- Regulatory compliance: 3DS2 is the card-scheme mechanism merchants and issuers use to meet the Strong Customer Authentication (SCA) requirements of the EU's Payment Services Directive 2 (PSD2).
- Acceptance rates: 3DS2 is designed to reduce friction in the checkout process and improve the user experience, which can lead to higher conversion rates.
- Enhanced trust: 3DS2 carries many more data points (device, browser, merchant and transaction data) that the issuer can use to authenticate the cardholder, which helps reduce fraud and build trust with customers.
- Liability shift: for transactions authenticated through the protocol, liability for fraud-related chargebacks moves from the merchant to the issuer.
Challenge flows
If the card issuer decides to challenge the transaction, the cardholder is presented with the issuer's (ACS) challenge screen, rendered in an iframe in the browser or through the 3DS SDK in a native app, and must complete it before the payment continues. The challenge is typically a one-time password (OTP) sent to the cardholder's phone or a push notification approved in the issuer's mobile app. This is the step that supplies the second, independent factor that SCA requires to verify the cardholder's identity.
Frictionless flows
In some cases, the card issuer can authenticate the cardholder without requiring any action on their part. This is known as a "frictionless flow" and is designed to provide a seamless user experience. The issuer runs risk-based authentication on the data collected from the merchant, the customer and the device (browser fingerprint, device ID, shipping details, transaction history) and approves without any additional input from the cardholder.
Authentication results
At the end of the 3DS2 authentication a so-called electronic commerce indicator (ECI) is returned together with an authentication value (CAVV for Visa, AAV for Mastercard) and the DS transaction ID. The ECI indicates the result of the authentication and tells the merchant how to proceed in the payment flow: its values correspond to "authenticated", "attempted" and "not authenticated". A practical caveat: the ECI, the authentication value and the transaction ID must be forwarded in the subsequent authorization request; an authorization sent without them is treated as unauthenticated, and the liability shift does not apply. The table below lists the values used by Visa, American Express and most other schemes; Mastercard uses a different numbering (02, 01 and 00) for the same three outcomes.
| ECI Value | Description | Liability Shift |
|---|---|---|
| 05 | Cardholder authentication was successfully completed. | Yes |
| 06 | Authentication was attempted, but the card is not enrolled or the issuer's ACS was unavailable. | Usually (scheme-dependent) |
| 07 | Authentication was rejected, failed or could not be attempted. | No |
Exemptions (PSD2 / SCA)
Specific transactions may be exempt from the 3DS2 authentication process. These exemptions are designed to reduce friction and improve the user experience for cardholders. An exemption is requested by the merchant or acquirer, but the issuer makes the final decision and may still return a challenge; and when a transaction proceeds under an exemption rather than a successful authentication, the fraud liability stays with the merchant.
| Exemption Type | Conditions | Limits/Notes |
|---|---|---|
| Low-Value Transactions | Amount ≤ €30 | Max 5 consecutive transactions or cumulative total ≤ €100 before SCA is triggered |
| Recurring Transactions | Same amount and same payee | SCA required only for the first transaction |
| Trusted Beneficiaries | Payee added to whitelist maintained by customer’s bank | Future payments to that payee can be exempt from SCA |
| Secure Corporate Payments | Payments made through dedicated corporate payment processes or protocols that are not available to consumers (e.g., lodged corporate cards, virtual cards for travel) | The process must meet security requirements equivalent to SCA; the exemption is granted per process, not per transaction |
| Transaction Risk Analysis (TRA) | Low fraud risk assessed by the PSP in real time from transaction data | Amount limit depends on the PSP's reference fraud rate: ≤ €500 (rate ≤ 0.01%), ≤ €250 (≤ 0.06%) or ≤ €100 (≤ 0.13%) |
Out-of-scope transactions
Separately from the exemptions, the following transaction types fall outside the scope of SCA altogether: no exemption needs to be requested because the regulation does not apply to them.
| Transaction Type | Description | Reason for Exclusion |
|---|---|---|
| MOTO (Mail Order / Telephone Order) | Payments made via phone or mail, not electronically initiated by the payer | Not considered electronic payment initiation |
| Anonymous Prepaid Cards | Gift cards or prepaid cards with no identifiable customer | Payer identity cannot be authenticated |
| Merchant-Initiated Transactions (MIT) | Transactions initiated by the merchant under a prior agreement with the cardholder (e.g., card-on-file subscriptions, usage-based billing) without the payer's active involvement | Not triggered by the customer at the time of payment; note that SCA is required when the agreement is first set up |
| Direct Debits (e.g., SEPA) | Mandate-authorized debits, not initiated by the customer at each occurrence | No real-time action from the payer |
| Inter-PSP Transfers | Transfers initiated by a payment service provider or bank on behalf of the user | Not customer-initiated |
| One-leg-out Transactions | Where either the payer's or the payee's PSP is outside the EEA | PSD2 applies only partially outside the EEA; the EEA-side PSP applies SCA on a best-efforts basis |
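To make the two tables above concrete, here is an added example (not code from the original page or from any scheme or PSP) of a decision procedure that first rules out out-of-scope transactions and then checks the exemptions in order, including the low-value counters and the TRA fraud-rate bands. The `Transaction` and `CardholderState` types, the `eur` helper and the issuer-side counters are hypothetical simplifications: in practice the counters live at the issuer, the merchant only sees the issuer's response, and which of the two low-value counters an issuer enforces is the issuer's choice. The example enforces both counters, which is the conservative reading of the table.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from enum import Enum


class Decision(Enum):
    OUT_OF_SCOPE = "out_of_scope"                      # SCA does not apply at all
    EXEMPT_TRUSTED_BENEFICIARY = "exempt_trusted_beneficiary"
    EXEMPT_RECURRING = "exempt_recurring"
    EXEMPT_LOW_VALUE = "exempt_low_value"
    EXEMPT_TRA = "exempt_tra"
    SCA_REQUIRED = "sca_required"


def eur(amount: str) -> Decimal:
    """Build an exact EUR amount; never use binary floats for money."""
    return Decimal(amount)


# Limits taken from the exemption table above (EUR).
LOW_VALUE_AMOUNT = eur("30")
LOW_VALUE_CUMULATIVE = eur("100")
LOW_VALUE_MAX_COUNT = 5
# TRA bands: (PSP reference fraud-rate ceiling, max exempted amount), lowest first.
TRA_BANDS = (
    (eur("0.0001"), eur("500")),   # fraud rate <= 0.01 %
    (eur("0.0006"), eur("250")),   # fraud rate <= 0.06 %
    (eur("0.0013"), eur("100")),   # fraud rate <= 0.13 %
)


@dataclass(frozen=True)
class Transaction:
    amount_eur: Decimal
    payee_id: str
    channel: str = "ecommerce"          # "ecommerce" or "moto"
    initiator: str = "customer"         # "customer" or "merchant" (MIT)
    payer_psp_in_eea: bool = True
    payee_psp_in_eea: bool = True
    anonymous_prepaid: bool = False
    recurring_follow_up: bool = False   # later payment of a fixed-amount series whose first payment had SCA
    low_risk_by_tra: bool = False       # the PSP's real-time risk analysis rated the transaction low risk


@dataclass
class CardholderState:
    """Hypothetical issuer-side view: counters since the last successful SCA plus the whitelist."""
    low_value_count: int = 0
    low_value_sum: Decimal = eur("0")
    trusted_payees: set[str] = field(default_factory=set)


def is_out_of_scope(tx: Transaction) -> bool:
    """Transaction types from the out-of-scope table: no SCA and no exemption request needed."""
    return (
        tx.channel == "moto"
        or tx.initiator == "merchant"
        or tx.anonymous_prepaid
        or not (tx.payer_psp_in_eea and tx.payee_psp_in_eea)   # one-leg-out
    )


def tra_limit(psp_fraud_rate: Decimal) -> Decimal:
    """Largest amount the TRA exemption may cover for a PSP with this reference fraud rate."""
    for ceiling, limit in TRA_BANDS:
        if psp_fraud_rate <= ceiling:
            return limit
    return eur("0")   # above 0.13 %: TRA is not available to this PSP


def decide(tx: Transaction, state: CardholderState, psp_fraud_rate: Decimal) -> Decision:
    """Pick the first applicable outcome; SCA_REQUIRED means a 3DS2 challenge must be run."""
    if is_out_of_scope(tx):
        return Decision.OUT_OF_SCOPE
    if tx.payee_id in state.trusted_payees:
        return Decision.EXEMPT_TRUSTED_BENEFICIARY
    if tx.recurring_follow_up:
        return Decision.EXEMPT_RECURRING
    # Low value: amount <= 30 and, since the last SCA, this would be at most the 5th
    # transaction and would keep the cumulative total at or under 100.
    if (
        tx.amount_eur <= LOW_VALUE_AMOUNT
        and state.low_value_count < LOW_VALUE_MAX_COUNT
        and state.low_value_sum + tx.amount_eur <= LOW_VALUE_CUMULATIVE
    ):
        return Decision.EXEMPT_LOW_VALUE
    if tx.low_risk_by_tra and tx.amount_eur <= tra_limit(psp_fraud_rate):
        return Decision.EXEMPT_TRA
    return Decision.SCA_REQUIRED


def record(state: CardholderState, tx: Transaction, decision: Decision) -> None:
    """Advance the counters: an applied SCA resets them, any in-scope exemption adds to them."""
    if decision is Decision.SCA_REQUIRED:
        state.low_value_count = 0
        state.low_value_sum = eur("0")
    elif decision is not Decision.OUT_OF_SCOPE:
        state.low_value_count += 1
        state.low_value_sum += tx.amount_eur


if __name__ == "__main__":
    # Constructed walk-through: six EUR 20 purchases at the same shop with no SCA in between.
    state, rate = CardholderState(), eur("0.0005")
    for i in range(6):
        tx = Transaction(amount_eur=eur("20"), payee_id="shop-1")
        outcome = decide(tx, state, rate)
        print(f"purchase {i + 1}: {outcome.value}")   # the 6th one comes back sca_required
        record(state, tx, outcome)
```

The ordering in `decide` mirrors how a merchant would rank exemptions by confidence: a whitelisted payee and a previously authenticated recurring series need no further data, low value is checked against both counters so the request is only made when it cannot be refused on the counter the issuer happens to enforce, and TRA comes last because its limit depends on the PSP's current fraud rate.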