RZ
← Essays
Payment Infrastructure

EMV 3DS2: Step-Up Logic, Frictionless Flow and the Auth-Rate Optimisation Nobody Explains

May 20, 2026·11 min read·By Rizwan Zafar

3DS2 is the most consequential auth-rate lever most merchants don't touch. The default configuration on every payment gateway gives you maximum step-up and minimum conversion. Teams that ship card acquiring well treat the 3DS2 exemption layer as a product surface that gets owned and optimised; teams that don't ship it well treat 3DS2 as an integration checkbox.

This is the operator-grade map: what EMV 3DS2 actually does, the three flows (frictionless / attempt / challenge), the exemption logic that decides which flow fires, the auth-rate math, and the six failure modes that show up when teams leave it on defaults.

What EMV 3DS2 is

EMV 3DS2 (sometimes called 3DS 2.x, EMV 3-D Secure, or just "3DS2") is the EMVCo-specified protocol for card-not-present authentication. It's the successor to the older 3DS 1.0 (which most consumers experienced as a popup window with a password — clunky, conversion-killing).

3DS2 carries ~150 data elements about a transaction from the merchant to the issuer at authorisation time. The issuer scores the transaction risk, and depending on the score plus regulatory rules, the issuer chooses one of three flows:

  1. Frictionless — issuer approves authentication invisibly. Consumer experiences no interruption.
  2. Attempt — issuer can't authenticate but allows the transaction to proceed with a "best effort" signal.
  3. Challenge — issuer requires consumer step-up (biometric, OTP, app push, password).

The merchant doesn't choose the flow. The issuer does. But the merchant has significant influence — through the 150 data elements they send, the exemption flags they request, and the gateway-level risk configuration they ship.

This is the part most teams miss. They assume 3DS2 is the issuer's product. It's not. It's a joint product where the merchant's signal quality decides which flow fires for most transactions.

The three flows in detail

Frictionless

The default goal. The issuer reviews the 150 data elements, decides the transaction is low-risk, returns an authentication signal that the merchant can present to the acquirer for full liability shift. Consumer never sees a popup, an OTP screen, anything.

For a well-configured merchant in 2026, frictionless flow is the outcome for 60–85% of transactions. The exact percentage depends on:

  • The richness of the data elements the merchant sends (device fingerprint, IP, cardholder behavioural history, transaction context)
  • The exemption flags requested (TRA, low-value, recurring, trusted beneficiary)
  • The issuer's risk-decisioning maturity (US / EU / UK issuers are typically more frictionless-favourable than emerging-markets issuers)
  • The card-not-present risk pool the merchant sits in (subscription < marketplace < high-value e-commerce < gambling)

Attempt

The issuer can't fully authenticate but allows the transaction to proceed. Common reasons:

  • The card BIN's issuer doesn't support 3DS2
  • The 3DS2 server is down
  • Some regional regulatory mode

Attempt flow returns a signal that the acquirer treats as partial liability shift. Auth approval rate is lower than frictionless but higher than challenge.

Challenge

The issuer requires the consumer to step up. Biometric on a banking app, OTP via SMS, password, or push notification. Conversion drops materially — typical drop-off ranges:

  • App-based biometric: 5–12% abandonment
  • OTP SMS: 15–25% abandonment
  • Password: 20–35% abandonment

Challenge flow exists for genuinely risky transactions. The problem is that default gateway configurations trigger challenge on too many low-risk transactions — particularly recurring, low-value, and trusted-merchant flows.

The exemption logic that decides everything

PSD2 (EU) and equivalent regulations elsewhere define exemptions from SCA. A transaction that qualifies for an exemption can request the exemption from the issuer, and if granted, the transaction skips challenge flow regardless of risk score.

The five exemptions worth knowing:

1. TRA — Transaction Risk Analysis

The acquirer's own fraud engine has scored the transaction low-risk. Available to acquirers whose fraud-loss rate sits below specific thresholds (PSD2 RTS specifies the bands). This is the most powerful exemption — it puts the auth-rate decision in the merchant's hands.

