By NHI Mgmt Group Editorial TeamDomain: Identity Beyond IAMSource: SiftPublished September 16, 2025

TL;DR: UK remote-purchase fraud cost businesses over £722 million in 2024, and 3D Secure remains the main mechanism for Strong Customer Authentication in online card payments, according to Sift. The real test is not whether 3DS exists, but whether merchants can tune exemptions, challenge flows, and telemetry without adding avoidable checkout friction.


At a glance

What this is: This is an analysis of 3D Secure as the payment authentication layer for online card transactions, with the key finding that its value now depends on how well merchants handle exemptions, risk signals, and fallback flows.

Why it matters: It matters to IAM, fraud, and identity practitioners because payment authentication increasingly behaves like a governed identity decision, where step-up, assurance, and liability shift affect both user experience and control design.

By the numbers:

👉 Read Sift's analysis of 3D Secure and card-not-present fraud


Context

Card-not-present fraud is the core governance problem here. When a transaction happens without a physical card present, the merchant must rely on digital evidence, issuer risk scoring, and step-up authentication to decide whether the payment is genuine. That makes 3D Secure a payment identity control, not just a checkout feature.

For IAM and identity verification teams, the relevant lesson is that assurance is being applied at transaction time, using contextual signals and challenge flows rather than static trust. That intersects with customer identity, fraud operations, and access governance because the business is effectively deciding whether a user can complete a high-risk action under SCA rules.


Key questions

Q: What breaks when 3D Secure exemptions are not governed tightly?

A: Exemptions can become a standing trust path if they are not reviewed against fraud outcomes and transaction context. That creates the false impression of low risk while attackers exploit low-value, recurring, or whitelisted flows. Strong governance requires evidence that exemption logic still matches actual payment behaviour and does not silently expand the attack surface.

Q: Why do card-not-present payments need stronger identity assurance than in-store payments?

A: Card-not-present payments lack the physical and behavioural signals available in a card-present transaction, so the issuer has less certainty about the real cardholder. 3D Secure compensates by using contextual data and step-up authentication, which makes payment approval a risk decision rather than a simple card check.

Q: How do security teams know whether 3D Secure is working as intended?

A: Look at challenge rate, approval rate, fraud losses, chargeback outcomes, and the false-decline rate together. A healthy control reduces fraud without creating unnecessary checkout friction or excessive declines. If exemptions are rising but fraud is also rising, the control is drifting away from its intended boundary.

Q: Who is accountable when delegated payment authentication fails?

A: Accountability depends on where the authentication decision was made, who owned the exemption or delegation policy, and whether the evidence trail is complete. If a merchant, wallet, or issuer participates in the assurance chain, each party needs clear ownership for logging, review, and dispute handling under SCA governance.


Technical breakdown

How 3D Secure evaluates payment identity risk

3D Secure works by involving the issuer, acquirer, and card scheme directory in a shared authentication exchange. The issuer can approve a transaction frictionlessly when the risk score looks acceptable, or trigger a challenge when more assurance is needed. Modern 3DS versions rely on richer device, behavioural, and contextual signals rather than static passwords. That shifts the decision from simple credential checking to transaction risk evaluation, which is why the protocol now sits at the intersection of fraud control and identity assurance.

Practical implication: merchants should validate that their PSP sends enough contextual data for risk-based decisions to work consistently.

Challenge flows, exemptions, and liability shift

The operational purpose of 3DS is not just to stop fraud, but to separate low-risk payments from higher-risk ones without creating unnecessary friction. Exemptions such as low-value payments, recurring transactions, and whitelisted customers can improve conversion, but they also increase the importance of auditability and fraud-rate monitoring. When authentication succeeds, liability can shift away from the merchant, but only if the flow is implemented correctly and the exemption logic is defensible.

Practical implication: teams need policy controls and reporting that explain why a transaction was exempted or challenged.

Passkeys and delegated authentication are changing the trust model

Newer 3DS capabilities are moving payment authentication away from one-time codes and toward device-bound methods such as passkeys and app-based confirmation. Delegated authentication also changes who performs the assurance step, allowing merchants or wallets to authenticate returning users in some cases. That reduces user friction, but it also means the trust boundary is no longer limited to the bank's challenge screen. The control model becomes more distributed, which increases the need for consistent assurance evidence.

Practical implication: merchants and payment teams should map who performs authentication, where evidence is stored, and how exceptions are governed.


NHI Mgmt Group analysis

3D Secure is a payment identity control disguised as a checkout safeguard. The protocol's real value is that it turns a card-not-present transaction into a governed identity decision, using contextual evidence rather than trust alone. That matters because fraud teams often treat 3DS as a payment feature, while IAM practitioners should see it as an assurance workflow with business impact. Practitioners should govern it as a transaction identity layer, not a checkbox.

Exemption handling is where many organisations accumulate hidden risk. Low-value, recurring, and whitelisted flows can improve conversion, but they also create a policy boundary that fraud teams must defend with data. If exemption logic is poorly monitored, the organisation can quietly create a standing trust path for attackers. Practitioners should treat exemption review as part of control validation, not just operational tuning.

