
3DS2 Authentication: The Complete Guide for Merchants

3DS2 is the most impactful fraud and chargeback reduction tool available to CNP merchants. Here's how it works, how to implement it correctly, and why the liability shift changes your chargeback economics fundamentally.

3 June 2026

3D Secure 2 (3DS2, or EMV 3DS) is the EMVCo-specified protocol through which a card issuer authenticates the cardholder during a card-not-present (CNP) transaction. For online merchants it is the single highest-impact fraud and chargeback reduction tool available: not because it prevents all fraud, but because it shifts liability for fraud disputes from merchant to issuer when authentication is completed.

Understanding 3DS2 properly — how it works, what the flows look like, and how to implement it without destroying checkout conversion — is essential knowledge for any CNP merchant in 2026.

3DS1 vs 3DS2: Why the Upgrade Matters

The original 3D Secure (now called 3DS1) introduced authentication for online payments in the early 2000s. It worked, but it was deeply unpopular with consumers: it redirected shoppers to a separate authentication page, often asking for a static password that many couldn't remember, and mobile experience was poor.

Cart abandonment during 3DS1 authentication ran as high as 20–30% in some merchant studies. Many merchants chose not to implement it despite the liability shift benefit because the conversion cost was too high.

3DS2 solves the conversion problem with the frictionless flow. In most transactions, authentication now happens entirely in the background — the issuer evaluates the risk based on transaction data and device information without the cardholder seeing any additional step. Only higher-risk transactions trigger a visible challenge.

How 3DS2 Works: Frictionless vs Challenge

The frictionless flow (70–85% of 3DS2 transactions):

  1. Merchant sends the authentication request (AReq) through a 3DS server (usually the PSP's) with 150+ data elements: device and browser data, IP address, shipping/billing address, account and transaction history, and more
  2. The 3DS server forwards the AReq to the card network's directory server (DS), which routes it to the issuer's access control server (ACS)
  3. The ACS scores the transaction in real time against the issuer's risk model
  4. The ACS returns an authentication result (ARes) without cardholder interaction, carrying the ECI and the authentication value
  5. Merchant sends the authorization with those values attached

From the cardholder's perspective: nothing happened. They didn't see any additional step. Checkout felt normal.

The challenge flow (15–30% of 3DS2 transactions):

When the issuer's risk model identifies a higher-risk transaction, it returns a challenge request. The cardholder sees an authentication step:

  • OTP (one-time password) sent by SMS or email
  • Biometric authentication via banking app
  • Knowledge-based question

The challenge is designed to be lower-friction than 3DS1 — typically a simple OTP that takes 10–20 seconds to complete. Cart abandonment during 3DS2 challenge is typically 5–10%, compared to 20–30% for 3DS1.

After the challenge completes, the ACS sends the final result (RReq) to the 3DS server. If it is a success, the transaction proceeds to authorization exactly as in the frictionless case, with the ECI and authentication value attached.

The Liability Shift: Why This Changes Your Economics

When 3DS2 authentication is successfully completed — whether frictionless or challenge — fraud liability shifts from the merchant to the issuing bank.

What this means practically: if a 3DS2-authenticated transaction later receives a fraud chargeback (reason code 10.4 for Visa, 4837 for Mastercard), the network rules generally bar the issuer from raising it at all, and where one is filed anyway the merchant represents with the authentication record and wins. The issuer absorbed the liability at authentication and cannot recover it through a fraud chargeback. Note the scope: the shift covers fraud reason codes only. Disputes over goods not received or not as described are unaffected.

The authentication record, specifically the ECI (Electronic Commerce Indicator) value and the Authentication Value (CAVV for Visa, AAV for Mastercard), is the evidence; both must also be passed in the authorization message, or the transaction is treated as unauthenticated. An ECI of 05 (Visa) or 02 (Mastercard) indicates fully authenticated, and that is sufficient to win the dispute. ECI 06 (Visa) or 01 (Mastercard) marks an attempt where the issuer could not authenticate, which the networks cover under their attempts rules. Check your network's rules for merchant categories excluded from the shift.

For merchants with significant fraud dispute rates, 3DS2 can eliminate most of their fraud chargeback exposure entirely on authenticated transactions. In practice, this means:

  • Fraud dispute win rates of 90–95% on 3DS2-authenticated transactions
  • Meaningful reduction in fraud chargeback ratio over 60–90 days post-implementation

At Fincoro, 3DS2 implementation is the first recommendation for CNP merchants with elevated fraud dispute rates. The chargeback ratio improvement is typically the most dramatic operational change available.

The 150+ Data Elements: What You Should Send

3DS2's frictionless flow quality — how often authentication succeeds without a challenge — depends heavily on the data quality you provide to the issuer. More complete, accurate data = better risk assessment = higher frictionless rates.

Critical data elements to populate:

  • Device and browser data: user agent, screen size and colour depth, timezone, language, Java/JavaScript enabled (collected by the 3DS server's browser-data step; on native mobile, by the 3DS SDK)
  • IP address: Cardholder's IP at checkout
  • Billing and shipping address: Full address with postal code
  • Transaction history: Prior purchases at your store (if available), account creation date
  • Account authentication: How the cardholder logged into your site for this session
  • Phone number and email: Cardholder contact details if available

Merchants who populate all available data elements see frictionless rates of 75–85%. Merchants who send minimal data see frictionless rates of 50–60% and higher challenge rates, which increases conversion friction.
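The following Python is an added example, not Fincoro's code or any 3DS server or PSP SDK. It assembles the merchant-supplied part of an authentication request from checkout-session data and reports which recommended elements are still missing, which is the engineering backlog that lifts the frictionless rate. The field names and indicator codes (browserIP, billAddrPostCode, acctInfo.chAccAgeInd, threeDSReqAuthMethod, shipIndicator and their numeric values) are the EMV 3DS 2.x AReq names as I recall them and should be treated as assumptions to verify against your PSP's documentation, which is where the request is actually serialised. The two sessions at the bottom are constructed.

```python
"""Assemble the merchant-supplied part of an EMV 3DS authentication request
(AReq) from checkout-session data and list which recommended elements are
still missing.

Added example, not Fincoro's code or any 3DS server / PSP SDK. Field names
and indicator codes follow the EMV 3DS 2.x AReq message as I recall it and
are assumptions to check against your PSP's docs. Session data is constructed.
"""
from datetime import date
from typing import List, Optional

# Elements the text singles out as the ones issuers' risk engines weigh most.
RECOMMENDED = [
    "browserIP", "browserUserAgent", "browserTZ", "browserLanguage",
    "browserScreenWidth", "browserScreenHeight",
    "billAddrLine1", "billAddrPostCode", "billAddrCountry",
    "shipAddrPostCode", "cardholderName", "email", "mobilePhone",
    "acctInfo", "threeDSRequestorAuthenticationInfo", "merchantRiskIndicator",
]


def account_age_indicator(created: Optional[date], today: date) -> str:
    """acctInfo.chAccAgeInd (assumed codes): 01 guest/no account, 02 created
    during this transaction, 03 under 30 days, 04 30-60 days, 05 over 60 days."""
    if created is None:
        return "01"
    days = (today - created).days
    if days == 0:
        return "02"
    if days < 30:
        return "03"
    if days <= 60:
        return "04"
    return "05"


def auth_method_indicator(login_method: Optional[str]) -> str:
    """threeDSReqAuthMethod (assumed codes): 01 no authentication (guest),
    02 merchant credentials, 03 federated ID, 06 FIDO authenticator."""
    return {"password": "02", "federated": "03", "fido": "06"}.get(login_method or "", "01")


def ship_indicator(session: dict) -> str:
    """merchantRiskIndicator.shipIndicator (assumed codes): 01 ship to the
    billing address, 03 ship to a different address, 05 digital goods."""
    if session.get("digital_goods"):
        return "05"
    bill, ship = session.get("billing", {}), session.get("shipping", {})
    return "01" if bill and bill == ship else "03"


def build_areq_data(session: dict, today: date) -> dict:
    """Return the merchant's AReq elements for one checkout. Browser fields come
    from the client-side collection step and arrive here under session["browser"]."""
    browser = session.get("browser", {})
    bill = session.get("billing", {})
    ship = session.get("shipping", {})
    data = {
        "browserIP": session.get("client_ip"),
        "browserUserAgent": browser.get("user_agent"),
        "browserTZ": browser.get("tz_offset_minutes"),
        "browserLanguage": browser.get("language"),
        "browserScreenWidth": browser.get("screen_w"),
        "browserScreenHeight": browser.get("screen_h"),
        "billAddrLine1": bill.get("line1"),
        "billAddrPostCode": bill.get("postcode"),
        "billAddrCountry": bill.get("country"),   # ISO 3166-1 numeric per spec
        "shipAddrPostCode": ship.get("postcode"),
        "cardholderName": session.get("cardholder_name"),
        "email": session.get("email"),
        "mobilePhone": session.get("phone"),
        "threeDSRequestorAuthenticationInfo": {
            "threeDSReqAuthMethod": auth_method_indicator(session.get("login_method")),
        },
        "merchantRiskIndicator": {"shipIndicator": ship_indicator(session)},
    }
    if session.get("account_created") is not None:
        data["acctInfo"] = {
            "chAccAgeInd": account_age_indicator(session["account_created"], today),
            "chAccDate": session["account_created"].strftime("%Y%m%d"),
            "nbPurchaseAccount": str(session.get("purchases_last_6m", 0)),
        }
    return {k: v for k, v in data.items() if v not in (None, "")}


def missing_elements(areq: dict) -> List[str]:
    """Recommended elements absent from the request: what to populate next."""
    return [k for k in RECOMMENDED if k not in areq]


# Constructed sessions: a returning logged-in customer and a sparse guest checkout.
TODAY = date(2026, 6, 3)
RETURNING = {
    "client_ip": "203.0.113.10",
    "browser": {"user_agent": "Mozilla/5.0", "tz_offset_minutes": -60,
                "language": "en-GB", "screen_w": 1440, "screen_h": 900},
    "billing": {"line1": "1 Example St", "postcode": "SW1A 1AA", "country": "826"},
    "shipping": {"line1": "1 Example St", "postcode": "SW1A 1AA", "country": "826"},
    "cardholder_name": "A Cardholder", "email": "a@example.com", "phone": "447700900000",
    "login_method": "password", "account_created": date(2024, 1, 15), "purchases_last_6m": 4,
}
GUEST = {"client_ip": "198.51.100.7", "browser": {"user_agent": "Mozilla/5.0"},
         "billing": {"postcode": "EC1A 1BB"}, "digital_goods": True}

if __name__ == "__main__":
    for name, s in (("returning", RETURNING), ("guest", GUEST)):
        print(name, "missing:", missing_elements(build_areq_data(s, TODAY)))
```

Running it shows the returning customer's request is complete while the guest checkout is missing eleven of the sixteen recommended elements, including the whole acctInfo block: exactly the profile the text associates with 50–60% frictionless rates.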

PSD2 and SCA Requirements

In the European Economic Area and UK, Strong Customer Authentication (SCA) under PSD2 mandates 3DS2 (or equivalent) for most e-commerce transactions. Non-compliance does not merely leave liability with the merchant: issuers soft-decline non-authenticated transactions (Visa response code 1A, Mastercard 65, both meaning "authentication required"), and the merchant must resubmit through 3DS.

Exemptions exist for:

  • Low-value transactions (under €30 / £25)
  • Merchant-initiated transactions (MIT) on a recurring mandate that was authenticated when it was set up (strictly out of scope rather than exempt, since the cardholder is not present)
  • Low-risk transactions where the acquirer TRA (Transaction Risk Analysis) exemption applies
  • Trusted beneficiaries (cardholder has whitelisted the merchant with their bank)

Applying exemptions correctly reduces unnecessary authentication friction for low-risk scenarios while maintaining compliance. Most 3DS2 implementation guides from payment providers cover the exemption logic, which should be part of your implementation.
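The exemption logic described above, as an added Python example that is not Fincoro's code or any PSP's exemption engine. The thresholds are the ones I recall from the SCA regulatory technical standards and are assumptions to check against your PSP: Article 16 low value (EUR 30 per transaction, with the issuer obliged to enforce SCA once five consecutive exempt transactions or EUR 100 cumulative have built up since the last SCA) and Article 18 transaction risk analysis (EUR 100 / 250 / 500, available when the acquirer's fraud rate is at or below 0.13 / 0.06 / 0.01 %). Amounts are taken in EUR; the UK figures differ (the text gives GBP 25 for low value). The per-card counters kept here only approximate the issuer's own, which are authoritative, and the merchant risk score is an assumed 0–100 scale from your own risk engine. The transactions at the bottom are constructed.

```python
"""Decide which PSD2 SCA exemption, if any, to request for one card-not-present
transaction, and what that decision does to liability.

Added example, not Fincoro's code or any PSP's exemption engine. RTS thresholds
are as I recall them (assumed); the UK figures differ. Amounts in EUR.
"""
from dataclasses import dataclass
from typing import Dict, Optional

TRA_LIMITS_EUR = [(0.01, 500.0), (0.06, 250.0), (0.13, 100.0)]  # (max acquirer fraud %, max amount)
LOW_VALUE_EUR = 30.0
LOW_VALUE_MAX_COUNT = 5
LOW_VALUE_MAX_CUMULATIVE_EUR = 100.0


@dataclass
class Decision:
    action: str                      # "sca", "exempt" or "out_of_scope"
    exemption: Optional[str]         # "lowValue", "transactionRiskAnalysis" or None
    liability_shift_expected: bool   # only a completed authentication earns the shift
    reason: str


@dataclass
class CardCounters:
    consecutive_exempt: int = 0
    cumulative_eur: float = 0.0


class ExemptionPolicy:
    def __init__(self, acquirer_fraud_rate_pct: float, tra_max_risk_score: int = 20) -> None:
        self.acquirer_fraud_rate_pct = acquirer_fraud_rate_pct
        # Merchant's own risk score, 0 (clean) to 100 (assumed scale). TRA is
        # requested only below this, never as a blanket request.
        self.tra_max_risk_score = tra_max_risk_score
        self.counters: Dict[str, CardCounters] = {}

    def tra_limit(self) -> float:
        for max_rate, limit in TRA_LIMITS_EUR:
            if self.acquirer_fraud_rate_pct <= max_rate:
                return limit
        return 0.0   # above 0.13 %: TRA is not available to this acquirer at all

    def decide(self, txn: dict) -> Decision:
        card = txn["card_ref"]
        c = self.counters.setdefault(card, CardCounters())
        if not txn.get("in_scope", True):
            return Decision("out_of_scope", None, False, "one-leg-out or non-PSD2 card")
        if txn.get("merchant_initiated"):
            # MITs are outside SCA scope, provided the mandate was authenticated at setup.
            if txn.get("mandate_authenticated"):
                return Decision("out_of_scope", None, False, "MIT on authenticated mandate")
            return Decision("sca", None, True, "no authenticated mandate: authenticate the cardholder first")
        amount = txn["amount_eur"]
        if (amount < LOW_VALUE_EUR and c.consecutive_exempt < LOW_VALUE_MAX_COUNT
                and c.cumulative_eur + amount <= LOW_VALUE_MAX_CUMULATIVE_EUR):
            self._count(c, amount)
            return Decision("exempt", "lowValue", False, "Art. 16 low value")
        if amount <= self.tra_limit() and txn.get("risk_score", 100) <= self.tra_max_risk_score:
            self._count(c, amount)
            return Decision("exempt", "transactionRiskAnalysis", False, "Art. 18 TRA")
        # Full SCA resets the counters, as the issuer's own counters reset on SCA.
        self.counters[card] = CardCounters()
        return Decision("sca", None, True, "challenge requested")

    def after_soft_decline(self, txn: dict) -> Decision:
        """Issuer answered an exemption request with 'authentication required'
        (Visa 1A / Mastercard 65): resubmit through 3DS with a challenge."""
        self.counters[txn["card_ref"]] = CardCounters()
        return Decision("sca", None, True, "issuer soft decline, resubmit with SCA")

    @staticmethod
    def _count(c: CardCounters, amount: float) -> None:
        # Every exempted transaction counts toward the Article 16 limits.
        c.consecutive_exempt += 1
        c.cumulative_eur += amount


# Constructed transactions: acquirer fraud rate 0.05 %, so the TRA limit is EUR 250.
if __name__ == "__main__":
    policy = ExemptionPolicy(acquirer_fraud_rate_pct=0.05)
    samples = [
        {"card_ref": "A", "amount_eur": 19.99, "risk_score": 10},
        {"card_ref": "B", "amount_eur": 180.0, "risk_score": 5},
        {"card_ref": "B", "amount_eur": 300.0, "risk_score": 5},
        {"card_ref": "C", "amount_eur": 9.99, "merchant_initiated": True, "mandate_authenticated": True},
    ]
    for t in samples:
        print(t["card_ref"], t["amount_eur"], policy.decide(t))
```

Two design points worth noting. Every exemption path returns liability_shift_expected False, which is the trade the text describes: an exemption buys friction-free checkout at the price of keeping fraud liability. And the TRA branch is gated on the merchant's own risk score as well as the acquirer's threshold, so the policy cannot degrade into the blanket TRA request that the implementation section warns against.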

Implementation: Where Merchants Go Wrong

Sending incomplete data. The most common mistake. Minimizing the data elements sent to reduce engineering work degrades frictionless rates and creates more challenge friction for legitimate customers.

Not capturing the authentication result. The ECI and authentication value (CAVV/AAV), together with the DS transaction ID, must be stored per transaction to be available as chargeback evidence, and the ECI and authentication value must also be carried in the authorization message, or the transaction is treated as unauthenticated. Some integrations complete 3DS2 but never persist the record. This loses the liability shift benefit.

Not enabling 3DS2 on mobile. Mobile checkout is 60%+ of e-commerce volume. 3DS2 must be implemented in your mobile app and mobile web checkout, not just desktop.

Blanket exemption requests. Requesting the transaction risk analysis exemption on every transaction to avoid authentication friction trades short-term conversion for liability, because an exempted transaction keeps fraud liability with the merchant. The exemption is also not the merchant's to keep: its availability depends on the acquirer's fraud rate staying under the regulatory thresholds, and issuers that see fraud on exempted traffic stop honouring the request and challenge subsequent transactions instead.

Ignoring 3DS decline handling. When the issuer returns a not-authenticated result (transStatus N, or R for rejected), as opposed to a challenge request (C) or a technical failure (U), the right response is usually to decline the order, not to fall back to non-authenticated processing. Authentication failures are a strong fraud signal; a technical failure may justify retrying the authentication, but never processing without it.

3DS2 implementation done correctly improves both conversion and fraud protection simultaneously. The merchants who report negative 3DS2 experiences are almost always dealing with implementation gaps — incomplete data sending, poor challenge UX, or missing the authentication result capture that makes the liability shift real.

Need help with chargebacks?

Fincoro delivers 94% average win rates across all clients.
