Reviewed by Mayer Hyman, Payments Specialist | Reviewed for accuracy July 2026
Key Takeaways
- EMV 3-D Secure 2.0 (3DS2) is the current global standard for authenticating card-not-present (CNP) transactions, replacing the older, higher-friction 3DS 1.0 protocol.
- Card-not-present fraud accounted for an estimated 71% of all U.S. card fraud losses in 2024, making CNP authentication a priority for any business selling online.
- 3DS2 uses risk-based authentication to route most transactions through a “frictionless” flow, with a step-up “challenge” (like biometrics or an OTP) reserved for higher-risk purchases.
- When a transaction is successfully authenticated through 3DS2, liability for fraud-related chargebacks generally shifts from the merchant to the card-issuing bank.
- In markets with mandatory Strong Customer Authentication, real-world data shows 3DS2 can meaningfully cut fraud, though it requires careful implementation to avoid unnecessary checkout friction.
Why Card-Not-Present Fraud Is Still a Top Priority
Online and card-not-present purchases remain the primary target for payment fraud. Card-not-present (CNP) transactions accounted for an estimated 71% of all card fraud losses in the United States in 2024, totaling roughly $10 billion, according to Clearly Payments’ 2024 credit card fraud analysis. Because a fraudster never has to present a physical card, CNP channels — ecommerce checkouts, mobile apps, and phone/mail orders — carry a disproportionate share of fraud risk compared to in-person, chip-based transactions.
For merchants, that risk shows up in two ways: direct fraud losses and chargebacks, plus the operational cost of false declines that turn away legitimate customers. EMV 3-D Secure 2.0 was built specifically to address both problems at once.
What Is EMV 3-D Secure 2.0?
“3-D Secure” stands for “Three Domain Secure,” referring to the three parties involved in verifying a transaction:
- Acquirer domain — the merchant and its acquiring bank.
- Issuer domain — the bank that issued the customer’s card.
- Interoperability domain — the card network infrastructure that enforces the 3DS protocol between the two.
3DS2 is the current version of this authentication protocol, developed and maintained by EMVCo, the organization jointly owned by American Express, Discover, JCB, Mastercard, UnionPay, and Visa. EMVCo describes EMV 3DS as designed to “prevent card-not-present fraud and increase the security of e-commerce payments” while minimizing checkout friction. The specification has continued to evolve — EMVCo recommends version 2.2 or higher for merchants that need to support European Strong Customer Authentication (SCA) requirements, and the organization published further specification updates as recently as mid-2025.
How 3DS2 Works: Risk-Based Authentication
Unlike the original 3DS 1.0, which routed nearly every transaction through a disruptive pop-up questionnaire, 3DS2 is built around risk-based authentication. Here’s the basic flow:
- A customer enters their card and checkout details on a merchant’s site or app.
- The merchant’s payment gateway or 3DS2 provider sends that data — along with more than 150 possible data points, including device ID, IP address, billing/shipping match, and transaction history — to the card issuer for a real-time risk assessment.
- The issuer’s risk engine scores the transaction. Low-risk transactions are approved instantly with no visible interruption to the customer — this is the frictionless flow.
- Higher-risk transactions are routed to a challenge flow, prompting the customer to verify their identity — typically via a one-time passcode, push notification, or biometric check (fingerprint or face ID) inside their banking app.
Because most legitimate transactions carry a rich data trail, the majority can clear the frictionless path. Real-world results vary significantly by market, data quality, and issuer risk appetite, but the design intent is consistent: authenticate as many good transactions as possible without ever showing the customer a challenge screen.
Frictionless vs. Challenge: A Real-World Example
Japan’s 2025 regulatory mandate requiring 3DS2 for domestic ecommerce offers a useful case study in how the frictionless/challenge tradeoff plays out at scale. According to Adyen’s analysis of the mandate’s early impact, businesses in scope saw fraud notifications drop by as much as 75% in a preliminary post-mandate assessment — a substantial security gain. At the same time, gross transaction success rates dipped by roughly 1.6 percentage points immediately after the mandate took effect, illustrating the real tension between fraud reduction and checkout conversion when challenge flows are triggered more often than necessary.
That tradeoff is exactly why data quality matters so much in a 3DS2 implementation: the more complete and accurate the transaction data sent to the issuer, the more confidently the issuer’s risk engine can approve a transaction frictionlessly instead of defaulting to a challenge.
SCA, PSD2, and Why 3DS2 Matters Beyond Europe
In the European Economic Area, the second Payment Services Directive (PSD2) requires Strong Customer Authentication (SCA) on most electronic payments — meaning at least two of three factors (something the customer knows, has, or is) must be verified. EMV 3DS2 is the mechanism most card-based merchants use to meet that requirement, since its challenge flow is built around exactly this kind of two-factor verification.
Merchants operating in SCA-regulated markets can also apply for specific exemptions — such as low-value transactions or recognized low-risk merchants — that allow issuers to skip the challenge step for qualifying purchases, provided fraud rates stay below regulator-set thresholds. Even outside SCA-mandated regions, U.S. and other global merchants increasingly rely on 3DS2 because card networks and issuers use it as a primary fraud-prevention signal, and because it directly affects who bears financial responsibility when fraud occurs.
The Liability Shift: What It Means for Merchants
One of the most important — and most misunderstood — benefits of 3DS2 is the liability shift. In a standard card-not-present transaction, if a customer disputes a charge as fraudulent, the merchant typically bears the loss. But when a transaction is successfully authenticated through 3DS2 and later disputed as fraud, liability for that chargeback generally shifts to the card-issuing bank instead.
This matters for two distinct reasons:
- Reduced fraud losses. Merchants that successfully authenticate a transaction are largely protected from the direct cost of a fraud-related chargeback on that sale.
- Lower chargeback ratios. Because fraud-related disputes on authenticated transactions are typically coded and processed differently, they’re less likely to count against a merchant’s chargeback ratio with their processor — a ratio that, if too high, can put a merchant account at risk of increased fees or termination.
It’s worth noting the liability shift is not unconditional. It generally requires that the merchant use a properly integrated 3DS2 solution and that the transaction actually completes authentication (a transaction where the issuer doesn’t participate, or where authentication fails or is bypassed, does not carry the same protection).
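A server-side gate for the conditions above, as an added example (not code from this page or from any gateway or processor): it maps a 3DS2 result to a checkout action before authorization. The `transStatus` codes are those defined in the EMV 3DS specification; the `decide` function, the `Action` names, and the conservative treatment of `A` and `U` as unprotected are assumptions, since the actual liability rules are set by each card network.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Action(Enum):
    AUTHORIZE_PROTECTED = "authorize; liability shift expected"
    AUTHORIZE_UNPROTECTED = "authorize; merchant keeps fraud liability"
    RUN_CHALLENGE = "show issuer challenge, then evaluate the final result"
    DECLINE = "do not send for authorization"


@dataclass(frozen=True)
class AuthResult:
    trans_id: str               # threeDSServerTransID echoed with the result
    trans_status: str           # EMV 3DS transStatus: Y, N, U, A, C, R
    auth_value: Optional[str]   # authenticationValue (cryptogram), if returned


def decide(result: Optional[AuthResult], expected_trans_id: str,
           accept_unprotected: bool = False) -> Action:
    """Map a 3DS2 result to a checkout action (assumed, conservative policy)."""
    fallback = (Action.AUTHORIZE_UNPROTECTED if accept_unprotected
                else Action.DECLINE)
    # No result, or a result tied to a different transaction: authentication
    # was skipped or bypassed, so nothing here supports a liability shift.
    if result is None or result.trans_id != expected_trans_id:
        return fallback
    status = result.trans_status
    if status == "C":                 # issuer asks for a step-up challenge
        return Action.RUN_CHALLENGE
    if status in ("N", "R"):          # authentication failed or was rejected
        return Action.DECLINE
    if status == "Y" and result.auth_value:
        return Action.AUTHORIZE_PROTECTED
    # U (could not be performed), A (attempt only), Y without a cryptogram,
    # or an unrecognised value: treated as unauthenticated.
    return fallback


if __name__ == "__main__":
    tx = "constructed-tx-0001"        # constructed sample identifier
    for status, value in [("Y", "constructed-cryptogram"), ("C", None),
                          ("U", None), ("N", None)]:
        print(status, "->", decide(AuthResult(tx, status, value), tx).name)
```

Setting `accept_unprotected=True` models a merchant that knowingly authorizes without authentication and keeps the fraud liability; failed or rejected authentications are declined either way.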
Implementing 3DS2: What Merchants Should Know
3DS2 is typically implemented through a merchant’s payment gateway or 3DS2 service provider rather than built from scratch, so most of the technical complexity is handled for you. Still, a few implementation choices materially affect outcomes:
- Data completeness. Sending richer transaction data (device fingerprinting, full billing/shipping details, account history) gives issuers more confidence to approve frictionlessly rather than defaulting to a challenge.
- Selective triggering. Not every transaction needs to go through 3DS2 — many providers let merchants apply it selectively to higher-risk order profiles rather than universally, balancing security against checkout friction.
- Mobile and in-app support. 3DS2 was designed to work natively across browsers, mobile apps, and digital wallets, so merchants should confirm their provider’s implementation covers all the channels they actually sell through.
Working with a payment processor that actively manages and tunes 3DS2 rules — rather than treating it as a one-time setup — tends to produce better results over time, since issuer risk models and fraud patterns both shift. Cartis Payments works with merchants to configure 3DS2 and related fraud tools as part of a broader payment processing setup, rather than as a bolt-on afterthought.
Frequently Asked Questions
Is 3DS2 the same as Strong Customer Authentication (SCA)?
Not exactly. SCA is a regulatory requirement under PSD2 in the European Economic Area, mandating two-factor verification on most electronic payments. EMV 3DS2 is the technical protocol most merchants use to satisfy that requirement. Outside SCA-regulated markets, merchants can still use 3DS2 voluntarily for fraud prevention and liability shift benefits, independent of any SCA mandate.
Does 3DS2 slow down checkout?
Not for most transactions. 3DS2’s risk-based design routes low-risk purchases through a frictionless flow with no visible interruption. Only transactions flagged as higher-risk are routed to a challenge step, such as an OTP or biometric check. The proportion of transactions that hit a challenge varies by issuer, market, and how complete the transaction data is.
Does 3DS2 guarantee protection from chargebacks?
No. It shifts liability for fraud-related chargebacks on successfully authenticated transactions from the merchant to the card issuer, but it does not eliminate chargebacks for other reasons, such as customer disputes over product quality, non-delivery, or billing errors. It’s a fraud-liability tool, not a general chargeback shield.
Do all card networks support 3DS2?
EMV 3DS2 is maintained by EMVCo, which is jointly owned by American Express, Discover, JCB, Mastercard, UnionPay, and Visa — meaning it’s supported across all major global card networks, though specific implementation details can vary by network and issuer.
Do I need a specific payment gateway to use 3DS2?
Most modern payment gateways and processors support 3DS2 natively or through an integrated add-on, so most merchants don’t need to build anything custom. The main thing to confirm with a payment processor is whether their 3DS2 implementation covers all the channels you sell through (web, mobile app, digital wallets) and whether they actively tune risk rules rather than using default settings.






