The Real Power of EMV 3D Secure
EMV 3D Secure (3DS 2.x), published in 2016, is one of the most comprehensive protocols ever developed to secure card-not-present payments. Yet many PSPs, banks and merchants still misunderstand it, or see it merely as a legal obligation. In this article we explore the true power of the protocol and the right integration strategies.
EMV 3D Secure (commonly referred to as 3D Secure 2.0, or 3DS 2.x) was published by EMVCo in 2016. Developed with the Strong Customer Authentication (SCA) requirements of PSD2 in view, it is one of the most comprehensive standards for securing card payments made online. Yet to this day, misconceptions on both the industry and the user side have overshadowed the protocol's true potential.
Today, many PSPs, banks and merchants still view EMV 3D Secure as nothing more than a "legal obligation", unaware of the strategic benefits it offers or unable to take advantage of them. The purpose of this article is not to explain what EMV 3D Secure is, but rather what it is not, how it is being misapplied, and why it deserves renewed attention today.
What is EMV 3D Secure? Technical and Historical Background
The 3-D Secure protocol was first introduced by Visa in 2001 as Verified by Visa. Other schemes adopted the same model under their own brands: Mastercard SecureCode, JCB J/Secure and American Express SafeKey. In version 1.0 of the protocol, the primary goal was to insert an authentication step between the cardholder and their issuing bank so that card-not-present (CNP) transactions could be secured. The first version, however, introduced numerous problems from a user-experience perspective.
EMV 3D Secure (also known as 3DS 2.x), published by EMVCo in 2016, was developed to solve these problems. Unlike the old system, 3DS 2.x supports native mobile apps through an SDK and a range of authentication methods, carries far richer data to the issuer, and shows the user a challenge screen only when necessary.
EMVCo's specifications, ranging from v2.0 through to v2.3.1.1, demonstrate how this protocol has evolved not only in terms of security, but also user experience and commercial efficiency.
Differences Between EMV 3DS and 3DS 1.0
User Experience (UX)
In 3DS 1.0, users were redirected to an issuer page, often shown in an iframe, and had to type a static password there. Those pages looked untrustworthy and trained users to enter credentials on pages they could not verify, fertile ground for phishing. Cart abandonment rates rose by 10–12%.
EMV 3DS, on the other hand, can integrate with the bank's mobile application and supports biometric authentication (fingerprint, face recognition), mobile push notifications and FIDO-based passkeys. A user can approve a payment with a single tap in the banking app instead of waiting for an SMS.
Technical Infrastructure
EMV 3DS allows well over 100 data elements to be sent to the card issuer with each authentication request. They cover device information, IP address, the transaction amount and context, and the cardholder's account history with the merchant. The issuer analyses the transaction risk from this data and, if it judges the risk low, authenticates the transaction without showing the user any challenge screen (the frictionless flow).
Risk-Based Authentication (RBA)
Risk-based authentication (RBA) is one of the strongest aspects of EMV 3DS. By analysing the cardholder's habits, the issuer can avoid unnecessary challenge screens. For example, if a user pays from the same device on a site where they regularly shop, with the order shipped to an address they have used before, the issuer may assess the transaction as low risk and authenticate it without a challenge.
Common Misconceptions in the Industry
The "3DS drives customers away" perception
This frequently heard remark is a bias left over from the 3DS 1.0 experience. When EMV 3DS is correctly integrated, it can raise transaction approval rates: as long as users are not sent to a challenge unnecessarily, cart abandonment falls.
Dependence on OTP
Many banks still use only SMS OTP for verification. Yet the alternatives EMV 3DS supports, such as push notifications and biometrics, make verification faster and more secure: an SMS code can be phished or intercepted through SIM swapping, whereas a signature produced by a registered device cannot simply be read out to an attacker.
Viewed only as a legal obligation
EMV 3DS integrations built to the minimum needed for PSD2 and SCA compliance cannot create real value. Used correctly, the same system reduces fraud risk, prevents fraud chargebacks and improves the customer experience.
EMV 3DS Message Structure and Data Sharing
Transactions are managed through message pairs, the first of which is AReq (Authentication Request) and ARes (Authentication Response). The 3DS Requestor (merchant, PSP or virtual POS) sends the AReq through its 3DS Server to the card scheme's Directory Server (DS), which forwards it to the issuer's Access Control Server (ACS); the ARes travels back the same way. If a challenge is needed, the CReq/CRes pair runs between the cardholder's browser or app and the ACS, and the ACS reports the final result to the 3DS Server in an RReq/RRes pair. An EMV 3DS AReq can carry well over 100 data elements. This enables the issuer to run a more accurate risk analysis, increase frictionless flows and reduce unnecessary "challenge" steps.
Thanks to this data set, the issuer can evaluate the transaction in the background and complete authentication "frictionlessly", that is, without a challenge.
- Device information: browser language, user agent, screen size and time zone, IP address, device model and operating system, device fingerprint (sent by the mobile SDK as encrypted deviceInfo), mobile app ID
- Transaction and card details: MCC (Merchant Category Code), transaction amount, currency, transaction timestamp, transaction type, how long the card has been on file with the merchant
- Cardholder history: transaction counts on the account in the last 24 hours and the last year, purchases in the last six months, age of the account and date of its last change, suspicious-activity flag
- Merchant–cardholder interaction: whether and how the cardholder logged in to the merchant (own credentials, federated ID, FIDO authenticator), account age, address and password change indicators, shipping address usage
- Merchant risk indicators and identifiers: shipping method, delivery timeframe, pre-order and reorder flags, gift card data; plus the 3DS Server and DS transaction IDs, the 3DS Requestor ID and the 3DS Server operator ID
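As an added example (not code from the article, nor from any 3DS Server or ACS product), the following Python builds an AReq for the same checkout twice, once with the handful of elements a minimal integration sends and once with the browser, cardholder-account and merchant-risk elements filled in, and then runs both through a toy issuer-side risk scorer. Field names and indicator codes are those of the EMV 3DS 2.2 AReq; the checkout data, the scoring weights and the 40-point threshold are constructed for illustration and stand in for an issuer's real RBA model.

```python
# Added example, not code from the article or from any 3DS Server or ACS product.
# Builds an EMV 3DS AReq from merchant-side context (field names as in the EMV 3DS 2.2
# AReq message) and runs it through a toy issuer-side risk scorer. The checkout data,
# the scoring weights and the threshold are constructed for illustration only.
from typing import Any

# Constructed sample checkout context for one browser-based purchase (not real data).
CHECKOUT: dict[str, Any] = {
    "amount_minor": 4999, "currency": "978", "exponent": "2",      # 49.99 EUR
    "mcc": "5732", "merchant_name": "Example Electronics",
    "browser": {"ip": "203.0.113.7", "ua": "Mozilla/5.0 (X11; Linux x86_64)",
                "accept": "text/html,*/*", "lang": "de-DE", "tz": "-60",
                "screen": (1920, 1080), "js": True, "java": False},
    "account": {"age_days": 540, "days_since_change": 200, "ship_addr_days": 400,
                "txn_day": 1, "txn_year": 14, "suspicious": False},
    "logged_in_with_merchant_credentials": True,
}


def _days_ind(days: int, codes: tuple[str, str, str]) -> str:
    """Map an age in days onto EMV 3DS bucket codes given as (<30 days, 30-60 days, >60 days)."""
    if days < 30:
        return codes[0]
    if days <= 60:
        return codes[1]
    return codes[2]


def build_areq(ctx: dict[str, Any], rich: bool = True) -> dict[str, Any]:
    """Sparse integration: only the elements needed for the DS to route the message.
    Rich integration: also the browser, cardholder-account and merchant-risk elements
    that an issuer's risk-based authentication actually scores."""
    b = ctx["browser"]
    areq: dict[str, Any] = {
        "messageType": "AReq", "messageVersion": "2.2.0",
        "messageCategory": "01",                 # payment authentication
        "deviceChannel": "02",                   # browser
        "threeDSRequestorAuthenticationInd": "01",
        "purchaseAmount": str(ctx["amount_minor"]), "purchaseCurrency": ctx["currency"],
        "purchaseExponent": ctx["exponent"], "mcc": ctx["mcc"],
        "merchantName": ctx["merchant_name"],
        "browserIP": b["ip"], "browserUserAgent": b["ua"],
        "browserAcceptHeader": b["accept"], "browserJavaEnabled": b["java"],
    }
    if not rich:
        return areq
    a = ctx["account"]
    areq.update({
        "browserLanguage": b["lang"], "browserTZ": b["tz"],
        "browserJavascriptEnabled": b["js"], "browserColorDepth": "24",
        "browserScreenWidth": str(b["screen"][0]), "browserScreenHeight": str(b["screen"][1]),
        # 02 = cardholder logged in with the merchant's own credentials, 01 = no login
        "threeDSRequestorAuthenticationInfo": {
            "threeDSReqAuthMethod": "02" if ctx["logged_in_with_merchant_credentials"] else "01"},
        "acctInfo": {
            "chAccAgeInd": _days_ind(a["age_days"], ("03", "04", "05")),
            "chAccChangeInd": _days_ind(a["days_since_change"], ("02", "03", "04")),
            "shipAddressUsageInd": _days_ind(a["ship_addr_days"], ("02", "03", "04")),
            "txnActivityDay": str(a["txn_day"]), "txnActivityYear": str(a["txn_year"]),
            "suspiciousAccActivity": "02" if a["suspicious"] else "01",
        },
        "merchantRiskIndicator": {"shipIndicator": "01",       # ship to billing address
                                  "deliveryTimeframe": "04",   # two or more days
                                  "reorderItemsInd": "01"},    # first time ordered
    })
    return areq


def count_elements(msg: dict[str, Any]) -> int:
    """Number of populated leaf data elements, nested objects included."""
    return sum(count_elements(v) if isinstance(v, dict) else 1 for v in msg.values())


def issuer_rba(areq: dict[str, Any], challenge_threshold: int = 40) -> tuple[str, int]:
    """Toy issuer-side RBA (constructed weights). Absent elements are scored as unknown,
    i.e. risky: what the merchant does not send, the issuer cannot use to wave the
    transaction through. Returns (transStatus, score): "Y" frictionless, "C" challenge."""
    score = 0
    amount = int(areq["purchaseAmount"]) / 10 ** int(areq["purchaseExponent"])
    score += 25 if amount >= 500 else 10 if amount >= 100 else 0
    acct = areq.get("acctInfo")
    if acct is None:
        score += 30                                # no cardholder history at all
    else:
        score += {"01": 15, "02": 25, "03": 15, "04": 5, "05": 0}.get(acct.get("chAccAgeInd"), 15)
        score += {"01": 15, "02": 10, "03": 5, "04": 0}.get(acct.get("shipAddressUsageInd"), 10)
        score += 40 if acct.get("suspiciousAccActivity") == "02" else 0
        score += 20 if int(acct.get("txnActivityDay", "0")) > 5 else 0
    method = areq.get("threeDSRequestorAuthenticationInfo", {}).get("threeDSReqAuthMethod", "01")
    score += {"01": 15, "02": 5, "03": 5, "04": 0, "05": 5, "06": 0}.get(method, 15)
    mri = areq.get("merchantRiskIndicator")
    score += 10 if mri is None else 15 if mri.get("shipIndicator") == "03" else 0
    if "browserLanguage" not in areq or "browserTZ" not in areq:
        score += 10                                # too little device context to fingerprint
    return ("Y" if score < challenge_threshold else "C"), score


if __name__ == "__main__":
    for rich in (False, True):
        areq = build_areq(CHECKOUT, rich=rich)
        status, score = issuer_rba(areq)
        print(f"rich={rich}: {count_elements(areq)} elements -> transStatus {status} (score {score})")
```

Run stand-alone, the sparse request carries 14 elements and scores 65, so the toy issuer challenges it; the rich request for the very same purchase carries 30 elements and scores 5, so it passes frictionlessly. The particular weights are not the point: elements the merchant never sends are scored as unknown by any issuer model, which is why a minimal integration sees more challenges than the protocol requires.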
Regulations and Liability Shift
In the European Union, PSD2 requires Strong Customer Authentication (SCA) for electronic card payments unless one of the exemptions in the regulatory technical standards applies. EMV 3DS is the card schemes' standard mechanism for applying SCA to card-not-present transactions.
For transactions authenticated through EMV 3DS, liability for fraud chargebacks shifts to the card issuer once authentication succeeds. If authentication fails or was not attempted, liability remains with the merchant. This makes a critical difference for merchants: fraud chargeback costs, particularly for high-volume e-commerce operations, can be cut significantly. Two caveats apply. The shift covers only fraud-related chargebacks (unauthorised use of the card), not disputes over goods or services, and a transaction completed under a merchant-requested exemption is not authenticated, so liability for it stays with the merchant.
Risks Created by Incorrect Integrations
Many PSPs and banks still fail to benefit fully from EMV 3DS for the following reasons:
- Use of a single, OTP-based challenge type
- Lack of mobile SDK integration
- Populating only a handful of the well over 100 data elements the AReq can carry
- Failure to define exemptions (e.g. low-value transactions, trusted merchants)
- Use of outdated challenge screens on the issuer side
Such shortcomings both increase cart abandonment and leave the fraud risk where it was.
New Features in EMV 3DS v2.3.1.1
With the release of EMV 3DS v2.3.1.1 in 2023, significant new features were introduced:
- Secure Payment Confirmation (SPC): the issuer challenges the cardholder directly in the browser with a WebAuthn credential (platform biometric or security key) registered with the issuer beforehand; the browser shows the amount and payee, and the signed assertion is bound to that transaction data.
- Out-of-Band (OOB) enhancements: OOB challenges, where approval is obtained in the bank's mobile application over an independent channel, already existed in earlier 2.x versions; 2.3 adds automatic switching between the merchant app or browser and the issuer app, so the cardholder no longer has to change apps by hand.
- FIDO/WebAuthn (passkey) support: passwordless, device-bound authentication, with the 3DS Requestor able to pass the cardholder's FIDO authentication data on to the issuer.
These features remove the phishable shared secret (static password or OTP) from the challenge and optimise the user experience.
Strategic Recommendations for Correct Integration
- Analyse the frictionless rate: measure the share of authentications that complete without a challenge, and make sure transactions that are not high-risk are not being routed to one.
- Integrate the SDK: native flows should be designed for mobile applications rather than web views.
- Ensure data richness: transmit as much contextual data as possible to the 3DS server, since elements the issuer never receives cannot lower its risk score.
- Diversify authentication: activate biometric, push and passkey methods beyond OTP.
- Support risk scoring with AI: real-time behavioural analytics, on the issuer's ACS and in merchant-side pre-screening, lead to more accurate decisions.
- Apply PSD2 exemptions: define trusted beneficiary (merchant whitelisting), low-value (up to EUR 30) and recurring-payment exemptions, and request transaction risk analysis (TRA) exemptions where the acquirer's fraud rate allows, remembering that an exempted transaction is not authenticated and carries no liability shift.
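As an added example that is not part of the article (nor any PSP's 3DS Server code), the following Python shows how a merchant-side integration acts on the ARes outcome described in the liability-shift section and measures the frictionless rate the first recommendation asks for. The transStatus values are those defined in EMV 3DS 2.2, the ECI values are Visa's and Mastercard's, the liability mapping follows the scheme rules summarised above (liability shift for attempts processing is scheme dependent), and the batch of responses is constructed sample data.

```python
# Added example, not code from the article or from any PSP's 3DS Server. Interprets the
# ARes a 3DS Server receives and reports the frictionless and challenge rates over a
# batch. transStatus values per EMV 3DS 2.2; ECI values per Visa and Mastercard; the
# liability mapping follows the scheme rules summarised in the article. Constructed data.
from collections import Counter
from typing import Any

# Next action for the 3DS Requestor and who carries fraud-chargeback liability, per
# transStatus. "I" (informational only) means the issuer merely acknowledged the
# exemption the merchant requested: no authentication happened, so liability stays
# with the merchant. "C"/"D" are not final; the result arrives later in RReq/CRes.
OUTCOME: dict[str, tuple[str, str]] = {
    "Y": ("authorise", "issuer"),
    "A": ("authorise", "issuer (attempts; scheme rules apply)"),
    "C": ("run challenge", "pending"),
    "D": ("run decoupled challenge", "pending"),
    "I": ("authorise under exemption", "merchant"),
    "N": ("decline", "none, transaction not authenticated"),
    "R": ("decline, do not retry", "none, issuer rejected authentication"),
    "U": ("retry without 3DS or abort", "merchant"),
}

# ECI the ACS sets for a fully authenticated (Y) and an attempts (A) outcome, by scheme.
ECI: dict[str, dict[str, str]] = {"visa": {"Y": "05", "A": "06"},
                                  "mastercard": {"Y": "02", "A": "01"}}


def interpret_ares(ares: dict[str, Any], scheme: str) -> dict[str, Any]:
    """Map one ARes onto the next action and the liability position. A Y/A without the
    authentication value (CAVV/AAV) and the matching ECI is not proof of authentication
    and must not be submitted as such in authorisation."""
    status = ares["transStatus"]
    action, liability = OUTCOME[status]
    if status in ("Y", "A") and (
            not ares.get("authenticationValue") or ares.get("eci") != ECI[scheme][status]):
        action, liability = "authorise as unauthenticated or abort", "merchant"
    return {"transStatus": status, "action": action, "liability": liability,
            "reason": ares.get("transStatusReason")}


def authentication_report(batch: list[dict[str, Any]]) -> dict[str, Any]:
    """Rates over a batch of ARes. Frictionless = the issuer finished without a
    challenge (Y, A or I); challenge = C or D; U is a technical failure, tracked apart."""
    n = len(batch)
    c = Counter(a["transStatus"] for a in batch)
    return {
        "total": n,
        "frictionless_rate": (c["Y"] + c["A"] + c["I"]) / n,
        "challenge_rate": (c["C"] + c["D"]) / n,
        "decline_rate": (c["N"] + c["R"]) / n,
        "technical_failure_rate": c["U"] / n,
        "exempted_share": c["I"] / n,
        "by_status": dict(c),
    }


# Constructed sample batch of ten ARes messages (Visa-style ECI, placeholder CAVV).
_CAVV = "AAAAAAAAAAAAAAAAAAAAAAAAAAA="          # placeholder base64, not a real CAVV
SAMPLE_BATCH: list[dict[str, Any]] = (
    [{"transStatus": "Y", "eci": "05", "authenticationValue": _CAVV}] * 5
    + [{"transStatus": "Y", "eci": "07"}]        # claims Y but carries no proof
    + [{"transStatus": "A", "eci": "06", "authenticationValue": _CAVV}]
    + [{"transStatus": "C"}, {"transStatus": "C"}]
    + [{"transStatus": "I", "eci": "07"}]         # TRA exemption acknowledged by issuer
)

if __name__ == "__main__":
    for ares in SAMPLE_BATCH:
        d = interpret_ares(ares, "visa")
        print(f'{d["transStatus"]}: {d["action"]:40} liability={d["liability"]}')
    print(authentication_report(SAMPLE_BATCH))
```

Two things in the batch are worth noting. The sixth response says "Y" but carries neither an authentication value nor the ECI the scheme uses for an authenticated transaction, so it must be treated as unauthenticated rather than submitted with a liability-shift claim that the issuer would later reject. And the exempted transaction counts towards the frictionless rate from the customer's point of view, yet it contributes nothing to the liability shift, which is why the report tracks the exempted share separately.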
A Security Standard That Needs to Be Redefined
EMV 3DS is not merely an obligation: used correctly, it is a competitive advantage. As an industry we must understand this protocol correctly, reshape our integration strategies, and give customers an experience that is genuinely secure yet frictionless.
"Those who misapply EMV 3D Secure today will not be ready for tomorrow's passkey-based world either."
For this reason we must re-examine the past, optimise the present, and invest in the future today. EMV 3D Secure is still far behind its potential. Now is the time to close that gap.