3DS1 vs 3DS2: The Approval Rate Gap Most Merchants Are Ignoring
3DS2 replaces 3DS1's static passwords and redirects with risk-based, silent authentication. Merchants gain higher approval rates, lower fraud, and chargeback liability shift through EMV 3DS.
What Is the Difference Between 3DS1 and 3DS2?
3DS1 and 3DS2 are both authentication protocols for card-not-present transactions, but they work in fundamentally different ways. 3DS1 challenged every buyer with a password and a bank redirect. 3DS2 evaluates transaction risk in the background and approves low-risk purchases without interrupting the customer at all.
That distinction matters because checkout friction is a direct revenue cost. Under 3DS1, buyers hit a full-page redirect to their bank's site, were asked to enter a static password they had often forgotten or never configured, and then had to navigate back to complete the purchase. The experience was disorienting, poorly branded, and broken on mobile. Studies consistently showed abandonment rates of 10 to 25% on transactions that triggered a 3DS1 challenge.
3DS2 (also called EMV 3DS or 3DS 2.0) was built specifically to eliminate that cost. Instead of stopping the buyer, it runs a background data exchange between the merchant's platform and the card issuer during checkout. The issuer receives over 100 data elements including device fingerprint, transaction history, billing and shipping details, behavioral signals, and IP address. The issuer's fraud model processes this in milliseconds and either approves the transaction silently (frictionless flow) or requests a challenge only when the risk score justifies it.
According to EMVCo, the governing body behind the EMV 3DS specification, the protocol was designed to streamline consumer authentication without adding unnecessary friction. That engineering intent is visible in the outcomes: Mastercard estimates that approximately 90% of 3DS2 transactions proceed without any customer interaction (frictionlessly).
The difference between 3DS1 and 3DS2 is not a version bump. It is a completely different philosophy of how authentication should interact with conversion.
How Does 3DS2 Authentication Actually Work?
3DS2 routes every transaction through one of two paths: frictionless or challenge. Which path a transaction takes depends on the issuer's real-time risk decision, not a predetermined rule.

In the frictionless path, the merchant's checkout sends a rich data package to the Access Control Server at the issuer's end. The issuer evaluates risk against its fraud models and returns an authentication result in the background. The buyer experiences nothing. Payment completes normally.
In the challenge path, the issuer determines that additional verification is warranted. The merchant's integration surfaces an inline overlay, not a redirect, containing a one-time passcode, biometric prompt, or push notification. The buyer completes the step and returns to checkout without leaving the page.
Even in the worst case, 3DS2's challenge flow outperforms 3DS1's redirect. The challenge is branded, contextual, and contained within the merchant's checkout experience. Challenge completion rates under 3DS2 are measurably higher than under 3DS1 precisely because buyers are not being sent to an unfamiliar external page mid-purchase.
EMV 3DS 2.2 introduced soft-decline support, which is a capability that fundamentally changes the economics of declined transactions. A soft decline is an issuer response indicating that the transaction cannot be approved without authentication. Rather than losing the sale, the merchant's system retries the transaction with a challenge. That second attempt frequently succeeds. Without soft-decline handling, those transactions register as lost revenue. With it, they are recoverable.
EMV 3DS 2.3, the current leading-edge version, adds decoupled authentication, FIDO-based biometrics, and expanded exemption logic, giving issuers and merchants more tools to approve legitimate transactions accurately.
3DS1 vs 3DS2: Side-by-Side Comparison
| Feature | 3DS1 | 3DS2 (EMV 3DS) |
|---|---|---|
| Data sent to issuer | 8 elements | 100-plus elements |
| Frictionless authentication | No | Yes, up to 90% of transactions |
| Mobile and in-app support | No native SDK | Yes, native SDK available |
| Challenge method | Full-page redirect, static password | Inline overlay, OTP, biometrics |
| Soft-decline handling | No | Yes, from version 2.2 |
| Decoupled authentication | No | Yes, from version 2.3 |
| Chargeback liability shift | Withdrawn by schemes in 2022 | Yes, on authenticated transactions |
| Typical approval rate range | 60 to 70% | 85 to 95% |
| Cart abandonment rate | 15 to 25% | 2 to 5% |
| US legal requirement | No | No, but schemes incentivize adoption |
What Do the Approval Rate Numbers Actually Show?
The data on 3DS2 approval rates is unusually consistent across sources, which makes it more reliable than most payments benchmarks.
