Card authentication and 3D Secure
In October of 2022, all major card brands will stop supporting 3D Secure 1. If you want to continue using 3D Secure, adopt the Payment Intents API or Setup Intents API. This new integration:
- Leverages benefits from Dynamic 3D Secure
- Supports 3D Secure 2
- Complies with Strong Customer Authentication regulation in Europe.
For extra fraud protection, 3D Secure (3DS) requires customers to complete an additional verification step with the card issuer when paying. Typically, you direct the customer to an authentication page on their bank’s website, and they enter a password associated with the card or a code sent to their phone. This process is familiar to customers through the card networks’ brand names, such as Visa Secure and Mastercard Identity Check. Watch our video for an example of an authenticated checkout flow.
The Strong Customer Authentication regulation in Europe requires the use of 3DS for card payments. 3DS is optional in other regions but you can still use it as a tool to reduce fraud.
Stripe supports 3D Secure 2. Your integration runs 3D Secure 2 when supported by the customer’s bank and falls back to 3D Secure 1 otherwise.
Disputed payments and liability shift
Payments that have been successfully authenticated using 3D Secure are covered by a liability shift. Should a 3D Secure payment be disputed as fraudulent by the cardholder, the liability shifts from you to the card issuer. These types of disputes are handled internally, don’t appear in the Dashboard, and don’t result in funds being withdrawn from your Stripe account.
If a customer disputes a payment for any other reason (for example, product not received), then the standard dispute process applies. As such, you should make the appropriate decisions regarding your business and how you manage disputes if they occur, and how to avoid them completely.
Liability shift might also occur when the card network requires 3DS, but it isn’t available for the card or issuer. This can happen if the issuer’s 3DS server is down or if the issuer doesn’t support it, despite the card network requiring support. During the payment process, the cardholder isn’t prompted to complete 3DS authentication, because the card isn’t enrolled. Although the cardholder didn’t complete 3DS authentication, liability still shifts to the issuer.
Sometimes payments that are successfully authenticated using 3DS don’t experience a liability shift. This is rare and can happen, for example, if you have an excessive level of fraud on your account and are enrolled in a fraud monitoring program. There are also some industries that certain networks have exempted from liability shift—for example Visa doesn’t support liability shift with businesses engaging in wire transfer or money orders, non-financial institutions offering foreign or non-fiat currency, or stored-value card purchase or load.
Although cardholders can’t dispute payments that have been successfully authenticated using 3DS as fraudulent with an upfront financial chargeback, issuers might initiate a dispute inquiry. This type of dispute is non-financial, and is basically a request for information.
Responding to inquiries is important for any charge, but is vital when it involves a 3D-Secure-authenticated charge. Although the cardholder’s bank isn’t allowed to file an upfront financial chargeback for fraud, they can initiate a financial chargeback if the merchant doesn’t respond to the inquiry, known as a no-reply chargeback. To prevent no-reply chargebacks on 3DS charges, be sure to submit sufficient information about the charge. Include information about what was ordered, how it was delivered, and whom it was delivered to (whether it was physical or electronic goods, or services).
Controlling when to present the 3D Secure flow
Stripe triggers 3DS automatically if required by a regulatory mandate such as Strong Customer Authentication. You can also use Radar rules or the API to control when to prompt customers to complete 3DS authentication, making a determination for each user based on the desired parameters.
To track whether 3DS was attempted on a card payment, read the three_d_secure property on the card information in the Charge’s
payment_method_details. Stripe populates the
three_d_secure property when the customer attempts to authenticate the card—
three_d_secure.succeeded indicates that authentication succeeded.
When you run 3D Secure, Stripe requires your customer to perform authentication to complete the payment if 3DS authentication is available for a card.
If a card doesn’t support 3DS or an error occurs during the authentication process, the payment proceeds normally. When this occurs, liability doesn’t generally shift to the issuer, as a successful 3DS authentication hasn’t taken place.
In a typical payment flow that triggers 3D Secure:
- The customer enters their payment information, which attaches to a PaymentIntent.
- Stripe assesses if the transaction requires 3D Secure based on Radar rules, manual requests, and other criteria.
- If 3D Secure is:
- Not required–Stripe attempts the charge. If required by the bank, the customer completes an additional authentication step for the charge to succeed.
