3DS: to challenge or not to challenge, that is the question

Javier Gutierrez Rueda, Director Corporate Development and Head of Payments and Fraud Prevention at Avianca Airlines, discusses ways to overcome SCA challenges. 

The global cost of cybercrime is projected to reach USD 10.5 trillion annually by 2025 [1] – a figure so staggering that, if cybercrime were a country, it would rank as the world's third-largest economy, trailing only the United States and China. Within this broader cybercrime landscape, online payment fraud represents one of the most persistent and costly challenges, with cumulative losses from online payment fraud alone projected to exceed USD 363 billion between 2023 and 2028 [2]. The travel and leisure industries are among the top three targets of fraudsters, with travel merchants facing 36% of the global suspected fraud attempts [3]. 

Both merchants and card issuers face the challenge of maximising customer experience and conversion while minimising fraud exposure, a classic adverse selection dilemma first described by Nobel laureate George Akerlof, where information asymmetries between parties create suboptimal outcomes for all stakeholders. In an environment where credit and debit cards continue to triumph as the preferred payment method – even among Gen Zers and Millennials – Strong Customer Authentication (SCA) emerges as the best-in-class technology to address a fundamental market problem. While progress has been made to increase technology penetration, the authentication decision-making process still has room for improvement to enhance performance and customer experience. 

At the heart of effective SCA implementation lies Three-Domain Secure (3DS), a protocol originally conceived with a simple yet powerful philosophy: bring together the three critical stakeholders – the merchant, the card issuer, and the cardholder – into a unified verification process whenever transaction legitimacy comes into question. This triangulated approach to authentication recognises that fraud prevention cannot be solved in isolation by any single party, but requires coordinated effort across the entire payment ecosystem. The evolution from 3DS 1.0 to the current 2.2 standard has brought increased reliance on transaction data points in making authentication decisions, thereby decreasing the number of transactions processed through a challenge pathway. The choice of whether to challenge a customer or not rests with the card issuer, who faces a fundamental dilemma: 1) minimise risk exposure arising from the liability shift of authenticated transactions and 2) comply with scheme owner guidance to maximise the frictionless pathway. Under such circumstances, the customer tends to be excluded from the equation, which defeats the original purpose of 3DS. 

This issuer-centric decision-making process marginalises the cardholder, arguably the weakest yet best-informed party in the transaction, leading to suboptimal equilibrium for all the stakeholders in the payment ecosystem. I want to focus on two ways in which we reach a suboptimal equilibrium: 1) performance is not maximised and 2) the process impacts the customer’s experience negatively. 

In terms of performance, transactions that are challenged demonstrate significantly higher success rates than those processed through the frictionless pathway. In my experience, there is a 12 to 15 percentage point (pp) gap in successful authentication rates, while Batra and Phillips (2024) [4] find a 5 pp gap in the US market. These striking statistics mean that between 5 to 15 legitimate customers out of every 100 are inadvertently prevented from completing their transactions when card issuers decide to rely on a set of rules for decision-making rather than bringing their customers into the loop to resolve this adverse selection scenario. 

Overall performance is further affected by improper coordination between the authentication and authorisation processes. It is not uncommon to find that authenticated transactions are rejected due to suspected fraud while authorising the transaction – a practice that is fundamentally inconsistent with the issuer having already authenticated the transaction in the first place. This disconnect reveals a systemic flaw where different teams and risk engines within the same institution apply contradictory logic to identical transactions.

Turning to user experience, the push for increased frictionless processing leads to negative moments of truth for legitimate customers at critical touchpoints, such as hitting the pay button or reviewing bank statements. For customers actually making a purchase, an unsuccessful frictionless authentication leaves them clueless and, worse yet, unable to finalise their purchase. Many have experienced the endless blame cycle between bank and merchant, with both parties unable to resolve the issue, leaving the cardholder with no clear resolution path. Even more frustrating are customers who discover unauthorised authenticated transactions on their bank statements, facing the costs in terms of time and peace of mind of undergoing a bank claim process and waiting up to 120 days for resolution.

So, how do we move closer to the optimal frontier? I propose three alternatives to improve conversion and increase the number of satisfied customers: 1) always challenge when in doubt, 2) increase coordination both between system participants and within banks, and 3) enforce customers’ accountability. 

When in doubt, ask! This piece of common folk wisdom perfectly applies to the 3DS challenge process. When the set of rules of the frictionless pathway yields a reject result, simply challenge. Why? Because it is efficient for the issuer, both in terms of cost and customer experience. Challenging the client is relatively costless to the issuer and customer, and, if the transaction is completed, the interchange rate more than compensates for any costs associated with challenging. The issuer can verify at least two of the following: i) something they know (i.e. password), ii) something they possess (i.e. device) or something they are (i.e. fingerprint), which completely resolves the adverse selection problem. From the user experience perspective, the issuer can prevent the cognitive bias of loss aversion, explained by the Prospect Theory [6]. The loss perception that a customer experiences from not finishing a transaction and being unable to fulfil their desires or needs is far larger than the cost that that same customer undergoes from fulfilling a challenge and receiving what he wants.  

