3D Secure 2 device information

When authenticating a card payment with 3D Secure 2 (3DS2), Stripe collects certain information about the customer’s device via Stripe.js and the iOS and Android SDKs. This information is shared with the card network and issuing bank — as required by the 3DS2 protocol — to help them recognize repeat payments from the same device and assess the transaction’s overall risk.

While the 3DS2 protocol requests over 150 data elements, Stripe protects user privacy by collecting only a handful of elements: core IDs and environment information that we believe are sufficient for the issuing bank’s risk analysis.

What information is collected?

On the web, Stripe.js collects the following information from the browser:

As part of a fingerprinting step introduced in 3DS2, Stripe.js may open a hidden iframe to the issuing bank, allowing the bank to run its own proprietary fingerprinting scripts. (We’re aware this approach to fingerprinting will become ineffective as browsers implement double-keyed storage; we’re working with the W3C and the card networks to develop a privacy-preserving alternative.)

For in-app payments, the iOS and Android SDKs collect the following information:

In addition, the 3D Secure 2 specification references a number of data elements that the iOS and Android SDKs do not collect.

The iOS and Android SDKs encrypt device information using a key held by the card network. Stripe’s servers do not have access to these data.

Note: the iOS and Android SDKs perform basic checks to detect rooted devices, per PCI 3DS requirements. Only a boolean value representing whether the check succeeded or failed is transmitted to the server. Also per PCI 3DS requirements, the components of the Android SDK involved in 3DS2 are obfuscated with ProGuard.

When is 3D Secure device information collected?

3D Secure device information is collected after confirming the PaymentIntent or SetupIntent (i.e. when you call confirmCardPayment or equivalent). This typically occurs once the customer clicks the “Pay” button on the payment page.

Collecting device information is a required part of the 3D Secure 2 protocol and is only triggered during the payment process. It is not affected by the advancedFraudSignals parameter.

If you have feedback on the device information collected by Stripe.js and the iOS and Android SDKs, reach out to support@stripe.com.