Skip to content
Sign in
An image of the Stripe logo
/
Create account
Sign in

Cardholder authentication using 3D Secure

Learn about 3D Secure, an additional layer of authentication used by merchants to ensure a purchase is from a legitimate cardholder.

A growing number of online merchants worldwide use 3DS at checkout to match the identity of the shopper with the cardholder.

The additional 3D Secure step at checkout typically involves showing the cardholder an authentication page on their bank’s website, where they’re prompted to enter a verification code sent to their phone or email. This process is familiar to cardholders through the card networks’ brand names, such as Visa Secure and Mastercard Identity Check.

Note

If you are a US user, cards created will not automatically be enrolled in 3DS. Please reach out to support to enroll in 3DS.

Example of a 3D Secure flow

A checkout page powered by Stripe. The item for purchase is a blue T-shirt for 2 euro. The payment information is all filled out. There is a blue checkout button saying Pay 2 euro.

Step 1: The customer enters their card details.

A white dialog pops up on the screen, displaying a loading animation. This happens after clicking on the blue checkout button, which now says Processing.

Step 2: The customer’s bank assesses the request and can complete 3D Secure at this step.

The dialog now has information. The header shows the Stripe logo, and Verified by Visa logo. There is a timer with 4 minutes 31 seconds remaining. Below that is text stating, Open your Stripe app to verify your payment. Your payment of 2 euro to ShirtShop. Last, there is clickable text to Cancel Payment. The footer shows: 3D-Secure (3DS) helps prevent fraud when using payment cards online. Learn more.

Step 3: If required by their bank, the customer completes an additional authentication step.

When is 3D Secure applied

The Strong Customer Authentication regulation in Europe requires the use of 3D Secure for card payments. 3D Secure is optional in other regions but can still be used as a tool to reduce fraud.

3DS is only used for online transactions, and only if the merchant supports it. When a 3DS authentication request comes through for your cardholder, Stripe sends them either a text message or an email containing a one-time verification code.

The method of authentication depends on the contact information provided for the cardholder. For EU and UK, cardholders must have a phone number on file to authenticate with a one-time text message verification code. For other regions, if cardholders provide both an email and phone number, they can generally pick which method to use at the time of the transaction. Otherwise, the authentication request defaults to using whichever contact info is available.

To enable us to best secure you and your cardholders, we recommend keeping up-to-date phone numbers and email addresses for cardholders. This enables us to contact them during authentication. You can update your cardholders information by changing the field to its new value through the API or dashboard.

Cardholders without a phone number or email on file won’t be enrolled in 3DS. You can come back and add contact information to Cardholder objects later, and we’ll auto-enroll them for you. Likewise, if you remove the contact info from your cardholder, we’ll un-enroll them from 3DS.

Note

To comply with the Strong Customer Authentication regulations, any cardholders who create EU or UK cards must have a phone_number on file.

Cardholders may also see an additional security question. The cardholder is presented with a list of transactions on the card, from which the cardholder selects the transaction they recognize. If the cardholder is using the card for the first time, they should select the option indicating they don’t recognize any of the presented transactions.

A dialog showing a sample security question with choices of payment history. The header has a Your Bank placeholder logo and Card Network placeholder logo. The security question says, From the following list please identify a recent payment you have made using this card. There are 5 options with payment information of whether or not the payment was online, the purchase amount, and the merchant name. The last option says None of the above. There is a blurple button at the bottom that says Verify.

The list of transactions the cardholder is presented with.

How is the 3D Secure language chosen?

The display language of the 3D Secure flow is determined by the preferred_locales field of the Cardholder object. If this field is not set, the 3D Secure language defaults to English.

Liability shift

When a payment is authenticated with 3DS and the cardholder later disputes it as fraud, the issuer might be liable for losses. This is called a liability shift. If the cardholder disputes the payments for any other reason (for example, other) then the standard dispute process applies.

If the merchant is enrolled in 3DS but you, or your cardholder, aren’t enrolled, that liability shift also applies. To prevent this from happening, enroll in 3DS and reject authorizations that weren’t properly authenticated. By rejecting these authorization attempts, the purchases won’t go through, so your cardholders won’t need to file fraud disputes on them in the future.

How to prevent fraud and reduce losses

On the Authorization, the three_d_secure hash on the verification_data hash will help you determine if an authorization was successfully authenticated.

The following table serves as a guide to help you determine what action to take on an incoming authorization.

ResultMeaningSuggested action
attempt_acknowledgedThe merchant attempted to authenticate the authorization, but the cardholder is not enrolled or was unable to reach Stripe.There is insufficient evidence to determine if the authorization is fraudulent or not.
authenticatedThe shopper was successfully verified as the cardholder as they entered the correct verification code sent to their phone. The online purchase was legitimate and not fraudulent.Approve the transaction.
failedThe cardholder wasn’t authenticated as the shopper which could mean the cardholder is not the actor making the purchase.Decline the transaction.
requiredThe authorization was declined because regulatory requirements mandated an authentication for this transaction but it wasn’t submitted correctly by the merchant, and they didn’t claim an applicable exemption.Decline the transaction.

Note

If the card is enrolled in 3DS, when verification_data.three_d_secure isn’t present, 3D Secure wasn’t attempted by the merchant on an authorization.

However, if the card isn’t enrolled in 3DS and the merchant attempts 3D Secure, the payment can be declined, and verification_data.three_d_secure won’t be present. Please reach out to support to enroll in 3DS.

Was this page helpful?
Need help? Contact Support.
Watch our developer tutorials.
Check out our product changelog.
Questions? Contact Sales.
Powered by Markdoc
On this page
Example of a 3D Secure flow
When is 3D Secure applied
How is the 3D Secure language chosen?
Liability shift
How to prevent fraud and reduce losses
Products Used
Issuing
Stripe Shell
Test mode

Welcome to the Stripe Shell!

Stripe Shell is a browser-based shell with the Stripe CLI pre-installed. Log in to your
Stripe account and press Control + Backtick (`) on your keyboard to start managing your Stripe
resources in test mode.

- View supported Stripe commands: 
- Find webhook events: 
- Listen for webhook events: 
- Call Stripe APIs: stripe [api resource] [operation] (e.g., )
The Stripe Shell is best experienced on desktop.
$