3-D Secure 2.0: the threat of systematic authentication & workflow with or without friction

Cyril Blondel
Updated on 23 April 2024 by Cyril Blondel


This regulatory evolution induces a profound paradigm shift. With the implementation of EMVCo 3DS 2.0 (3DS2), new liability-shift rules are set in Europe: banks will now bear the obligation to stay within defined fraud thresholds.

To meet these thresholds, banks will be able to require strong authentication on all transactions (apart from regulatory exemptions). This potential friction at the end of the purchase process could therefore affect online merchants' conversion rates and, in turn, their turnover.


3-D Secure 2.0 introduces a new authentication workflow known as “frictionless”. A frictionless flow occurs when the cardholder is not explicitly asked to authenticate, whether in-app or via the browser.

In this workflow, the following steps occur:

1. Payment Authentication is initialized
2. Authentication Request/Response
3. Communication of results
4. Authorization messages

Customer authentication is finalized without additional intervention from the cardholder.

Special cases of the Frictionless workflow

Some specific payment operations will be considered outside the scope of the RTS on SCA:



On the other hand, when Strong Customer Authentication (SCA) is required by the Acquiring PSP or the Issuer, the authentication flow is referred to as a “challenge”. The challenge flow steps are comparable to the earlier 3-D Secure 1.0 experience.

In this workflow, the same initial steps as in the frictionless flow occur, and then:

4. If strong authentication is required, a challenge is requested by the Acquiring PSP and/or the Issuer
5. Request results are shared between the Acquiring PSP and the Issuer
6. Results are forwarded to the Merchant
7. Authorization messages

Conditions for strong authentication

Strong Customer Authentication (SCA) is valid when at least 2 of the following 3 categories of factors are used:

  • Knowledge: something only the user knows (PIN, password, etc.)
  • Possession: something only the user possesses (credit card, smartphone, etc.)
  • Inherence: something only the user is (biometric identification such as fingerprint, iris or voice recognition)
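As an added example (not code from the original article), the two rules above in Python: the challenge/frictionless routing from the previous section and the two-of-three factor rule for SCA, including the case that trips implementations up, two factors from the same category. The evidence names and the `out_of_scope` flag are assumptions for illustration; a real issuer ACS keeps its own catalogue.

```python
from enum import Enum

class Factor(Enum):
    KNOWLEDGE = "knowledge"    # something only the user knows
    POSSESSION = "possession"  # something only the user possesses
    INHERENCE = "inherence"    # something only the user is

# Constructed catalogue of evidence types and the SCA category each one proves.
# These names are assumptions for this example, not a standard list.
EVIDENCE_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "payment_card": Factor.POSSESSION,        # the article lists the card as possession
    "enrolled_smartphone": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "voice": Factor.INHERENCE,
}

def sca_categories(evidence):
    """Map presented evidence to the distinct SCA categories it covers.
    Unknown evidence is rejected rather than silently ignored (fail closed)."""
    unknown = sorted(set(evidence) - set(EVIDENCE_CATEGORY))
    if unknown:
        raise ValueError(f"unrecognised evidence: {unknown}")
    return {EVIDENCE_CATEGORY[e] for e in evidence}

def satisfies_sca(evidence):
    """SCA holds only when the evidence spans at least 2 of the 3 categories.
    Two factors from one category (PIN + password) do not qualify."""
    return len(sca_categories(evidence)) >= 2

def route_flow(acquirer_requires_sca, issuer_requires_sca, out_of_scope=False):
    """Choose the 3DS2 flow: a challenge is raised when either the Acquiring PSP
    or the Issuer requires SCA, unless the operation is out of the RTS SCA scope."""
    if out_of_scope or not (acquirer_requires_sca or issuer_requires_sca):
        return "frictionless"
    return "challenge"

def authenticate(acquirer_requires_sca, issuer_requires_sca, evidence, out_of_scope=False):
    """Return (flow, authenticated). In the frictionless flow the cardholder is not
    asked for anything; in the challenge flow the evidence must satisfy SCA."""
    flow = route_flow(acquirer_requires_sca, issuer_requires_sca, out_of_scope)
    if flow == "frictionless":
        return flow, True
    return flow, satisfies_sca(evidence)

if __name__ == "__main__":
    print(authenticate(False, False, []))                             # ('frictionless', True)
    print(authenticate(True, False, ["pin", "password"]))             # ('challenge', False)
    print(authenticate(False, True, ["pin", "enrolled_smartphone"]))  # ('challenge', True)
```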
