March 5, 2026 | Inyo Team

3D Secure 2: How to Increase Approvals and Reduce Fraud

3D Secure has evolved from a clunky pop-up window that killed conversion rates into a sophisticated, risk-based authentication protocol that actually improves both security and approval rates. This guide explains how 3DS2 works, why it performs better than its predecessor, and how to implement it for maximum transaction success.

What Is 3D Secure?

3D Secure is an authentication protocol designed by the card networks to verify the cardholder’s identity during an online transaction. The “3D” refers to the three domains involved in every card-not-present authentication:

  1. Issuer domain: The cardholder’s bank, which authenticates the customer
  2. Acquirer domain: The merchant’s bank or payment processor, which initiates the authentication request
  3. Interoperability domain: The card network (Visa, Mastercard) infrastructure that routes the authentication between the two

Each card network brands 3D Secure differently: Visa calls it Visa Secure, Mastercard calls it Mastercard Identity Check, and American Express calls it SafeKey. Under the hood, they all use the same EMVCo-managed 3DS2 protocol.

The core idea is simple: before a transaction is authorized, the issuer gets a chance to verify that the person making the payment is actually the cardholder. If the verification succeeds, the issuer takes on the liability for fraud—the liability shift—which protects the merchant from chargebacks on authenticated transactions.

3DS1 vs 3DS2: What Changed

The original 3D Secure (3DS1) launched in the early 2000s and was widely disliked. It redirected customers to a separate page, required them to enter a static password they often forgot, and added enough friction that many merchants saw conversion rates drop by 10–25%. The result: most merchants outside of Europe simply turned it off.

3DS2, released by EMVCo, is a fundamentally different experience:

Feature                   | 3DS1                                      | 3DS2
--------------------------+-------------------------------------------+----------------------------------------------------------------------
Authentication method     | Static password or SMS OTP                | Risk-based analysis + biometrics, push notifications, or OTP
User experience           | Full-page redirect, separate window       | Inline iframe or native mobile SDK—no redirect
Frictionless flow         | Not available                             | Up to 85% of transactions authenticate without customer interaction
Data shared with issuer   | Minimal (card number, amount)             | 100+ data elements (device, browser, transaction history, IP, etc.)
Mobile support            | Poor (not designed for mobile browsers)   | Native mobile SDK with in-app authentication
Cart abandonment impact   | Significant (10–25% drop)                 | Minimal—up to 70% reduction vs 3DS1
Liability shift           | Yes, on successful authentication         | Yes, on successful authentication (including frictionless)

The breakthrough in 3DS2 is the frictionless flow. Instead of challenging every customer, the issuer receives rich data about the transaction—device fingerprint, browser information, transaction history, IP geolocation, and more—and uses risk-based analysis to decide whether the transaction is low-risk enough to approve without customer interaction.

For low-risk transactions, the cardholder sees nothing—authentication happens invisibly in the background. For higher-risk transactions, the issuer sends a challenge—typically a push notification to the cardholder’s banking app, a biometric prompt, or a one-time passcode. Either way, the merchant gets the liability shift.

How 3DS2 Works: Step by Step

Here is the typical 3DS2 flow for a card-not-present transaction:

  1. Customer initiates payment
    The customer enters their card details on the merchant’s checkout page or app.
  2. 3DS authentication request
    The payment processor sends an authentication request to the card network’s Directory Server (DS), which routes it to the issuer’s Access Control Server (ACS). This request includes 100+ data elements about the transaction, device, and customer.
  3. Issuer risk assessment
    The issuer’s ACS analyzes the data and assigns a risk score. Based on this score, the issuer decides: frictionless (approve without challenge) or challenge (require customer verification).
  4. Frictionless path (low risk)
    If the transaction is deemed low-risk, the issuer returns a successful authentication response immediately. The customer sees no additional steps. The full process takes under two seconds.
  5. Challenge path (higher risk)
    If the issuer wants additional verification, the customer sees a challenge—an in-app push notification, biometric prompt, or OTP. Once the customer completes the challenge, authentication succeeds.
  6. Authentication result returned
    The processor receives the authentication result, including the Authentication Value (CAVV/AAV) and the Electronic Commerce Indicator (ECI). These are included in the subsequent authorization request.
  7. Authorization with 3DS data
    The payment processor submits the authorization request to the issuer, now including the 3DS authentication data. Issuers approve authenticated transactions at significantly higher rates.
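To make the seven steps concrete, here is an added example (not code from this page, from Inyo, or from any gateway) that simulates the flow with a mock issuer ACS. The field names transStatus, eci, authenticationValue and threeDSRequestorAuthenticationInd follow EMV 3DS naming and the ECI values are Visa's (05 = authenticated, 07 = not authenticated); the scoring rules, thresholds, card number and sample requests are constructed for illustration and are not any issuer's model.

```javascript
// Step 3: mock ACS risk assessment. A real ACS scores 100+ data elements with
// the issuer's own model; this toy scores five of them and picks a path.
function acsRiskAssess(areq) {
  let score = 0;
  if (areq.ipCountry !== areq.billingCountry) score += 40; // IP/billing mismatch
  if (areq.accountAgeDays < 7) score += 30;                // brand-new account
  if (areq.priorSuccessfulTxns === 0) score += 15;         // no history with merchant
  if (areq.amount > 500) score += 25;                      // large amount
  if (!areq.deviceFingerprint) score += 20;                // SDK device data missing
  return { score, decision: score >= 50 ? 'challenge' : 'frictionless' };
}

// Stand-in for the CAVV/AAV: the real ACS generates a cryptographic value,
// this constructed one is just a unique string so the flow can be followed.
let cavvCounter = 0;
function fakeAuthenticationValue() {
  cavvCounter += 1;
  return `CONSTRUCTED-CAVV-${String(cavvCounter).padStart(4, '0')}`;
}

// Steps 2, 4, 5 and 6: the request goes via the DS to the ACS and a result
// comes back. challengeOutcome models what the cardholder did if challenged.
function authenticate3ds(areq, challengeOutcome = 'completed') {
  const { decision } = acsRiskAssess(areq);
  if (decision === 'frictionless') {
    return { transStatus: 'Y', eci: '05', authenticationValue: fakeAuthenticationValue(), challenged: false };
  }
  // Challenge path: the ACS first answers transStatus 'C', the merchant renders
  // the challenge, and the final result arrives once the cardholder is done.
  if (challengeOutcome === 'completed') {
    return { transStatus: 'Y', eci: '05', authenticationValue: fakeAuthenticationValue(), challenged: true };
  }
  return { transStatus: 'N', eci: '07', authenticationValue: null, challenged: true };
}

// Step 7: the authorization request carries the ECI and, when authentication
// succeeded, the CAVV. Liability shift follows a transStatus of 'Y' only.
function buildAuthorization(areq, ares) {
  const auth = { pan: areq.pan, amount: areq.amount, currency: areq.currency, eci: ares.eci };
  if (ares.transStatus === 'Y') {
    auth.cavv = ares.authenticationValue;
    auth.liabilityShift = true;
  } else {
    auth.liabilityShift = false;
  }
  return auth;
}

// Constructed sample requests: a returning low-risk customer and a new one.
const returningCustomerAReq = {
  pan: '4111111111111111', amount: 120, currency: 'USD',
  threeDSRequestorAuthenticationInd: '01', // 01 = payment transaction
  billingCountry: 'US', ipCountry: 'US', accountAgeDays: 400,
  priorSuccessfulTxns: 12, deviceFingerprint: 'constructed-fp-1',
};
const newCustomerAReq = {
  ...returningCustomerAReq, amount: 900, accountAgeDays: 1,
  priorSuccessfulTxns: 0, ipCountry: 'CA',
};

console.log(buildAuthorization(returningCustomerAReq, authenticate3ds(returningCustomerAReq)));
console.log(buildAuthorization(newCustomerAReq, authenticate3ds(newCustomerAReq, 'abandoned')));
```

The returning customer scores 0 and goes frictionless with liability shift; the new customer scores 110, is challenged, and if the challenge is abandoned the authorization goes out with ECI 07 and no CAVV, so the merchant keeps the fraud liability.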

Why 3DS2 Improves Authorization Rates

It may seem counterintuitive that adding an authentication step increases approvals. But the data is clear: 3DS2-authenticated transactions are approved at higher rates than non-authenticated ones. Here is why:

  • Issuer confidence: When an issuer receives an authorization request with a valid 3DS authentication, they know the cardholder was verified. This removes the primary reason for declining a transaction—uncertainty about the cardholder’s identity.
  • Liability shift incentive: Issuers have a financial incentive to approve authenticated transactions because the liability for fraud shifts to the issuer on successfully authenticated transactions. They built the risk model; they own the decision.
  • Rich data: The 100+ data elements sent during 3DS2 authentication give issuers far more context than a standard authorization request. More data means better risk decisions, which means fewer false declines.
  • Reduced false declines: False declines—legitimate transactions incorrectly rejected—are a massive problem for card-not-present payments. 3DS2 authentication gives issuers the confidence to approve transactions they would otherwise decline.

The numbers: Merchants implementing 3DS2 typically see a 1–3% increase in overall authorization rates. For high-risk merchant categories—including money transfer (MCC 4829), prepaid card loading (MCC 6540), and financial services (MCC 6012)—the improvement can be even larger because these categories have higher baseline decline rates.

3DS2 Integration: Two Approaches

There are two primary ways to integrate 3DS2 into your payment flow:

URL Redirect

The customer is redirected to a hosted 3DS authentication page, then returned to the merchant after authentication completes.

  • Simplest integration—minimal frontend work
  • Works with any web framework
  • Customer leaves your page briefly during challenge
  • Best for: server-rendered sites, simpler integrations

Inline (iframe / PostMessage)

The 3DS challenge renders inside an iframe on the merchant’s page. Communication happens via browser PostMessage events.

  • Seamless experience—customer never leaves your page
  • Better for single-page applications and mobile webviews
  • Requires more frontend integration work
  • Best for: SPAs, mobile apps, custom checkout flows
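The PostMessage channel is the one place in the inline approach where the merchant page accepts input from another window, so the listener needs to be strict about where a message comes from. The following is an added example, not code from this page, from Inyo, or from any gateway: the gateway origin, the message shape ({type, threeDSServerTransID, transStatus}) and the way the pending transaction id is passed in are assumptions; your gateway's documentation defines the real contract.

```javascript
const GATEWAY_ORIGIN = 'https://3ds.gateway.example'; // placeholder origin

// Pure function over an event-like object ({origin, data}) so the logic can be
// tested outside a browser. Returns the parsed result, or null when the
// message must be ignored.
function handleChallengeMessage(event, expectedTransID, trustedOrigin = GATEWAY_ORIGIN) {
  // Any window that can reach your page can postMessage to it, so the origin
  // check is the gate, not the message contents.
  if (event.origin !== trustedOrigin) return null;

  // Tolerate a JSON string, but never eval; reject anything unparseable.
  let msg = event.data;
  if (typeof msg === 'string') {
    try { msg = JSON.parse(msg); } catch { return null; }
  }
  if (!msg || typeof msg !== 'object' || msg.type !== '3ds-challenge-result') return null;

  // Bind the result to the transaction this page actually started.
  if (msg.threeDSServerTransID !== expectedTransID) return null;

  // transStatus is the EMV 3DS final result code; anything else is malformed.
  if (!['Y', 'N', 'A', 'U', 'R'].includes(msg.transStatus)) return null;

  return { transID: msg.threeDSServerTransID, transStatus: msg.transStatus };
}

// In the browser: wire the listener up and continue the checkout. The message
// only drives the UI; the server confirms the result with the gateway before
// authorizing, because anything arriving via postMessage is client-controlled.
function installChallengeListener(expectedTransID, onResult) {
  if (typeof window === 'undefined') return; // not running in a browser
  window.addEventListener('message', (event) => {
    const result = handleChallengeMessage(event, expectedTransID);
    if (result) onResult(result); // e.g. POST /checkout/confirm with result.transID
  });
}
```

The server-side confirmation step matters: the browser message tells the page that the challenge finished, but the liability shift depends on the authentication result the processor reports, never on what the iframe posted.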

For the frictionless path, there is no visible difference between the two approaches—authentication happens in the background either way. The choice of integration mode only affects the challenge flow experience.

When to Use 3DS2

3DS2 is not always required, but it is increasingly recommended. Here is how to think about when to apply it:

Where 3DS2 Is Mandatory

  • European Economic Area (EEA) & UK: Strong Customer Authentication (SCA) under PSD2 requires 3DS2 for most online card transactions. Exemptions exist for low-value, low-risk, and recurring payments, but the default is authentication.
  • India: The Reserve Bank of India mandates additional factor authentication for all domestic online transactions.
  • Other regulated markets: Several countries in Asia, the Middle East, and Latin America are adopting or planning SCA-equivalent rules.

Where 3DS2 Is Optional but Recommended

  • United States: No SCA mandate, but 3DS2 is increasingly used to improve authorization rates and gain liability shift. For high-risk MCCs (money transfer, financial services), 3DS2 can significantly reduce declines and chargebacks.
  • Cross-border transactions: When the cardholder and merchant are in different countries, 3DS2 provides the issuer with additional confidence, improving cross-border approval rates.
  • High-value transactions: For larger transaction amounts, the risk of decline is higher. 3DS2 authentication gives issuers the confidence to approve.
  • First-time customers: New customers with no transaction history at your business have higher decline rates. 3DS2 reduces this by providing issuer-level verification.

Optimizing Your 3DS2 Implementation

Not all 3DS2 implementations perform equally. The difference between a good and a great implementation can be several percentage points of authorization rate. Here are the key optimization levers:

1. Send Maximum Data

The more data you include in the 3DS authentication request, the better the issuer’s risk model performs, and the more likely the transaction qualifies for frictionless authentication. Key fields to always populate:

  • Customer email address and phone number
  • Billing and shipping address (even if your business does not ship physical goods)
  • Customer account age and transaction history with your business
  • Device and browser information (collected automatically by the 3DS SDK)
  • IP address and geolocation data

2. Use the Correct Transaction Type

The 3DS2 protocol includes a threeDSRequestorAuthenticationInd field that tells the issuer what kind of authentication is being requested. Set this correctly:

  • 01: Payment transaction (standard)
  • 02: Recurring transaction
  • 03: Installment transaction
  • 04: Add card (card-on-file enrollment)
  • 05: Maintain card (update stored card)

Issuers use this indicator to apply the correct risk model. A recurring payment flagged as a standard payment may receive unnecessary challenges.

3. Handle Soft Declines with Retry

If an authorization is declined after a frictionless 3DS2 authentication, the issuer may return a soft decline code suggesting the transaction should be retried with a challenge. Your payment flow should detect these codes and automatically trigger a 3DS2 challenge flow rather than showing the customer a failure message.
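One way to wire that retry, as an added example (not code from this page, from Inyo, or from any processor): Visa's response code 1A and Mastercard's 65 are the network codes for "authentication required" soft declines, and threeDSRequestorChallengeInd 04 ("challenge requested: mandate") is the EMV 3DS field that asks the issuer to challenge rather than risk-score again. Which codes reach you depends on your processor, so the set below is a starting point to confirm; the deps object and the stub processor are constructed.

```javascript
const SOFT_DECLINE_CODES = {
  visa: new Set(['1A']),
  mastercard: new Set(['65']),
};

function isSoftDecline(network, responseCode) {
  const codes = SOFT_DECLINE_CODES[network];
  return codes !== undefined && codes.has(responseCode);
}

// Same transaction, same threeDSRequestorAuthenticationInd; only the challenge
// preference changes, so the issuer applies the same risk model to a
// challenged authentication.
function buildChallengeRetry(originalAReq) {
  return { ...originalAReq, threeDSRequestorChallengeInd: '04' };
}

// deps.authenticate(areq) -> { transStatus, eci, authenticationValue, challenged }
// deps.authorize(areq, ares) -> { approved, network, responseCode }
// Retries at most once, so a hard decline never loops.
function authorizeWithSoftDeclineRetry(areq, deps) {
  const firstAres = deps.authenticate(areq);
  const first = deps.authorize(areq, firstAres);
  if (first.approved) return { ...first, retried: false };
  if (!isSoftDecline(first.network, first.responseCode)) return { ...first, retried: false };

  const retryAReq = buildChallengeRetry(areq);
  const challengedAres = deps.authenticate(retryAReq);
  if (challengedAres.transStatus !== 'Y') {
    // Cardholder failed or abandoned the challenge: now it is a real failure.
    return { approved: false, reason: 'challenge_not_completed', retried: true };
  }
  return { ...deps.authorize(retryAReq, challengedAres), retried: true };
}

// Constructed processor stub: frictionless authentications get soft-declined
// with Visa 1A, challenged ones are approved (response code 00). A real
// integration calls the gateway instead.
const stubDeps = {
  authenticate(areq) {
    const challenged = areq.threeDSRequestorChallengeInd === '04';
    return { transStatus: 'Y', eci: '05', authenticationValue: 'constructed-cavv', challenged };
  },
  authorize(areq, ares) {
    if (ares.challenged) return { approved: true, network: 'visa', responseCode: '00' };
    return { approved: false, network: 'visa', responseCode: '1A' };
  },
};

// Constructed stub for a hard decline, to show the retry is not attempted.
const hardDeclineDeps = {
  authenticate: stubDeps.authenticate,
  authorize: () => ({ approved: false, network: 'visa', responseCode: '05' }),
};

const sampleAReq = { pan: '4111111111111111', amount: 250, currency: 'EUR', threeDSRequestorAuthenticationInd: '01' };
console.log(authorizeWithSoftDeclineRetry(sampleAReq, stubDeps));
```

Keep the retry count at one and log both legs with the same transaction id; a second soft decline after a completed challenge is something to raise with the processor, not something to loop on.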

4. Request Exemptions When Appropriate

In SCA-regulated markets (EEA, UK), you can request exemptions from strong authentication for certain transactions:

  • Low-value exemption: Transactions under €30 (up to a cumulative limit)
  • Low-risk exemption (TRA): If the acquirer’s fraud rate is below a threshold, transactions up to €500 can be exempted
  • Recurring payment exemption: After the first authenticated payment, subsequent recurring charges can be exempted
  • Trusted beneficiary: Customers can whitelist merchants they trust, exempting future transactions

Exemptions skip the 3DS challenge entirely, reducing friction. However, exempt transactions do not receive liability shift—the merchant retains fraud liability. Use exemptions selectively for low-risk transactions where the speed benefit outweighs the liability trade-off.
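As an added example of that selection logic (not code from this page, from Inyo, or from any gateway), the function below picks one exemption or none for an EEA/UK transaction. The thresholds are the PSD2 RTS ones, which go a little beyond the figures in the list above: low-value up to EUR 30 with a cumulative cap of EUR 100 or five transactions since the last authentication, and TRA ceilings of EUR 100 / 250 / 500 at acquirer fraud rates of at most 0.13% / 0.06% / 0.01%. The customer state, merchant id and acquirer fraud rate are constructed inputs, and the result records that every exemption leaves fraud liability with the merchant.

```javascript
// TRA ceiling for this acquirer, from its reference fraud rate (percent).
function traCeilingEur(acquirerFraudRatePct) {
  if (acquirerFraudRatePct <= 0.01) return 500;
  if (acquirerFraudRatePct <= 0.06) return 250;
  if (acquirerFraudRatePct <= 0.13) return 100;
  return 0; // acquirer above the top tier: no TRA available
}

// Returns which exemption to flag, or null to authenticate. Order matters:
// the exemptions that do not depend on amount are tried first.
function selectExemption(txn, customer, acquirer) {
  // Recurring: only follow-on charges after the first authenticated one.
  if (txn.recurring && customer.firstRecurringAuthenticated) {
    return { exemption: 'recurring', liabilityShift: false };
  }
  // Trusted beneficiary: the cardholder allow-listed this merchant at the issuer.
  if (customer.trustedBeneficiaries.includes(txn.merchantId)) {
    return { exemption: 'trusted_beneficiary', liabilityShift: false };
  }
  // Low value: amount within EUR 30 and the cumulative caps not yet reached
  // (counted conservatively, so the request never exceeds the RTS limits).
  const withinCumulative =
    customer.amountSinceLastScaEur + txn.amountEur <= 100 &&
    customer.txnsSinceLastSca < 5;
  if (txn.amountEur <= 30 && withinCumulative) {
    return { exemption: 'low_value', liabilityShift: false };
  }
  // TRA: the acquirer's fraud rate sets the ceiling for this amount.
  if (txn.amountEur <= traCeilingEur(acquirer.fraudRatePct)) {
    return { exemption: 'tra', liabilityShift: false };
  }
  return { exemption: null, liabilityShift: true }; // go through 3DS2
}

// Constructed inputs.
const sampleAcquirer = { fraudRatePct: 0.05 }; // qualifies for the EUR 250 tier
const sampleCustomer = {
  amountSinceLastScaEur: 60, txnsSinceLastSca: 2,
  firstRecurringAuthenticated: false, trustedBeneficiaries: ['merchant-B'],
};

console.log(selectExemption({ amountEur: 20, merchantId: 'merchant-A', recurring: false }, sampleCustomer, sampleAcquirer));
console.log(selectExemption({ amountEur: 300, merchantId: 'merchant-A', recurring: false }, sampleCustomer, sampleAcquirer));
```

Two details worth keeping in mind when adapting this: the TRA exemption is applied by the acquirer on the merchant's behalf, so the acquirer's fraud rate, not the merchant's, sets the ceiling; and the issuer can still reject an exemption request and return a soft decline, which is exactly the case the retry logic in the previous section handles.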

5. Monitor and Iterate

Track these metrics to continuously optimize your 3DS2 performance:

  • Frictionless rate: What percentage of 3DS2 authentications complete without a challenge? Target: 70–85%.
  • Challenge completion rate: Of customers who receive a challenge, how many complete it? Low rates indicate UX or technical issues.
  • Authentication success rate: Overall percentage of successful 3DS2 authentications.
  • Post-authentication authorization rate: Approval rate for transactions that passed 3DS2. This should be higher than your non-3DS authorization rate.
  • Chargeback rate on authenticated vs non-authenticated: Validates the fraud reduction benefit.
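The five metrics above computed from per-transaction records, as an added example (not code from this page, from Inyo, or from any gateway). The records are constructed sample data and the field names (threeDS, transStatus, challenged, challengeCompleted, authorized, fraudChargeback) are assumptions; map them from whatever your gateway actually logs. Non-3DS transactions are included so the post-authentication authorization rate and the chargeback rate have a baseline to compare against.

```javascript
// Constructed sample: eight 3DS2 authentications and four non-3DS transactions.
const sampleRecords = [
  { threeDS: true,  transStatus: 'Y', challenged: false, challengeCompleted: null,  authorized: true,  fraudChargeback: false },
  { threeDS: true,  transStatus: 'Y', challenged: false, challengeCompleted: null,  authorized: true,  fraudChargeback: false },
  { threeDS: true,  transStatus: 'Y', challenged: false, challengeCompleted: null,  authorized: false, fraudChargeback: false },
  { threeDS: true,  transStatus: 'Y', challenged: false, challengeCompleted: null,  authorized: true,  fraudChargeback: false },
  { threeDS: true,  transStatus: 'Y', challenged: false, challengeCompleted: null,  authorized: true,  fraudChargeback: false },
  { threeDS: true,  transStatus: 'Y', challenged: true,  challengeCompleted: true,  authorized: true,  fraudChargeback: false },
  { threeDS: true,  transStatus: 'N', challenged: true,  challengeCompleted: false, authorized: false, fraudChargeback: false },
  { threeDS: true,  transStatus: 'Y', challenged: true,  challengeCompleted: true,  authorized: true,  fraudChargeback: false },
  { threeDS: false, transStatus: null, challenged: false, challengeCompleted: null, authorized: true,  fraudChargeback: false },
  { threeDS: false, transStatus: null, challenged: false, challengeCompleted: null, authorized: true,  fraudChargeback: true  },
  { threeDS: false, transStatus: null, challenged: false, challengeCompleted: null, authorized: false, fraudChargeback: false },
  { threeDS: false, transStatus: null, challenged: false, challengeCompleted: null, authorized: true,  fraudChargeback: false },
];

// null rather than NaN when a denominator is zero, so dashboards show "no data".
const rate = (numerator, denominator) => (denominator === 0 ? null : numerator / denominator);

function computeMetrics(records) {
  const auths = records.filter((r) => r.threeDS);
  const challenged = auths.filter((r) => r.challenged);
  const authenticated = auths.filter((r) => r.transStatus === 'Y');
  const nonThreeDS = records.filter((r) => !r.threeDS);
  const authorizedAuthenticated = authenticated.filter((r) => r.authorized);
  const authorizedNonThreeDS = nonThreeDS.filter((r) => r.authorized);
  return {
    frictionlessRate: rate(auths.length - challenged.length, auths.length),
    challengeCompletionRate: rate(challenged.filter((r) => r.challengeCompleted).length, challenged.length),
    authenticationSuccessRate: rate(authenticated.length, auths.length),
    postAuthenticationAuthorizationRate: rate(authorizedAuthenticated.length, authenticated.length),
    nonThreeDSAuthorizationRate: rate(authorizedNonThreeDS.length, nonThreeDS.length),
    fraudChargebackRateAuthenticated: rate(authorizedAuthenticated.filter((r) => r.fraudChargeback).length, authorizedAuthenticated.length),
    fraudChargebackRateNonAuthenticated: rate(authorizedNonThreeDS.filter((r) => r.fraudChargeback).length, authorizedNonThreeDS.length),
  };
}

console.log(computeMetrics(sampleRecords));
```

On this sample the frictionless rate is 62.5% (below the 70–85% target, which is the signal to look at the data being sent in the authentication request), the challenge completion rate is two out of three, and the authorization rate after a successful authentication (6/7) is above the non-3DS rate (3/4), which is the comparison the fourth metric exists to make. Chargeback rates only become meaningful once the records are old enough for disputes to have arrived, so compute them over a trailing window rather than the current day.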

3DS2 for Money Transfer & AFT Programs

Money transfer businesses and AFT programs benefit significantly from 3DS2 because their transactions typically carry higher risk flags:

  • High-risk MCCs: MCC 4829 (money transfer) and MCC 6540 (stored value) have higher baseline decline rates. 3DS2 authentication provides the issuer confidence needed to approve.
  • Cross-border element: Many remittance transactions involve a US cardholder sending to an international recipient. The cross-border flag increases issuer scrutiny; 3DS2 offsets this.
  • Higher transaction amounts: Money transfers are typically larger than average card purchases. Higher amounts trigger additional issuer risk checks that 3DS2 satisfies.
  • New customer risk: First-time senders on a money transfer platform have no transaction history with the business. 3DS2 gives the issuer a verification mechanism beyond the card data alone.

For AFT programs specifically, combining proper AFT transaction classification with 3DS2 authentication creates the optimal authorization profile: the issuer sees a correctly coded money transfer with verified cardholder identity, leading to the highest possible approval rates.

Frequently Asked Questions

Does 3DS2 slow down the checkout experience?

For frictionless authentications (70–85% of transactions), the customer sees no delay—authentication happens in under two seconds in the background. For challenged transactions, the customer completes a verification step that typically takes 10–30 seconds. Overall, 3DS2 reduces cart abandonment by up to 70% compared to 3DS1.

Is 3DS2 required in the United States?

No. The US does not have an SCA mandate. However, 3DS2 is increasingly used by US merchants and payment platforms to improve authorization rates, gain liability shift, and reduce chargebacks. For high-risk categories like money transfer, it is strongly recommended.

Does 3DS2 eliminate chargebacks?

Not entirely. 3DS2 with successful authentication shifts liability for fraud-related chargebacks to the issuer. However, chargebacks for reasons other than fraud (product not received, service disputes) are not covered by the liability shift. For money transfer businesses, the fraud liability shift is the most relevant benefit.

Can I use 3DS2 with mobile apps?

Yes. 3DS2 includes a native mobile SDK that provides in-app authentication without redirecting to a browser. The SDK collects device data automatically and renders any challenge UI natively within the app, providing a seamless mobile experience.

3DS2 Built Into Every Transaction

Inyo’s payment gateway supports 3D Secure 2 natively across all card-not-present transactions, with both URL redirect and inline integration modes. Our implementation includes automatic data enrichment to maximize frictionless authentication rates, soft decline retry logic, and configurable rules for when to apply 3DS based on transaction risk, amount, and corridor. Combined with our AFT-native processing and payment orchestration, you get the highest possible authorization rates for money movement transactions.
