3DS vs 3DS2: What Changed and Why It Matters for Global Merchants

13 min read Jul 2026

3D Secure 2 (3DS2, formally EMV 3-D Secure) is the card authentication protocol that replaced the original 3D Secure (3DS1) worldwide. The difference is architectural: 3DS1 challenged every shopper with static passwords and clunky redirects, while 3DS2 sends 10x more transaction data to the card issuer so most legitimate payments are authenticated silently, in a "frictionless" flow. 3DS1 was decommissioned by the card networks in October 2022. Today, 3DS2 is the only version in production, and regulators in Europe, India, Japan, and Australia now mandate or are mandating its use.

What Is 3D Secure and How Does It Work?

What is 3D Secure?

3D Secure (3DS) is a security step known as an authentication protocol for online card payments. Its main job is to verify the cardholder's identity and make sure the real owner is making the purchase before the transaction is authorized.

The "3D" stands for the three main groups involved in this process. These are the acquirer domain which includes the merchant and its bank, the issuer domain which is the cardholder's bank, and the interoperability domain which is the card network infrastructure that connects everyone together.

Illustration of image showing acquirer domain, interoperability domain, and issuer domain, which covers the flow of 3DS.

How Does It Work?

In the payment journey, 3D Secure happens right after checkout but before authorization. When a customer buys something online, the merchant's 3DS Server sends an authentication request. This message travels through the card network's Directory Server and lands at the issuer's Access Control Server (ACS).

The issuer then decides if they believe the actual cardholder is making the purchase. The answer goes back exactly the same way before the payment moves on to the authorization stage. It is important to know that authentication and authorization are two completely separate steps, and 3DS only takes care of the first one.

A Brief History

This standard has a long history. Development started in 1999 for Visa. In 2001, Visa officially released it to the public under the brand name "Verified by Visa." Soon after, other major networks like Mastercard and American Express created their own versions based on this exact same standard.

Why It Matters Today

The need for security has only grown over time. In 2024, global payment card fraud losses hit $33.41 billion out of a massive $51.9 trillion in total card volume. Experts predict that over the next ten years, total losses could reach $407.6 billion. The biggest problem driving these numbers is card-not-present fraud, which happens when a physical card is not swiped at a terminal. Because of this massive risk, strong authentication is the industry's best defense at the point of payment.

What 3D Secure Cannot Do

It is very important to understand that 3D Secure is not a complete fraud-screening platform. Its only job is to authenticate the cardholder at checkout. It cannot spot other complex issues like account takeover, promo abuse, friendly fraud, or merchant-side risk patterns. To stay fully protected, merchants still need to use specialized risk tooling alongside 3DS.

Illustration of image showing the flow of 3DS 2.0

Why Was 3DS1 Retired?

The original version, 3D Secure 1, was eventually shut down because it frustrated shoppers, cost merchants sales, and its security model became outdated.

Major card networks officially pulled the plug in the fall of 2022. Visa stopped supporting its version on October 15, 2022, and Mastercard followed on October 18, 2022. If any transactions are sent to the old directory servers after these dates, they simply fail and return errors. American Express ended its SafeKey 1.0 globally on October 14, 2022, but waited until October 13, 2023, to shut it down in India. Visa also delayed its shutdown in India and parts of South Asia. This shows that retiring old payment protocols can happen at different speeds depending on the region.

The Main Problems with the Old System:

There were five major reasons why the industry had to move on from 3DS1:

  • Static Passwords: The system required cardholders to sign up and memorize a specific password. When shoppers inevitably forgot these passwords, they would often give up and leave abandoned carts.
  • Full-page redirects and pop-ups: During checkout, shoppers were redirected to unfamiliar bank pages or pop-up windows. To many users, these full-page redirects looked like phishing scams or fake websites.
  • No Mobile Support: This protocol was built almost a decade before smartphones even existed. Because of this, the screens looked terrible and were hard to use on mobile devices, which is where most e-commerce traffic comes from today.
  • Unnecessary Friction: Every single purchase was forced through the exact same security challenge, no matter how safe it looked. A basic $5 repeat purchase was treated with the same high suspicion as a risky $5,000 first-time order.
  • Falling Behind Regulations: New laws in Europe, specifically the PSD2 Strong Customer Authentication (SCA) rules, required two-factor authentication and smarter, risk-aware security checks. The original 3DS1 was simply never built to handle these modern requirements.

How Is 3DS2 Different from 3DS1?

EMV 3-D Secure 2, published by EMVCo in October 2016, redesigned the protocol around data instead of passwords. 3DS2 lets the merchant transmit a far richer set of transaction context to the issuer, including device characteristics, shipping address, and transaction history, so the issuer can assess risk without interrupting the shopper. According to GPayments, 3DS2 collects roughly 10x more data than 3DS1, and Visa has reported up to 66% lower cart abandonment when the frictionless flow applies.

