This practical guide covers 3D Secure authentication and Strong Customer Authentication exemptions for online card payments. It details how card issuers and payment service providers handle transaction risk analysis, recurring payments, and low-value transactions. The analysis explains the processes that protect payment security and help merchants optimise their customer checkout flows.
Card-not-present transactions carry distinct security challenges that online merchants must address to maintain consumer trust. Effective payment authentication serves as a primary defence against digital fraud, preventing unauthorised transactions before they occur. Strict security checks can also introduce friction at checkout, causing buyers to abandon purchases. Achieving a correct balance between security and a smooth checkout flow is a major operational goal for modern businesses operating in the digital economy.
What is 3D Secure authentication and how does it work?
3D Secure authentication is a payment verification protocol that confirms a cardholder’s identity during online card transactions. It builds a secure communication link between the merchant, acquirer, card scheme, and issuer to verify legitimate usage.
The protocol is the standard way to apply Strong Customer Authentication (SCA) to card payments under the Second Payment Services Directive (PSD2). PSD2 and its Regulatory Technical Standards require SCA, meaning two independent factors from knowledge, possession and inherence, for remote electronic card payments within the European Economic Area unless a defined exemption applies. 3D Secure 2 was built for these rules: it carries far more transaction, device and cardholder data than the original protocol, which lets the issuer assess risk without forcing a challenge on every payment.
During a transaction, the merchant (through its 3DS Server) initiates verification. The payment service provider sends the transaction data to the card scheme's directory server, which forwards it to the issuer's Access Control Server. The issuer evaluates the risk. If the transaction matches the cardholder's normal spending pattern and an exemption or low risk score applies, it is authenticated through the frictionless flow with no customer input. If the risk is high, the issuer requires a challenge flow, in which the cardholder proves possession and knowledge or inherence, for example by approving the payment in the issuer's app or entering a one-time code.
| Participant | Role in 3D Secure authentication |
| Cardholder | Initiates the online card payment and provides the necessary credentials. |
| Merchant | Submits transaction details to request customer verification. |
| Issuer | Validates identity credentials and authorises the transaction. |
| Acquirer | Collects payment data and processes verified card transactions. |
| Card scheme | Routes authentication data between the acquirer and issuer. |
Q&A: Does every online card payment require a 3D Secure challenge?
No. The issuer scores each 3D Secure 2 request using the data it carries, and the acquirer or payment service provider can flag a transaction for a transaction risk analysis (TRA) or low-value exemption. Where the issuer accepts the exemption or its own risk assessment is low, the payment is authenticated through the frictionless flow and the cardholder never sees a challenge step.
Which SCA exemptions can apply to online card payments?
SCA exemptions are regulatory exclusions that allow payment service providers to bypass two-factor authentication for specific transactions. These rules help merchants speed up checkout processes while keeping fraud levels low.
Exemptions under PSD2 let businesses skip the challenge in controlled scenarios. Remote transactions below €30 are exempt as long as the cumulative amount since the cardholder last completed SCA does not exceed €100 and no more than five consecutive exempted transactions have been made since that SCA; once either counter is reached, the issuer must challenge and the counters reset. Transaction risk analysis (TRA) exemptions let a provider skip authentication when its reference fraud rate stays below the regulatory threshold for the transaction's value band (the thresholds tighten as the value rises, and TRA is never available above €500).
Other exclusions include trusted beneficiary listings, recurring subscriptions of a fixed amount to the same payee after the first authenticated payment, and merchant-initiated transactions for variable bills, which fall outside SCA once the mandate was set up with SCA. Secure corporate payments made through dedicated corporate processes or protocols also bypass these checks.
While a merchant or acquirer can submit an exemption request, only the card issuer holds the authority to grant an exemption approval. If the issuer rejects the request, the merchant must handle a step-up challenge.
- Low-value payments: Transactions under €30 (£25 in the UK) while the cumulative amount and transaction count since the last SCA stay within the limits.
- Transaction risk analysis: Exclusions based on the requesting provider's fraud rate being below the threshold for the value band.
- Recurring subscriptions: Fixed-amount scheduled payments to the same payee after the first payment has been authenticated.
- Trusted beneficiaries: Merchants the cardholder has whitelisted with their issuer.
- Secure corporate protocols: Commercial payments executed through dedicated, secure business channels.
According to the EBA-ECB payment fraud report, the application of Strong Customer Authentication has successfully held the overall fraud rate to a low level of 0.002% of total transaction value within the European Economic Area.
Q&A: Who bears the liability when an exempted payment is fraudulent?
Liability follows the party that applied the exemption. If the acquirer or merchant requested the exemption and the issuer accepted it, the merchant side carries the fraud loss; if the issuer applied its own exemption or authenticated the cardholder through a challenge, the issuer does. The cardholder remains protected from any loss either way.
Why can a 3D Secure exemption still lead to an authentication request?
An exemption request does not guarantee an automated approval. The card issuer maintains sole authority over payment authorisation and can demand full verification if its system flags potential security risks.
When a merchant requests an exemption, the card issuer runs its own fraud-risk assessment on the data in the authentication request. If that data is incomplete or of low quality (missing device, browser or address fields, for example), the issuer's controls will prompt a step-up challenge rather than accept the exemption.
Unusual spending patterns, unfamiliar locations or devices, and high amounts will also trigger exemption rejections, and the issuer then requires customer authentication to prevent payment fraud. Merchants and acquirers therefore need to send complete, high-quality data to secure frictionless checkouts; if data is lacking, a mandatory challenge flow or a decline remains likely.
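The following is an added example, not code from Wallester or any card scheme, that models the exemption handshake described in the sections above: the acquirer side picks an exemption indicator for the authentication request, and the issuer side checks its own counters and risk signals before answering with a 3D Secure 2 transaction status ('Y' for frictionless authentication, 'C' for a required challenge). The PSD2 figures used are the €30 low-value limit with its €100 and five-transaction counters, and the TRA reference fraud-rate bands of 0.13% up to €100, 0.06% up to €250 and 0.01% up to €500; it goes slightly beyond the text by showing the counter reset after a completed challenge. The field names, risk rules, liability mapping and sample transactions are assumptions constructed for illustration.

```python
"""Toy model of acquirer exemption requests and issuer (ACS) decisions.
Added example; not Wallester's or any scheme's code. PSD2 RTS figures are
real; field names, risk rules and liability mapping are assumptions."""
from dataclasses import dataclass, field

LOW_VALUE_LIMIT = 30.00          # Art. 16: remote payment below EUR 30
LOW_VALUE_CUM_AMOUNT = 100.00    # ... cumulative EUR 100 since last SCA
LOW_VALUE_CUM_COUNT = 5          # ... or five consecutive exempted payments
TRA_BANDS = [(100.00, 0.0013), (250.00, 0.0006), (500.00, 0.0001)]  # Art. 18


@dataclass
class CardState:
    """Issuer-side state per card; counters run since the last completed SCA."""
    home_country: str
    known_devices: set = field(default_factory=set)
    spent_since_sca: float = 0.0
    count_since_sca: int = 0


def acquirer_pick_exemption(amount, acquirer_fraud_rate):
    """Acquirer/PSP chooses which exemption to request. It cannot see the
    issuer's counters, so low-value is requested on the amount alone."""
    if amount < LOW_VALUE_LIMIT:
        return "low_value"
    for ceiling, max_rate in TRA_BANDS:
        if amount <= ceiling:
            return "tra" if acquirer_fraud_rate <= max_rate else None
    return None  # above EUR 500 TRA is never available


def issuer_decide(areq, state):
    """Simplified ACS. Returns (transStatus, liable_party, reason)."""
    required = ("amount", "currency", "country", "device_id", "exemption")
    missing = [f for f in required if f not in areq]
    if missing:  # low-quality data: step up regardless of the request
        return "C", "issuer", "missing:" + ",".join(missing)

    amount = areq["amount"]
    anomalies = []
    if areq["country"] != state.home_country:
        anomalies.append("unfamiliar location")
    if areq["device_id"] not in state.known_devices:
        anomalies.append("unknown device")
    if amount > 500.00:
        anomalies.append("high value")
    if anomalies:  # issuer overrides the exemption request
        return "C", "issuer", "; ".join(anomalies)

    ex = areq["exemption"]
    if ex == "low_value":
        if (amount < LOW_VALUE_LIMIT
                and state.spent_since_sca + amount <= LOW_VALUE_CUM_AMOUNT
                and state.count_since_sca + 1 <= LOW_VALUE_CUM_COUNT):
            state.spent_since_sca += amount
            state.count_since_sca += 1
            return "Y", "acquirer", "low_value accepted"
        return "C", "issuer", "low_value counters exhausted"
    if ex == "tra":
        return "Y", "acquirer", "tra accepted"
    return "C", "issuer", "no exemption"


def record_sca(state):
    """A completed challenge resets the Article 16 counters."""
    state.spent_since_sca = 0.0
    state.count_since_sca = 0


def demo():
    """Constructed walk-through; returns a list of (status, liable, reason)."""
    state = CardState(home_country="EE", known_devices={"dev-1"})
    results = []

    def attempt(amount, country="EE", device="dev-1", rate=0.0005, drop=()):
        areq = {"amount": amount, "currency": "EUR", "country": country,
                "device_id": device,
                "exemption": acquirer_pick_exemption(amount, rate)}
        for f in drop:
            areq.pop(f)
        status, liable, reason = issuer_decide(areq, state)
        if status == "C":
            record_sca(state)  # assume the cardholder completes the challenge
        results.append((status, liable, reason))

    for _ in range(5):
        attempt(25.00)   # four frictionless, then C when EUR 100 would be exceeded
    attempt(25.00)       # counters were reset by the challenge: frictionless again
    attempt(150.00)      # TRA band up to EUR 250 at 0.05% fraud rate: frictionless
    attempt(150.00, country="BR")          # unfamiliar location: challenge
    attempt(15.00, drop=("device_id",))    # incomplete data: challenge
    return results


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The split between `acquirer_pick_exemption` and `issuer_decide` is the point: the acquirer can only ask, and the issuer re-evaluates against state the acquirer never sees (cumulative counters, known devices, home country), which is why a well-formed exemption request can still come back as a challenge.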
| Scenario | Exemption requested | Possible issuer response |
| Low-value payment | Low-value transaction exemption | The issuer approves the frictionless flow, or demands a challenge if the cumulative amount or count since the last SCA is exceeded. |
| Recurring payment | Recurring payment exemption | The issuer skips the check for a fixed-amount payment to the same payee once it confirms the first payment in the series was authenticated. |
| TRA assessment | Transaction risk analysis exemption | The issuer denies the request because of an anomalous cardholder location or device and requires a challenge. |
In the UK, Financial Conduct Authority data confirms that 75% of consumers remember using Strong Customer Authentication during online purchases, indicating wide familiarity with secure checkouts.
Q&A: Can card issuers bypass SCA rules for high-risk purchases?
No. The regulation requires issuers to apply SCA whenever a transaction falls outside the exemption limits or their fraud-risk analysis detects clear signs of abuse; an issuer cannot waive the requirement simply because an exemption was requested.
How can Wallester White-Label support 3D Secure authentication for card programmes?
Wallester White-Label enables businesses to launch proprietary card programmes with comprehensive support for 3D Secure authentication. Its infrastructure provides the necessary controls to manage and secure online card transactions effectively.
Establishing a custom card offering requires compliant systems that align with Visa security rules. The Wallester White-Label solution provides a complete Visa card issuing infrastructure, giving companies programme-level payment oversight. Through API integration, organisations can issue physical or virtual cards with custom payment security controls.
The service provides back-office controls that allow companies to monitor cardholder authentication processes easily. This technology manages the secure routing of transaction data to card schemes during remote card payments. While Wallester acts as the technical system provider for card-programme management, the final choice to approve an exemption request rests with the card issuer.