- Required–Stripe starts the 3D Secure authentication flow by contacting the card issuer’s 3D Secure server and creating a 3D Secure source.
- When Stripe requests 3D Secure and the attempt is:
- Successful–The PaymentIntent transitions to a status of
requires_action. After the customer completes the 3D Secure authentication step, Stripe attempts the charge and the PaymentIntent transitions to a status of
- Unsuccessful–Stripe makes a final attempt to complete the payment without authentication. The PaymentIntent transitions to one of the following statuses, depending on the outcome of the payment:
- Successful–The PaymentIntent transitions to a status of
Use Radar rules in the Dashboard
Stripe provides three default rules to dynamically request 3DS when creating or confirming a PaymentIntent or SetupIntent. You can configure these 3D Secure Radar rules in your Stripe Dashboard. The following screenshot shows these Radar rules, which request additional authentication from customers when the issuer of their card requires 3DS:
The first rule is enabled by default, but you can disable it.
If you have Radar for Fraud Teams, you can add custom 3DS rules using the syntax described in the Rules reference. Radar requests 3DS authentication for payments that match these rules. In the example below, the enabled rule requests 3DS authentication for payment attempts where the amount of the payment exceeds 500 USD and the risk level isn’t considered normal.
Custom rules for 3D Secure and liability shift
If you have Radar for Fraud Teams, you can customize your rules to allow charges to succeed and check that any on-session charges are authenticated. For example, you can do the following:
|Allow recurring subscription charges (that request exemptions) to succeed. When creating payments with the API, use |
|Allow recurring charges on Apple Pay or Google Pay to succeed. In addition, request 3D Secure on all charges and check that any on-session charges are authenticated. To check if Stripe received a cryptogram during tokenization for Google Pay, modify the rule as shown.|
|Use Radar to request 3D Secure on all charges and check for a 3D Secure source. You can specify a custom metadata attribute for all charges that require 3D Secure. The rule checks for that condition and then requests 3D Secure. For example, you can replace |
|Use Radar to check if 3D Secure was requested on charges that match the condition you specified in the rule above.|
|Use Radar to request 3D Secure on all charges and check for a 3D Secure source. Modify the rule as shown to check for the custom metadata attribute that you specify on all Apple Pay or Google Pay charges, and to check if Stripe received a cryptogram during tokenization for Google Pay.|
Manually request 3D Secure with the API
The default method to trigger 3DS is using Radar to dynamically request 3D Secure based on risk level and other requirements. Triggering 3DS manually is for advanced users integrating Stripe with their own fraud engine.
To trigger 3DS manually, set
any when creating or confirming a PaymentIntent or SetupIntent. This process is the same for one-time payments or future off-session payments. When you provide this parameter, Stripe attempts to perform 3DS and overrides any dynamic 3D Secure Radar rules on the PaymentIntent or SetupIntent.
When to provide this parameter depends on when your fraud engine detects risk. For example, if your fraud engine only inspects card details, you know whether to request 3DS before you create the PaymentIntent or SetupIntent. If your fraud engine inspects both card and transaction details, provide the parameter during confirmation—when you have more information. Then pass the resulting PaymentIntent or SetupIntent to your client to complete the process.
request_three_d_secure parameter’s usage for each case in the API reference:
When you set
any, Stripe requires your customer to perform authentication to complete the payment successfully if 3DS authentication is available for a card. If it’s not available for the given card, the payment proceeds normally.
Stripe’s SCA rules run automatically, regardless of whether or not you manually request 3DS. Any 3DS prompts from you are additional and not required for SCA.
Displaying the 3D Secure Flow
Testing the 3D Secure flow
Use a Stripe test card with any CVC, postal code, and future expiration date to trigger 3DS authentication challenge flows while in test mode.
When you build an integration with your test API keys, the authentication process displays a mock authentication page. On that page, you can either authorize or cancel the payment. Authorizing the payment simulates successful authentication and redirects you to the specified return URL. Clicking the Failure button simulates an unsuccessful attempt at authentication.
All other Visa and Mastercard test cards don’t require authentication from the customer’s card issuer.
You can write custom Radar rules in test mode to trigger authentication on test cards. Learn more about testing your Radar rules.