Frictionless vs Challenge

  • Challenge: The challenge 3DSecure flow sends a prompt to the customer to approve their transaction, either in their banking app or via the use of an OTP. The transaction will not be successful if the customer does not successfully complete this process. 

  • Frictionless: The frictionless 3DSecure flow allows for the customer to not be hindered by having to approve the transaction manually, however, it is important to note that the frictionless flow is every bit as secure as the challenge flow.

While the challenge flow adds one step, to require the customer to enter a confirmation (OTP, USSD prompt, etc), the frictionless flow does not require this step. Both are, however, still going through 3DSecure and are confirmation of the customer’s approval.

More information on how frictionless works

This works through risk-based authentication. This is the process of determining the risk attached to a transaction and based on the risk level the issuing banks determine whether the user should be challenged with the additional authentication step. 

Transactions are screened for elements that would put it in different risk categories.

These risk-based elements include:

  • The value of the transaction

  • New or existing customer

  • Transactional history

  • Behavioural history

  • Device information

  • The amount of data included in the request

How to increase the likelihood of a transaction going through frictionless

To increase the chances of a transaction going through frictionless, a merchant can pass through as much customer data as possible in addition to the mandatory parameters to complete a payment. 

Additional parameters that can be added to increase the chances of frictionless include:

For Copy and Pay:



  • billing.street1    

  • billing.postcode    


  • card.holder    

Additionally, for Server to Server:

  • customer.browser.acceptHeader

  • customer.browser.language

  • customer.browser.screenHeight    

  • customer.browser.screenWidth    

  • customer.browser.timezone    

  • customer.browser.userAgent    

  • customer.ip    

  • customer.browser.javaEnabled    

  • customer.browser.javascriptEnabled    

  • customer.browser.screenColorDepth    

  • customer.browser.challengeWindow    

See the following documentation page for guidelines on the format of the data for each of these parameters.


It is important to note that, while these parameters can be added to increase the chances of a transaction going through frictionless this does not guarantee that it will happen. 

The risk engine that determines the risk level of a transaction is controlled by EMVCo and is thus not in the public domain, meaning we cannot change the outcome of this and can only give as much information as possible. 

Lastly, the final decision on whether the transaction will go through the challenge or frictionless flow lies with the customer’s issuing bank. 

Other related articles -