3DS2 and European SCA: Compliant Without Killing Conversion
3DS (3-D Secure) is an extra verification step the issuer runs on the cardholder. It’s double-edged: too aggressive and users hit an extra step, dropping conversion; too loose and fraud and chargebacks rise. In Europe especially, SCA (Strong Customer Authentication) is mandated by law. Here’s how to stay compliant without killing conversion.
Concepts first
- 3DS2: the new-generation protocol with a “frictionless” flow — the issuer judges from risk data, waves low-risk transactions through invisibly, and only challenges high-risk ones. A big experience upgrade over old 3DS1.
- SCA (Strong Customer Authentication): a mandatory requirement under Europe’s PSD2 — basically unavoidable when charging European cards cross-border. Meeting SCA usually means going through 3DS2.
- Exemptions: SCA has legitimate exemptions — low-value transactions, low-risk transactions (TRA, transaction risk analysis), merchant-initiated transactions (MIT, such as subscription renewals), trusted-merchant lists — that can skip the challenge.
The core play: don’t paint with one brush
“3DS always on” and “3DS always off” are both lazy. The smart move is to decide dynamically by transaction characteristics:
- High-risk transactions (large amount, unfamiliar device, unusual region) → trigger 3DS and shift fraud liability to the issuer;
- Low-risk transactions (small amount, returning user, trusted device) → request an exemption, wave through invisibly, protect conversion;
- European cards → default to meeting SCA (via 3DS2 or a legitimate exemption) — don’t get declined outright for lacking authentication.
An overlooked benefit: liability shift
For a transaction authenticated through 3DS, fraud-chargeback liability usually shifts from merchant to issuer. So 3DS isn’t just a “compliance obligation” — used well, it offloads a chunk of fraud loss. Especially worth it for high-risk categories (digital goods, virtual top-ups).
How to do it
- Implement 3DS2, favor the frictionless flow, and don’t challenge every charge by default;
- Build an exemption ruleset: decide whether to request an exemption by amount, risk score, and user trust;
- Handle European cards separately to ensure SCA compliance;
- Watch the data continuously: 3DS trigger rate, frictionless share, post-auth conversion, fraud rate — and tune thresholds.
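A minimal version of the exemption ruleset above, with the trigger-rate metric to watch, as an added Python example rather than KeepPay’s code. The thresholds, the EEA subset, the risk-score scale and the Tx fields are assumptions chosen for illustration, not values the page states.

```python
from dataclasses import dataclass

# Assumed illustrative values; a real ruleset is tuned from your own fraud data.
EEA = {"AT", "BE", "DE", "ES", "FR", "IE", "IT", "NL", "PL", "PT", "SE"}  # constructed subset
LOW_VALUE_LIMIT = 30.0  # assumed ceiling for the low-value exemption (EUR)
TRA_LIMIT = 250.0       # assumed TRA ceiling for this merchant's fraud rate
HIGH_RISK = 70          # assumed score threshold (0-100, higher = riskier)


@dataclass
class Tx:
    amount: float            # EUR, assumed single currency
    issuer_country: str      # ISO 3166-1 alpha-2 of the card issuer
    risk_score: int          # merchant-side fraud score, 0-100
    known_device: bool       # device seen before on this account
    returning_user: bool
    merchant_initiated: bool = False  # card-on-file renewal, cardholder absent


def decide(tx: Tx) -> str:
    """Return the 3DS / SCA decision for one transaction."""
    if tx.merchant_initiated:           # MIT: out of SCA scope, cannot be challenged
        return "mit"
    if tx.risk_score >= HIGH_RISK or not tx.known_device:
        return "challenge"              # run 3DS2, take the liability shift
    if tx.issuer_country not in EEA:
        return "frictionless"           # no SCA mandate: send 3DS2 data, issuer waves through
    # European card: SCA applies, so a legitimate exemption or a challenge, never nothing.
    if tx.amount <= LOW_VALUE_LIMIT:
        return "exemption:low_value"
    if tx.amount <= TRA_LIMIT and tx.returning_user:
        return "exemption:tra"
    return "challenge"


def challenge_rate(txs: list[Tx]) -> float:
    """Share of transactions sent to a challenge: the number to watch and tune."""
    decisions = [decide(t) for t in txs]
    return sum(d == "challenge" for d in decisions) / len(decisions)


SAMPLE = [  # constructed transactions, one per branch
    Tx(18.0, "DE", 10, True, True),                          # exemption:low_value
    Tx(120.0, "FR", 20, True, True),                         # exemption:tra
    Tx(900.0, "ES", 25, True, True),                         # challenge (above TRA ceiling)
    Tx(40.0, "NL", 85, True, True),                          # challenge (high risk)
    Tx(60.0, "US", 15, True, True),                          # frictionless
    Tx(9.99, "IT", 5, True, True, merchant_initiated=True),  # mit
]
```

Every European-issued transaction leaves `decide` with either an exemption request or a challenge, which is the "never submit unauthenticated and get declined" rule from the list above.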
KeepPay’s orchestration layer turns 3DS / SCA / exemptions into configurable rules — deciding by transaction characteristics instead of all-on or all-off. Book a demo to balance compliance and conversion on your book.