**Background.** 3-D Secure 2.0 (3DS 2.0) is an identity federation protocol authenticating the payment initiator for credit card transactions on the Web.
**Aim.** We aim to quantify the impact of factors used by 3DS 2.0 in its fraud-detection decision making process.
**Method.** We ran credit card transactions with two Web sites systematically manipulating the nominal IVs **machine_data**, **value**, **region**, and **website**.
We measured whether the user was **challenged** with an authentication, whether the transaction was **declined**, and whether the card was **blocked** as nominal DVs.
**Results.** While **website** and **card** largely did not show a significant impact on any outcome, **machine_data**, **value** and **region** did.
A change in **machine_data**, **region** or **value** made it
5-7 times as likely to be challenged with password authentication. However, even in a foreign region with another factor being changed, the overall likelihood of being challenged only reached 60%.
When in the card's home region, a transaction will be rarely declined (< 5% in control, 40% with one factor changed).
However, in a region foreign to the card the system will more likely decline transactions anyway (about 60%) and any change in **machine_data** or **value** will lead to a near-certain declined transaction.
The **region** was the only significant predictor for a card being blocked (OR=3).
**Conclusions.** We found that the decisions to challenge the user with a password authentication, to decline a transaction and to block a card are governed by different
weightings. 3DS 2.0 is most likely to decline transactions, especially in a foreign region. It is less likely to challenge users with password authentication, even if **machine_data** or **value** are changed.
**Acknowledgement.**
This work was supported by the ERC Starting Grant Confidentiality-Preserving Security Assurance (CASCAde, GA no 716980).
