What's the difference between 3D Secure 1, 2 and 2.3?

Strong Customer Authentication is required in more and more countries around the world. Here’s a quick explanation of the key differences between the 3D Secure versions.

Europe’s Second Payment Services Directive (PSD2) requires SCA on most payments. 3D Secure is a method for 2-factor authentication recognized as SCA compliant by the European Banking Authority (EBA).

In fact, secure authentication for card-not-present (CNP) payments is mandated in several parts of the world, and even where it is not, Visa, Mastercard and other card schemes highly recommend using SCA.

How can you give yourself the best chance of minimizing unnecessary friction and converting customers?

There are major differences between 3DS versions 1 and 2, and smaller differences between 2.1 and 2.2. Importantly, we'll also look below at what is new in 3DS2.3 and why merchants might want to speed up adoption.

3D Secure 1

The original version, 3DS1, can support SCA compliance for PSD2. It can also provide merchant fraud liability protection, but for Visa Secure only until October 2021.

Although it’s compliant, 3DS1 was unpopular with consumers, and this caused big issues for merchants. 3DS1 comes from a time before mobile phones, so the user experience is varied at best and frustratingly terrible at its worst. It often relies on a pop-up window where the customer must enter their details, which can make the merchant checkout page look less secure, and the pattern itself can be vulnerable to cyber-criminal attack.

3DS1 also doesn’t recognize soft declines. An issuer can use a soft decline when it receives an authorization request from a merchant but wants authentication to take place first. With 3DS1, the issuer would have to decline the payment outright, and the merchant would be forced to try again and risk the customer abandoning checkout.

Given its age and limitations, it’s no surprise that 3DS1 is coming to the end of its life. From October 2021, 3DS1 started to be decommissioned by the card schemes, beginning with Mastercard. Even where it remained available, merchants lost the liability shift advantage with 3DS1.

It's always important to move forward with the newer versions as soon as possible.

3D Secure 2

Like 3DS1, 3DS2.1, 3DS2.2 and 3DS2.3 tick the boxes for SCA compliance and merchant fraud liability protection. Keep in mind, however, that even when liability shifts, these transactions can still count towards card scheme monitoring programs such as VAMP (the Visa Acquirer Monitoring Program).

What does 3DS2 do differently? It can enable better customer experience through less friction.

How does this work? With 3DS2, merchants have the ability to send far more data to the issuing bank than with 3DS1. Rather than only relying on static passwords, 3DS2 enables the use of dynamic authentication through biometrics and token-based authentication methods. With the extra data, issuers can apply frictionless authentication to approve a transaction without requiring any manual input from the cardholder.

This is called the frictionless flow. This risk-based authentication is key to keeping the checkout process friction-free for the majority of low-risk transactions from trusted customers.

3DS2 can also recognize soft declines, which 3DS1 didn’t support. For example, if the issuer receives an authorization request on a transaction, but wants authentication to take place beforehand, 3DS2 can enable this. This means there is less chance of the transaction being declined altogether by the issuer, and less risk of the transaction being abandoned by the customer.

Unlike 3DS1, 3DS2 can be used to set up merchant-initiated transactions. This is useful for a merchant who needs to set up recurring payments from a customer – e.g. for a subscription. The first payment requires SCA, but subsequent identical payments will not. A merchant can use 3DS2 to authenticate the first payment, and set up the following payments as merchant-initiated transactions.

3DS2.3 – new features and benefits

| New feature | What it does | The benefit |
| --- | --- | --- |
| Secure Payment Confirmation (SPC) | Uses FIDO credentials to perform an almost invisible challenge | Streamlines the web payment journey for shoppers |
| Device binding | Supports device binding and trusted device recognition for smoother step-up authentication (app flow only) | Faster, seamless payments for customers – fewer SCA challenges on mobile devices |
| Automated OOB transitions | Improves the handoff between merchant and issuer authentication experiences for out-of-band app flows | Resolves a historic point of failure and frustration, resulting in faster authentication |
| More recurring payments data | Simplifies and clarifies authentication for various recurring scenarios | Easier for merchants to authenticate fixed subscriptions, free trials and variable payments |
| More data exchanged | Increases the amount of data shared, including payment tokens | Faster, simpler authentication |
| New OReq/ORes message type | Adds operation messages to exchange status information from Directory Servers | Proactive health monitoring of authentication systems |
| Decoupled authentication fallback | Supports decoupled authentication (including fallback scenarios) to help complete authentication when standard challenge paths are unavailable | Reduces the likelihood of authentication failure |
| Split-SDK Specification | Simplifies implementation across a wider range of platforms and devices | Enables 3DS on non-traditional ecommerce and IoT devices |
| Bridging message extension | Improves interoperability when parts of the ecosystem still run 2.1/2.2 | Prevents technical deadlocks and delays |

3D Secure v2.3 – what's new and why it matters

The specification for 3DS v2.3 was released by EMVCo back in October 2021, with subsequent small updates coming as recently as August 2023, and the sunset process for v2.1 started in October 2024, pushing the market toward later versions.

Beyond card scheme pressure, however, there are excellent reasons to adopt 3DS2.3. Thanks to several new features that minimize friction and speed up shopper journeys, it promises significantly higher conversion rates, less churn, and lower operational costs.

Customers can enjoy more customized challenge interfaces, smoother transitions between apps, and certainly fewer interruptions, even compared to the previous version of 3DS.

3DS2.3 enhances the merchant experience as well as the shopper experience: richer data and better decisions, plus key improvements to system management and resilience. For instance, the new OReq/ORes messages allow for proactive health monitoring of authentication systems, and more devices are supported than ever.

Differences between 3D Secure 2.1 and 2.2

One key difference is the ability to support exemptions.

Both versions support issuer exemptions through risk-based authentication, e.g. the frictionless flow mentioned above.

3DS 2.2 also allows merchants to request exemptions through their acquirer. For example, the merchant or payment service provider can apply Transaction Risk Analysis (TRA) and use this data to request a low-risk exemption. It also allows merchants to request an exemption as a trusted merchant.

There are some variations between the schemes that are important to keep in mind. Mastercard has announced that it has enabled the low-risk exemption based on TRA. This isn’t possible with Visa on 2.1; however, Visa does allow the secure corporate transaction exemption on 2.1.

3DS 2.2 also adds support for delegated authentication and decoupled authentication.

Delegated authentication

Typically, authentication is performed by the issuing bank. Delegated authentication means that issuers can allow for a third-party to do the authentication. This could be a merchant, an acquirer, or a digital wallet provider.

So how does this work?

An example is a merchant that can perform SCA at login using FIDO authentication. This information can be passed on to the issuer so that it can confirm the customer’s identity without a further authentication step. This involves far less friction, delivers a better experience for the customer, and gives the merchant more control over how SCA is performed.

You can read up on the delegated authentication requirements for Visa here (page 530).

Decoupled authentication

Though the name is similar, this is not to be confused with delegated authentication.

Decoupled authentication is when a user conducts authentication through a methodology that is separate from the main authentication flow. This can take place even if the cardholder is offline.

An example use case is a customer who completes SCA on their smartphone to allow for authorization on another device, e.g. a desktop computer.

3DS1 vs 3DS2

| 3D Secure v1 (3DS1) | 3D Secure v2 (3DS2) |
| --- | --- |
| High friction | Low friction |
| Poor mobile experience (built before smartphones) | Designed for mobile, supports native SDKs and app-based flows |
| Limited data points (8–15) shared | 10x+ more data points (100–150) shared |
| No frictionless flow | Frictionless flow enabled – issuers can approve without shopper interruptions |
| No soft declines supported | Soft declines supported – issuers can request authentication instead of declining |
| No liability shift supported today | Liability shifts fully supported, protecting merchants from fraud liability |
| Difficult to manage recurring payments for merchant-initiated transactions | Merchant-initiated transactions supported for use cases such as subscriptions |

What happens if 3DS is attempted, but the issuer is not enrolled in the version requested?

The version that is supported by the issuer will be used instead, even if earlier.

So, let’s imagine a customer makes a payment and you request 3DS 2.2, but the customer’s issuer is only enrolled in version 2.1. In this case, 2.1 will be used instead. If the issuer is not enrolled in version 2, then 3DS1 will be used.

If the issuer is not enrolled in 3DS at all, then the card scheme Attempts Server will stand in on behalf of the issuer.
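The fallback described above, together with the capabilities the page attributes to each version (soft declines and merchant-initiated transactions from 3DS2, acquirer-requested exemptions from 2.2), as an added example that is not Ravelin's or EMVCo's code; the `Issuer` type, `versions_up_to`, `select_version`, `plan_checkout` and the capability table are illustrative assumptions, not a 3DS Server API:

```python
from dataclasses import dataclass

# Protocol versions ordered oldest to newest (3DS1 is written "1.0" here).
VERSION_ORDER = {"1.0": 0, "2.1": 1, "2.2": 2, "2.3": 3}

# Assumed summary of what the text says each version can carry; it is not
# the EMVCo specification and only covers the features the article discusses.
CAPABILITIES = {
    "1.0": frozenset(),
    "2.1": frozenset({"soft_decline", "mit"}),
    "2.2": frozenset({"soft_decline", "mit", "acquirer_exemption"}),
    "2.3": frozenset({"soft_decline", "mit", "acquirer_exemption"}),
}


@dataclass(frozen=True)
class Issuer:
    enrolled: frozenset  # versions the issuer's ACS supports; empty = not enrolled


def versions_up_to(requested):
    """Merchant requesting e.g. '2.2' is taken to accept 2.2 and everything older."""
    return frozenset(v for v, rank in VERSION_ORDER.items()
                     if rank <= VERSION_ORDER[requested])


def select_version(merchant_versions, issuer):
    """Return the version that will actually run. The issuer's enrolment wins
    even if older; no 3DS2 enrolment means 3DS1; no enrolment at all means the
    card scheme Attempts Server stands in (signalled as 'attempts-server')."""
    if not issuer.enrolled:
        return "attempts-server"
    common = merchant_versions & issuer.enrolled
    if not common:
        return "1.0"
    return max(common, key=VERSION_ORDER.__getitem__)


def plan_checkout(merchant_versions, issuer, wants_exemption=False):
    """Decide the run version and flag what a downgrade costs the merchant,
    e.g. a TRA exemption request that cannot be carried on 2.1."""
    version = select_version(merchant_versions, issuer)
    caps = CAPABILITIES.get(version, frozenset())  # Attempts Server: none modelled
    return {
        "version": version,
        "soft_decline_possible": "soft_decline" in caps,
        "mit_setup_possible": "mit" in caps,
        "exemption_request_carried": wants_exemption and "acquirer_exemption" in caps,
        "attempts_server": version == "attempts-server",
    }
```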

SCA around the world

It's not just on the Old Continent – countries from around the world are adopting SCA, including many in Asia. Browse the SCA Mandates section of our global authentication map to find out where merchants have to follow SCA for online payments.

Meanwhile, even in those countries that do not mandate SCA, the pressure is high from card schemes to merchants to use 3DS, as a means to keep fraud and dispute rates low, and customer trust high.

Ravelin's 3DS product is certified for 3DS2.

Ravelin is prepared for 3DS v2.3

We continue to be proactive in our support of 3DS. See the advantages of Ravelin's 3DS products.