Illustration of image showing the comparison between 3DS1 and 3DS2

The table below compares the two protocol generations across the dimensions that matter operationally; 3DS2 wins on nearly every axis, which is why the networks forced the migration.

Feature The Old System (3DS1) The New System (3DS2)
Authentication Method (How You Verify Your Identity) You had to sign up and remember a static password. Uses smart, risk-based checks like face scans (biometrics), one-time passwords (OTP), or a tap in your banking app.
Information Sent to the Bank Very little data was shared. Shares over 100 details like your device type, History and location to help the bank recognize you.
Standard Checkout Experience Every single purchase was interrupted by a security challenge. Safe purchases get a "frictionless flow" with no extra steps.
Mobile and in-app Support Clunky browser redirects that looked bad on phones. Built smoothly directly into iOS and Android apps using native SDKs.
Recurring Payments (Handling Subscriptions) Poor support Easily handles automatic billing after the first Strong Customer Authentication (SCA) check.
Regulatory fit (Following the Rules) Built long before modern European security laws like PSD2. Designed specifically to follow modern SCA rules and legal exemptions.
Where Are They Now? Permanently shut down in October 2022. The undisputed global standard used today.

The benefits of upgrading are clear and easy to measure. For example, Visa shared performance data on its own version of the new system, called Visa Secure. They found a 9% increase in authorization approval rates and a huge 45% drop in fraud when compared to standard e-commerce transactions that use no authentication at all.

Normally, when a business adds stronger fraud tools, it accidentally blocks some good customers. However, 3DS2 improves both security and approvals at the exact same time. Because the new system sends so much richer data to the bank, it causes far fewer false declines. A false decline happens when a real customer is mistakenly blocked from buying something. By reducing these annoying errors, 3DS2 stops merchants from losing legitimate revenue.

Frictionless vs Challenge Flow: How 3DS2 Decides

The standout feature of 3DS2 is known as the "frictionless flow." In this path, the cardholder's bank (the issuer) silently authenticates the transaction in the background using the shared data, and the shopper sees absolutely nothing.

However, there is a backup option called the "challenge flow." If a purchase looks slightly risky or if local laws require it, the bank will pause the transaction and prompt the shopper to verify their identity. This is usually done by entering a one-time password (OTP), tapping an approval in a banking app, or using a biometric check like a fingerprint or Face ID.

How the System Chooses the Path

The route a transaction takes depends on several factors. These include the bank's own risk models, the quality of the data the merchant sends, specific legal exemptions, and the country where the purchase is taking place. This means the global reality of how 3DS2 works can look very different from region to region.

For example, in Europe, the PSD2 law requires Strong Customer Authentication (SCA) but allows special exemptions for low-value and low-risk transactions. Research shows that European merchants lose about 20 to 25 % of their sales when a shopper is forced into a challenge flow. Because of this high drop-off rate, having a smart strategy to get those legal exemptions is crucial for businesses.

In contrast, India's regulations have required an extra layer of authentication for local online card payments for a long time. There, the challenge flow is the standard experience, and shoppers are completely used to it. Even though both regions use the exact same protocol, consumer expectations are completely opposite.

A Crucial Warning for Merchants

It is important to understand one final point: upgrading to 3DS2 does not mean payments automatically become frictionless. The frictionless flow is just a capability, not a guarantee. If a merchant sends very little data during checkout or operates in a country with strict challenge mandates, they can use 3DS2 and still end up challenging almost every single transaction.

Where Is 3DS2 Mandated? The Global Regulatory Map

3DS2 adoption is increasingly driven by regulation, not merchant choice, and the mandates now span four continents. The table below summarizes the major authentication regimes as of mid-2026; the direction of travel is unmistakably toward mandatory strong authentication.

Market What is Required? Current Status
Europe (EU / EEA / UK) The law requires Strong Customer Authentication (SCA). 3DS2 is the standard card-rail mechanism used to meet this law. These rules have been fully in force since 2020 and 2021. An updated version of the law, called PSD3, is currently in progress.
India The Reserve Bank of India (RBI) mandates an additional factor of authentication for all domestic online card transactions. This rule has been strictly in force for well over a decade, making India one of the most experienced markets for mandatory authentication.
Japan The Ministry of Economy, Trade and Industry (METI) issued Credit Card Security Guidelines 5.0. This requires EMV 3DS on all e-commerce credit card transactions, including both domestic and cross-border purchases. This requirement has been fully in force since April 1, 2025.
Australia The Australian Competition and Consumer Commission (ACCC) authorized the payments industry to coordinate a massive cleanup. The goal is to migrate all card payments to the enhanced authentication standard. The migration is currently underway across the country.
Latin America (Brazil, Mexico & LatAm) Scheme-driven 3DS adoption; requirements vary by country Use of the protocol is growing quickly, but it is not yet uniformly mandated across every country in the region.