Visa's published data shows a 9% lift in authorization approval rates and a 45% reduction in fraud on transactions authenticated through Visa Secure (EMV 3DS), compared to non-authenticated eCommerce transactions. That combination is the key point. Most fraud-reduction tools trade approval rate for lower fraud. 3DS2 improves both simultaneously because richer issuer data reduces false positives, the declined-legitimate-transaction problem that costs merchants revenue every day.
According to Visa and Mastercard scheme data on EMV 3D Secure implementation: 3DS1 transactions typically achieve 60–70% approval rates, while properly implemented 3DS2 flows reach 85–95%. Cart abandonment shifts from 15–25% under 3DS1 down to 2–5% under 3DS2.
Merchants implementing 3DS2 typically see a 1 to 3% overall increase in authorization rates, according to published data from Inyo, a payment infrastructure provider. In high-risk verticals such as travel, gaming, and digital subscriptions, the gains are larger because issuer uncertainty in those categories is higher and 3DS2 data resolves more of it.
"Frictionless authentication through EMV 3DS removes the single largest source of authentication-related checkout abandonment while simultaneously improving the data quality issuers need to approve more genuine transactions," according to Visa's EMV 3DS program documentation.
If your team is already tracking authorization rates by authentication method, this comparison is straightforward to run. If you are not segmenting that data yet, our guide to approval rate drop analysis covers how to structure that diagnostic.
Does 3DS2 Matter for US Merchants Who Face No Legal Mandate?
Yes, and this is the most underappreciated part of the 3DS1 vs 3DS2 conversation in US market content.
3DS2 is not legally required in the United States. There is no US equivalent of the European Payment Services Directive (PSD2) or its Strong Customer Authentication requirements. That regulatory absence leads many US merchants to treat 3DS2 as optional infrastructure, a priority for European operations but not a domestic urgency. That framing is wrong on two counts.
First, card-not-present fraud rates in the US run approximately 7.5 times higher than card-present rates, according to EMVCo industry data. The US is one of the highest-value targets for CNP fraud globally. That environment creates a direct business case for any tool that gives US issuers more signal to approve legitimate transactions accurately, which is exactly what 3DS2 provides.
Second, the liability shift is already available. Visa Secure and Mastercard Identity Check, the US scheme programs built on EMV 3DS, transfer chargeback liability from the merchant to the issuer on authenticated transactions, regardless of whether US law requires authentication. A US merchant running 3DS2 gets that protection today. A merchant running unauthenticated CNP transactions or sitting on legacy 3DS1 does not.
A 2023 Forrester report on payment fraud management noted that merchants in markets without SCA mandates who voluntarily adopt EMV 3DS consistently outperform peers on both approval rate and chargeback ratio metrics, because proactive adoption drives issuer familiarity and confidence before regulatory pressure forces the issue.
For merchants managing chargeback exposure in high-risk verticals, understanding how the 3DS2 liability shift interacts with dispute outcomes is directly relevant. Our breakdown of chargeback reason codes covers which code categories the liability shift actually covers and where gaps remain.
How Do You Implement 3DS2 Without Hurting Conversion?
Getting the frictionless rate above 80% is the practical benchmark that separates a well-tuned 3DS2 integration from a poorly configured one. Below that threshold, too many low-risk transactions are being sent into the challenge path unnecessarily, and you are adding friction that should not exist.
Here is the implementation checklist that actually moves that number:

- Send a complete data package on every authentication request. The fields with the highest impact on issuer confidence are: cardholder email, billing address, shipping address, device fingerprint, browser accept-header and language, transaction history with that card, and account age at the merchant. Partial data puts the issuer in an information deficit and they will challenge more.
- Use an inline iFrame or native SDK integration, not a redirect. Redirect-based 3DS implementations carry the highest session drop rate even under 3DS2. Inline or SDK integrations keep the buyer in context and produce materially better challenge completion rates.
- Handle soft declines with an automatic retry. When your issuer returns a soft-decline response code (typically U or 65 in Visa's scheme), your integration should automatically re-attempt the transaction with a challenge flow, not surface a hard failure to the customer. Most merchants are not handling this correctly and are losing those sales.
- Monitor your frictionless rate by BIN range. Frictionless rates vary significantly across issuer BINs. If a specific BIN cluster is producing a high challenge rate, it may indicate a data-matching issue with that issuer's configuration. BIN-level analysis surfaces these patterns early before they compound into revenue loss.
- Ensure you are on EMV 3DS 2.2 minimum. Version 2.1 does not support soft declines or the exemption framework. If your payment gateway or PSP is still routing on 2.1, you are leaving material recovery capability on the table.
