Frictionless Flow
What Is Frictionless Flow in Payments? Definition and How It Works
Definition
Frictionless flow in 3D Secure authentication is the outcome in which the issuer's access control server authenticates the transaction using background data analysis without presenting any challenge to the cardholder, completing authentication invisibly without interrupting the checkout experience.
How it works
In 3DS 2.x, every transaction subject to SCA goes through an authentication request. The merchant's payment system sends a structured data payload to the card network's directory server, which routes it to the issuer's access control server (ACS). The ACS runs its risk assessment on the data provided and returns one of two outcomes: frictionless authentication or a challenge request.
Frictionless authentication means the ACS determined sufficient evidence exists in the transaction data to confirm the cardholder's identity without additional interaction. The authentication completes in the background and the merchant receives a frictionless authentication result before the transaction proceeds to authorisation. The cardholder sees nothing.
The challenge flow is the alternative: the ACS determines the risk is too high to authenticate frictionlessly and returns a challenge instruction. The payment system presents the cardholder with an authentication step, a one-time code, a biometric prompt, or a notification in their banking app. Only after successful challenge completion does authentication proceed.
The proportion of transactions that complete via the frictionless path is called the frictionless rate. Frictionless rate is directly influenced by the richness of the data the merchant sends to the issuer: more data elements give the ACS more signals for its risk assessment, enabling it to authenticate more transactions without challenge. Merchants who send minimal data have lower frictionless rates.
Why it matters
Frictionless rate is the conversion-relevant metric in 3DS: challenges interrupt checkout and cause abandonment. A merchant with a 95% frictionless rate loses very few transactions to 3DS friction; a merchant with a 60% frictionless rate loses meaningful conversion to challenge flows.
Data quality is the merchant's lever on frictionless rate: the 3DS 2.x protocol supports over 100 data elements. Merchants who populate more elements, device fingerprint, transaction history, account age, prior 3DS authentication history, give issuers more signal and achieve higher frictionless rates.
Frictionless does not mean exempt from authentication: a frictionless outcome is still an authenticated transaction. Liability shifts to the issuer on frictionless-authenticated transactions that are subsequently disputed as fraud. This is distinct from a transaction processed with an SCA exemption, where liability may not shift.
Frictionless rate varies by issuer: some issuers have more sophisticated ACS systems that approve more transactions frictionlessly. Others default to challenge for a higher proportion of transactions regardless of data quality. Merchants cannot control issuer behaviour, but can optimise their data submission to maximise frictionless rate across the issuer population.
With PXP
PXP's 3DS integration sends the full available data element set on all authentication requests, maximising frictionless rate across acquirer connections. Frictionless rate is reported per issuer and card type in PXP's analytics dashboard. PXP supports dynamic data enrichment for 3DS requests to improve frictionless outcomes.
Frequently asked questions
What is the EMV liability shift?
The EMV liability shift is a card scheme rule that changed who bears financial responsibility for counterfeit card fraud at point of sale. Before the shift, fraud losses were allocated between issuers and merchants based on existing rules. After the shift, when a counterfeit card is used at a terminal: if the terminal is chip-capable and the card has a chip, and the chip was used, the issuer bears fraud liability. If the terminal is not chip-capable for a chip card, the merchant bears the fraud liability.
Does EMV apply to online transactions?
Standard EMV chip authentication does not apply to online card-not-present transactions because the physical chip is not present. The online equivalent is EMV 3DS (3DS 2.x), which uses a similar data-rich authentication exchange between the merchant, card network, and issuer to provide cryptographic authentication confidence for e-commerce. Merchants implementing 3DS 2.x for online transactions achieve the functional equivalent of EMV-level authentication with associated liability shift benefits.
What is the difference between EMV contact and EMV contactless?
EMV contact requires the cardholder to insert the chip card into a card reader, where the terminal makes direct electrical contact with the chip for authentication. EMV contactless uses NFC to transmit the authentication data wirelessly, with the card or device tapped near the reader. Both use the same underlying chip cryptography and provide equivalent fraud protection; contactless is a faster user experience that applies the same EMV authentication wirelessly.
Why did card-not-present fraud increase after EMV adoption?
EMV adoption effectively eliminated counterfeit card fraud at physical POS by making copied card data unusable without the chip's cryptographic function. Fraudsters who previously profited from physical counterfeit cards shifted their operations to card-not-present channels (online) where EMV chip authentication does not apply. This displacement effect is well-documented and is one of the drivers behind the emphasis on 3DS adoption for online merchants.
Revolutionize your business with PXP
Take complete control of your commerce and payments with one platform.
Get Started