Tracked metadata: Sourced from EMVCo's public document index. PCI Watch records each document's details and its extracted text so changes can be tracked over time; the document PDF itself is hosted by EMVCo.

EMV® 3-D Secure White Paper – Use of the EUDI Wallet in EMV® 3-D Secure Payment Authentication

v1.0 Specifications
3-D Secure
Extracted document text

EMVCo's index flattens the document's layout, so this text is best used for searching and comparing versions rather than reading end-to-end.

EMV® 3-D Secure White Paper

Use of the EUDI Wallet in EMV® 3-D Secure Payment Authentication

Version 1.0
June 2025

Legal Notice

This document is subject to change by EMVCo at any time. This document does not create any binding obligations upon EMVCo or any third party regarding the subject matter of this document, which obligations will exist, if at all, only to the extent set forth in separate written agreements executed by EMVCo or such third parties. In the absence of such a written agreement, no product provider, test laboratory or any other third party should rely on this document, and EMVCo shall not be liable for any such reliance.

No product provider, test laboratory or other third party may refer to a product, service or facility as EMVCo approved, in form or in substance, nor otherwise state or imply that EMVCo (or any agent of EMVCo) has in whole or part approved a product provider, test laboratory or other third party or its products, services, or facilities, except to the extent and subject to the terms, conditions and restrictions expressly set forth in a written agreement with EMVCo, or in an approval letter, compliance certificate or similar document issued by EMVCo. All other references to EMVCo approval are strictly prohibited by EMVCo.

Under no circumstances should EMVCo approvals, when granted, be construed to imply any endorsement or warranty regarding the security, functionality, quality, or performance of any particular product or service, and no party shall state or imply anything to the contrary. EMVCo specifically disclaims any and all representations and warranties with respect to products that have received evaluations or approvals, and to the evaluation process generally, including, without limitation, any implied warranties of merchantability, fitness for purpose or noninfringement. All warranties, rights and remedies relating to products and services that have undergone evaluation by EMVCo are provided solely by the parties selling or otherwise providing such products or services, and not by EMVCo, and EMVCo will have no liability whatsoever in connection with such products and services.

This document is provided "AS IS" without warranties of any kind, and EMVCo neither assumes nor accepts any liability for any errors or omissions contained in this document. EMVCO DISCLAIMS ALL REPRESENTATIONS AND WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT, AS TO THIS DOCUMENT.

EMVCo makes no representations or warranties with respect to intellectual property rights of any third parties in or in relation to this document. EMVCo undertakes no responsibility to determine whether any implementation of this document may violate, infringe, or otherwise exercise the patent, copyright, trademark, trade secret, know-how, or other intellectual property rights of third parties, and thus any person who implements any part of this document should consult an intellectual property attorney before any such implementation.

Without limiting the foregoing, this document may provide for the use of public key encryption and other technology, which may be the subject matter of patents in several countries. Any party seeking to implement this document is solely responsible for determining whether its activities require a license to any such technology, including for patents on public key encryption technology. EMVCo shall not be liable under any theory for any party's infringement of any intellectual property rights in connection with this document.

© 2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found on the EMVCo website.
EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. CONFIDENTIAL

Contents

Legal Notice
Contents
1 Background
  1.1 Introduction
  1.2 Audience
  1.3 Planned Publication Schedule
  1.4 Definitions and Conventions
2 Overview of the Technologies
  2.1 EMV® 3DS
  2.2 EUDI Wallet
3 Use of the EUDI Wallet in EMV 3DS Authentication Transactions
  3.1 Merchant-Captured Authentication
  3.2 Issuer-Captured Authentication
4 EMV 3DS Requirements and Functionality That Have an Impact on the EUDI Wallet
  4.1 Merchant-Captured Authentication
    4.1.1 Limitations and Use of Data in an EMV 3DS Authentication Request (AReq)
    4.1.2 Issuer ACS Validation of a Merchant-Captured EUDI Wallet Transaction
  4.2 Issuer-Captured Authentication
    4.2.1 Browser-Based Flows
    4.2.2 Support for App-Based Flows
    4.2.3 App Switching Between EMV 3DS and Authentication Applications
    4.2.4 Further Considerations
5 Next Steps
Appendix 1 – European Commission Implementing Regulations
Appendix 2 – European Commission Implementing Acts

1 Background

1.1 Introduction

The EMV® 3-D Secure (EMV 3DS) protocol is a widely adopted security standard designed to enhance the security of online card payment transactions by authenticating cardholders during the payment process.
Used in all European Union (EU) Member States, it is supported by most payment card issuers and online merchants and used in the majority of online transactions in the EU.

This White Paper explores the requirements of the EMV 3DS protocol when integrating with an authentication method such as the European Digital Identity (EUDI) Wallet.

The EUDI Wallet is currently in an advanced stage of regulatory assessment and technological evaluation. With related regulations having been published (see Appendix 1), detailed implementing acts are being drafted (see Appendix 2), and EU Member States are preparing to roll out their EUDI Wallet applications. Large-scale pilot projects conducted by various consortiums across the EU, each focusing on different use case areas, provide crucial findings that will be used to finalise these implementing acts. The EU Digital Identity Wallet Consortium (EWC) is one of these pilot projects and has been used as a reference in the drafting of this White Paper.

These pilot projects are co-funded by the EU, with a strong focus on promoting interoperability and adoption of the EUDI Wallet. These pilot projects involve diverse consortiums, each focusing on different use case areas to evaluate the EUDI Wallet’s performance and gather valuable feedback. This feedback is then provided to the European Commission, which uses it to refine and finalise the implementing acts. The goal is to ensure that the EUDI Wallet is robust, secure, and usable across all EU Member States in numerous use cases. It is worth noting that the payment authentication use case described in this document is one of many possible use cases for the EUDI Wallet.

By the end of 2027, EU Member States are expected to roll out their EUDI Wallet applications to their citizens. This collaborative approach, involving multiple stakeholders and extensive testing, aims to create a seamless and secure digital identity solution that can be widely adopted across the EU.

Relying parties will have to support Strong Customer Authentication (SCA) via the wallet. As per Article 5f(2) of eIDAS 2.0, “Where private relying parties … (financial services) are required by … law to use strong user authentication for online identification … those private relying parties shall … only upon the voluntary request of the user, also accept European Digital Identity Wallets that are provided in accordance with this Regulation”.

1.2 Audience

This White Paper is addressed to stakeholders involved in the writing of the requirements and implementations of EUDI Wallets in Member States, including payment service providers, financial institutions, online merchants, technology developers, and regulatory bodies. Their involvement is essential for the seamless integration and adoption of the EMV 3DS protocol with the EUDI Wallet.

This document aims to address the specific needs of these stakeholders, facilitating their understanding of how the EUDI Wallet can be used together with the EMV 3DS protocol. Stakeholders are encouraged to engage in discussions and collaborations to ensure that EUDI Wallet implementations can be used to authenticate cardholders in EMV 3DS transactions, and to prevent potential clashes between the two technologies.

1.3 Planned Publication Schedule

At the time of publication of this document (April 2025), the technical details of EUDI Wallet implementations are evolving: the implementing acts are being finalised, EU Member States are still planning their wallet implementations, and private sector development has started only in a few EU Member States.
A second round of large-scale pilot projects will begin later in 2025. The learnings from those pilot projects will further define how the EUDI Wallet will be used to authenticate online card payments.

The current version of the White Paper provides an overview of the two technologies and explains at a high level how they can be used together. The focus is on providing an overview of the technologies, 3DS data element usage, and describing the EMV 3DS requirements for browser-based and app-based channels. The EWC pilot and its findings have served as a technical reference in the drafting of the first version of this White Paper. However, it is acknowledged that there may be other ways in which the two technologies could work together.

An updated version of this White Paper will be published once technical details have matured and certain technical details have been clarified through legislation and large-scale pilot projects. That second version will provide more technical details on data payload and validation, as well as offer tangible examples to support the development of EUDI Wallet authentication flows on EMV 3DS.

See Chapter 5 for areas that may require further clarifications of the technologies.

1.4 Definitions and Conventions

This document uses certain EMV 3DS-specific technical terms (such as Browser, iframe and Universal App Link). For the full definition of those terms, please refer to Table 1.3 in the EMV 3-D Secure Protocol and Core Functions specification available on the EMVCo website.

Grey-shaded text is used to provide additional information or clarification on areas that pertain to EMV 3DS but are outside the scope of the EMV 3DS specification.

Example: The issuer uses the data in 3DS Requestor Authentication Information, together with the related card record on the Access Control Server (ACS), to determine that the transaction payload originates from the cardholder’s EUDI Wallet.

2 Overview of the Technologies

2.1 EMV® 3DS

The EMV 3DS protocol is designed to authenticate cardholders during online card payment transactions, enhancing security and reducing fraud. It involves various flows, including browser-based and app-based, to ensure a seamless and secure user authentication. EMV 3DS is widely adopted in the online commerce ecosystem as the de facto way to authenticate cardholders in online commerce transactions.

In essence, the EMV 3DS technology connects the three domains in a card payment ecosystem: the issuer, acquirer, and interoperability domains. The technology has been developed in the past 10 years by EMVCo, in close collaboration with its members and associates.

Interoperability between EMV 3DS and the EUDI Wallet is a prerequisite for deploying this existing authentication method to fulfil the eIDAS SCA obligation.

EMV 3DS is comprehensively defined in the EMV 3DS specifications, which can be found on the EMVCo website.

2.2 EUDI Wallet

The EUDI Wallet is a digital wallet solution based on the Electronic Identification and Trust Services (eIDAS) Regulation that allows users to securely store and manage their digital identities and credentials. There are various EUDI Wallet use cases, including payment authentication in EMV 3DS transactions. The EUDI Wallet implementations are based on the European Commission implementing acts, which provide the regulatory framework and guidelines for its development and deployment.

Currently, several large-scale pilot projects are ongoing in the EU.
These pilots are essential for testing the various implementations of the EUDI Wallet, ensuring that they meet the required standards and function effectively in real-world scenarios.

EUDI Wallet implementations rely on numerous widely used technical standards to ensure interoperability between different components. For authentication data, the EUDI Wallets rely on the following technologies:

• ISO/IEC 18013-5:2021: for the format of person identification data
• ISO/IEC 18013-7:2024: for the presentation of person identification data
• W3C Verifiable Credentials Data Model 1.1: for the format of person identification data
• Selective Disclosure for JWTs (JSON Web Tokens; SD-JWT).

Further information about the EUDI Wallet can be found on the European Commission website. The eIDAS Expert Group maintains the EUDI Wallet Architecture and Reference Framework, an open-source toolbox for the purpose of harmonising the technical standards, guidelines and best practices related to the EUDI Wallet.

These steps take place before the EMV 3DS transaction, and are out of scope of the EMV 3DS specifications

3 Use of the EUDI Wallet in EMV 3DS Authentication Transactions

The two authentication flows have been implemented in a large-scale EWC pilot. These use cases may be implemented by EUDI Wallet providers and relying parties:

• Merchant-captured authentication
• Issuer-captured authentication

A prerequisite for both authentication flows is that the user has registered the EUDI Wallet with their card issuer.
This enables the cardholder to use the EUDI Wallet Instance to authenticate online purchase transactions with that card issuer.

3.1 Merchant-Captured Authentication

In a merchant-captured authentication, the merchant initiates the authentication process by interacting with the EUDI Wallet. This approach ensures that the authentication is seamless and integrated within the merchant’s application. While the merchant orchestrates the authentication, the card issuer is the relying party. An EMV 3DS transaction is used to carry the authentication to the correct card issuer for validation.

At a high level, the transaction follows these steps:

• The merchant initiates the authentication using the EUDI Wallet. The EUDI Wallet Instance is invoked through a Universal App Link, or if the purchase happens on a different device – through a QR code presented to the cardholder to scan.
• The cardholder is presented the transaction details and asked to approve the transaction.
• After successful completion of the authentication step, the EUDI Wallet Instance provides authentication data (payment wallet attestation, wallet unit attestation, and cryptographic proof of dynamic linking) to the merchant.

AUTHENTICATION DATA DETAILS AS DEFINED BY THE EUDI WALLET

• The merchant (3DS Requestor for EMV 3DS purposes) passes the needed transaction data to the 3DS Server, along with the authentication data received from the EUDI Wallet.
• In an authentication request (AReq), the 3DS Server uses data elements in the 3DS Requestor Authentication Information structure to pass the needed information:
  o 3DS Requestor Authentication Data to carry the authentication data
    ▪ Note that this data element has a size limit of 20 000 characters in EMV 3DS v2.2.0 and 50 000 characters in EMV 3DS v2.3.1.1
  o 3DS Requestor Authentication Method to carry the information about the authentication method. The value for this data element is selected based on the authentication credential that the cardholder uses to authenticate.
    ▪ EMV 3DS v2.2.0: 04 = Login to the cardholder account at the 3DS Requestor system using issuer credentials.
    ▪ EMV 3DS v2.3.1.1: 10 = Electronic ID Authentication Data. This value has been added to EMV 3DS v2.3.1.1 and may be used when a national ID is used to authenticate.

  The issuer uses the data in 3DS Requestor Authentication Information, together with the related card record on the Access Control Server (ACS), to determine that the transaction payload originates from the cardholder’s EUDI Wallet.

• The issuer validates the transaction details and the authentication data received.
• The ACS responds with an ARes message, content and transaction status depending on the validation of the transaction data.

From the EMV 3DS specification and transaction viewpoint, a successfully completed merchant-captured EUDI Wallet transaction is a frictionless transaction, as no additional challenge is needed. However, the issuer may choose to challenge the transaction, depending on transaction and issuer needs, leading to a Challenge transaction as defined in the EMV 3DS specification.

3.2 Issuer-Captured Authentication

In an issuer-captured authentication, also known as out-of-band (OOB) authentication for EMV 3DS purposes, the issuer initiates the challenge process based on the authentication request. The EUDI Wallet interacts with the issuer’s ACS to verify the cardholder’s identity, ensuring a secure transaction.
From an EMV 3DS viewpoint, the issuer-captured authentication flow is similar to the OOB Challenge Flow. The Issuer’s ACS connects to the OOB authentication service, which handles the actual authentication process.

At a high level, the transaction follows these steps:

• The consumer purchases goods on an e-commerce website and completes checkout.
• The merchant (3DS Requestor for EMV 3DS purposes) passes the needed transaction data to the 3DS Server, which formats an authentication request message (AReq) delivered via the payment network’s Directory Server (DS), to the correct issuer ACS.
• Depending on the transaction data, issuer preferences and local regulations, the issuer may choose to challenge the transaction. In the challenge phase, the issuer prompts the cardholder to be authenticated with the authentication method that the issuer has previously connected with the cardholder.
• The issuer responds to the authentication request, indicating that the merchant should direct the cardholder to the issuer ACS for cardholder authentication.

  In a browser-based transaction, this occurs in an iframe on the merchant site. The card issuer has access only to the iframe that the merchant has opened.

  It is worth noting an issue that may arise when the EUDI Wallet Instance is called through a Universal App Link on the same mobile device. The EMV 3DS specification defines sandbox attributes that are required / not allowed when an iframe is opened. Calling a Universal App Link from an iframe may cause a call to a Universal App Link to be blocked because of the “allow-popups” attribute. Hence, an EUDI Wallet Instance may not be invoked.

  In an app-based transaction, the merchant application has an embedded 3DS SDK, which handles the communication between the cardholder and the issuer’s ACS.

• The cardholder is prompted to authenticate using the EUDI Wallet, which they have registered with the issuer.

  Note that in the EUDI Wallet ecosystem, there is no backend component that the ACS can call to invoke the authentication on the cardholder’s EUDI Wallet Instance. Compared to other OOB authentication methods, this may have an impact on how the ACS maintains the state of authentication or expects results of the authentication step. Based on the EUDI Wallet Architecture and Reference Framework, a wallet instance is invoked by a Universal App Link when on the same device, or the user capturing a QR code when on different devices.

  In a browser-based transaction, the ACS uses a QR code (when the EUDI Wallet is on a different device) or a Universal App Link (when the EUDI Wallet is on the same device) to initiate the EUDI Wallet Instance. The cardholder scans the QR code or clicks the button displayed, which invokes the EUDI Wallet on their device. Through the information embedded in the QR code/Universal App Link, the EUDI Wallet Instance is able to present the correct transaction details which the cardholder is approving and authenticating to.

  In an app-based transaction, the merchant application has an embedded 3DS SDK, which handles the communication between the cardholder and the issuer’s ACS. To invoke the EUDI Wallet Instance on the same device, the 3DS SDK displays a button that calls a Universal App Link of the EUDI Wallet Instance.
  The Universal App Link has needed information embedded in it for the EUDI Wallet Instance to present the correct transaction details which the cardholder is approving and authenticating to. For this, EMV 3DS data elements OOB App URL and OOB App Label are used.

• After a completed authentication on the EUDI Wallet Instance, the EUDI Wallet Instance communicates the outcome of the transaction to the ACS.

  Note that in the EUDI Wallet ecosystem, there is no backend component that calls the ACS after a completed authentication to fetch the outcome of the authentication. Instead, it is the EUDI Wallet Instance that calls the ACS with authentication data.

• The cardholder returns to the merchant after a completed authentication.

  From an EMV 3DS viewpoint, the outcome of the challenge (Transaction Status, Electronic Commerce Indicator, Authentication Value, etc.) has been communicated through the DS to the 3DS Server in a Results Request (RReq) message.

  In a browser-based transaction, this occurs automatically, as the ACS directs the iframe back to the merchant’s Notification URL. The merchant processes the transaction based on the Transaction Status.

  In an app-based transaction, the EUDI Wallet calls the 3DS Requestor App URL to switch the transaction back to the merchant application. The 3DS SDK and the merchant application process the transaction based on the Transaction Status.

4 EMV 3DS Requirements and Functionality That Have an Impact on the EUDI Wallet

This chapter describes the requirements and possible limitations of the EMV 3DS specification, which may have an impact on how EUDI Wallet systems are designed or how the EUDI Wallet is used as an SCA method in an EMV 3DS transaction. Different requirements of the EMV 3DS specification may need to be considered depending on the transaction step in which the EUDI Wallet is used for authentication. The EUDI Wallet as such complies with EMV 3DS, but some of the technical requirements of the two technologies may overlap.

4.1 Merchant-Captured Authentication

In the merchant-captured authentication flow, the key aspect from an EMV 3DS specification perspective is the authentication data transmitted from the merchant through the EMV 3DS AReq message to the issuer for validation.

From an EMV 3DS specification standpoint, in a merchant-captured authentication flow, the focus is on data element usage in an AReq. The authentication step itself takes place before the EMV 3DS transaction and is out of scope for EMV 3DS.

4.1.1 Limitations and Use of Data in an EMV 3DS Authentication Request (AReq)

• Authentication data is passed in the 3DS Requestor Authentication Data data element to carry the authentication data:
  o Size limit of 20 000 characters in EMV 3DS v2.2.0
  o Size limit of 50 000 characters in EMV 3DS v2.3.1.1

  The content and format of the authentication data are defined by the EUDI Wallet. The EMV 3DS specification defines the 3DS Requestor Authentication Data data element that carries the authentication data payload.

• The authentication method is indicated in the 3DS Requestor Authentication Method data element:
  o EMV 3DS v2.2.0: 04 = Login to the cardholder account at the 3DS Requestor system using issuer credentials
  o EMV 3DS v2.3.1.1: 10 = Electronic ID Authentication Data should be used

4.1.2 Issuer ACS Validation of a Merchant-Captured EUDI Wallet Transaction

The issuer ACS receives the AReq message and processes that as defined in the EMV 3DS specification (Step 7 for app-based transactions, Step 8 for browser-based transactions) and, as part of performing that step, evaluates the Authentication Data received in the AReq message.

Depending on the verification of the Authentication Data and the consistency of the Authentication Data with the data from the AReq message, the ACS determines the disposition of the transaction, as defined in Req 107, for example, authenticated [Transaction Status = Y], or to be further challenged [Transaction Status = C].

4.2 Issuer-Captured Authentication

In an issuer-captured authentication, the key aspect from an EMV 3DS specification perspective is the interaction between the issuer ACS, the merchant website/merchant application, the 3DS SDK, and the EUDI Wallet.

From an EMV 3DS specification standpoint, the issuer-captured authentication flow follows the EMV 3DS OOB authentication flow. The same requirements apply to all OOB authentication systems.
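
The size limits and method values from Section 4.1.1, applied on both sides of a merchant-captured AReq; this is an added example, not code from EMVCo or the White Paper. The JSON field names (messageVersion, threeDSRequestorAuthenticationInfo, threeDSReqAuthMethod, threeDSReqAuthData) are assumptions taken from the EMV 3DS message format and do not appear in this document, and the wallet payload is a constructed placeholder because its format is defined by the EUDI Wallet.

```python
"""Added example: carrying EUDI Wallet authentication data in an AReq."""

# Size limit of 3DS Requestor Authentication Data, in characters (Section 4.1.1).
AUTH_DATA_LIMIT = {"2.2.0": 20_000, "2.3.1.1": 50_000}
# 3DS Requestor Authentication Method value named for wallet data per version.
WALLET_AUTH_METHOD = {"2.2.0": "04", "2.3.1.1": "10"}
# Newest first: the larger limit and the dedicated method win when available.
VERSION_PREFERENCE = ("2.3.1.1", "2.2.0")


class AuthInfoError(ValueError):
    """The wallet data cannot be carried in the requested message version."""


def select_version(supported_versions, wallet_auth_data):
    """Return the preferred version able to carry the payload, or None."""
    for version in VERSION_PREFERENCE:
        fits = len(wallet_auth_data) <= AUTH_DATA_LIMIT[version]
        if version in supported_versions and fits:
            return version
    return None


def build_auth_info(message_version, wallet_auth_data):
    """3DS Server side: build the 3DS Requestor Authentication Information."""
    if message_version not in AUTH_DATA_LIMIT:
        raise AuthInfoError(f"no limit known for version {message_version!r}")
    if not wallet_auth_data:
        raise AuthInfoError("wallet returned no authentication data")
    limit = AUTH_DATA_LIMIT[message_version]
    if len(wallet_auth_data) > limit:
        # Reject instead of truncating: a cut-off payload no longer matches
        # what the wallet produced, so the issuer could not validate it.
        raise AuthInfoError(
            f"{len(wallet_auth_data)} characters exceeds the {limit} "
            f"allowed in v{message_version}"
        )
    return {
        "threeDSReqAuthMethod": WALLET_AUTH_METHOD[message_version],
        "threeDSReqAuthData": wallet_auth_data,
    }


def check_areq(areq):
    """ACS side: structural checks made before the wallet data is verified.

    Returns a list of findings; an empty list means the element is well-formed.
    """
    version = areq.get("messageVersion")
    if version not in AUTH_DATA_LIMIT:
        return [f"unsupported messageVersion {version!r}"]
    info = areq.get("threeDSRequestorAuthenticationInfo") or {}
    method = info.get("threeDSReqAuthMethod")
    data = info.get("threeDSReqAuthData") or ""
    findings = []
    if not data:
        findings.append("authentication data missing")
    elif len(data) > AUTH_DATA_LIMIT[version]:
        findings.append(f"authentication data longer than v{version} allows")
    if method == "10" and version == "2.2.0":
        findings.append("method 10 was added in v2.3.1.1, not valid in v2.2.0")
    elif method != WALLET_AUTH_METHOD[version]:
        expected = WALLET_AUTH_METHOD[version]
        findings.append(f"expected method {expected} for wallet data")
    return findings


if __name__ == "__main__":
    payload = "A" * 30_000  # constructed stand-in for the wallet's output
    version = select_version({"2.2.0", "2.3.1.1"}, payload)
    areq = {
        "messageVersion": version,
        "threeDSRequestorAuthenticationInfo": build_auth_info(version, payload),
    }
    print(version, check_areq(areq))
```
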
4.2.1 Browser-Based Flows

Browser-based flows involve the cardholder challenge occurring within an iframe on the merchant’s website. This method ensures that the user remains on the merchant’s site throughout the transaction.

Challenge window sizes in EMV 3DS:
• 01 = 250 x 400
• 02 = 390 x 400
• 03 = 500 x 600
• 04 = 600 x 400
• 05 = Full screen

For EUDI Wallet implementations, any challenge dialogue page presented to the cardholder must fit in the specified challenge window size. Furthermore, the merchant (3DS Requestor) opens the challenge window iframe without knowing what authentication method the cardholder will be using. Thus, the authentication dialogue page displayed by the ACS should be designed to fit all the specified challenge window sizes with a good user experience.

It is worth noting an issue that may arise when calling an EUDI Wallet through a Universal App Link on the same device. The sandbox parameters on the challenge iframe limit the functionality and content to which the iframe has access. A Universal App Link called from an iframe to invoke the EUDI Wallet Instance on the same device may be blocked. This depends on the sandbox attributes that the 3DS Requestor has applied on the iframe. Specifically, the “allow-popups” attribute blocks calls to applications or websites outside the iframe. This attribute is defined as “Not allowed” in the EMV 3DS v2.3.1.1 specification.

4.2.2 Support for App-Based Flows

App-based flows involve the authentication process occurring within a specific EMV 3DS SDK component on mobile devices, gaming consoles, and similar platforms. For app-based flows, no browser-dependent technologies can be used in the authentication step. This includes browser redirects, complex HTML pages, scripts and images (save for issuer and payment system logos).

Any authentication method backend component used in EMV 3DS app-based transactions needs to be called directly by the ACS or by the OOB authentication application (in this case, the EUDI Wallet).

The requirements for EMV 3DS app-based transactions can be found in Chapter 3.1 of the EMV 3DS specification.

4.2.3 App Switching Between EMV 3DS and Authentication Applications

In app-based EMV 3DS transactions, app switching allows for seamless transitions between the merchant application and the issuer’s OOB authentication application. This feature enhances the user experience by automating the switch between applications during the authentication process. Further information about EMV 3DS app-based transactions can be found in the EMV 3DS specifications and in the EMV 3DS White Paper.

The EMV 3DS SDK supports a mechanism to call an OOB authentication application (in this case, the EUDI Wallet) from the authentication dialogue page. Furthermore, after a completed authentication step, the OOB application (EUDI Wallet) may call the merchant application, if supported.

4.2.4 Further Considerations

The EUDI Wallet does not have a specified backend component that the ACS could call to initiate authentication, or to fetch the authentication result after the authentication. Instead, the ACS uses a QR code (when the EUDI Wallet is on a different device) or a Universal App Link (when on the same device) to initiate the EUDI Wallet Instance.
After a completed authentication, the EUDI Wallet Instance calls the relying party (in this case, the ACS) with authentication data.

5 Next Steps

This document is the first version of the EUDI Wallet White Paper. An updated version will be published in late 2025 or in 2026, as additional technical details become available.

The following areas have been identified as requiring further investigation. These areas are not necessarily defined by the EMV 3DS specification, and many of them need to be clarified jointly between the two technologies.

• Guidance for 3DS Servers and 3DS Requestors on the integration of EUDI Wallets into a purchase flow in a merchant-captured authentication
  o The selected authentication credentials should be recognised and usable by the card issuer associated with the payment method. Merchants might not have this information when selecting the payment method.
  o This is outside the scope of EMV 3DS, but may have an impact on the user experience.
• Details of the data provided by an EUDI Wallet authentication in a merchant-captured transaction
  o The data is carried to the ACS in the AReq data element 3DS Requestor Authentication Data. The data must indicate to the ACS that it originates from an EUDI Wallet.
  o While the 3DS Requestor Authentication Indicator data element does have the value 04 for Issuer credentials, and (in v2.3.1.1) the value 10 for National ID, more precise data might be useful for the ACS.
• Guidance for the ACS on the integration with EUDI Wallets in issuer-captured transactions
  o Issuer-captured authentication follows the OOB transactions defined in the EMV 3DS specification. However, some details of the integration and authentication flow may differ depending on EUDI Wallet requirements and implementations.
• Clarification for invoking an EUDI Wallet Instance from an iframe using a Universal App Link on the same mobile device.
  o The iframe sandbox attributes prevent calling a Universal App Link from inside the iframe.
  o The iframe sandbox attributes are defined in the EMV 3-D Secure v2.3.1.1 specification, and in the EMV 3-D Secure Browser Flow Best Practices document.

Appendix 1 – European Commission Implementing Regulations

The European Commission has published several implementing regulations to define the EUDI Wallet.

1. 2024/2977 – Person identification data and electronic attestations of attributes issued to European Digital Identity Wallets
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L_202402977
• Purpose: Establishes rules for the application of Regulation (EU) No 910/2014 regarding person identification data and electronic attestations of attributes for European Digital Identity Wallets.
• Key features
  o Person identification data: Specifies mandatory and optional data attributes for natural and legal persons.
  o Electronic attestations: Sets standards for issuing and validating electronic attestations of attributes.
  o Privacy and security: Emphasises data protection by design and default, ensuring privacy-enhancing features.
  o Interoperability: Ensures common functionalities and technical specifications for all wallet solutions across Member States.
• Implementation: Member States must ensure compliance with these rules and regularly update the regulation to align with technological advancements.

2. 2024/2979 – Integrity and core functionalities of European Digital Identity Wallets
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L_202402979
• Purpose: Establishes rules for the integrity and core functionalities of European Digital Identity Wallets.
• Key features
  o Integrity and security: Wallet units must authenticate users before performing any functions and ensure secure cryptographic operations.
  o Privacy: Emphasises data protection by design and default, including privacy-enhancing techniques.
  o Interoperability: Ensures wallets support cross-border use and common data formats.
  o User control: Users can revoke wallet unit attestations and export personal data securely.
  o Electronic signatures: Wallets must support qualified electronic signatures and seals.

3. 2024/2980 – Notifications to the Commission concerning the European Digital Identity Wallet ecosystem
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L_202402980
• Purpose: Establishes rules for Member States to notify the Commission about trusted entities within the European Digital Identity Wallet ecosystem.
• Key features
  o Notification system: A secure electronic system for Member States to submit information about wallet providers, person identification data providers, and wallet-relying parties.
  o Data requirements: Specifies the information that must be provided, including names, contact details, URLs, and certificates for verification.
  o Publication: The Commission will publish lists of notified entities and ensure they are accessible and secure.
  o Definitions: Clarifies terms such as wallet provider, wallet-relying party, and person identification data provider.
• Implementation: Member States must use the notification system and provide information in English.

4. 2024/2981 – Certification of European Digital Identity Wallets
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L_202402981
• Purpose: Establishes rules for the certification of European Digital Identity Wallets to ensure high security and trust.
• Key features
  o Certification requirements: Harmonises functional, cybersecurity, and data protection requirements across Member States.
  o Cybersecurity standards: Refers to European cybersecurity certification schemes and national schemes where applicable.
  o Evaluation activities: Specifies methods for evaluating wallet solutions, including vulnerability assessments and functional testing.
  o Risk management: Includes a risk register to identify and address security and privacy risks.
  o Maintenance and certification: Sets out requirements for ongoing evaluation and maintenance of certification schemes.

5. 2024/2982 – Protocols and interfaces to be supported by the European Digital Identity Framework
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L_202402982
• Purpose: Establishes rules for protocols and interfaces to support the European Digital Identity Wallets.
• Key features
  o Authentication and validation: Wallet units must authenticate and validate wallet-relying party access certificates and wallet unit attestations.
  o Data protection: Emphasises privacy-preserving techniques and data protection by design and default.
  o Interoperability: Ensures common technical specifications for wallet solutions across Member States.
  o User control: Allows users to request data erasure and report wallet-relying parties to supervisory authorities.
  o Standards compliance: Wallet solutions must comply with specific standards for issuance and presentation of person identification data and electronic attestations of attributes.

Appendix 2 – European Commission Implementing Acts

The European Commission released several implementing acts for public comment that further define the EUDI Wallet. The comment period ended on 2 January 2025.

1. Security breaches: Defines how security breaches must be handled, and when and how breached wallets should be suspended.
https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/14401-EuropeanDigital-Identity-Wallets-security-breaches_en

2. Electronic attestations of attributes: Provides the specifications needed to issue Qualified Electronic Attestations of Attributes (QEAA) and Electronic Attestations of Attributes (EAA), including how to achieve interoperability and details of revocation mechanisms.
https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/14402-Europeandigital-identity-framework-verification-of-electronic-attestation-of-attributes_en

3. Wallet lists: Sets out rules for Member States to submit information on certified wallet solutions for the machine-readable list of certified wallets to be published and maintained by the European Union.
https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/14403-EuropeanDigital-Identity-Wallets-list-of-certified-wallets_en

4. Identity matching – cross-border identity matching of natural persons by public sector bodies: Sets out necessary provisions for Member States to ensure correct identity matching in cross-border authentications.
https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/14400-EuropeanDigital-Identity-Framework-cross-border-identity-matching_en

5. Relying parties – The registration of relying parties and the common mechanism for allowing the identification and authentication of relying parties: Sets out rules for the registration of wallet-relying parties via national registers.
https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/14399-EuropeanDigital-Identity-Wallets-registration-of-relying-parties_en

© 2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found on the EMVCo website. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. CONFIDENTIAL