Cardholder authentication via 3D Secure

    Learn about 3D Secure, an additional layer of authentication used by merchants to ensure a purchase is from a legitimate cardholder.

    Cardholders may encounter 3D Secure as part of their purchase flow when shopping online. Merchants use 3D Secure as an authentication method to verify that the identity of the shopper matches the cardholder.

    A growing number of online merchants use 3D Secure, and the Strong Customer Authentication regulation in Europe requires the use of 3D Secure for online purchases. The additional 3D Secure step at checkout typically involves showing the cardholder an authentication page on their bank’s website, where they are prompted to enter a verification code sent to their phone or email. This process is familiar to customers through the card networks’ brand names, such as Visa Secure and Mastercard Identity Check.

    Example of a 3D Secure flow

    Step 1: The customer enters their card details.

    Step 2: The customer’s bank assesses the transaction and can complete 3D Secure at this step.

    Step 3: If required by their bank, the customer completes an additional authentication step.

    When will 3D Secure be applied

    When a customer buys something online and the merchant supports 3D Secure, the payment will be authenticated. The authorization attempt will come to Stripe for authentication where we will carry out a risk assessment. If the authorization is legitimate, the customer will be able to continue shopping unaffected, and if the authorization is risky, Stripe will authenticate the user on your behalf.

    Stripe will send a text message containing a one-time passcode to your cardholder to verify that they are making the purchase.

    3D Secure shifts the liability for fraud disputes from the merchant to the issuer (you). It also requires Stripe to have complete up-to-date information on your cardholders to ensure we can reach out for authentication.

    Liability shift

    Payments that have been successfully authenticated using 3D Secure have a liability shift to the issuer applied to them. Should a 3D Secure payment be disputed as fraudulent by the cardholder, the liability shift will apply and you will automatically lose. Should a customer dispute a payment for any other reason (e.g., other), then the standard dispute process applies.

    Liability shift will also occur if the issuer (you) are not enrolled in 3D Secure and the merchant is. The advantage of being enrolled in 3D Secure is that it will prevent successful authorizations when your cardholder was not present, and therefore prevent potential fraud from occuring.

    Incorporating 3D Secure authentication into your integration

    Whilst we are currently in public beta, if you wish to sign up for 3D Secure please get in touch so that we can get you up and running.

    Was this page helpful?

    Thank you for helping improve Stripe's documentation. If you need help or have any questions, please consider contacting support.

    On this page