---
title: "What's the difference between 3D Secure 1, 2 and 2.3?"
date: 2020-12-17T15:01:00+00:00
author: Catherine Jones
canonical_url: "https://www.ravelin.com/blog/whats-the-difference-between-3d-secure-1-and-2"
section: Blog
---
Blog /[3DS &amp; SCA](/resources?search=&category%5B0%5D=134550#resourceContainer "Go to 3DS & SCA")

# What's the difference between 3D Secure 1, 2 and 2.3?

 Strong Customer Authentication is required in more and more countries around the world. Here’s a quick explanation of the key differences between the 3D Secure versions.

![What's the difference between 3D Secure 1, 2 and 2.3?](https://storage.googleapis.com/ravelin-website-assets-production/assets/images/_blogSmall/276036/477-3DS-Differences-Feature-image-885x505-1.webp)

Europe’s [Second Payment Services Directive (PSD2) requires SCA](https://www.ravelin.com/insights/ultimate-guide-psd2-strong-customer-authentication) on most payments. 3D Secure is a method for 2-factor authentication recognized as SCA compliant by the European Banking Authority (EBA).

In fact, secure authentication for CNP payments is mandated in several parts of the world, while even where it's not, Visa, Mastercard and other card schemes highly recommend using SCA.

How can you ensure you have the best chance minimizing unnecessary friction and converting customers?

There are major differences between 3DS versions 1 and 2, and smaller differences between 2.1 and 2.2. Importantly, we'll also look below at what is new in 3DS2.3 and why merchants might want to speed up adoption.

## **3D Secure 1**

The original version, 3DS1 can support SCA compliance for PSD2. It can also provide merchant fraud liability protection, but only until October 2021 for Visa Secure – 3DS1.

Although it’s compliant, 3DS1 was unpopular with consumers, and this caused big issues for merchants. 3DS1 comes from a time before mobile phones, so the user experience is varied at best, and frustratingly terrible at its worst. It often relies on a pop-up window where the customer must enter their details, which can make the merchant checkout page look even *less* secure, and it can be vulnerable to cyber-criminal attack.

3DS1 also doesn’t recognize soft-declines. An issuer can use a soft-decline if they receive a request from a merchant to authorize a payment, but they want to use authentication first. With 3DS1, the issuer would have to just decline the payment and the merchant would be forced to try again and risk the customer abandoning checkout.

Given its age and limitations, it’s no surprise it’s coming to the end of its life soon. From October 2021, 3DS started to be decommissioned by card schemes, starting with Mastercard. Even when still available, merchants lost the liability shift advantage with 3DS1.

**It's always important to move forward with the newer versions as soon as possible.**

## **3D Secure 2**

Like 3DS1, 3DS2.1, 3DS2.2 and 3DS2.3 tick the boxes for SCA compliance and merchant fraud liability protection. Keep in mind, however, that even when liability shifts, [these transactions can still count towards card scheme programs such as VAMP](https://www.ravelin.com/blog/visa-vamp-changes-chargeback-disputes).

**What does 3DS2 do differently?** It can enable better customer experience through less friction.

**How does this work?** With 3DS2, merchants have the ability to send far more data to the issuing bank than with 3DS1. Rather than only relying on static passwords, 3DS2 enables the use of dynamic authentication through biometrics and token-based authentication methods. With the extra data, issuers can apply frictionless authentication to approve a transaction without requiring any manual input from the cardholder.

This is called **frictionless flow**. This risk-based authentication is key to keeping the checkout processes friction-free for the majority of low-risk transactions from trusted customers.

3DS2 can also recognize soft declines, which 3DS1 didn’t support. For example, if the issuer receives an authorization request on a transaction, but wants authentication to take place beforehand, 3DS2 can enable this. This means there is less chance of the transaction being declined altogether by the issuer, and less risk of the transaction being abandoned by the customer.

Unlike 3DS1, 3DS2 can be used to set up merchant-initiated transactions. This is useful for a merchant who needs to set up recurring payments from a customer – e.g. for a subscription. The first payment requires SCA, but subsequent identical payments will not. A merchant can use 3DS2 to authenticate the first payment, and set up the following payments as merchant-initiated transactions.