Passkey-based and delegated authentication widen the identity perimeter. As authentication moves to device-bound and merchant-mediated flows, the assurance signal is no longer owned by a single boundary. That makes the control plane more distributed and increases the need for traceable evidence, clear ownership, and step-up governance. Practitioners should align payment authentication oversight with broader identity assurance policy.

3D Secure and Strong Customer Authentication are converging with identity governance concerns. The article shows that regulatory compliance, customer trust, and fraud reduction now depend on the same underlying decision model. That creates a named governance concept worth tracking: transaction assurance drift, where authentication policies, exemption logic, and risk signals gradually diverge from the intended control posture. Practitioners should continuously test whether assurance still matches risk.

UK merchants face a measurement problem, not just a compliance problem. Challenge rate, approval rate, exemption performance, and chargeback outcomes together reveal whether the control is operating as intended. A control that looks compliant but drives excessive false declines is not well governed. Practitioners should manage 3DS as an adaptive control with operational telemetry, not a static requirement.

What this signals

Transaction assurance drift: once merchants lean heavily on exemptions, delegated flows, and fallback logic, the control can drift away from the risk model it was meant to enforce. That is a governance problem, not just a fraud problem, because the organisation may still be compliant on paper while the real decision boundary has softened.

For practitioners, the immediate signal is that payment authentication must be measured as a living control. Metrics from the approval path, exemption path, and challenge path need to be reviewed together, and teams should align those reviews with broader identity assurance guidance such as the NIST Cybersecurity Framework 2.0 and identity governance practices.

The identity angle also matters because modern checkout flows increasingly rely on device-bound or delegated proof, which behaves like a governed identity assertion. That means payment, fraud, and IAM teams need shared ownership of evidence, escalation, and exception policy, rather than assuming the issuer alone owns assurance.


For practitioners

  • Map 3DS decisions to payment identity policy Document which transactions are frictionless, challenged, exempted, or delegated, and assign an owner for each policy path so the decision model is reviewable.
  • Audit exemption logic for standing trust paths Review low-value, recurring, and whitelisted flows for abuse patterns, and require periodic validation that the exemption still matches actual fraud risk.
  • Verify contextual data quality at checkout Confirm that device signals, account history, and transaction metadata are consistently passed to the issuer so the bank can make a meaningful risk decision.
  • Track operational metrics beyond approval rate Monitor challenge rate, exemption outcomes, fraud losses, and false declines together to see whether the control is reducing risk without breaking conversion.

Key takeaways

  • 3D Secure is best understood as a transaction identity control, because it turns card-not-present payments into risk-based assurance decisions.
  • The main operational risk is exemption drift, where convenience-focused policy paths quietly expand the space attackers can abuse.
  • Practitioners should govern 3DS with evidence, telemetry, and clear ownership, not just with compliance checklists.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63 and NIST CSF 2.0 set the technical controls, while GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST SP 800-63SP 800-63B3DS challenge flows are a form of authenticator assurance and step-up verification.
NIST CSF 2.0PR.AC-1Payment authentication and access decisioning fit CSF access control outcomes.
GDPRArt.32Behavioural and device data used in 3DS can involve personal data processing.

Map checkout assurance paths to PR.AC-1 and document how identity is verified before authorisation.


Key terms

  • 3D Secure: 3D Secure is an online card authentication protocol that adds an extra assurance step before payment approval. It involves the cardholder, merchant, and issuer in a risk-based exchange that can either complete frictionlessly or trigger a challenge when the transaction looks higher risk.
  • Strong Customer Authentication: Strong Customer Authentication is a regulatory requirement for online payment flows that asks for stronger proof of identity than a card number alone. In practice, it usually combines at least two factors and is often satisfied through 3D Secure in UK and European payment environments.
  • Card-Not-Present Fraud: Card-not-present fraud occurs when stolen or misused payment details are used in a transaction where the physical card is absent. It is harder to stop than in-store fraud because the merchant must rely on issuer decisioning, contextual signals, and authentication rather than direct card inspection.
  • Transaction Risk Analysis: Transaction Risk Analysis is a fraud decisioning method that allows certain payment flows to bypass challenge when the merchant can justify low risk. It depends on strong evidence, reliable monitoring, and careful exemption governance, because poor tuning can turn convenience into systematic exposure.

What's in the full article

Sift's full article covers the operational detail this post intentionally leaves for the source:

  • Version-by-version guidance on 3DS 2.2 and 3DS 2.3.1 implementation details
  • Practical fallback handling for older cards, non-supporting issuers, and edge-case checkout flows
  • Specific messaging examples and UX guidance for challenge prompts and customer reassurance
  • Monitoring ideas for challenge rate, approval rate, and fraud outcomes after deployment

👉 Sift's full article covers implementation details, fallback handling, and checkout monitoring guidance

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, secrets management, and identity lifecycle control. It is designed for practitioners who need a stronger operating model for identity assurance across modern security programmes.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org