The EMV® 3-D Secure (EMV 3DS) protocol is widely adopted globally to enhance the security of online card payment transactions by authenticating cardholders during the payment process. Used in all European Union (EU) Member States, EMV 3DS is already supported by payment card issuers and online merchants for online transactions in the EU.
As the EU works towards the rollout of EU Digital Identity (EUDI) Wallets as a means of digital identification for its citizens, what does this mean for existing payment authentication methods in the region?
In this post, Tabitha Odom, Chair of the EMVCo 3DS Working Group, explores the requirements of the EMV 3DS protocol when integrating with the EUDI Wallet to ensure the two technologies work together to deliver safe and seamless payment authentication.
Can you provide a brief overview of the EUDI Wallet?
The European Union (EU) Digital Identity Framework Regulation entered into force in May 2024 and specified the requirement for a commonly defined digital ID wallet. The EUDI Wallets will make it possible for EU citizens, residents and businesses to link their national digital identities with other personal attributes to prove their identity when accessing digital services. For example, users will be able to request, store and share their personal information when opening a bank account, applying for a job or making an online payment.
Each EU Member State will publish its own wallets to its citizens based on common EUDI Wallet specifications. Wallets are expected to be operational by November 2026, with the private sector accepting EUDI Wallet authentications by November 2027.
Can EUDI Wallets be used to fulfil PSD2 Strong Customer Authentication (SCA) requirements in EMV 3DS payment authentication transactions?
Yes. Relying parties will be required to support SCA via EUDI Wallets as per Article 5f(2) of the Electronic Identification, Authentication, and Trust Services 2.0 (eIDAS 2.0) regulation. As EMV 3DS is used in all EU Member States, supported by most payment card issuers and online merchants, and used in the majority of online SCA transactions in the EU, interoperability between EMV 3DS and the EUDI Wallet will be key to fulfilling the eIDAS SCA obligation.
Will EMV 3DS authentication using the EUDI Wallet change the user experience?
EMV 3DS is already widely adopted in the online commerce ecosystem as the de facto way to ensure seamless and secure authentication of cardholders in online commerce transactions.
Changes to the user experience will depend on the EUDI Wallet authentication flow. With issuer-captured authentication, the user experience remains the same for cardholders. After checkout, if the issuer determines that it is necessary to challenge the transaction, the cardholder is directed to the issuer for SCA. In EMV 3DS terminology, this is referred to as out-of-band (OOB) authentication and it resembles today’s user experience with banking applications and authentication applications.
However, the user experience in the area of merchant-captured authentication is noticeably different. Merchant-captured authentication is a new authentication flow introduced by EUDI Wallets. The merchant integrates with the EUDI Wallet and initiates cardholder authentication already on the merchant’s website. Using the EUDI Wallet, the cardholder authenticates with an authentication credential supported by their card issuer. Using the EMV 3DS protocol, the merchant relays the outcome of the authentication step to the issuer for validation. The issuer acts as a relying party in a merchant-captured authentication.
Does EMVCo need to adapt EMV 3DS to specifically align with EUDI Wallet functionality?
EMV 3DS was designed to be interoperable with various current and future authentication methods, such as Secure Payment Confirmation (SPC) and WebAuthn. From our initial work and understanding, the EUDI Wallet is interoperable with EMV 3DS, but some of the technical requirements of the two technologies may overlap.
EMVCo is engaged and monitoring the numerous large-scale pilot projects underway to test different use cases of the EUDI Wallets in line with other applicable regulations. An example of this is our collaboration with the European Identity Wallet Consortium (EWC) to assess how the EUDI Wallet may facilitate cardholder authentication in EMV 3DS transactions.
The EWC project is set to conclude in July 2025. Learnings and recommendations will be taken to the European Commission, EUDI Wallet Architecture and Reference Framework, and to subsequent large-scale pilots such as the WE BUILD Consortium pilot.
What other areas of EMV Specifications / infrastructure may need to be reviewed to ensure EUDI Wallet alignment?
The four key payments use cases for the EUDI Wallet are in-store payment initiation, in-store payment authentication, online payment initiation and online payment authentication. As such, EMVCo is monitoring if other EMV technologies will need to co-exist with the Wallet. These include EMV Contactless, Click to Pay solutions based on EMV Secure Remote Commerce and, as mentioned, EMV 3DS.
We have identified additional areas related to authentication which are not necessarily defined by the EMV 3DS Specifications and will require further investigation. These areas include, but are not limited to:
- Guidance for 3DS Servers and 3DS Requestors on the integration of EUDI Wallets into a purchase flow in a merchant-captured authentication.
- Details of the data provided by an EUDI Wallet authentication in a merchant-captured transaction.
- Guidance for the ACS on the integration with EUDI Wallets in issuer-captured transactions.
- Clarification for invoking an EUDI Wallet Instance from an iframe using a Universal App Link on the same mobile device.
Work on these areas may not result in changes to the EMV Specifications, but will likely involve clarifications, guidance and collaboration with other actors in the EUDI Wallet space.
How can I learn more about EMVCo’s work in relation to the EUDI Wallet?
This month we published the white paper “Use of the EUDI Wallet in EMV 3-D Secure Payment Authentication”, which gives an overview of EUDI Wallet usage in EMV 3DS transactions. This will be of interest to stakeholders involved in the writing of the requirements and implementations of EUDI Wallets in EU Member States, including payment service providers, financial institutions, online merchants, technology developers, and regulatory bodies.
As the large-scale pilots advance and more details become available, EMVCo plans to work on an updated version of the white paper which will share guidance on purchase flows, integrating payment credential selection and related authentication method selection. Merchant-side authentication, data content and issuer-side validation of the inbound data will also be covered.