Dynamic 3D Secure with Radar and Stripe.js Beta

    Learn how to create a payment form that automatically prompts customers for authentication based on your Radar rules and regulatory requirements such as SCA.

    3D Secure provides an additional layer of protection against fraudulent payments by requiring customers to complete an additional verification step with their card issuer during payment. Typically, this involves prompting the customer to enter a password associated with the card.

    PaymentIntents natively support 3D Secure, integrating tightly with Stripe.js and Elements to simplify the authentication process. 3D Secure is automatically triggered if required by a regulatory mandate such as Strong Customer Authentication. You can also use Radar rules to control when customers are prompted to complete 3D Secure authentication, making a determination for each user based on the desired parameters.

    Triggering Dynamic 3D Secure authentication with Radar rules

    To enable dynamic authentication, set up 3D Secure Radar rules in your Stripe Dashboard. When using PaymentIntents, Stripe provides three default rules to dynamically request 3D Secure. The following screenshot depicts these Radar rules, which request additional authentication from customers when the issuer of their card requires 3D Secure:

    The first two rules are enabled by default. One or more of these rules must be enabled to allow dynamic authentication with 3D Secure in your live integration.

    If you have Radar for Fraud Teams, you can add custom 3D Secure rules using the syntax described in our Rules reference. Radar requests 3D Secure authentication for payments that match these rules. In the example below, the enabled rule requests 3D Secure authentication for payment attempts where the amount of the payment exceeds $500 USD and the risk level is not considered normal.

    Incorporating 3D Secure authentication into your integration

    If your Stripe integration uses the handleCardPayment function to complete the payment on the client side, Stripe.js automatically handles the authentication process—displaying a modal dialog where the customer can provide the requisite information. Using handleCardPayment is the recommended way to integrate PaymentIntents.

    If you choose to handle source actions yourself instead of using handleCardPayment, then you must supply a return_url when confirming the PaymentIntent.

    After confirmation, if the PaymentIntent has a status of requires_source_action, inspect the PaymentIntent’s next_source_action, determine if it is authorize_with_url, and redirect the customer to complete authentication:

    var action = intent.next_source_action;
    if (action && action.type === 'authorize_with_url') {
      window.location = action.authorize_with_url.url;
    }
    const action = intent.next_source_action;
    if (action && action.type === 'authorize_with_url') {
      window.location = action.authorize_with_url.url;
    }

    Testing 3D Secure payments

    Not all cards support 3D Secure or require prompting the customer for authentication. You can use the following card information to fully test 3D Secure payments.

    Number 3D Secure usage Description
    4000000000003063 required 3D Secure authentication must be completed for the payment to be successful. By default, your Radar rules will request 3D Secure authentication for this card.
    4000000000003089 recommended 3D Secure is supported and recommended but not required on this card. By default, your Radar rules will request 3D Secure authentication for this card.
    4000000000003055 optional 3D Secure authentication may still be performed, but is not required. By default, your Radar rules will not request 3D Secure authentication for this card.
    4242424242424242 optional 3D Secure is supported for this card, but this card is not enrolled in 3D Secure. This means that if 3D Secure is requested by your Radar rules, the customer will not go through additional authentication. By default, your Radar rules will not request 3D Secure authentication for this card.
    378282246310005 not_supported 3D Secure is not supported on this card and cannot be invoked. The PaymentIntent will proceed without performing authentication.

    All other Visa and Mastercard test cards do not require authentication from the customer’s card issuer.

    Testing the authentication process

    When you build an integration with your test API keys, the authentication process displays a modal with information about the API request. In that dialog, you can either authorize or cancel the payment. Authorizing the payment simulates successful authentication and redirects you to the specified return URL. Clicking on the Failure button simulates an unsuccessful attempt at authentication.

    You can write custom Radar rules in test mode to trigger authentication on test cards. You can learn more about testing your Radar rules in our Radar documentation.

    Next steps

    Congratulations, you have learned about performing Dynamic 3D Secure authentication with Radar and PaymentIntents. For more information, refer to the following documentation:

    Questions?

    We're always happy to help with code or other questions you might have! Search our documentation, contact support, or connect with our sales team. You can also chat live with other developers in #stripe on freenode.

    Was this page helpful? Yes No

    Send

    Thank you for helping improve Stripe's documentation. If you need help or have any questions, please consider contacting support.