When authenticating a card payment with 3D Secure 2 (3DS2), Stripe collects certain information about the customer’s device via Stripe.js and the iOS and Android SDKs. This information is shared with the card network and issuing bank — as required by the 3DS2 protocol — to help them recognize repeat payments from the same device and assess the transaction’s overall risk.
While the 3DS2 protocol requests over 150 data elements, Stripe protects user privacy by only collecting a handful of elements: core IDs and environment information that we believe are sufficient for the issuing bank’s risk analysis.
On the web, Stripe.js collects the following information from the browser:
System time zone
Screen dimensions and color depth
As part of a fingerprinting step introduced in 3DS2, Stripe.js may open a hidden iframe to the issuing bank, allowing the bank to run their own proprietary fingerprinting scripts. (We’re aware this approach to fingerprinting will become ineffective as browsers implement double-keyed storage; we’re working with the W3C and the card networks to develop a privacy-preserving alternative.)
For in-app payments, the iOS and Android SDKs collect the following information:
System language, country and time zone
In addition, the 3D Secure 2 specification references a number of data elements which the iOS and Android SDKs do not collect.
To ensure your app complies with App Store and Play Store policies, the iOS and Android SDKs do not collect the Advertising ID.
The iOS and Android SDKs do not collect location data.
The iOS and Android SDKs do not collect hardware identifiers (IMEI, MAC address) or user preferences (vibrate mode setting, list of installed apps) except as described above. Access to these categories of information is being phased out by platform providers, and we don’t believe the data significantly improve risk decisioning.
The iOS and Android SDKs encrypt device information using a key held by the card network. Stripe’s servers do not have access to these data.
Note: the iOS and Android SDKs perform basic checks to detect rooted devices, per PCI 3DS requirements. Only a boolean value representing whether the check succeeded or failed is transmitted to the server. Also per PCI 3DS requirements, the components of the Android SDK involved in 3DS2 are obfuscated with ProGuard.
3D Secure device information is collected after confirming the PaymentIntent or SetupIntent (i.e. when you call confirmCardPayment or equivalent). This typically occurs once the customer clicks the “Pay” button on the payment page.
Collecting device information is a required part of the 3D Secure 2 protocol and is only triggered during the payment process. It is not affected by the advancedFraudSignals parameter.
If you have feedback on the device information collected by Stripe.js and the iOS and Android SDKs, please reach out to Stripe Support.