compliance · Fraud, 3DS & SCA · Leaf

Proving it is really the cardholder.

3-D Secure 2 and Strong Customer Authentication exist to answer one question on a card-not-present payment: is this actually the cardholder? Done well it shifts fraud liability and barely touches good customers. Done badly it adds friction and bleeds conversion. Here is the 3DS2 flow, SCA and its exemptions, the liability shift, and the fraud it is fighting.


Authentication for card-not-present payments

SCA is the regulation; 3DS2 is how cards actually do it online. Conflating the two is the most common confusion in this space.

3-D Secure (3DS) is the protocol that authenticates a cardholder during a card-not-present (CNP) transaction by looping in the card issuer — the "three domains" are the acquirer, the issuer, and the interoperability network between them. EMV 3DS2 is the modern version that replaced the clunky, conversion-killing 3DS1 (the old pop-up password).

Strong Customer Authentication (SCA) is the regulatory requirement, introduced by the EU’s PSD2, that most electronic payments be authenticated with at least two independent factors from: something you know (password/PIN), something you have (phone/device), something you are (biometric). 3DS2 is the main technical mechanism that delivers SCA for cards online.

So: SCA is the rule (mainly EU/UK), 3DS2 is the rails that satisfy it for cards. Outside the EU/UK, 3DS2 is widely used for fraud reduction and the liability shift even where SCA is not legally mandated — including across much of Africa, where issuers and acquirers adopt it via the schemes.

Frictionless by default, challenge by exception

// EMV 3DS2 authentication decision
  checkout  →  3DS Server  →  DS (scheme)  →  issuer ACS
                  (sends ~150 data elements: device, context, history)
                                              |
                            issuer risk assessment
                               /                  \
                  FRICTIONLESS                  CHALLENGE
             (authenticated silently)     (biometric / OTP / app)
                       \                       /
                        v                     v
                   authentication result + liability shift

3DS2’s big advance is risk-based, frictionless authentication. The merchant/PSP sends a rich set of data elements (device, behaviour, transaction context — far more than 3DS1 carried) to the issuer’s Access Control Server (ACS), which decides whether it can authenticate silently or must challenge the cardholder.

When you can skip the challenge

Exemption | Condition | Note
--- | --- | ---
Low-value | Under €30 (cumulative caps: 5 txns or €100 since last SCA) | Simple; capped to limit abuse.
Transaction Risk Analysis (TRA) | PSP’s fraud rate below thresholds; value up to €100 / €250 / €500 by fraud-rate band | The big lever — earns frictionless via demonstrably low fraud. Liability stays with the party that applied it.
Trusted beneficiary | Cardholder whitelists the merchant with their issuer | Issuer-side allow-list; subsequent payments skip SCA.
Recurring / MIT | Fixed recurring amounts; merchant-initiated transactions | First payment SCA’d; subsequent MITs are out of SCA scope (correct flagging is essential).
Corporate / secure | Lodged cards, secure corporate processes | B2B contexts using dedicated secure protocols.

SCA is mandatory for in-scope EU/UK electronic payments, but the regulation (the EBA RTS) defines exemptions that let a payment proceed without a challenge when risk is low. Requesting an exemption is how merchants protect conversion — but an exemption may forfeit the liability shift, so it is a trade.
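As an added illustration (not the leaf's own code, nor any scheme's or PSP's), here is a simplified SCA routing check that encodes the exemption table: MIT/recurring out of scope, trusted beneficiary, the low-value cumulative counters, and TRA caps by fraud-rate band. The fraud-rate percentages behind the €100 / €250 / €500 TRA caps (0.13% / 0.06% / 0.01%) are the EBA RTS Annex values, which the table does not list; the liability attribution is a deliberate simplification of "liability stays with the party that applied it", and all transaction data is constructed.

```python
from dataclasses import dataclass
from decimal import Decimal
# Thresholds from the leaf's exemption table (EUR): EUR 30 per-txn cap,
# and since the last SCA at most 5 txns or EUR 100 cumulative.
LOW_VALUE_MAX = Decimal("30")
LOW_VALUE_CUM_AMOUNT = Decimal("100")
LOW_VALUE_CUM_COUNT = 5
# TRA caps by PSP reference fraud-rate band (EBA RTS Annex: 0.01%/0.06%/0.13%).
TRA_BANDS = ((Decimal("0.0001"), Decimal("500")),
             (Decimal("0.0006"), Decimal("250")),
             (Decimal("0.0013"), Decimal("100")))

@dataclass
class Txn:
    amount: Decimal
    merchant_initiated: bool = False   # MIT / recurring, correctly flagged
    trusted_beneficiary: bool = False  # issuer-side allow-list hit

@dataclass
class SinceLastSca:
    """Issuer-side low-value counters for one card (constructed state)."""
    amount: Decimal = Decimal("0")
    count: int = 0

def tra_cap(psp_fraud_rate):
    """Highest amount the PSP may exempt under TRA at this fraud rate; 0 if none."""
    for max_rate, cap in TRA_BANDS:
        if psp_fraud_rate <= max_rate:
            return cap
    return Decimal("0")

def route(txn, counters, psp_fraud_rate):
    """Return (outcome, liable_party). Simplification: an exemption leaves
    liability with the party that applied it; a completed SCA shifts it to the issuer."""
    if txn.merchant_initiated:
        return "out_of_scope_mit", "merchant"   # no SCA run, so no shift
    if txn.trusted_beneficiary:
        return "exempt_trusted_beneficiary", "issuer"
    if (txn.amount <= LOW_VALUE_MAX
            and counters.amount + txn.amount <= LOW_VALUE_CUM_AMOUNT
            and counters.count < LOW_VALUE_CUM_COUNT):
        counters.amount += txn.amount
        counters.count += 1
        return "exempt_low_value", "issuer"
    if txn.amount <= tra_cap(psp_fraud_rate):
        return "exempt_tra", "merchant"         # acquirer-requested exemption
    counters.amount, counters.count = Decimal("0"), 0   # SCA resets counters
    return "challenge", "issuer"
```

Running five €20 payments through the counters and then a sixth shows the cumulative €100 cap forcing a challenge even though each payment is under the €30 per-transaction limit.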

Typologies and where 3DS does / does not help

CNP fraud (stolen card details)

The core target: a fraudster uses stolen PANs online. 3DS2 + SCA directly counters it by forcing issuer authentication — this is where it works best and where the liability shift bites.

Account takeover (ATO)

The fraudster becomes the legitimate user — phished credentials, SIM-swap intercepting OTPs, social engineering. SCA helps only if the second factor is genuinely independent; SIM-swap defeats SMS-OTP. Device-bound biometrics are far stronger.

Friendly fraud / first-party misuse

A real cardholder, properly authenticated, later disputes a genuine purchase ("I didn’t make this"). 3DS does not stop it — the authentication actually becomes evidence for the merchant in representment. See the disputes leaf and Visa CE 3.0.

Authorised push payment (APP) / scams

The victim is tricked into authorising a payment themselves. SCA is satisfied — the customer really did authenticate — so SCA offers no protection. This is the fastest-growing fraud and is driving new scam-reimbursement rules (e.g. UK).

Over-challenging your own customers

Aggressive challenge rules to "be safe" crater conversion and train customers to abandon. The goal is maximal frictionless authentication via good data, not maximal challenges.

Authenticate for conversion, not just compliance

The strategic frame: authentication is not only a compliance checkbox, it is a conversion and liability instrument. The best programmes maximise frictionless-authenticated traffic.

Send rich 3DS2 data

The more accurate device/context/history data you pass, the more issuers authenticate frictionlessly. Thin data forces challenges and bleeds conversion. This is the single biggest lever you control.

Use TRA exemptions if your fraud rate allows

A low, well-managed fraud rate unlocks the TRA exemption and higher frictionless thresholds. Manage fraud down and you earn smoother checkout — the incentives align. But know you may carry liability on exempted flows.

Flag MIT / recurring correctly

Mis-flagged merchant-initiated and recurring transactions trigger needless SCA failures and declines. Correct transaction-type flagging is unglamorous and high-impact.

Pick the right authentication factor

Device-bound biometrics > app push > SMS-OTP. SMS-OTP is defeated by SIM-swap and is the weak link in many ATO cases. Push your issuers/wallets toward stronger factors where you can.

Outside the EU/UK, adopt 3DS2 anyway

In Africa and elsewhere, 3DS2 is worth it for fraud reduction and the liability shift even without an SCA mandate — CNP fraud does not respect borders. The schemes increasingly expect it.

Cost of getting it wrong

Two failure modes: too little authentication → fraud losses + chargebacks + scheme monitoring programmes; too much → abandoned carts and lost revenue that dwarfs the fraud you prevented. Both are expensive; tune for the frictionless middle.
