
Maximizing the Potential of Your 3DS Service
Learn how expert support, intelligent risk scoring, and continuous optimization can strengthen security while preserving seamless customer journeys.

The UAE is entering a decisive new phase in digital banking security. Of course, this is not a starting point for the UAE. It is a progression.
The UAE is widely recognized as one of the most advanced digital economies in the world. From AI strategy and smart government initiatives to real-time payments and digital banking innovation, the country has consistently positioned itself at the forefront of financial modernization.
With the Central Bank of the UAE (CBUAE) Notice No. CBUAE/FCMCP/2025/3057, financial institutions are being pushed toward:
Other markets have undergone similar regulatory transitions in recent years. In Europe, the Revised Payment Services Directive (PSD2) introduced Strong Customer Authentication (SCA) requirements across the EU. What followed was a multi-year transformation, both operationally and strategically, as institutions refined how they balanced fraud prevention, compliance, and customer experience.
Europe's journey provides useful context, not as a blueprint, but as a reference point for how authentication models tend to evolve under regulatory change.
The CBUAE directive is not simply about adding another authentication factor. It reflects a deeper shift in philosophy.
Historically, many banks relied heavily on static controls: passwords at login and OTPs at transactions. That model assumes that once a user successfully authenticates, the session is trustworthy. Today’s fraud landscape has made that assumption unreliable.
Account takeover attacks now commonly involve:
In this context, static MFA is necessary, yet still insufficient.
The regulatory emphasis on adaptive and risk-based controls signals that authentication decisions must become contextual. Banks are expected to assess transaction risk dynamically, rather than applying uniform friction across all users and journeys.
This is a shift from “authenticate everyone the same way” to “authenticate according to risk potential.”
That distinction is critical.
When PSD2 introduced SCA, it required two independent authentication factors for digital payments. The directive also required dynamic linking. This means that authentication has to be cryptographically tied to the transaction amount and beneficiary.
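To make dynamic linking concrete, here is an added example (not code from any bank, scheme, or vendor described in this article) in which an authentication code is computed over the amount and payee and stops verifying if either is changed after the customer approves. It assumes a per-customer secret shared between the authenticator and the issuer and uses HMAC-SHA256; the function names, key, nonce, and account numbers are constructed for illustration.

```python
import hashlib
import hmac
from decimal import Decimal


def canonical_payment(amount: str, currency: str, payee: str) -> bytes:
    """Serialize the fields the authentication code is bound to."""
    values = [
        f"{Decimal(amount):.2f}",        # "49.9" and "49.90" encode identically
        currency.upper(),
        payee.replace(" ", "").upper(),  # ignore display spacing in the account number
    ]
    # Length-prefix each value so bytes cannot be shifted between fields.
    # Two decimal places is a simplification; some currencies use other exponents.
    return b"".join(len(v.encode()).to_bytes(2, "big") + v.encode() for v in values)


def issue_auth_code(key: bytes, amount: str, currency: str, payee: str, nonce: bytes) -> str:
    """Code the customer's authenticator produces for the payment it displayed."""
    # The fixed-length, per-transaction nonce stops a code from being replayed
    # for a later payment with the same amount and payee.
    msg = nonce + canonical_payment(amount, currency, payee)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_auth_code(key: bytes, code: str, amount: str, currency: str,
                     payee: str, nonce: bytes) -> bool:
    """Issuer-side check against the payment it is about to execute."""
    expected = issue_auth_code(key, amount, currency, payee, nonce)
    return hmac.compare_digest(expected, code)  # constant-time comparison


if __name__ == "__main__":
    KEY = bytes(range(32))                    # constructed demo secret
    NONCE = b"txn-0001-nonce!!"               # constructed 16-byte nonce
    PAYEE = "AE00 0000 0000 0000 0000 000"    # constructed account number
    code = issue_auth_code(KEY, "49.90", "AED", PAYEE, NONCE)
    print("as approved:   ", verify_auth_code(KEY, code, "49.90", "AED", PAYEE, NONCE))
    print("amount changed:", verify_auth_code(KEY, code, "4990.00", "AED", PAYEE, NONCE))
    print("payee changed: ", verify_auth_code(
        KEY, code, "49.90", "AED", "AE99 0000 0000 0000 0000 000", NONCE))
```

A generic OTP that is valid for any payment fails this property, because nothing in the code depends on what the customer saw and approved.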
On paper, the rule is straightforward.
In practice, it is forcing banks to rethink:
The primary technical vehicle for enforcing SCA in e-commerce was EMV 3D Secure (EMV 3DS), particularly version 2.x, which allowed issuers to exchange richer contextual data and apply risk-based logic.
Although the rules were clear, the majority of institutions were not yet mature enough to apply them effectively in practice.
In the early stages, many European banks adopted a conservative compliance setup. Rather than fully leveraging transaction risk analysis, they triggered step-up authentication for nearly all card-not-present transactions.
From a regulatory perspective, this was safe.
From a business perspective, it was expensive.
Merchants reported measurable increases in cart abandonment. Customer complaints about frequent OTP prompts significantly increased. Some consumers shifted to alternative payment methods with lower perceived friction, such as digital wallets, A2A payments, and BNPL options.
The result? Fraud decreased, but so did conversion rates.
The European experience suggests the following: strong authentication must be intelligent, not one-size-fits-all.
PSD2 allowed exemptions from step-up authentication for low-risk transactions. However, to use those exemptions effectively, banks needed mature fraud scoring engines and accurate risk calibration.
Many institutions discovered that their fraud systems were not sufficiently integrated with their authentication layers.
Fraud teams and identity teams operated in silos. Risk scores were not dynamically driving authentication decisions. As a result, exemptions were underutilized, and friction remained unnecessarily high.
It boils down to this: PSD2 structurally favored institutions that could align fraud intelligence with authentication orchestration, because doing so enabled more frictionless approvals while remaining compliant.
Perhaps the most strategic mistake was framing SCA as a compliance project rather than an opportunity to modernize identity.
Some institutions implemented:
They met regulatory deadlines.
But they did not redesign their broader identity architecture around zero-trust principles or continuous risk assessment.
The banks that invested in adaptive authentication, behavioral monitoring, and integrated risk orchestration are now operating at significantly higher maturity levels. As a result, these institutions were able to reduce account takeover losses while maintaining higher transaction approval rates and lower customer drop-off.
As PSD2 rolled out, a clear evolution in authentication strategy began to take shape across Europe.
Initially, authentication was rule-based and uniform. Step-up mechanisms were triggered broadly to ensure compliance.
As fraud engines matured and data exchange within EMV 3DS improved, issuers began distinguishing between low- and high-risk transactions. Frictionless flows increased. Approval rates stabilized.
Today, leading institutions go further. They deploy behavioral analytics and continuous authentication mechanisms that assess risk not only at login or payment, but throughout the session lifecycle.
Trust is no longer established once at login, but continuously evaluated as risk changes.
Europe’s experience provides a useful reference point, and the UAE can take those insights and apply them from day one.
Rather than layering risk assessment on top of static MFA, banks should embed contextual intelligence directly into authentication flows.
This includes:
By integrating these signals in real time, banks can differentiate between a returning, low-risk customer and a potentially compromised session.
Additional authentication is triggered only when the risk justifies it, rather than being applied to every transaction.
EMV 3DS 2.x supports the exchange of extensive contextual data between merchants, acquirers, and issuers.
Institutions that leverage this data effectively can:
The key is not just turning on 3D Secure, but using risk data properly to decide when to challenge a customer and when to let the payment go through smoothly.
One of the biggest lessons from Europe wasn’t about technology - it was about teamwork.
In many banks, fraud prevention and authentication were handled by different teams. Fraud teams focused on detecting suspicious transactions. Authentication teams focused on login flows, MFA tools, and customer journeys.
But risk-based authentication only works well when those two areas are closely connected.
If the fraud system detects that a transaction looks suspicious, that information should immediately influence how the customer is authenticated. For example:
At the same time, the results of authentication matter for fraud models. If a customer successfully completes biometric verification, that’s useful information for improving future risk decisions.
When fraud and authentication operate separately, banks often end up either:
The most effective institutions made sure fraud, security, and digital teams were working toward the same goals - balancing fraud reduction with smooth customer experience.
Modern fraud does not respect session boundaries.
Once attackers bypass login, they often exploit lateral movement within digital banking environments.
Continuous authentication addresses this by:
This aligns directly with zero-trust principles, where trust is continuously validated rather than assumed.
For the UAE, this represents a chance to implement a forward-looking identity posture from the outset, rather than retrofitting it later.
Regulatory change often starts as a compliance requirement. Over time, though, it can become an opportunity. In Europe, the banks that treated SCA as more than just a rule to follow were able to reduce account takeover losses while keeping approval rates strong. By avoiding unnecessary authentication challenges, they also reduced customer frustration and built greater confidence in their digital channels.
The CBUAE directive offers a similar opportunity. It is not just about implementing Strong Customer Authentication, but about doing it in a way that protects customers while keeping their experience smooth and intuitive.
Europe’s experience offers a clearer direction, so UAE banks can start off on the right foot with smarter, risk-based authentication.