2. Low-Value

Transactions under €30 (EU; equivalent thresholds in other regions). With a counter-limit: 5 consecutive low-value exemptions per card, then the next transaction triggers challenge regardless.

3. Trusted Beneficiary

The consumer has explicitly marked this merchant as trusted (via their issuer app). Skip challenge. Adoption of this is low because consumers rarely know the feature exists, but where it works, it works.

4. Recurring (subsequent merchant-initiated)

After the first cardholder-initiated transaction, subsequent same-merchant same-amount recurring transactions are exempt. Critical for subscription businesses.

5. Corporate / B2B

Transactions where both parties are corporates and PSD2 SCA doesn't apply. Narrow but valuable for B2B-focused PSPs.

The default behaviour on most gateways: none of these exemptions are requested unless the merchant explicitly enables them. Which means by default, every transaction goes into a risk-scored challenge funnel. Which means challenge flow fires for transactions that should have been frictionless.

The auth-rate math

A concrete illustration. Imagine a merchant doing 1M transactions / month. Default 3DS2 configuration, no exemption logic:

  • Frictionless flow: 40% (400K) — these convert at ~94%
  • Attempt: 5% (50K) — convert at ~85%
  • Challenge: 55% (550K) — convert at ~70% (after drop-off)

Net auth-rate: ~80%.

Now the same merchant after exemption layer is wired (TRA + low-value + recurring):

  • Frictionless: 75% (750K) — convert at ~94%
  • Attempt: 5% (50K) — convert at ~85%
  • Challenge: 20% (200K) — convert at ~70%

Net auth-rate: ~89%.

A 9-point lift. On 1M transactions × $50 average ticket × 9% = $4.5M / month of recovered revenue at the same fraud-loss risk.

This is why 3DS2 optimisation is the highest-leverage product surface a payments PM owns.

What the merchant actually controls

Six levers. In rough order of impact:

1. The 150 data elements

The richer the signal sent at 3DS2 initiation, the more frictionless flow the issuer will return. Most merchants send the bare minimum — billing address, IP, device user-agent. The merchants ranking in the top quartile of frictionless rate send a full kit: device fingerprint, screen resolution, browser language, time-zone offset, cardholder previous-purchase signal (if available), merchant risk score, account age, login state.

The data isn't hard to collect. It just has to be wired explicitly.

2. TRA exemption logic

The single biggest lift. Your gateway exposes a TRA exemption flag; you have to flip it for transactions your fraud engine scores low-risk. If your own fraud signal is mature, this can push 30–50% of transactions from challenge into frictionless.

3. Low-value exemption + counter management

Easy to wire, modest lift on its own, important in aggregate. Track the 5-transaction counter per card to avoid the next transaction hitting an unexpected challenge.

4. Recurring exemption

Mandatory for subscription businesses. Tag the first cardholder-initiated transaction as the "initial" and subsequent merchant-initiated transactions with the exemption flag.

5. 3DS2 challenge UX

When challenge does fire, the consumer's experience determines drop-off. App-based biometric beats OTP beats password by a wide margin. The issuer chooses the challenge mode, but the merchant can influence by sending hints (e.g., "consumer prefers app-based"). Several gateways now expose this signal.

6. Re-attempt logic

Some challenges fail (consumer enters wrong OTP, biometric fails). The merchant can re-attempt with the same exemption flag. Default re-attempt logic is "give up after one"; smarter merchants re-prompt with a different challenge type.

The six failure modes

1. Default gateway config

Already covered. No exemption flags requested, every transaction in the challenge funnel. The fix is wiring TRA + low-value + recurring as the baseline configuration.

2. TRA without a real risk engine

Requesting TRA exemption when your fraud engine isn't ready means the issuer grants the exemption based on your assertion — and the fraud-loss rate on your acquirer's reporting balloons. Eventually your acquirer pulls your TRA permission. Don't request TRA until your fraud signal is mature enough to sustain the loss rate.

3. Recurring exemption mis-tagged

The first cardholder-initiated transaction has to be tagged correctly so subsequent recurrings can claim the exemption. Some merchants forget this and every subscription renewal hits challenge.