### 3DS2.3 – new features and benefits

New featureWhat it doesThe benefitSecure Payment Confirmation (SPC)Uses FIDO credentials to perform an almost invisible challengeStreamlines the web payment journey for shoppersDevice bindingSupports device binding and trusted device recognition for smoother step-up authentication (app flow only)Faster, seamless payments for customers – fewer SCA challenges on mobile devicesAutomated OOB transitionsImproves the handoff between merchant and issuer authentication experiences for out-of-band app flowsResolves a historic point of failure and frustration, resulting in faster authenticationMore recurring payments dataSimplifies and clarifies authentication for various recurring scenariosEasier for merchants to authenticate fixed subscriptions, free trials and variable paymentsMore data exchangedIncreases amount of data shared, including payment tokensConduct faster, simpler authenticationNew OReq/ORes message typeAdds operation messages to exchange status information from Directory ServersProactive health monitoring of authentication systemsDecoupled authentication fallbackSupports decoupled authentication (including fallback scenarios) to help complete authentication when standard challenge paths are unavailableReduces the likelihood of authentication failureSplit-SDK SpecificationSimplifies implementation across a wider range of platforms and devicesEnables 3DS on non-traditional ecommerce and IoT devicesBridging message extensionImproves interoperability when parts of the ecosystem still run 2.1/2.2Prevents technical deadlocks and delays

## 3D Secure v2.3 – what's new and why it matters

[Specification for 3DS v.2.3](https://www.emvco.com/dynamic/emv-3-d-secure-whitepaper-v2/3-d-secure-documentation/3-d-secure-specification-v2-3-1/) was released by EMVCo back in October 2021, with subsequent small updates coming as recently as August 2023. and the sunset process for v2.1 started in October 2024, pushing the market toward later versions.

There are **excellent reasons to adopt 3DS2.3**, however, beyond card scheme pressure. Thanks to several new features that minimize friction and speed up shopper journeys, it promises significantly higher conversion rates, less churn, and lower operational costs.

Customers can enjoy more customized challenge interfaces, smoother transitions between apps, and certainly fewer interruptions, even compared to the previous version of 3DS.

3DS2.3 enhances the shopper experience as well as the merchant experience: Richer data and better decisions as well as key improvements to system management and resilience. For instance, the new OReq/ORes messages allow for proactive health monitoring of authentication systems, while there are more devices supported than ever.

[**![SCA map](https://storage.googleapis.com/ravelin-website-assets-production/assets/images/Screenshot-2025-10-22-at-16.55.44.png)**](https://www.ravelin.com/global-payment-regulation-map)**Explore Ravelin's SCA mandates map to see where Secure Customer Authentication is required around the world.**## **Differences between 3D Secure 2.1 and 2.2**

### One key difference is the ability to support exemptions.

Both versions support issuer exemptions through risk-based authentication, e.g. the frictionless flow mentioned above.

3DS 2.2 also allows merchants to request exemptions through their acquirer. This includes the merchant or payment service provider can apply [Transaction Risk Analysis (TRA)](https://www.ravelin.com/blog/why-psd2-gives-merchants-the-upper-hand-around-strong-customer-authentication) and use this data to request for a low-risk exemption. It also allows merchants to request an exemption as a Trusted merchant.

There are some variations between the schemes which are important to keep in mind. Mastercard has also announced that it has enabled the low-risk exemption based on TRA. This isn’t possible with Visa on 2.1. However, Visa will allow for the secure corporate transaction exemption on 2.1.

### Delegated authentication and decoupled authentication are now supported.

**Delegated authentication**

Typically, authentication is performed by the issuing bank. [Delegated authentication](https://www.ravelin.com/blog/how-does-delegated-authentication-promote-checkout-conversion) means that issuers can allow for a third-party to do the authentication. This could be a merchant, an acquirer, or a digital wallet provider.

So how does this work?

An example could be if a merchant has the ability to perform SCA at login through using [FIDO authentication](https://fidoalliance.org/). This information can be passed on to the issuer so that they can confirm the customer’s identity, and there’s no need to authenticate. This would involve a lot less friction and deliver a better experience for the customer, and allows the merchant more control over how SCA is performed.

You can read up on the delegated authentication requirements for [Visa here (page 530)](https://usa.visa.com/dam/VCOM/download/about-visa/visa-rules-public.pdf).

**Decoupled authentication**

Though the name is similar, this is not to be confused with delegated authentication.

Decoupled authentication is when a user conducts authentication through a methodology that is separate from the main authentication flow. This can take place even if the cardholder is offline.

An example use case is a customer who completes SCA on their smartphone to allow for authorization on another device, e.g. a desktop computer.