Many industry reports focus heavily on Europe, but they often miss a very important piece of global context. India actually started running mandatory, challenge-based card authentication across the entire country more than a decade before Japan introduced its mandate, and years before Europe set its own PSD2 SCA deadlines. As a result, the environment with the highest volume of payment authentication in the world is also the oldest.

Payment platforms that were built specifically to handle India's strict rules learned very early how to engineer challenge flows that keep transactions secure without destroying merchant conversion rates. These valuable lessons are now being applied directly as other major markets like Japan and Australia transition to mandatory authentication rules.

Juspay, which orchestrates payments across 150+ countries from that vantage point, processes 300+ million transactions daily and has operated under authentication mandates since its founding.

3DS 2.1 vs 2.2 vs 2.3: Which Version Matters Now?

Today, the big question for businesses is no longer whether to use the old 3DS1 or the new 3DS2. Instead, it is all about which specific 2.x sub-version your payment software uses. The organization that manages these standards, EMVCo, has steadily updated the technology over time:

  • Version 2.1: This version established the basic foundation for the new system.
  • Version 2.2: This update added special exemption flags and delegated-authentication support. These tools are what make modern European security laws like PSD2 SCA actually work smoothly in the real world.
  • Version 2.3: This newer update adds advanced features like device-binding, FIDO-based biometric security checks, and decoupled authentication.

Major card networks began shutting down support for the older 3DS 2.1 version in October 2024, forcing the entire industry to upgrade to version 2.2 and beyond.

The Financial Cost of Using an Older Version

Sticking with an outdated version creates a direct financial penalty for businesses. If a merchant's payment gateway is old and still sends version 2.1 messages, it cannot flag legal SCA exemptions.

Because it lacks this ability, their transactions are forced into a challenge flow in Europe much more often than necessary. Every single one of these unnecessary identity checks causes more shoppers to abandon their purchases, feeding directly into the 20 to 25 percent sales drop-off that hurts business revenue.

Where 3DS2 Implementations Commonly Fail

When companies set up 3DS2, things can still go wrong. Surprisingly, these failures are usually caused by simple setup mistakes rather than flaws in the actual technology. Here are the most common reasons why these setups fail:

  • Sharing Too Little Data: Some merchants make the mistake of only filling out the bare minimum mandatory fields during checkout. This deprives the cardholder's bank (the issuer) of the context it needs to trust the transaction. As a result, the bank cannot grant a frictionless approval, forcing the business into old-fashioned, high challenge rates.
  • Relying on a Single Provider or Version: Bank support for different security systems varies wildly by country and software version. If a merchant's software stack is permanently tied to just one 3DS provider on a single version, they cannot bypass a specific bank that is performing poorly or running slowly.
  • Ignoring Exemption Strategies: In countries with strict security laws like Europe's PSD2, special low-risk and low-value exemptions exist specifically to protect merchant sales. Businesses that automatically force every single transaction through full authentication end up losing sales unnecessarily, paying a steep conversion price that the law never actually required.
  • Treating Every Country the Same: Applying a security policy built for Europe in a market like India, or an India-style policy in the United States, will actively hurt a business. In the U.S., 3DS usage is highly selective and bank behavior is completely different. Because of these differences, a proper authentication strategy must be customized for each individual market.
  • Ignoring Bank Outages and Timeouts: Running an identity check adds an extra digital round-trip to a banking system that the merchant does not own or control. Without automated backup plans and active monitoring, a temporary outage at a major bank can silently break the merchant's checkout page, stopping shoppers from buying anything.

How Juspay Orchestrates Authentication Across Markets

Juspay's 3DS authentication suite operates as a capability within its payment orchestration layer, handling authentication across card networks, 3DS versions, and regulatory regimes from a single integration. Merchants can configure when 3DS triggers, which transactions pursue exemptions, and how challenge flows render inside their own app or checkout, then adapt those policies per market rather than shipping one global default.

That design reflects where the infrastructure was built. Juspay processes 300+ million daily transactions across 150+ countries, USD 1 trillion+ in annualized payment volume at 99.999% uptime, for enterprises including Amazon, Google, HSBC, Agoda and more. Its highest-volume market has mandated challenge-based authentication for over a decade, and its Dublin operations give it on-the-ground perspective on SCA and the PSD3 revision as European rules evolve.