Conversion could get a significant boost just by getting the folks responsible for authentication and authorisation processes together at the same table. I am going to share a true story that happened to us with one of the top issuers. We received an email from the Authentication team of the bank asking us why we, the merchant, had rejected a set of authenticated transactions. We went over the list and found that we had not rejected them, and in turn contacted the bank’s authorisation team to ask what had happened. Well, it turned out that that team was the one that had rejected the transactions. Then, we kindly asked the Authentication team to get together with the Authorisation team to resolve the issue. This happened more than once with different issuers. Coordination across stakeholders is key to making any process work and to delivering on the value proposition of both banks and merchants. Collaboration within banks and across the system’s stakeholders contributes to reducing information asymmetries and increasing business knowledge among business partners. 

Last but not least, issuers must work with their customers to create awareness and best practices as well as to enforce their customers’ accountability to prevent moral hazard. With increased incidences of phishing, spoofing, and smishing, it is not uncommon for customers to surrender their credentials to fraudsters. Issuers need to strengthen their customers’ awareness by clearly informing them what they should and should not expect to be asked for in their interactions. Adding timely messages not to share their credentials with anybody at any time while receiving OTPs or logging into banks’ apps contributes to reducing the likelihood of cybercrime success. With this in place, holding customers accountable for the costs of voluntarily surrendering credentials is key to preventing spillovers into the ecosystem – in the form of reduced authentication – and preventing future breaches. 

The evolution of 3DS over the past years has brought changes in terms of how market participants use the technology to mitigate fraud. While progress has been made in terms of its potential, reach, and usability, there is low-hanging fruit in terms of processes, coordination, and education that can be implemented at relatively low cost. Specific actionable steps include: merchants should request enforcement of challenge override capabilities – a feature available in some 3DS MPIs – while card issuers should revise their frictionless rules to challenge transactions whenever their frictionless pathway encounters incomplete, insufficient, or contradictory information to successfully authenticate a transaction, and conduct comprehensive audits of their authentication/authorisation coordination processes.

References

[1] PYMNTS, "Visa Teams With Expel to Tackle $10.5 Trillion Cybercrime Threat," 2 October 2023. [Online]. Available: https://www.pymnts.com/news/security-and-risk/2023/visa-teams-with-expel-to-tackle-10-5-trillion-cybercrime-threat/.

[2] C. Malone, "Combatting Online Payment Fraud," Juniper Research, 2023.

[3] L. Pfalz, "Travel Industry Is Second-Highest Industry for Suspected Fraud Attempts Globally," 21 March 2024. [Online]. Available: https://www.travelpulse.com/news/impacting-travel/travel-industry-is-second-highest-industry-for-suspected-fraud-attempts-globally.

[4] A. Batra and S. Phillips, "Surprising findings from our analysis of 3DS transactions in the US," 5 August 2024. [Online]. Available: https://stripe.com/blog/surprising-findings-from-our-analysis-of-3ds-transactions-in-the-us.

[5] IMARC Group, "3D Secure Pay Authentication Market Report by Type (Access Control Server, Merchant Plug-In, and Others), Application (Merchant and Payment Processors, Banks), and Region 2025-2033," IMARC Group, 2024.

[6] D. Kahneman, Thinking Fast and Slow, New York: Farrar, Straus and Giroux Books, 2011.

[7] P. Bruno, U. Jeenah, A. Gandhi and I. Gancho, "Global payments in 2024: Simpler interfaces, complex reality," McKinsey & Company, 2024.

[8]Wordline, "3-D Secure and SCA," [Online]. Available: https://docs.direct.worldline-solutions.com/en/security-and-risk-management/3d-secure/index. [Accessed 07 08 2025].

This article is part of The Paypers’ Travel Series, which includes contributions on topics spanning emerging trends in travel payments, fraud and security challenges, regulatory and tax impacts, risk management and forex, as well as sustainability in the travel industry. For a complete overview of all the contributions featured, click here. 

About the author

Javier Gutierrez is Head of Payments and Fraud Prevention and Director of Corporate  Development at Avianca. A graduate in Economics and Management, he brings extensive experience in strategy, finance, decision theory, and process management. As Head of Payments and Fraud Prevention, Javier leads Avianca Group's payment ecosystem strategy and operations while creating comprehensive, transparent, and user-friendly experiences aimed at enhancing customer satisfaction and driving conversion. He also oversees the design and implementation of the company's strategic projects in his corporate development role. Recently, his focus has been on improving coordination among payment ecosystem stakeholders to reduce customer friction, align incentives,  and enhance accountability. You can reach Javier via email at javier.gutierrez@avianca.com or on LinkedIn.

About Avianca Airlines 

Avianca, part of Abra Group, encompasses Avianca — a Star Alliance member — LifeMiles, Avianca Cargo, and Wamos Air. In passenger transportation, Avianca, with over 105 years of operation since its founding in 1919, is the leading airline in Colombia, Ecuador, and Central America. It operates one of the largest air networks in Latin America, offering 172 routes, more than 700 daily flights, and a fleet of 162 Airbus A320 and Boeing 787 Dreamliner aircraft, connecting over 81 destinations across 28 countries in the Americas and Europe. In 2024, Avianca transported nearly 38 million customers and operated more than 258,000 flights. Its loyalty program, LifeMiles, is one of the largest in Latin America, with over 14 million members and more than 350 partner merchants. In cargo transportation, Avianca Cargo is the leading operator in various markets across the Americas, connecting over 60 destinations through its 190 weekly cargo flights, passenger flight network, and interline agreements. Additionally, Wamos Air, a world leader in air charter and wet lease services based in Spain, strengthens the Group’s global reach by providing flexible, high-quality aviation solutions. For more information, visit www.avianca.com.