GuidelineCard Security & Compliance

3-D Secure Authentication Guidelines

How RPC applies 3-D Secure 2.x authentication flows, exemptions and liability-shift rules for card-not-present transactions.

v2.1effective 2025-05-12

Purpose

These guidelines describe how RPC applies 3-D Secure 2.x (3DS2) to card-not-present transactions to meet Strong Customer Authentication (SCA) requirements while minimizing checkout friction.

Frictionless flow

For transactions that pass real-time risk scoring, the issuer authenticates the cardholder silently using device, behavioral and transaction-history signals, without prompting for a one-time passcode. Frictionless approval rates are monitored weekly and must stay above 85% to avoid unnecessary drop-off.

Challenge flow

Transactions that fail risk scoring, or that a merchant explicitly requests to be challenged, prompt the cardholder for an out-of-band one-time passcode delivered via the mobile app or SMS. The cardholder has three attempts before the transaction is declined and the card is temporarily flagged for review.

Exemptions

RPC applies the low-value exemption for transactions under €30 (cumulative to €100 or five consecutive transactions before authentication is forced), and the Transaction Risk Analysis (TRA) exemption for acquirers with a fraud rate low enough to qualify under network thresholds.

Liability shift

When a transaction is successfully authenticated through 3DS2, liability for fraud disputes shifts to the card issuer. Transactions completed under an exemption, or where the merchant chose not to invoke 3DS2, leave liability with the merchant's acquirer.