EMV 3D Secure: The Technical Guide to 3DS2 for Merchants

EMV 3D Secure (EMV 3DS, or 3DS2) is the current version of the 3D Secure payment authentication standard, developed by EMVCo — the consortium of card networks (Visa, Mastercard, Amex, Discover) that manages global payment standards. Unlike its predecessor (3DS1), EMV 3DS was built for the modern web and mobile environment, using risk-based authentication rather than static passwords to verify cardholder identity.

The EMV 3DS Protocol Architecture

An EMV 3DS transaction involves four components:

  1. 3DS Server (3DSS): The merchant-side component that initiates authentication, collects browser/device data, and communicates with the directory server
  2. Directory Server (DS): Card network-operated — routes authentication requests to the correct issuer and manages the overall 3DS transaction flow
  3. Access Control Server (ACS): Issuer-operated — evaluates risk, makes the authentication decision, and serves challenges when required
  4. 3DS SDK (for native mobile): An in-app library that enables native 3DS flows on iOS and Android without browser redirects

Data Elements: What Makes 3DS2 Risk-Based

3DS2 transmits over 100 data elements to the issuer’s ACS for risk scoring — compared to roughly 15 in 3DS1. Key data categories include:

  • Device fingerprint: Browser type, screen resolution, timezone, installed fonts — signals device legitimacy
  • Behavioral data: How the form was filled out, typing cadence, mouse movement patterns
  • Transaction history: Prior purchases at this merchant, account age, recent activity patterns
  • Purchase details: Amount, currency, IP address, shipping address, delivery timeframe

This rich data set enables issuers to approve the vast majority of transactions frictionlessly — reserving challenges only for genuinely high-risk patterns.

Frictionless vs. Challenge Flow Technical Detail

In a frictionless flow, the ACS approves authentication without any customer interaction — the entire 3DS exchange happens in the background. In a challenge flow, the ACS returns a challenge URL or SDK interaction that the merchant’s UI must present — typically a one-time password sent to the customer’s phone, a push notification to their banking app, or a biometric prompt.
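The frictionless/challenge split described above, as an added example of merchant-side handling (not ConvesioPay's or Adyen's code). It assumes the browser channel and the authentication response (ARes) field names and `transStatus` codes of the EMV 3DS message specification; the `decide` function, its fail-closed policy and the sample messages are hypothetical.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# transStatus codes as assumed from the EMV 3DS message spec.
FRICTIONLESS_OK = {"Y", "A"}   # authenticated / attempt processed
FAILED = {"N", "U", "R"}       # not authenticated / unavailable / rejected

@dataclass
class Decision:
    action: str   # "authorize", "challenge" or "decline"
    reason: str

def decide(ares: dict, expected_trans_id: str) -> Decision:
    """Map an ARes to the merchant's next step, declining on anything unexpected."""
    if ares.get("messageType") != "ARes":
        return Decision("decline", "unexpected message type")
    # Bind the response to the authentication this checkout session started.
    if ares.get("threeDSServerTransID") != expected_trans_id:
        return Decision("decline", "transaction ID mismatch")
    status = ares.get("transStatus")
    if status in FRICTIONLESS_OK:
        # No cardholder interaction took place; the cryptogram is the only proof.
        if not ares.get("authenticationValue"):
            return Decision("decline", "missing authentication value")
        return Decision("authorize", f"frictionless ({status})")
    if status == "C":
        url = urlparse(ares.get("acsURL") or "")
        if url.scheme != "https" or not url.netloc:
            return Decision("decline", "challenge without a valid https acsURL")
        return Decision("challenge", "present the ACS challenge to the cardholder")
    if status in FAILED:
        return Decision("decline", f"authentication failed ({status})")
    # Decoupled (D), informational (I) and unknown codes are not guessed at here.
    return Decision("decline", f"unhandled transStatus {status!r}")

# Constructed sample messages (all identifiers and values are made up).
TID = "8a880dc0-d2d2-4067-bcb1-b08d1690b26e"
BASE = {"messageType": "ARes", "threeDSServerTransID": TID}
FRICTIONLESS = {**BASE, "transStatus": "Y",
                "authenticationValue": "AAAAAAAAAAAAAAAAAAAAAAAAAAA="}
CHALLENGE = {**BASE, "transStatus": "C", "acsURL": "https://acs.example/challenge"}
SWAPPED = {**FRICTIONLESS, "threeDSServerTransID": "00000000-0000-4000-8000-000000000000"}

if __name__ == "__main__":
    for name, msg in [("frictionless", FRICTIONLESS), ("challenge", CHALLENGE), ("swapped", SWAPPED)]:
        print(name, decide(msg, TID))
```

Only an "authorize" decision should let the authentication data travel on to the payment authorization request; a "challenge" decision hands control to the ACS and the final result arrives in a later message.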

Mobile SDK Implementation

For native iOS and Android apps, EMV 3DS provides SDKs that enable authentication without browser redirects. The SDK handles device fingerprinting, challenge UI rendering, and result callbacks within the app — providing a seamless experience that significantly outperforms the redirect-based 3DS1 approach on mobile.

ConvesioPay’s EMV 3DS Implementation

ConvesioPay’s 3DS infrastructure is built on Adyen’s certified EMV 3DS implementation — supporting both web and native mobile flows, all SCA exemption types, and frictionless authentication optimization. Merchants don’t need to build or maintain 3DS infrastructure; ConvesioPay handles the complete protocol stack at 2.9% + $0.30 per transaction.

Ready to get started? Learn more about ConvesioPay or view pricing.

Updated on June 23, 2026