- Track authentication timeout rates. Timeout errors are the most common cause of unexplained frictionless rate drops. If your authentication request does not receive a response within the window, the transaction falls back to a standard CNP flow with no liability shift and no issuer confidence benefit. Monitor this separately from decline rates.
- Apply SCA exemptions correctly for eligible transactions. Low-value transactions (under 30 euros in SCA markets), trusted beneficiaries, and recurring transactions with an initial authenticated payment all qualify for exemption from the challenge flow under 3DS2. Applying exemptions correctly reduces unnecessary challenges without reducing coverage.
- Migrate off 3DS1 immediately if you have not already. Card schemes withdrew liability shift coverage for 3DS1 transactions in 2022. Any volume still routing through 3DS1 carries full chargeback liability with no authentication benefit. This is not a roadmap item. It is an open liability.
If you are working through the decision of which authentication approach fits your volume and vertical, our 3D Secure authentication overview covers how to scope the integration for different merchant profiles.
The Bottom Line on 3DS1 vs 3DS2
3DS1 was built for a world of desktop browsers and static fraud models. It interrupted every buyer equally, regardless of risk, and it paid for that bluntness with cart abandonment rates that are now well-documented. Card schemes withdrew liability protection for it in 2022 because even they stopped believing it was an adequate authentication mechanism.
3DS2 works because it aligns the authentication burden with actual risk. Low-risk transactions pass silently. Higher-risk transactions get challenged. The issuer gets enough signal to make that distinction accurately, which is why approval rates go up and fraud rates go down at the same time.
For US merchants, the absence of a legal mandate does not change the math. Fewer chargebacks, better authorization rates, and liability protection through Visa Secure and Mastercard Identity Check are available right now. The merchants capturing those gains have properly implemented EMV 3DS 2.2 or later, are sending complete data on every authentication request, and are monitoring frictionless rates and soft declines as operational metrics.
If your current setup is not performing at those benchmarks, the gap is measurable and the fixes are specific. Start by auditing whether your false decline rate is being inflated by authentication gaps, and whether your issuer declines are coming from BINs where your data package is incomplete.
Our team works with merchants on payment authentication strategy, approval rate optimization, and chargeback reduction. If you want a diagnostic review of your current 3DS setup and what it is costing you in approvals, reach out directly.
FAQ: 3DS1 vs 3DS2
What is 3DS2?
3DS2, also called EMV 3DS or 3DS 2.0, is the current-generation card authentication protocol. 3DS2 uses over 100 transaction data elements to assess risk in real time and approve most purchases without presenting any visible challenge to the buyer.
What is the main difference between 3DS1 and 3DS2?
3DS1 uses a static password and a full-page browser redirect to challenge every transaction. 3DS2 evaluates 100-plus data signals in the background and approves low-risk transactions silently, with an inline challenge presented only when the issuer flags elevated risk.
What is the 3DS2 liability shift?
The 3DS2 liability shift transfers chargeback responsibility from the merchant to the card issuer on transactions that are successfully authenticated through EMV 3DS. If fraud occurs on an authenticated transaction, the issuing bank absorbs the loss rather than the merchant. This applies in the US through Visa Secure and Mastercard Identity Check even without a legal SCA mandate.
Does 3DS2 improve approval rates?
Yes. Visa data shows a 9% lift in approval rates on 3DS2-authenticated transactions compared to unauthenticated CNP. Benchmarks from EMVCo and scheme data show 3DS2 approval rates of 85 to 95% versus 60 to 70% under 3DS1.
What is a soft decline in 3DS2?
A soft decline is an issuer response code indicating that a transaction cannot be approved without additional authentication. Supported from EMV 3DS 2.2, soft declines allow merchants to retry the transaction with a challenge flow and recover the sale rather than losing it to a hard decline.
Does 3DS2 hurt conversion?
No. When integrated correctly, 3DS2 reduces conversion friction by removing unnecessary challenges. Up to 90% of transactions pass frictionlessly under 3DS2, with no visible interruption to the buyer. The 3DS1 era was the conversion problem.
Is 3DS2 required in the United States?
3DS2 is not legally required in the US. However, Visa Secure and Mastercard Identity Check, the US scheme programs built on EMV 3DS, provide chargeback liability shift and approval rate benefits that make voluntary adoption strategically important even without a regulatory mandate.
What is the difference between 3DS 1.0 and 2.0?
3DS 1.0 (3DS1) sends 8 data elements to the issuer and challenges every transaction with a browser redirect. 3DS 2.0 (EMV 3DS) sends over 100 data elements, runs risk assessment in the background, and approves most transactions frictionlessly, with inline challenges reserved for flagged transactions.