> 3DS is double-edged: too aggressive kills conversion, too loose invites fraud and chargebacks. A clear take on 3DS2, SCA, exemptions, and deciding dynamically by transaction.

[← Blog](/en/blog)

🛡️

Compliance

# 3DS2 and European SCA: Compliant Without Killing Conversion

2026-05-24

3DS (3-D Secure) is an extra verification the issuer runs on the cardholder. It’s double-edged: too aggressive and users hit an extra step, dropping conversion; too loose and fraud and chargebacks rise. In Europe especially, SCA (Strong Customer Authentication) is mandated by law. Here’s how to stay compliant without killing conversion.

## Concepts first

-   **3DS2**: the new-generation protocol with a “frictionless” flow — the issuer judges from risk data, waves low-risk transactions through invisibly, and only challenges high-risk ones. A big experience upgrade over old 3DS1.
-   **SCA (Strong Customer Authentication)**: a mandatory requirement under Europe’s PSD2 — basically unavoidable when charging European cards cross-border. Meeting SCA usually means going through 3DS2.
-   **Exemptions**: SCA has legitimate exemptions — low-value transactions, low-risk transactions (TRA), merchant-initiated renewals (MIT), trusted-merchant lists — that can skip the challenge.

## The core play: don’t paint with one brush

“3DS always on” and “3DS always off” are both lazy. The smart move is to **decide dynamically by transaction characteristics**:

-   **High-risk transactions** (large amount, unfamiliar device, unusual region) → trigger 3DS and shift fraud liability to the issuer;
-   **Low-risk transactions** (small amount, returning user, trusted device) → request an exemption, wave through invisibly, protect conversion;
-   **European cards** → default to meeting SCA (via 3DS2 or a legitimate exemption) — don’t get declined outright for lacking authentication.

## An overlooked benefit: liability shift

For a transaction that went through 3DS, fraud-chargeback liability usually shifts from merchant to issuer. So 3DS isn’t just a “compliance obligation” — used well, it **offloads a chunk of fraud loss**. Especially worth it for high-risk categories (digital goods, virtual top-ups).

## How to do it

1.  Implement **3DS2**, favor the frictionless flow, and don’t challenge every charge by default;
2.  Build an **exemption ruleset**: decide whether to request an exemption by amount, risk score, and user trust;
3.  Handle European cards separately to ensure SCA compliance;
4.  Watch the data continuously: 3DS trigger rate, frictionless share, post-auth conversion, fraud rate — and tune thresholds.

> 3DS / SCA authentication is live today (Vault, and reusable across PSPs once authenticated); rule-based “decide verification by transaction” orchestration is handled by Flow (coming soon). [Book a demo](/en/) to balance compliance and conversion on your book.
