3D Secure

Cardholder authentication using 3D Secure

Learn about 3D Secure, an additional layer of authentication used to ensure a purchase is from a legitimate cardholder.

A growing number of online merchants worldwide use 3DS at checkout to match the identity of the shopper with the cardholder.

The additional 3D Secure step at checkout typically involves showing the cardholder an authentication page on their bank’s website, where they’re prompted to enter a verification code sent to their phone or email. This process is familiar to cardholders through the card networks’ brand names, such as Visa Secure and Mastercard Identity Check.

Example of a 3D Secure flow

A checkout page powered by Stripe. The item for purchase is a blue T-shirt for 2 euro. The payment information is all filled out. There is a blue checkout button saying Pay 2 euro.

Step 1: The customer enters their card details.

A white dialog pops up on the screen, displaying a loading animation. This happens after clicking on the blue checkout button, which now says Processing.

Step 2: The customer’s bank assesses the request and can complete 3D Secure at this step.

The dialog now has information. The header shows the Stripe logo, and Verified by Visa logo. There is a timer with 4 minutes 31 seconds remaining. Below that is text stating, Open your Stripe app to verify your payment. Your payment of 2 euro to ShirtShop. Last, there is clickable text to Cancel Payment. The footer shows: 3D-Secure (3DS) helps prevent fraud when using payment cards online. Learn more.

Step 3: If required by their bank, the customer completes an additional authentication step.

When is 3D Secure applied

Stripe (with whom your platform partners for secure payments) triggers 3DS automatically if required by a regulatory mandate such as Strong Customer Authentication.

The Strong Customer Authentication regulation in Europe requires the use of 3D Secure for card payments. 3D Secure is optional in other regions but can still be used as a tool to reduce fraud.

If you're unsure if 3DS if enabled for your account, please reach out to your platform.

Disputed payments and Liability shift

Payments that have been successfully authenticated using 3D Secure are covered by a liability shift. Should a 3D Secure payment be disputed as fraudulent by the cardholder, the liability shifts from you to the card issuer. These types of disputes are handled internally, don’t appear for you, and don’t result in funds being withdrawn from your account.

Note: If a customer disputes a payment for any other reason (for example, product not received), then the standard dispute process applies. As such, you should make the appropriate decisions regarding your business and how you manage disputes if they occur, and how to avoid them completely.

Liability shift might also occur when the card network requires 3DS, but it isn’t available for the card or issuer. This can happen if the issuer’s 3DS server is down or if the issuer doesn’t support it, despite the card network requiring support. During the payment process, the cardholder isn’t prompted to complete 3DS authentication, because the card isn’t enrolled. Although the cardholder didn’t complete 3DS authentication, liability still shifts to the issuer.

Sometimes payments that are successfully authenticated using 3DS don’t experience a liability shift. This is rare and can happen, for example, if you have an excessive level of fraud on your account and are enrolled in a fraud monitoring program. There are also some industries that certain networks have exempted from liability shift—for example Visa doesn’t support liability shift with businesses engaging in wire transfer or money orders, non-financial institutions offering foreign or non-fiat currency, or stored-value card purchase or load.

Although cardholders can’t dispute payments that have been successfully authenticated using 3DS as fraudulent with an upfront financial chargeback, issuers might initiate a dispute inquiry. This type of dispute is non-financial, and is basically a request for information.Responding to inquiries is important for any charge, but is vital when it involves a 3D-Secure-authenticated charge. Although the cardholder’s bank isn’t allowed to file an upfront financial chargeback for fraud, they can initiate a financial chargeback if the merchant doesn’t respond to the inquiry, known as a no-reply chargeback. To prevent no-reply chargebacks on 3DS charges, be sure to submit sufficient information about the charge. Include information about what was ordered, how it was delivered, and whom it was delivered to (whether it was physical or electronic goods, or services).