### 3DS1 vs 3DS2

3D Secure v1 (3DS1)3D Secure v2 (3DS2)High frictionLow frictionPoor mobile experience (built before smartphones)Designed for mobile, supports native SDKs and app-based flowsLimited data points (8–15) shared+10x more data points (100–150) sharedNo frictionless flowFrictionless flow enabled – issuers can approve without shopper interruptionsNo soft declines supportedSoft declines supported – issuers can request authentication instead of decliningNo liability shift supported todayLiability shifts fully supported, protecting merchants from fraud liabilityDifficult to manage recurring payments for merchant-initiated transactionsMerchant-initiated transactions supported for use cases such as subscriptions

## **What happens if 3DS is attempted, but the issuer is not enrolled in the version requested?**

The version that is supported by the issuer will be used instead, even if earlier.

So, let’s imagine a customer makes a payment and you request 3DS 2.2, but the customer’s issuer is only enrolled in version 2.1. In this case, 2.1 will be used instead. If the issuer is not enrolled in version 2, then 3DS1 will be used.

If the issuer is not enrolled in 3DS at all, then the card scheme Attempts Server will stand in on behalf of the issuer.

## SCA around the world

It's not just on the Old Continent – countries from around the world are adopting SCA, including many in Asia. Browse the SCA Mandates section of our [global authentication map](https://www.ravelin.com/global-payment-regulation-map) to find out where merchants have to follow SCA for online payments.

Meanwhile, even in those countries that do not mandate SCA, the pressure is high from card schemes to merchants to use 3DS, as a means to keep fraud and dispute rates low, and customer trust high.

**Ravelin's 3DS product is certified for 3DS2.**

![Ravelin Logo](https://storage.googleapis.com/ravelin-website-assets-production/assets/images/ravelin-symbol-logo-transparent.webp)

## Ravelin is prepared for 3DS v2.3

We continue to be proactive in our support of 3DS. See the advantages of Ravelin's 3DS products.

[Explore the solution ](https://www.ravelin.com/solutions/3ds-product-3d-secure-server-sdks)

  

## Authors

![Catherine Jones](https://storage.googleapis.com/ravelin-website-assets-production/assets/images/_avatarSmall/76597/kit-photo.webp)

Catherine JonesProduct Director

Product Director Catherine has been with Ravelin for over six years and likes to call herself a payments and authentication nerd. Across…

[More from this author](https://www.ravelin.com/author/catherine-jones)

![James Hogan](https://storage.googleapis.com/ravelin-website-assets-production/assets/images/_avatarSmall/274718/james-hogan.webp)

James HoganSenior Product Manager – Payments Engineering

For the past 12 years, James has led product teams at iconic companies such as Ebay, Mastercard, Worldpay and Ocado, specializing in…

[More from this author](https://www.ravelin.com/author/james-hogan)

## Related content

[Blog / Fraud analytics

### Refund abuse KPIs: How to measure and reduce refund fraud rates

What you need to know to assess and quantify refund abuse – as well as to measure whether your refund abuse solution and strategy are delivering results.

![Can](https://storage.googleapis.com/ravelin-website-assets-production/assets/images/_33x33_crop_center-center_none_ns/280078/can.webp)Can Colak,Senior Product Manager](https://www.ravelin.com/blog/how-to-measure-refund-abuse-kpis)

[Blog / Press release

### Driven by AI, customers now rival criminals for ecommerce fraud, say merchants

Global ecommerce fraud enters a new phase as losses continue to climb. Merchants now view criminals and their own customers as presenting a comparable risk, and there's a gap in AI adoption.

![Ravelin Symbol Blue 1](https://storage.googleapis.com/ravelin-website-assets-production/assets/images/_33x33_crop_center-center_none_ns/187712/Ravelin-Symbol-Blue-1.webp)Ravelin Technology](https://www.ravelin.com/blog/ravelin-fraud-survey-2026-press-release)

[Blog / Payments &amp; payment fraud

### Safeguarding agentic commerce – fraud strategy advice by Ravelin's CPO

"If there’s anything fraudsters like, it’s a new thing." Here's how to protect your online shop from agentic commerce fraud – which can target you no matter whether you're actively adopting AI shopping or not.

![RAVELIN STAFF Mark Barlow Head Of product website](https://storage.googleapis.com/ravelin-website-assets-production/assets/images/_33x33_crop_center-center_none_ns/175066/RAVELIN_STAFF_Mark_Barlow_Head_Of_product_website.webp)Mark Barlow,Chief Product Officer](https://www.ravelin.com/blog/agentic-commerce-fraud-prevention-strategy-analysis)
