What is the difference between 3DS2 and 3DS1?

EMV 3DS 2.0 (3DS2) sends over 100 data elements — including device fingerprint, browser characteristics, and transaction history — to the issuer's access control server, enabling risk-based frictionless authentication. 3DS 1.0 by contrast always triggers a redirect to a static password or OTP page, causing significant checkout friction and cart abandonment. Fyatu supports both protocols for backward compatibility but defaults to 3DS2 when the merchant's MPI supports it.

When is the frictionless flow used versus the challenge flow?

The frictionless flow is used when the issuer's risk score for the transaction falls below the configured challenge threshold. Inputs to the risk model include cardholder transaction history, device fingerprint match, billing address consistency, and transaction amount relative to typical behavior. Fyatu's defaults are tuned to challenge fewer than 5% of transactions while maintaining a low fraud rate.

Does liability shift apply to frictionless authentications?

Yes. A frictionless 3DS2 authentication result carries the same liability shift as a challenge flow authentication. The issuer (Fyatu's program) accepts liability for authenticated transactions, and fraud chargebacks that would otherwise fall on you are instead directed to the merchant's acquirer — regardless of whether the cardholder was prompted for a challenge.

How does Fyatu handle PSD2 SCA exemptions for EU cardholders?

Fyatu's 3DS server evaluates each transaction against PSD2 Article 10–18 exemptions: low-value (under €30 with cumulative caps), trusted beneficiaries, recurring payments, and corporate cards. When an exemption applies, Fyatu includes the correct exemption indicator in the authorization message. If the acquirer does not honor the exemption and soft-declines, Fyatu automatically retries with a full SCA challenge flow.

Can I receive 3DS authentication events in my webhook pipeline?

Yes. Fyatu emits `authentication.frictionless`, `authentication.challenge_initiated`, `authentication.challenge_completed`, and `authentication.failed` events to your configured event stream. Each event includes the authentication value (CAVV/AAV), ECI indicator, and transaction ID, enabling you to correlate authentication outcomes with downstream authorization records.

What is the difference between 3DS2 and 3DS1?

EMV 3DS 2.0 (3DS2) sends over 100 data elements — including device fingerprint, browser characteristics, and transaction history — to the issuer's access control server, enabling risk-based frictionless authentication. 3DS 1.0 by contrast always triggers a redirect to a static password or OTP page, causing significant checkout friction and cart abandonment. Fyatu supports both protocols for backward compatibility but defaults to 3DS2 when the merchant's MPI supports it.

When is the frictionless flow used versus the challenge flow?

The frictionless flow is used when the issuer's risk score for the transaction falls below the configured challenge threshold. Inputs to the risk model include cardholder transaction history, device fingerprint match, billing address consistency, and transaction amount relative to typical behavior. Fyatu's defaults are tuned to challenge fewer than 5% of transactions while maintaining a low fraud rate.

Does liability shift apply to frictionless authentications?

Yes. A frictionless 3DS2 authentication result carries the same liability shift as a challenge flow authentication. The issuer (Fyatu's program) accepts liability for authenticated transactions, and fraud chargebacks that would otherwise fall on you are instead directed to the merchant's acquirer — regardless of whether the cardholder was prompted for a challenge.

How does Fyatu handle PSD2 SCA exemptions for EU cardholders?

Fyatu's 3DS server evaluates each transaction against PSD2 Article 10–18 exemptions: low-value (under €30 with cumulative caps), trusted beneficiaries, recurring payments, and corporate cards. When an exemption applies, Fyatu includes the correct exemption indicator in the authorization message. If the acquirer does not honor the exemption and soft-declines, Fyatu automatically retries with a full SCA challenge flow.

Can I receive 3DS authentication events in my webhook pipeline?

Yes. Fyatu emits `authentication.frictionless`, `authentication.challenge_initiated`, `authentication.challenge_completed`, and `authentication.failed` events to your configured event stream. Each event includes the authentication value (CAVV/AAV), ECI indicator, and transaction ID, enabling you to correlate authentication outcomes with downstream authorization records.

PLATFORM FEATURE

3D Secure 2.0 Authentication

Frictionless cardholder authentication built into every issued card. Risk-based 3DS2 challenges only when needed — reducing checkout friction while eliminating chargebacks and satisfying PSD2/SCA compliance.

Get Started View Card Issuing API

REST API · Webhooks · Real-time

3DS 2.0 · 3DS 1.0

Protocol support

Frictionless + Challenge

Flow types

PSD2 / SCA

Compliance

Technical Deep-Dive

How It Works

The technical architecture behind 3D Secure 2.0 — built into every Fyatu card program.

3DS 2.0

Frictionless Flow

For low-risk transactions, 3DS2 completes entirely in the background using device fingerprinting, behavioral signals, and transaction history. The cardholder sees no additional prompt, checkout conversion is preserved, and the liability shift still applies to the issuer.

SCA

Challenge Flow

High-risk or SCA-required transactions trigger a challenge step — OTP, biometric, or push notification — delivered through the Fyatu SDK or a hosted challenge page. The challenge result is cryptographically bound to the transaction, satisfying the possession + inherence elements of strong customer authentication.

Risk-based Decisioning

Fyatu's 3DS server applies a risk score to each authentication request using transaction context, cardholder history, and device data. Only transactions exceeding your configured risk threshold are escalated to challenge, minimizing friction for genuine cardholders.

Merchant Exemptions

Automatically apply PSD2 SCA exemptions for low-value transactions (under €30), trusted beneficiaries, and merchant-initiated transactions. Fyatu manages exemption logic and communicates it correctly in the authorization message to acquiring banks.

Chargeback Liability Shift

Successfully authenticated 3DS2 transactions shift fraud chargeback liability from your program to the merchant's acquiring bank. This eliminates the most common dispute category for card-not-present transactions and significantly reduces your chargeback ratio.

Use Cases

Who Benefits from 3D Secure 2.0

Industries and platforms building with 3D Secure 2.0 through the Fyatu Card Issuing API.

E-commerce Platforms

Protect card-not-present transactions across your marketplace with frictionless authentication that preserves checkout conversion while shifting fraud liability.

Subscription Services

Authenticate the initial setup transaction with a full SCA challenge, then rely on MIT exemptions for subsequent recurring charges — no repeated friction for subscribers.

Travel Booking

Handle high-value travel transactions with robust authentication flows, reducing chargebacks from friendly fraud while meeting acquirer 3DS participation mandates.

Card Programs

Offer 3DS2 authentication as a value-add for program managers who distribute cards to end users, meeting enterprise client requirements for SCA compliance out of the box.

Online Marketplaces

Apply risk-based authentication across diverse merchant verticals, balancing fraud prevention with conversion optimization for high- and low-risk transaction segments.

Digital Goods

Authenticate purchases of gaming credits, software licenses, and digital media — categories historically prone to friendly fraud — with cryptographic proof of cardholder presence.

FAQ

3D Secure 2.0 FAQ

Common questions about 3d secure 2.0 on the Fyatu Card Issuing API.

Card Issuing Platform

Ready to build with 3D Secure 2.0?

Every Fyatu card program includes 3D Secure 2.0 out of the box. No add-ons, no extra config.

Get Started → View Card Issuing API

Platform Features

Go Live in Minutes

Transparent by Design