Key Takeaways

  • 3DS2 is now the standard: 3DS2 (EMV 3-D Secure) has completely replaced the original 3DS1, which major card networks decommissioned in October 2022.
  • Smarter authentication protects sales: The most important upgrade is risk-based authentication. 3DS2 sends about 10 times more data to card issuers, which enables a smooth frictionless flow. Visa's data shows that this invisible security check can lead to up to 66% lower cart abandonment.
  • Higher approvals and less fraud: Figures published by Visa show that EMV 3DS lifts transaction approval rates by 9% while cutting fraud by 45% compared to completely unauthenticated transactions. This is a rare and highly valuable benefit because it improves both security and sales at the same time.
  • Rules differ around the world: Strict authentication mandates now span multiple regions. This includes the EU and UK under PSD2 SCA, India under the RBI, Japan under METI as of April 2025, and Australia where a migration was authorized in September 2025. Because of these differences, global merchants must use a custom per-market authentication strategy instead of relying on a single default setup.
  • The technology continues to evolve: The earliest version, 3DS 2.1, began sunsetting in October 2024. Today, version 2.2 acts as the working baseline for managing SCA exemptions, while the newer version 2.3 adds advanced features like FIDO biometrics and decoupled authentication.
  • Setup errors are the main problem: Most 3DS2 failures are not caused by the protocol itself, but rather by configuration failures. These include sending sparse data, neglecting an exemption strategy, and applying identical security policies across completely different global markets.

Frequently Asked Questions

What is the difference between 3DS and 3DS2?

The older 3DS1 protocol relied on shoppers memorizing static passwords and dealing with annoying full-page redirects. The newer 3DS2 replaces this with a system called risk-based authentication.

Instead of treating every purchase the same, 3DS2 sends about 10 times more transaction data to the cardholder's bank (the issuer). This allows most safe, low-risk purchases to go through silently using a frictionless flow. It also supports modern features like biometrics (face or fingerprint scans) and in-app challenges, matching the level of security directly to the actual risk.

Is 3D Secure 1 still supported?

No. The major card networks have completely shut down the first version. Visa stopped supporting 3DS 1.0.2 on October 15, 2022, and Mastercard shut down 3DS 1.0 on October 18, 2022. American Express also ended its SafeKey 1.0 globally in October 2022, with India following in October 2023. Today, any transactions sent to the old systems will simply return errors. The modern EMV 3DS 2.x standard is the only version in production.

Is 3DS2 mandatory for online payments?

3DS2 is effectively mandatory in Europe and the United Kingdom under the PSD2 Strong Customer Authentication (SCA) laws. It is also required in India under the Reserve Bank of India (RBI) rules, and in Japan under official METI guidelines since April 2025.

However, in the United States and most of Latin America, using 3DS2 is still optional. Merchants in these regions use it selectively to manage fraud risk and protect themselves from chargebacks.

Does 3DS2 hurt conversion rates?

It can if it is poorly configured. When a shopper is forced to complete a security check (a challenge flow), research from Forter shows that European merchants typically see a 20 to 25 percent drop-off in completed sales.

On the other hand, a well-configured 3DS2 setup actually helps sales. By using a frictionless flow and sending richer data, it raises transaction approvals. In fact, Visa's own data shows a 9% lift in authorizations on authenticated transactions. The secret to success lies in high data quality, smart exemption strategies, and custom per-market tuning.

What is the liability shift in 3DS2?

When an online payment is successfully approved using 3DS2, the financial responsibility for fraudulent chargebacks shifts from the merchant to the cardholder's bank (the issuer). This protects merchants from losing money to "unauthorized transaction" disputes.

However, this protection is not absolute. It depends on card network rules, the region, and the transaction type. Additionally, the liability shift only covers fraud; it never protects a merchant from standard disputes like "item not received" claims.

What is the difference between 3DS 2.1, 2.2, and 2.3?

3DS 2.1 was the very first baseline version of the new protocol, and card networks began shutting it down in October 2024.

3DS 2.2 is today's working standard. It added critical features like exemption flags and delegated-authentication, which are necessary to make European PSD2 SCA laws run smoothly.

3DS 2.3 (originally released in late 2021 with updates in 2022) is the latest upgrade, introducing advanced features like FIDO-based biometrics, device-binding, and decoupled authentication.

How does Juspay handle 3DS authentication for global merchants?

Juspay provides a unified 3DS authentication suite within its orchestration layer, covering multiple card networks, 3DS versions, and regulatory regimes through one integration. Merchants configure 3DS triggers, exemption logic, and challenge rendering per market. The infrastructure processes 300+ million daily transactions across 150+ countries and was built in the world's longest-running mandatory-authentication market.







Related Articles
Payment Orchestration: An Operating System for Streamlining Payments
Sandeep KuppiliDivyansh Sharma
Sandeep Kuppili, Divyansh Sharma
Jan 2025 14 min read
The Hidden Costs of Payment Fraud for Businesses
Apurva Patel
Apurva Patel
Oct 2024 5 min read
Payment Networks: Everything businesses need to know
Apurva Patel
Apurva Patel
Oct 2024 14 min read