The version number of the 3DS protocol you are running matters more thanit might appear. Migrating to 3DS version 2.2 is not just a compliance exercise. It directly affects your frictionless rate, your fraud protection coverage, your SCA exemption capability, and your support for recurring and subscription use cases. This article traces the changes across each major version and explains what they mean in operational terms.

If you need a broader foundation first, our complete guide to 3D Secure authentication covers how the protocol works end to end.

3DS 1.0: the original protocol (deprecated 2022)

3DS 1.0 launched in 2001. The core mechanism was simple: a cardholder registered a static password with their issuer, and online purchases triggered a redirect to the issuer's authentication page where that password was entered. Authentication was binary, it either worked or it didn't, and the data exchange between merchant and issuer was minimal.

The limitations were significant. The redirect experience was disruptive, particularly on mobile browsers. Static passwords were frequently forgotten, leading to high abandonment. The protocol had no native mobile SDK support. And the limited data exchange meant issuers had little to work with for risk-based decisions, most transactions either required a challenge or bypassed authentication entirely.

Visa and Mastercard deprecated 3DS 1.0 in October 2022. American Express and other schemes followed. Any transaction still running on 3DS 1 no longer benefits from liability shift on Visa and Mastercard.

3DS 2.0 and 2.1: the shift to risk-based authentication

EMVCo published the 3DS 2.0 specification in 2016. The fundamental change was the introduction of risk-based authentication (RBA), the ability for issuers to make intelligent, data-driven decisions rather than applying a blanket challenge policy. For a full breakdown of how issuers make these decisions, see our complete guide to 3DS.

3DS 2.1, published in 2017, extended the initial specification with an increased data element set, up to 100 fields that merchants could pass to issuers. This improved the quality of issuer risk decisions. Version 2.1 also introduced support for merchant-initiated transactions, enabling the first integration between 3DS and recurring payment workflows.

Key improvements over 3DS 1:

• Native mobile SDK support, eliminating the disruptive redirect for in-app purchases.
• Inline challenge UI within the merchant's checkout flow.
• Risk-based authentication enabling frictionless approval for low-risk transactions.
• Biometric authentication support.
• Structured data exchange, issuers could receive account history, device fingerprint, and behavioural signals.

Both Visa and Mastercard deprecated 3DS 2.1 in 2024 (Mastercard in July, Visa in September). Merchants still on 2.1 integrations should treat this as urgent.

3DS 2.2: the current required minimum

3DS 2.2, published in December 2018, added capabilities that are now central to payment operations for any merchant with a complex payment mix. The three most important additions:

Decoupled authentication

Standard 3DS authentication requires the cardholder to be present and actively participating in the transaction flow. Decoupled authentication breaks this dependency, it allows authentication to occur asynchronously, outside the main transaction session. The cardholder might receive a push notification to their banking app and confirm the transaction independently, within a defined time window. This is essential for recurring billing setup, call-centre payments, and scenarios where the customer is not actively present at checkout.

Delegated authentication

Under 3DS 2.2, issuers can authorise a trusted third party, typically the merchant's own identity or authentication platform, to perform authentication on their behalf. If the issuer trusts the merchant's authentication mechanism, the transaction can proceed without routing through the issuer's ACS at all. This reduces latency and can improve frictionless rates for merchants with strong existing identity frameworks.

3DS Requestor Initiated(3RI)

3RI enables authentication without the cardholder present, for use cases including installment payment reminders, account verification, and BNPL transaction sequences. The merchant or payment provider initiates the authentication request independently, with the cardholder's prior consent, rather than in response to a live transaction.

SCA exemption signalling

3DS 2.2 allows merchants to explicitly flag SCA exemption requests within the protocol message, giving issuers the data context they need to make informed accept/decline decisions on exemptions. This was not possible in 2.1.

3DS 2.3: what is ahead

EMVCo published 3DS 2.3 in October 2022. Scheme adoption is progressing. Key additions include enhanced UI customisation options for challenge screens, automated out-of-band (OOB) authentication transitions, and improved data elements to support better issuer risk decisioning. Merchants should confirm 2.3 readiness with their 3DS Server provider and acquirer as adoption timelines vary by region and scheme.

Version comparison at a glance