Charges that succeed on the fallback attempt but have not completed 3DS are not covered by liability shift. One exception is that a fallback charge with an attempt_acknowledged status on payment_method_details.card.three_d_secure.result will fall under liability shift.
If you would like to prevent payments that are not covered by liability shift from succeeding, this can be done if you are using Radar for Fraud Teams. Some good recommendations include:
Request 3DS with all charges through the API and check for a 3D Secure source. 3DS can be requested on a charge by setting request_three_d_secure: any when creating payments through the API. Once this is done, you can use this Radar rule:
Block if not :is_3d_secure: and not :is_off_session:
This will allow recurring subscription charges (which request exemptions) to still succeed, and check that any on-session charges are authenticated. If you accept Apple Pay or Google Pay, you'll need to slightly modify the rule to this:
Block if not :is_3d_secure: and not :is_off_session: and :digital_wallet: != 'apple_pay' and not (:digital_wallet: = 'android_pay' and :has_cryptogram:)
This is required because we never allow 3DS on Apple Pay cards (Apple Pay only supports liability shift in Europe), and for Google Pay cards we do not allow 3DS if we were also sent the cryptogram during tokenization (that's why we check :has_cryptogram:).
Request 3DS with Radar and check for a 3D Secure source. Instead of requesting 3DS when creating payments through the API, you can request 3DS using Radar. You could pick a custom metadata attribute to set on all charges that require 3DS (for example, foo: bar). Once that is done, the following Radar rule will check for that metadata and request 3DS:
Request 3D Secure if ::foo:: = 'bar'
Next, you can add a Radar rule that checks whether 3DS was run for payments that match the same request 3DS condition used earlier:
Block if ::foo:: = 'bar' and not :is_3d_secure:
Keep in mind, if you process Apple Pay or Google Pay payments, the Radar rule would need to look something like:
Block if ::foo:: = 'bar' and not :is_3d_secure: and :digital_wallet: != 'apple_pay' and not (:digital_wallet: = 'android_pay' and :has_cryptogram:)
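The following added example (not Stripe's code and not the Radar engine) models the two Block rules from the first recommendation as plain Python predicates, to show which charges the wallet-aware rule stops and which ones only the simpler rule would have stopped. The Charge class, the sample charges and the function names are constructed for illustration, and a charge with no wallet is assumed to satisfy :digital_wallet: != 'apple_pay'.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Charge:
    """Constructed stand-in for the Radar attributes the rules reference."""
    name: str
    is_3d_secure: bool
    is_off_session: bool
    digital_wallet: Optional[str] = None  # 'apple_pay', 'android_pay' or None
    has_cryptogram: bool = False


def basic_rule_blocks(c: Charge) -> bool:
    # Block if not :is_3d_secure: and not :is_off_session:
    return not c.is_3d_secure and not c.is_off_session


def wallet_rule_blocks(c: Charge) -> bool:
    # Block if not :is_3d_secure: and not :is_off_session:
    #   and :digital_wallet: != 'apple_pay'
    #   and not (:digital_wallet: = 'android_pay' and :has_cryptogram:)
    return (basic_rule_blocks(c)
            and c.digital_wallet != "apple_pay"
            and not (c.digital_wallet == "android_pay" and c.has_cryptogram))


# Constructed sample charges, one per case the article discusses.
SAMPLES = [
    Charge("card_3ds_completed", True, False),
    Charge("card_fallback_no_3ds", False, False),
    Charge("subscription_renewal", False, True),
    Charge("apple_pay", False, False, "apple_pay"),
    Charge("google_pay_cryptogram", False, False, "android_pay", True),
    Charge("google_pay_no_cryptogram", False, False, "android_pay", False),
]


def compare(charges):
    """Return (names blocked by the wallet-aware rule,
    names blocked only by the basic rule)."""
    blocked = [c.name for c in charges if wallet_rule_blocks(c)]
    only_basic = [c.name for c in charges
                  if basic_rule_blocks(c) and not wallet_rule_blocks(c)]
    return blocked, only_basic


if __name__ == "__main__":
    blocked, only_basic = compare(SAMPLES)
    print("blocked by wallet-aware rule:", blocked)
    print("blocked only by basic rule:  ", only_basic)
```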