduce conversions?

3D Secure 1.0 could reduce conversions by 10-30% due to friction. 3D Secure 2.0 reduces this impact through frictionless flow (70-80% of transactions approved without intervention) and a better user experience.

How do I integrate 3D Secure on my e-commerce site in Morocco?

3D Secure is handled by your payment gateway. With Chari Pay, 3D Secure 2.0 is natively integrated -- there is nothing to develop. The gateway manages authentication, redirection, and callback automatically.

What happens if 3D Secure authentication fails?

If authentication fails (status N or R), the transaction must not proceed. The customer can retry the payment, use a different card, or contact their bank to verify that their card is enrolled in 3D Secure and that their phone number is up to date.

Does 3D Secure work on mobile?

3D Secure 1.0 had a degraded mobile experience. 3D Secure 2.0 was designed for mobile with native iOS and Android SDKs that enable smooth authentication directly within the application, without external redirects.
