Subscribe to the Non-Human & AI Identity Journal
Governance, Ownership & Risk

3DS2

← Back to Glossary
By NHI Mgmt Group Updated July 12, 2026 Domain: Governance, Ownership & Risk

A payment authentication protocol that provides richer transaction data and supports in-app challenge flows. It helps issuers make more informed approve-or-challenge decisions, which is why it matters when organisations need both compliance and lower customer friction.

Expanded Definition

3DS2, short for 3-D Secure 2, is a payment authentication protocol used to add context to card-not-present transactions before an issuer decides whether to approve, step up, or reject. It is designed to carry richer transaction signals than earlier 3DS versions, including device, merchant, and purchase context, so risk decisions can be more informed while reducing unnecessary friction for legitimate users.

In practice, 3DS2 sits at the intersection of payments security, fraud reduction, and customer experience. Its purpose is not to replace authentication entirely, but to give issuers and access-control systems better evidence for risk-based decisions. That makes it especially relevant where payment flows include mobile apps, embedded checkouts, or delegated authentication journeys. The standards and implementation guidance continue to evolve across networks and vendors, so usage in the industry is still evolving rather than perfectly uniform. For that reason, teams should anchor their design in current payment-network guidance and map the flow to controls in the NIST Cybersecurity Framework 2.0 where identity assurance and transaction integrity overlap.

The most common misapplication is treating 3DS2 as a blanket fraud fix, which occurs when organisations enable the protocol without tuning exemptions, challenge thresholds, or issuer-side risk signals.

Examples and Use Cases

Implementing 3DS2 rigorously often introduces an additional decision layer in the checkout flow, requiring organisations to weigh stronger fraud controls against the risk of conversion drop-off and support complexity.

  • An ecommerce site sends device and transaction context through 3DS2 so the issuer can approve low-risk purchases without forcing a challenge.
  • A mobile banking app uses an in-app challenge flow to verify a cardholder during a high-value card-not-present purchase.
  • A subscription platform applies 3DS2 to first-time card enrollment, then uses risk-based exemptions for low-risk recurring transactions.
  • A payment security team reviews authentication outcomes alongside the Ultimate Guide to NHIs to understand how payment-side assurance depends on trusted backend identities and API access.
  • An issuer aligns challenge policy with guidance in NIST Cybersecurity Framework 2.0 to keep authentication decisions tied to risk management rather than static rules.

Why It Matters in NHI Security

3DS2 matters in NHI security because payment authentication depends on machine-to-machine trust chains: APIs, fraud engines, merchant gateways, and issuer decision services all rely on non-human identities to exchange transaction data safely. If those service accounts, tokens, or certificates are weakly governed, the authenticity of the 3DS2 request itself can be undermined even when the consumer experience looks normal.

This is where NHI governance becomes operationally important. NHI Mgmt Group notes that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, and 97% of NHIs carry excessive privileges, widening the attack surface. Those conditions are especially dangerous in payment flows because a compromised backend identity can alter risk signals, suppress step-up checks, or expose sensitive cardholder data. The broader implications are covered in the Ultimate Guide to NHIs, particularly where visibility, rotation, and least privilege are discussed alongside the payment stack.

Organisations typically encounter 3DS2 governance failures only after an account takeover, fraud spike, or disputed transaction review, at which point the protocol becomes operationally unavoidable to investigate.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Agentic AI Top 10Covers autonomous flows where tool access and decision signals need strong trust boundaries.
NIST CSF 2.0PR.ACIdentity and access control govern the systems that generate and consume 3DS2 signals.
NIST Zero Trust (SP 800-207)3DS2 depends on continuously evaluated trust across service-to-service interactions.
OWASP Non-Human Identity Top 10NHI-01Service accounts and API keys underpin the integrity of 3DS2 authentication requests.
NIST AI RMFRisk-based decisioning in 3DS2 aligns with AI and automated trust evaluation governance.

Limit backend payment agents and APIs to narrowly scoped, authenticated actions with continuous monitoring.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 12, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org