
What is EMV 3DS?

Complexity: Expert · Shows up: Monthly · Scope: Network-native · Operator relevance: Critical
Quick definition

EMV 3-D Secure (EMV 3DS) is the modern card-not-present authentication protocol. When a transaction is authenticated, fraud liability shifts from the merchant to the issuer. The current versions (2.2 and 2.3) authenticate low-risk charges frictionlessly and step up to a challenge only when the issuer's risk scoring calls for it.

The short answer

EMV 3DS (often just "3DS" or "3DS2") is the successor to the original Verified by Visa / Mastercard SecureCode protocol (3DS1). On an eligible card-not-present (ecommerce) transaction, the merchant's 3DS Server (usually operated by the gateway) sends the transaction plus roughly 100 risk-data fields (browser and device data, IP address, billing/shipping mismatch flags, purchase history, account tenure) through the card network's Directory Server to the issuer's Access Control Server (ACS). The ACS runs its risk scoring and either authenticates frictionlessly or triggers a step-up challenge (OTP, biometric, banking-app confirmation). On successful authentication the issuer returns an authentication cryptogram (CAVV for Visa, AAV for Mastercard) and an ECI value, which the merchant must carry into the authorization request. With those present, fraud liability for the transaction shifts from the merchant to the card issuer: the scheme rules block fraud-reason chargebacks on that charge.

3DS1 vs 3DS2 vs 3DS 2.2 vs 2.3

  • 3DS1 (Verified by Visa, Mastercard SecureCode): legacy. Always redirected the cardholder to an issuer page for a static password or OTP, with high cart abandonment (15–25%). The card networks retired 3DS1 in October 2022, so a gateway that still "falls back" to it gets neither an authentication nor a liability shift.
  • 3DS2 (2.1, 2.2, 2.3): modern. Uses risk-based authentication: most transactions authenticate frictionlessly, with no cardholder interaction, and only high-risk or regulated transactions get a step-up challenge. Cart abandonment on 3DS2-authenticated charges is comparable to non-authenticated ones (under 3% friction rate).

What operators need to know

  • Liability shift is merchant-favorable. On a 3DS-authenticated transaction, if the cardholder later disputes the charge as fraud ("I didn't authorize this"), the issuer eats the loss, not you: scheme rules block fraud-reason chargebacks (Visa 10.4, Mastercard 4837) against a fully authenticated charge. On non-authenticated charges the merchant is liable. Over time this saves real money on fraud-reason chargebacks, but only if the authentication data (ECI plus CAVV/AAV) actually reaches the authorization message; an authentication that is not carried into the authorization earns no shift.
  • PSD2 SCA in Europe mandates it. When both the issuer and the acquirer are in the EEA (the UK runs an equivalent regime), Strong Customer Authentication (SCA) under PSD2 applies to customer-initiated ecommerce card payments, and 3DS2 is the primary mechanism for it. Skipping 3DS on in-scope charges leads to soft declines: the issuer refuses the authorization and asks for authentication (Visa response code 1A, Mastercard 65), and the charge has to be retried with 3DS.
  • US is voluntary but rising. In the US, 3DS is merchant opt-in. Adoption is rising fast because the liability shift is real and frictionless authentication is low-cost.
  • Not a replacement for fraud scoring. 3DS moves liability for fraud chargebacks; it does not replace the issuer's own fraud scoring at authorization (an authenticated transaction can still be declined), and it does not replace your own pre-authorization fraud screening. Your chargeback ratio benefits from 3DS; your authorization rate does not automatically improve.
  • Step-up challenge friction exists. When the issuer triggers a step-up (OTP or bank-app push), cart abandonment on that transaction rises to 8–15%. Fortunately, 3DS2's risk-based flow triggers step-up on only 5–15% of eligible transactions.
  • Challenge exemptions reduce friction. Under PSD2 there are several exemption categories: low-value (under €30, subject to the issuer's counter of five consecutive exempted charges or €100 cumulative since the last SCA), trusted beneficiary (the cardholder has whitelisted the merchant with their issuer), transaction risk analysis (TRA; the amount ceiling of €100, €250 or €500 depends on the requesting PSP's fraud rate), recurring (subsequent charges of the same amount to the same payee; the first charge in the series still needs SCA), plus narrower ones such as secure corporate payments. Configuring your gateway to request exemptions when eligible is standard. Two caveats: the issuer can refuse the exemption and challenge anyway, and a charge that goes through on an acquirer-requested exemption is not authenticated, so fraud liability stays with the merchant.
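The exemption decision above, as an added example in Python (not multiflow's code): a merchant-side routine that picks which SCA path to request for a charge, following the PSD2 RTS rules summarised in the list (one-leg-out scope, merchant-initiated charges out of scope, trusted beneficiary, low-value counters, TRA ceilings by fraud rate). The `Charge` fields, the acquirer fraud-rate parameter and the mirrored low-value counters are assumptions; the issuer keeps the real counters and can still refuse any exemption and challenge.

```python
"""Choose which PSD2 SCA path to request for a card-not-present charge.

Added example, not multiflow's code. Field names and the mirrored counters are
assumptions; only the issuer holds the authoritative low-value counters.
"""
from dataclasses import dataclass

# EEA member states plus the UK, which runs an equivalent SCA regime.
EEA_AND_UK = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IS", "IE", "IT", "LV", "LI", "LT", "LU", "MT", "NL", "NO", "PL",
    "PT", "RO", "SK", "SI", "ES", "SE", "GB",
}

# RTS Article 18: TRA amount ceiling allowed for a given reference fraud rate
# (basis points). A PSP above 13 bp may not use the TRA exemption at all.
TRA_CEILINGS_EUR = [(1, 500.00), (6, 250.00), (13, 100.00)]


@dataclass
class Charge:
    amount_eur: float
    issuer_country: str
    acquirer_country: str
    merchant_initiated: bool = False   # subsequent charge in an agreed series (recurring/MIT)
    on_trusted_list: bool = False      # cardholder whitelisted this merchant at the issuer
    low_value_count: int = 0           # assumed mirror: exempted low-value charges since last SCA
    low_value_sum_eur: float = 0.0     # assumed mirror: cumulative amount since last SCA


def tra_ceiling(pspsp_fraud_rate_bp: float) -> float:
    """Largest amount the TRA exemption may be requested for at this fraud rate."""
    for max_bp, ceiling in TRA_CEILINGS_EUR:
        if pspsp_fraud_rate_bp <= max_bp:
            return ceiling
    return 0.0


def choose_sca_path(c: Charge, acquirer_fraud_rate_bp: float) -> str:
    # One-leg-out: SCA applies only when both issuer and acquirer are in scope.
    if c.issuer_country not in EEA_AND_UK or c.acquirer_country not in EEA_AND_UK:
        return "out_of_scope"
    # Merchant-initiated charges are out of scope; the charge that set up the
    # mandate (the first in the series) was the one that needed SCA.
    if c.merchant_initiated:
        return "out_of_scope_mit"
    if c.on_trusted_list:
        return "exemption:trusted_beneficiary"
    # RTS Article 16: <= EUR 30, at most five consecutive exempted charges and
    # at most EUR 100 cumulative since the last SCA.
    if (c.amount_eur <= 30.00
            and c.low_value_count < 5
            and c.low_value_sum_eur + c.amount_eur <= 100.00):
        return "exemption:low_value"
    if c.amount_eur <= tra_ceiling(acquirer_fraud_rate_bp):
        return "exemption:tra"
    # Nothing applies: send the charge through full 3DS and let the issuer challenge.
    return "challenge:sca_required"


if __name__ == "__main__":
    for charge in (Charge(25.0, "DE", "NL"),
                   Charge(400.0, "FR", "FR"),
                   Charge(400.0, "US", "FR")):
        print(charge.amount_eur, charge.issuer_country, "->", choose_sca_path(charge, 5))
```

Anything returned as `exemption:*` should still be flagged as unauthenticated in your own records: if the issuer honours the exemption, the charge skips authentication and a later fraud dispute lands on the merchant. `out_of_scope` does not mean "skip 3DS"; it means 3DS is optional there, and running it anyway is how you earn the liability shift on, for example, a US-issued card.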

Authenticated vs. unauthenticated 3DS dispute rights

  • Authenticated fraud dispute: issuer carries liability. Scheme rules block fraud-reason chargebacks against a fully authenticated charge, so the merchant wins without representment. "Fully authenticated" means the authorization carried ECI 05 (Visa) or 02 (Mastercard) plus the CAVV/AAV; an attempted result (ECI 06 / 01) is treated differently by each scheme and region, so check your scheme's rule before counting on it.
  • Authenticated non-fraud dispute (Mastercard 4853, Visa 13.x, etc.): 3DS does NOT protect against non-fraud reason codes. "Goods not as described" or "cancelled recurring" chargebacks proceed normally.
  • Unauthenticated fraud dispute: merchant liable. Representment requires compelling evidence (proof of delivery, a device or IP match with earlier undisputed orders, and similar) to win.

Implementation checklist

  1. Confirm your gateway supports 3DS 2.2 or 2.3 (2.1 is deprecated in most regions) and that it passes the ECI and CAVV/AAV from the authentication into the authorization request.
  2. Enable 3DS for all EEA- and UK-issued BINs by default (PSD2 SCA compliance), requesting exemptions where eligible.
  3. Enable 3DS risk-based mode for US-issued BINs where the liability shift is valuable.
  4. Collect the browser data the spec asks for in your checkout (user agent, accept header, language, colour depth, screen size, timezone offset, JavaScript/Java enabled) and submit it in the authentication request along with cardholder account data (account age, prior purchases, shipping-address history). The more 3DS data fields you submit, the higher the frictionless rate, because the issuer's ACS can only score what it receives.
  5. Track 3DS auth rate, step-up rate, and liability-shift rate monthly, and reconcile the last against authorizations that actually carried the cryptogram: an authentication that never reached the authorization shifted nothing.
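An added Python example (not multiflow's code) covering the dispute-rights checks and checklist step 5: it classifies an EMV 3DS authentication result into an outcome that says whether the liability shift can be relied on, then computes auth rate, step-up rate and liability-shift rate over a batch of results. Field names `transStatus`, `eci`, `authenticationValue` and `messageVersion` are the 3DS2 message fields; the `challenged` flag, the `scheme` key, the sample records (with made-up cryptograms) and the policy of authorizing a `U` result unauthenticated are assumptions.

```python
"""Classify EMV 3DS results for the liability-shift decision and compute monthly metrics.

Added example, not multiflow's code. Sample records are constructed; the
cryptogram strings are made up and the ``challenged`` flag is assumed to be
recorded by the merchant when the ARes came back with transStatus C.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Full-authentication and attempted ECI values per scheme. Amex, Discover and
# JCB use the Visa-style 05/06/07; Mastercard uses 02/01/00.
FULL_AUTH_ECI = {"visa": "05", "mastercard": "02"}
ATTEMPT_ECI = {"visa": "06", "mastercard": "01"}
# Outcomes where the issuer's ACS said "authenticated" or "attempted".
ISSUER_SAID_YES = {"frictionless", "challenged", "auth_missing_data", "attempted"}


@dataclass(frozen=True)
class Outcome:
    label: str
    liability_shift: bool   # safe to treat the charge as issuer-liable for fraud disputes
    authorize: bool         # pass to authorization (with ECI + cryptogram when present)


def classify(result: Dict, scheme: str) -> Outcome:
    status = result.get("transStatus")
    eci = result.get("eci")
    cryptogram = result.get("authenticationValue")   # CAVV (Visa) / AAV (Mastercard)
    if not str(result.get("messageVersion", "")).startswith("2."):
        return Outcome("unsupported_version", False, False)   # 3DS1 is retired
    if status == "C":
        return Outcome("challenge_pending", False, False)     # run the CReq/CRes flow first
    if status == "Y":
        # Only count the shift when the authorization can carry both the
        # full-auth ECI and the cryptogram; a "Y" without them shifts nothing.
        if cryptogram and eci == FULL_AUTH_ECI.get(scheme):
            label = "challenged" if result.get("challenged") else "frictionless"
            return Outcome(label, True, True)
        return Outcome("auth_missing_data", False, False)
    if status == "A":
        # Attempted: protection differs by scheme and region, so it is not
        # counted as shifted here; authorize with the attempt ECI if present.
        return Outcome("attempted", False, bool(cryptogram) and eci == ATTEMPT_ECI.get(scheme))
    if status == "U":
        # ACS unavailable. Assumed merchant policy: authorize unauthenticated.
        return Outcome("unavailable", False, True)
    if status == "N":
        return Outcome("failed", False, False)
    if status == "R":
        return Outcome("rejected", False, False)
    return Outcome("unknown", False, False)


def monthly_metrics(records: List[Dict]) -> Dict[str, float]:
    """Auth rate, step-up rate and liability-shift rate over a batch of results."""
    n = len(records)
    if n == 0:
        return {"auth_rate": 0.0, "step_up_rate": 0.0, "liability_shift_rate": 0.0}
    counts: Counter = Counter()
    for rec in records:
        outcome = classify(rec["result"], rec["scheme"])
        if outcome.label in ISSUER_SAID_YES:
            counts["authenticated"] += 1
        if rec["result"].get("challenged"):
            counts["step_up"] += 1
        if outcome.liability_shift:
            counts["shifted"] += 1
    return {
        "auth_rate": counts["authenticated"] / n,
        "step_up_rate": counts["step_up"] / n,
        "liability_shift_rate": counts["shifted"] / n,
    }


# Constructed sample: one month's worth of results, heavily abridged.
SAMPLE = [
    {"scheme": "visa", "result": {"messageVersion": "2.2.0", "transStatus": "Y", "eci": "05",
                                  "authenticationValue": "AAABBJg0VhI0VniQEjRWAAAAAAA=", "challenged": False}},
    {"scheme": "mastercard", "result": {"messageVersion": "2.2.0", "transStatus": "Y", "eci": "02",
                                        "authenticationValue": "kBzzAHyXQ5GnFhJxUE1JhSY/xcs=", "challenged": True}},
    {"scheme": "visa", "result": {"messageVersion": "2.2.0", "transStatus": "A", "eci": "06",
                                  "authenticationValue": "AAABBJg0VhI0VniQEjRWAAAAAAA="}},
    {"scheme": "visa", "result": {"messageVersion": "2.2.0", "transStatus": "N", "eci": "07", "challenged": True}},
    # Issuer said Y but the gateway dropped the cryptogram: authenticated on paper, no shift.
    {"scheme": "mastercard", "result": {"messageVersion": "2.1.0", "transStatus": "Y", "eci": "02",
                                        "authenticationValue": None}},
]

if __name__ == "__main__":
    print(monthly_metrics(SAMPLE))
```

The gap between `auth_rate` and `liability_shift_rate` in the sample (the issuer authenticated four of five, only two are protected) is exactly what step 5 asks you to watch: attempted results and authentications whose cryptogram never reached the authorization both inflate the first number without moving the second.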

How multiflow handles 3DS

Parent merchant accounts ship with 3DS 2.2/2.3 enabled by default: risk-based mode for US issuers and SCA-compliant flows for European issuers. Device and browser data is captured in the checkout SDK and passed into the 3DS authentication request. The operator portal tracks 3DS coverage and liability-shift rate per sub-brand, surfacing brands where configuration tuning would improve coverage. See cross-border interchange for the related international compliance context.
