What Is Challenge Flow? Definition, Payment Flow, and Examples
Challenge Flow is a 3DS path requiring the cardholder to provide additional proof through a banking app, biometrics, or a code. This guide focuses on Challenge Flow's real role, boundaries, and common points of confusion.
Key points
- Definition: Challenge Flow is a 3DS path requiring the cardholder to provide additional proof through a banking app, biometrics, or a code.
- Flow position: 3-D Secure is a cardholder-authentication framework for e-commerce, and EMV 3DS is the current specification family maintained by EMVCo.
- Do not confuse: Challenge Flow / Frictionless Flow
How it fits into the payment flow
For Challenge Flow, the relevant process is as follows: 3-D Secure is a cardholder-authentication framework for e-commerce, and EMV 3DS is the current specification family maintained by EMVCo. Risk data can support a frictionless flow or lead the issuer side to require a challenge before or alongside authorization.
A practical review of Challenge Flow should account for this: frictionless does not mean no authentication processing; it means the user commonly has no extra interaction. A challenge can use app confirmation, a one-time code, or another supported method. Issuer and program implementations vary.
Practical example
When the issuer needs more evidence, it starts a challenge and the customer confirms in a trusted banking app. Completion still leaves the issuer to make a separate payment-authorization decision.
How it differs from related terms
| Term | Definition |
|---|---|
| Challenge Flow | is a 3DS path requiring the cardholder to provide additional proof through a banking app, biometrics, or a code |
| Frictionless Flow | is a 3DS path that completes authentication without extra cardholder interaction when data and risk assessment allow |
| One-time Password | is a code valid for one action or a short period and can be an authentication factor without automatically constituting complete SCA |
Challenge Flow focuses on the fact that it is a 3DS path requiring the cardholder to provide additional proof through a banking app, biometrics, or a code. Frictionless Flow, by contrast, is a 3DS path that completes authentication without extra cardholder interaction when data and risk assessment allow. They can appear in one transaction while answering different questions.
Use cases and limits
A key limit of Challenge Flow is the following: successful authentication does not guarantee authorization. A failed challenge should not be answered by repeatedly entering codes on an unfamiliar page. Merchants must also protect redirects and callbacks.
Frequently asked questions
These answers address two common search questions about Challenge Flow.
Is it the same as Frictionless Flow?
No. Challenge Flow is a 3DS path requiring the cardholder to provide additional proof through a banking app, biometrics, or a code. Frictionless Flow is a 3DS path that completes authentication without extra cardholder interaction when data and risk assessment allow. Compare the object, processing stage, and responsible party.
Does a frictionless flow mean that 3DS was not used?
For Challenge Flow, no. It generally means the 3DS risk assessment did not require additional cardholder interaction; authentication data can still be exchanged in the background.
These primary sources support the definition and process for Challenge Flow. Current product, network, and local rules still control a real transaction.