4. 150 data elements left empty

The merchant sends bare minimum signal; the issuer can't make a frictionless decision; default to challenge. Audit what your checkout actually sends at 3DS2 initiation. Most merchants find half the available signal isn't being collected.

5. Challenge UX never measured

Drop-off rates by challenge type aren't tracked. The merchant doesn't know whether OTP or biometric is winning. Without that signal, the challenge UX never improves.

6. Single global threshold

Treating "step up if risk > X" as a one-size-fits-all threshold. Different merchants, categories, and transaction types deserve different thresholds. Recurring subscription should have a different threshold than first-time high-value e-commerce.

Beyond PSD2 — global 3DS2

PSD2 is the EU regulation. Equivalent regimes exist:

  • UK — PSR (similar to PSD2, post-Brexit divergence on details)
  • India — RBI mandates AFA (Additional Factor of Authentication) on card-not-present, similar effect
  • Brazil — Open Finance + Pix coexistence; 3DS2 for card-not-present
  • MENA — UAE / KSA / Egypt have central-bank-driven SCA mandates
  • South Asia — Pakistan SBP, Bangladesh, Nepal — various stages of mandate

The 3DS2 protocol is the same; the regulatory wrapper around exemptions differs. A multi-region merchant has to configure per-region exemption logic. Default behaviour: most gateways ship one global config and let it apply everywhere — which usually means "EU-style exemptions" applied where they don't quite fit.

Why this matters

A senior product hire at any acquirer or payment orchestrator will be asked about 3DS2 auth-rate optimisation within the first interview. So will a head of fraud, a head of checkout, a head of merchant product.

The candidate who treats 3DS2 as "we integrated it, the gateway handles it" gets a polite end-of-interview thank-you. The candidate who can walk through the frictionless / attempt / challenge funnel, name the 5 exemptions, articulate the TRA prerequisites, and quote the 9-point auth-rate lift from real optimisation — that candidate gets the job.

FAQ

Is 3DS2 the same as PSD2 SCA? No. 3DS2 is the protocol. PSD2 SCA is the EU regulation that mandates strong customer authentication in many cases. 3DS2 is the most common technical mechanism merchants use to satisfy PSD2 SCA. Outside the EU, 3DS2 is used without PSD2 driving it.

Frictionless or no 3DS2 at all — which is better? Frictionless. No 3DS2 (where allowed) loses liability shift; frictionless retains it.

Can I disable 3DS2 entirely? In regions where it's regulator-mandated, no. In regions where it's optional, you can — but you keep the fraud liability instead of the issuer. The economics rarely work out.

Does Click to Pay handle 3DS2? Click to Pay's authentication signal can satisfy PSD2 SCA for participating transactions. The gateway handles the exemption marking.

How long does 3DS2 optimisation take? First pass (wiring TRA + low-value + recurring) is 4–6 weeks. Continuous optimisation (data-element enrichment, threshold tuning, challenge-UX experiments) is ongoing — it's a product surface, not a one-time integration.

What's the floor on frictionless rate? Heavy gambling / adult / dating: 30–40%. Standard e-commerce: 60–80%. Subscription with recurring exemption: 85–95% post-initial.

The single biggest sign a merchant has under-invested in 3DS2? Their auth rate sits in the high 70s and they blame "issuer declines." Half the issuer declines on a 78% acquirer would have been frictionless approvals if the merchant had wired the exemptions.

Tags
EMV 3DS3DS2PSD2 SCAfrictionless flowstep-up authenticationcard acquiringpayment infrastructureauth rate optimisation

Related reading

Fraud & Risk
Layered Fraud Controls in the Payments Stack

No single fraud control survives a determined attacker. Layered controls do, and they do it without crushing conversion.

Payment Infrastructure
Why Local Payment Methods Are a Developer-Experience Problem

A merchant adopts a local payment method only if integrating it is as easy as integrating cards. Most LPM integrations fail that test.

Settlement & Reconciliation
Ledger Design for Multi-Rail Payments

The ledger is the source of truth for the entire platform. Most teams discover this after they have shipped the wrong one.