3DS 2.0 Explained for Businesses
Last updated: 12.06.2026
In the first half of 2025, over £600 million was stolen by criminals in the UK, where card-not-present fraud cases rose by 22% from 2024.
3DS 2.0 is one of the most significant tools available to address this, and understanding how it works is increasingly important for any UK SME selling online.
This guide explains what 3DS 2.0 is, how it works in practice, what it means for your checkout, and why it matters for fraud prevention, payment security, and your customers’ experience.
TABLE OF CONTENTS
- What Does “3DS” Mean?
- What Is 3DS 2.0?
- How Does 3DS 2.0 Work?
- Frictionless Flow vs Challenge Flow
- Why Was 3DS 2.0 Introduced?
- How 3DS 2.0 Supports SCA Under PSD2
- 3DS 2.0 vs 3DS 1.0: What Changed?
- What Are the Benefits of 3DS 2.0 for Businesses?
- What Are the Benefits of 3DS 2.0 for Customers?
- What 3DS 2.0 Means for E-Commerce Merchants
- What Should Businesses Do To Prepare for 3DS 2.0?
- 3DS 2.0 and Chargebacks: What Businesses Should Know
- How myPOS Supports Secure 3-D Secure Payments
- Conclusion
What Does “3DS” Mean?
3DS stands for Three-Domain Secure – a reference to the three parties involved in the authentication process:
- The acquirer domain – the merchant and their acquiring bank;
- The issuer domain – the bank or institution that issued the customer’s card;
- The interoperability domain – the card network infrastructure (Visa, Mastercard, and others) that connects the two.
The protocol was originally developed by Visa under the name Verified by Visa and later adopted by Mastercard (SecureCode), American Express (SafeKey), and others.
It provides a standardised way for these three parties to communicate and verify a cardholder’s identity during an online transaction.
What Is 3DS 2.0?
3DS 2.0, also referred to as 3DS2 or EMV 3-D Secure, is the current generation of the 3-D Secure authentication protocol.
It was developed by EMVCo, the technical standards body owned by the major card networks, to address the significant shortcomings of the original 3DS 1.0 standard.
Where 3DS 1.0 was built for desktop browser payments, 3DS 2.0 is designed for the full range of modern digital payments – mobile apps, in-browser checkouts, digital wallets, and more. It introduces risk-based authentication, richer data exchange between merchants and card issuers, and a significantly improved customer experience compared to its predecessor.
For UK SMEs selling online, 3DS 2.0 is the authentication standard your payment provider should be using to verify cardholders during online transactions.
How Does 3DS 2.0 Work?
When a customer initiates an online card payment on your website or app, 3DS 2.0 runs an authentication process in the background – often without the customer noticing anything at all.
Here is how this works.
Step 1: Data collection
At the point of checkout, your payment provider collects a range of transaction and device data.
This includes the device type, browser information, transaction amount, shipping address, and, where available, the customer’s payment history with that merchant.
Over 150 data elements can be shared in a single 3DS 2.0 authentication request, compared to around 15 in version 1.0.
Step 2: Risk assessment
This data is passed to the card issuer’s access control server, which performs transaction risk analysis to evaluate the likelihood that the transaction is genuine.
The issuer considers factors including the transaction amount, the customer’s typical behaviour, the device being used, and the merchant’s fraud profile.
Based on its risk assessment, the issuer chooses one of two paths – frictionless flow or challenge flow.
Frictionless Flow vs Challenge Flow
One of the most important things to understand about 3DS 2.0 is the difference between frictionless and challenge flow. This is the core structural difference that makes 3DS 2.0 materially better for both merchants and customers than its predecessor.
The frictionless flow occurs when the issuer’s transaction risk analysis determines that the payment is low-risk.
Authentication is approved automatically in the background, with no interruption to the customer’s checkout journey. The customer completes their purchase without being asked to do anything beyond entering their card details.
The challenge flow, on the other hand, is triggered when the issuer requires additional user verification – typically for higher-value transactions, unusual behaviour patterns, or new device and card combinations.
The customer is presented with an authentication step, which under 3DS 2.0 can take several forms depending on the issuer’s implementation:
- A one-time passcode sent by SMS or email;
- Approval through the card issuer’s banking app with biometric authentication (fingerprint or face recognition);
- A knowledge-based question.
This is a significant improvement over 3DS 1.0, which routed almost every transaction through a challenge step – a static password page that was unfamiliar, often broken on mobile, and directly linked to cart abandonment. Visa estimates that merchants will see cart abandonment rates fall by up to 66%.
Why Was 3DS 2.0 Introduced?
The original 3DS 1.0 protocol was introduced in 2001 – before smartphones existed, before app-based payments were conceivable, and before the volume and sophistication of modern payment fraud had developed.
By the mid-2010s it was widely regarded as technically outdated and commercially damaging, with high abandonment rates and poor mobile compatibility undermining its value for merchants.
Three converging pressures drove the development of 3DS 2.0.
Rising card-not-present fraud
As chip-and-PIN made in-person card fraud harder, fraudsters shifted to online channels.
Card-not-present fraud has consistently accounted for the majority of UK card fraud losses, making stronger ecommerce security a commercial and regulatory priority.
The shift to mobile payments
In 2025, more than 75% of e-commerce purchases in the UK were made on mobile devices.
The 3DS 1.0 redirect flow was poorly suited to mobile checkout and in-app payment environments, creating friction that cost merchants conversions without reliably improving security.
Regulatory requirements
The introduction of PSD2 and its Strong Customer Authentication requirements across Europe created a formal regulatory mandate for improved authentication on electronic payments.
Meeting those requirements called for a standard that could deliver SCA-compliant verification while maintaining a workable customer experience.
How 3DS 2.0 Supports SCA Under PSD2
Directive (EU) 2015/2366 (PSD2), introduced in Europe, is a regulatory measure for payment services, e-money and financial institutions that seeks to add extra layers of protection in the online and mobile purchasing process.
Strong Customer Authentication (SCA) is a regulation under PSD2, which aims to reduce fraud in online payments and make them more secure.
3DS 2.0 is not the same thing as SCA – it is a protocol that can be used to satisfy SCA requirements for online card payments. When a cardholder authenticates via a banking app using biometric authentication, or confirms a payment with an SMS code alongside their card details, the transaction meets the SCA standard.
3DS 2.0 vs 3DS 1.0: What Changed?
Under 3DS 1.0, a customer who entered their card details on a website was taken to a new page and asked to enter a password to verify their identity.
This extra layer of protection was helpful, but the online and mobile purchasing process needed new and improved security measures, which led to the introduction of 3DS 2.0.
The following table summarises the main differences between the two:
| Feature | 3D Secure 1.0 (3DS 1.0) | 3D Secure 2.0 (3DS 2.0) |
| --- | --- | --- |
| Risk Analysis Data | Limited data shared for risk analysis | Much larger and more diverse data shared for risk analysis |
| Mobile & In-App Support | Poor mobile and in-app support | Native mobile and in-app support |
| Authentication Methods | Relies on static passwords | Uses OTP, biometrics, and app-based authentication |
| Risk-Based Authentication | Not available | Available |
| Frictionless Flow | Not available | Available, enabling smoother customer experiences |
What Are the Benefits of 3DS 2.0 for Businesses?
For UK SMEs selling online, the commercial and operational benefits of 3DS 2.0 over its predecessor are:
- Stronger fraud prevention – The richer data exchange at the heart of 3DS 2.0 gives card issuers significantly more information for transaction risk analysis, improving their ability to identify genuine fraud while approving legitimate transactions.
- Merchant liability shift – When a transaction is successfully authenticated through 3DS 2.0, liability for fraud-related chargebacks typically shifts from the merchant to the card issuer. This means that if a fraudulent transaction passes authentication, you are generally not the party that bears the loss.
- Better checkout conversion – The frictionless flow means that low-risk transactions complete without interruption.
- SCA compliance – For UK merchants selling to customers whose cards are issued by UK or European banks, 3DS 2.0 provides a reliable mechanism for meeting Strong Customer Authentication obligations, reducing the risk of declined payments due to SCA failures.
- Customer trust – A checkout experience that is visibly secure but not unnecessarily disruptive builds confidence. Customers who encounter a smooth, branded authentication experience are more likely to complete the purchase and return.
myPOS merchants involved in the e-commerce space have added fields to their checkout pages, in line with the new security measures. This change will be an automatic one, and myPOS merchants will not need to take additional steps to ensure that they are compliant with 3DS 2.0.
What Are the Benefits of 3DS 2.0 for Customers?
From the customer’s perspective, 3DS 2.0 addresses the two main complaints about its predecessor – it is more secure and considerably less disruptive.
For low-risk transactions, the frictionless payments flow means most purchases are completed without any additional step – the authentication happens invisibly.
When a challenge is required, modern authentication methods like biometric authentication through a banking app, for example, are faster and more intuitive than a static password on an unfamiliar redirect page.
The result is a digital transaction security experience that matches customers’ expectations of modern digital services.
What 3DS 2.0 Means for E-Commerce Merchants
The practical implications of 3DS 2.0 for e-commerce merchants extend across checkout design, payment operations, and fraud management.
Your checkout must support the required data fields
3DS 2.0 authentication is more effective when the full set of transaction and customer data is available.
Checkouts that fail to collect or pass billing address, email, and phone number provide less information for risk assessment, potentially resulting in more challenge flows and lower approval rates.
Your payment provider’s implementation matters
Not all 3DS 2.0 integrations are equal.
Providers that actively manage exemption requests, pass rich transaction data, and keep current authentication flows will deliver better frictionless payment rates and approval outcomes than those with minimal implementations.
Authentication outcomes affect your payment reporting
Failed authentication, abandoned challenge flows, and issuer-declined exemptions all appear in your payment data.
Monitoring these metrics is the most direct way to identify checkout friction that is costing you conversions.
Recurring payments require specific handling
For subscription businesses or any merchant taking recurring payments, SCA applies to the initial transaction.
Subsequent recurring charges use a merchant-initiated transaction flag rather than re-authenticating each time, but the initial setup must be correctly authenticated, or the entire series may be affected.
What Should Businesses Do To Prepare for 3DS 2.0?
If you run a small business in the UK and still haven’t reviewed your online payment setup against current 3DS standards, here are a few useful tips:
- Use a payment provider that supports current 3DS standards – Ensure your provider implements 3DS 2.0 – not the legacy 1.0 protocol – and actively maintains its integration with card network authentication infrastructure.
- Audit your checkout data fields – Confirm that your checkout collects and passes billing address, email, phone number, and cardholder name to your payment provider.
- Review your mobile checkout experience – Test your checkout on multiple mobile devices and browsers. A challenge flow that works cleanly on desktop but breaks on mobile is a conversion problem hiding in plain sight.
- Monitor authentication metrics in your payment dashboard – Look for patterns in failed authentications, abandoned challenge flows, and transaction declines that may indicate authentication issues rather than genuine customer decisions to abandon.
Don’t forget to communicate clearly during challenge flows.
If a customer encounters a challenge step, make sure your checkout states what is happening and why, reducing confusion and the likelihood of abandonment.
3DS 2.0 and Chargebacks: What Businesses Should Know
3DS 2.0 authentication and chargeback liability are directly connected, and this is one of the most practically important aspects to understand.
When a transaction is authenticated through 3DS 2.0 and subsequently disputed as fraudulent, the merchant liability shift means the issuing bank – not the merchant – typically bears responsibility for the fraud loss.
This is a meaningful protection for online retailers, where card-not-present fraud disputes would otherwise fall on the merchant.
However, there are important caveats:
- Authentication does not eliminate all chargebacks – Liability shift applies specifically to fraud-related chargebacks. Disputes based on non-delivery, items not as described, or merchant error remain the merchant’s responsibility regardless of authentication status.
- Exempted transactions carry different liability – If a transaction proceeds under a low-value or TRA exemption (bypassing the full authentication step), the liability position depends on which party requested the exemption.
- Failed or incomplete authentication removes protection – If 3DS authentication was attempted but not completed – for example because the customer abandoned the challenge step – the transaction does not benefit from liability shift. Merchants who then proceed to authorise the payment carry the fraud risk themselves.
For UK SMEs with meaningful online transaction volumes, the chargeback protection offered by properly implemented 3DS 2.0 authentication is one of its most commercially significant benefits.
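The caveats above, and the earlier advice to track authentication outcomes separately from payment declines, can be checked against exported payment data. The following is an added example, not myPOS code or part of the original guide; the record fields (flow, auth, authorised, exemption_requested_by) are a hypothetical export schema and the sample records are constructed.

```python
from collections import Counter

# Constructed sample records. The field names are a hypothetical export
# schema (an assumption), not any provider's real reporting format.
TXNS = [
    {"id": "t1", "flow": "frictionless", "auth": "success", "authorised": True},
    {"id": "t2", "flow": "challenge", "auth": "success", "authorised": True},
    {"id": "t3", "flow": "challenge", "auth": "abandoned", "authorised": False},
    {"id": "t4", "flow": "challenge", "auth": "abandoned", "authorised": True},
    {"id": "t5", "flow": "challenge", "auth": "failed", "authorised": False},
    {"id": "t6", "flow": "exempt", "auth": None, "authorised": True,
     "exemption_requested_by": "merchant"},
    {"id": "t7", "flow": "frictionless", "auth": "success", "authorised": False},
]


def fraud_liability(txn):
    """Party that typically bears a fraud-related chargeback, per the guide."""
    if not txn["authorised"]:
        return "n/a"  # no payment was taken
    if txn["flow"] == "exempt":
        # The guide only says this depends on who requested the exemption.
        return "depends:" + txn.get("exemption_requested_by", "unknown")
    if txn["auth"] == "success":
        return "issuer"  # completed authentication: liability shift
    return "merchant"  # failed or abandoned, but authorised anyway


def rate(part, whole):
    return part / whole if whole else 0.0


def summarise(txns):
    attempted = [t for t in txns if t["flow"] in ("frictionless", "challenge")]
    challenged = [t for t in attempted if t["flow"] == "challenge"]
    outcomes = Counter(t["auth"] for t in attempted)
    return {
        "frictionless_rate": rate(len(attempted) - len(challenged), len(attempted)),
        "challenge_abandon_rate": rate(
            sum(t["auth"] == "abandoned" for t in challenged), len(challenged)),
        # Authentication failures, kept apart from payment declines.
        "auth_failure_rate": rate(
            outcomes["failed"] + outcomes["abandoned"], len(attempted)),
        # Authenticated, then declined at authorisation: a payment decline.
        "declined_after_auth": [t["id"] for t in attempted
                                if t["auth"] == "success" and not t["authorised"]],
        # Authorised without completed authentication: no liability shift.
        "unprotected": [t["id"] for t in txns if fraud_liability(t) == "merchant"],
    }


if __name__ == "__main__":
    for name, value in summarise(TXNS).items():
        print(f"{name}: {value}")
```

Any transaction listed under "unprotected" was authorised after a failed or abandoned challenge, which is the case the third caveat describes.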
How myPOS Supports Secure 3-D Secure Payments
For merchants using myPOS online payment tools, 3-D Secure authentication is built into the payment processing flow. This means that merchants don’t need to implement or manage the authentication protocol independently.
When a customer pays through a myPOS-supported online checkout or payment link, the 3DS 2.0 authentication flow is handled automatically, including the exchange of transaction data with the card issuer and the management of frictionless and challenge flows depending on the issuer’s risk assessment.
This means merchants benefit from the fraud prevention and liability shift protections of 3DS 2.0 without requiring technical configuration on their part.
Authentication requirements and outcomes depend on the card issuer’s decisions and the specific transaction context – myPOS facilitates the authentication process but cannot determine how individual issuers assess risk or apply exemptions.
Conclusion
3DS 2.0 is the current standard for authenticating online card payments – and for UK SMEs selling online, it is the mechanism that connects secure payments, SCA compliance, fraud prevention, and checkout performance in a single framework.
As a myPOS merchant, you can rest assured that we’re fully compliant with all our regulatory obligations and that we have taken all the necessary steps to ensure a smoother checkout process for your customers.
Frequently Asked Questions
What checkout data helps issuers approve more 3DS payments frictionlessly?
Complete billing address, email, phone number, and device fingerprint data all improve frictionless approval rates. Transaction history helps too – issuers are more confident approving repeat customers. Incomplete checkouts that skip address or contact fields push more transactions into the challenge flow unnecessarily.
When should a UK business request a 3DS exemption instead of forcing authentication?
Exemptions work best for low-value transactions, established customers, and recurring payments after the initial authenticated transaction. Avoid requesting exemptions on high-value or first-time transactions – issuers will likely decline them anyway, and if fraud follows a granted exemption, liability may stay with the merchant rather than shifting to the issuer.
Can failed 3DS checks cause legitimate online orders to be declined?
Yes. If a customer abandons a challenge – because an OTP didn’t arrive or the banking app timed out – the transaction fails and the issuer declines it. The customer may simply see a card refusal with no explanation. Tracking authentication failure rates separately from payment declines is the only way to measure how much revenue this is costing.
How does 3DS 2.0 affect conversion rates on mobile and app checkouts?
Positively, when implemented well. The frictionless flow removes interruptions for low-risk transactions entirely, and app-based challenge flows are faster and less disruptive than legacy redirects on mobile. Poorly configured implementations that default to challenge flows unnecessarily will still damage conversion regardless of the protocol version.
When does 3DS authentication shift fraud chargeback liability away from the merchant?
When authentication is completed successfully and the dispute is fraud-based. It does not apply to non-fraud disputes, incomplete authentication, or transactions processed despite a failed authentication response.
Do recurring payments and merchant-initiated transactions need 3DS each time?
No. SCA applies to the first transaction only. Subsequent recurring charges are exempt, provided the initial transaction was correctly authenticated and the recurring arrangement was clearly disclosed upfront. If the first transaction was skipped or incorrectly handled, issuers can decline the entire series.



