Surprising findings from our analysis of 3DS transactions in the US
For the last four years, electronic transactions processed in Europe have been subject to Strong Customer Authentication (SCA), which requires businesses to support two-factor authentication (a “challenge”) on their checkout page to reduce fraud. The most common way of authenticating an online card payment relies on the 3D Secure (3DS) authentication standard. While this extra authentication step does add friction to the checkout experience, it has prevented about €900 million worth of fraud per year in Europe.
Global businesses have told us they’re interested in replicating the fraud prevention success seen in Europe by requesting 3DS. Last year, we had a front-row seat as several Stripe users chose to do exactly that: request 3DS authentication to prevent fraud for businesses in the United States (US), where SCA is not a requirement.
The results in the US were very different from what we have seen in Europe. Our analysis suggests that issuers in the US perceived transactions requesting 3DS to be particularly high-risk, often declining these transactions more aggressively rather than putting US users through an unfamiliar 3DS challenge flow.
These findings reflect uneven issuer preferences between the US and Europe regarding authenticated transactions. As a result, businesses shouldn’t assume that the performance of authentication strategies in Europe will automatically port over to other markets. Instead, global businesses that are concerned about fraud mitigation may want to use payment methods such as digital wallets, which offer increased security with a streamlined user experience. At Stripe, we recognize there’s no one-size-fits-all approach, which is why we support a breadth of authentication pathways and continually work with ecosystem partners to evolve issuer approaches to authentication.
You can read more about our analysis below, and learn how these findings can help you better fine-tune your authentication strategy.
Issuing banks in the US sent most transactions through a frictionless flow
Issuer behavior varies in the US, but many of the top 10 US banks we analyzed had high rates of frictionless authentication, with one of the top banks even sending 100% of transactions through a frictionless flow (meaning the issuer didn’t challenge any transaction with two-factor authentication). This is in stark contrast with regulated markets such as the European Union (EU) and the United Kingdom (UK) where, according to Stripe data, a minority of SCA-eligible transactions—that do not qualify for SCA exemptions—are passed through frictionless authentication.
The use of the frictionless pathway can sometimes facilitate fraud because it bypasses the need for a second layer of customer authentication. As a result, we’ve observed that banks in the EU and the UK use frictionless pathways only when they are confident that a transaction is not fraudulent. However, in the US, issuers use it broadly—even on higher-risk transactions.
Authorization rates decreased when businesses in the US requested 3DS via the frictionless pathway
Our data suggests that US issuers might treat a 3DS request as a fraud signal itself. Issuers might believe, with reason, that US businesses are requesting 3DS because they know the transactions are higher risk, and they are hoping to shift liability to the issuer to manage this risk and authenticate the cardholders.
We noticed this behavior for a subset of transactions where US businesses on Stripe requested 3DS. Prior to adding 3DS to their US entities, these businesses saw an average authorization rate of 87%. Then they ran a two-week experiment in which they used 3DS. For transactions where issuers required two-factor authentication and the transactions were successfully authenticated, the authorization rate remained the same—87%. But when the transaction was sent down the frictionless authentication pathway, the authorization rate decreased to 82%.
In other words, the authorization rates decreased when transactions requested 3DS, even when all other factors related to the customers and their cards remained the same. This suggests that issuers in the US might be viewing these transactions as riskier because they requested authentication in the first place.
Authorization and authentication success rates varied inversely in the US
Building on the results of the two-week experiment, we zoomed out and looked at the relationship between authentication and authorization in the US and regulated markets such as the EU and UK.
In the EU and UK, authentication success rates and authorization rates moved together. As shown in the above graph, the more transactions that were successfully authenticated—whether via a frictionless flow or a two-factor challenge—the higher the authorization rates. This is likely because issuers in the region have adapted to regulatory requirements and have trained their risk models to grant frictionless pathways to lower-risk transactions.
The same is not yet true for the US, where we saw that authorization and authentication rates tended to vary inversely. As shown above, as authentication rates climbed—particularly through frictionless pathways—authorization rates actually declined. This again suggests that issuers in the US declined riskier transactions without challenging them.
Businesses can’t lift and shift their fraud strategies
Our analysis shows that authentication strategies work best when they are tailored to the particular circumstances of different markets. Businesses need to fine-tune their fraud prevention strategy not only to the products and services they sell, but also to the nuances of both the ecommerce and regulatory landscape around them.
For businesses in the EU and UK, Stripe’s SCA optimization engine and delegated authentication solution help you meet SCA requirements while reducing checkout friction for your customers. You can benefit from built-in machine learning–based optimizations that adapt to various geographical requirements and business needs. This allows you to request authentication of your customers only when necessary, so you can maximize conversion while also keeping transactions secure and fraud rates low.
For businesses in the US, Stripe collaborates with ecosystem partners to evolve issuer approaches to authentication. We’re also continuing to invest in our optimization offerings, such as testing a new generation of machine learning models that can optimize more than 600 factors per transaction (including the use of 3DS authentication) and collaborating with card networks on potential future expansions of passkey-based biometric authentication.
Get started with Stripe today or contact sales to learn more.
The insights, projections, and forward-looking statements contained here are for informational purposes only and should not be relied upon. These are based on assumptions and information currently available, but actual results may differ materially.