AMANDEEP BATRA: Welcome, everyone. I’m Amandeep, and I lead the payments performance team at Stripe. So if I were to ask a room full of payments experts in 2020, “What’s the first thing that comes to your mind when you think about 3D Secure?” I’m sure everyone would say, “Friction.” Well, in 2020, they weren’t wrong, but payments evolve fast. 3DS of 2026 is no longer the 3DS of 2020. Authentication today is much more seamless. Machine learning now helps us decide in real time when and how to apply the different 3DS flows, especially with an option of a challenge pathway and a frictionless pathway. The protocol has evolved to a lot more frictionless flow types. We have exemptions pathway that exist in mandated markets, where 3DS is a regulatory requirement, and we have the Data Only pathway, which is available more globally. So the protocol has evolved, but the perception has not. Today, we are here to close that perception gap. So let’s start with a quick poll, maybe a quick show of hands. Raise your hands if you are using 3D Secure today.

Oh, wow. Keep them raised. There’s another question coming. Wow. We have a lot of people using 3DS. Great. Now, lower your hands if you’re only using it for compliance reasons or for high-risk transactions only. Great. Look around you. There’s not many hands raised when I asked the second question. So great. Thank you. You can all put them down. By end of this session, we want more of you having your hands raised wanting to try 3D Secure, because 3DS isn’t just a compliance checkbox. Used well, it’s one of the most effective, and perhaps the most underused revenue levers, available in your payment stack. So here’s how we’re going to spend the next 25 minutes. First, we’re going to talk about the 3DS paradox. Why 3DS hurts conversion in some markets, but helps in other markets. Second, what 3DS can unlock for you and your business.

Third, we’ll talk about how Stripe can help you there. And finally, your questions. So please, scan this QR code and keep them questions coming. So let’s start with the 3DS paradox. In 2024, we ran an experiment in the United States requesting 3DS on a set of transactions for select businesses. Most of these transactions were approved by the issuers frictionlessly, meaning there was no redirects, no one-time codes, or anything that a cardholder could see in their checkout experience. Yet, we saw the conversion rates dropped on those transactions from 87% to 82%. Five percentage point drop. Zero friction added. Just a 3DS flag. Well, if you are a US business looking at this, your reaction would be obvious. Why would I ever turn this on?

Here’s what happened behind the scenes. In markets where 3DS is optional, such as the United States, the usage is very low. Because the usage is low, issuers haven’t had to invest much to improve the user experience in the checkout journey. In the experiment that I was showing you earlier, one major US bank was processing 100% of the 3DS transactions frictionlessly. They were not even attempting to challenge the cardholders. And there’s something more counterintuitive here. When the US issuers see a 3DS request associated to a transaction, many treat that as a risk signal. Well, if a merchant is requesting 3DS on this transaction, something must be off. So they decline at a higher rate, which leads to poor conversion rates overall. That becomes this vicious cycle. So the protocol designed to reduce fraud was being used as a signal of fraud. That is what we are calling as the paradox.

Now, let’s look at the markets where 3DS is a mandate. Starting with Japan. Japan rolled out the 3DS mandate very recently in April 2025. The result post-mandate have been striking. So the transactions that started to go through 3D Secure since the mandate started remained steady on the conversion rates, which is roughly about 93%. We saw no change in the conversion. And 60% of these 3DS requests were also going frictionlessly. And cherry on top, we saw the dispute rates fell down by more than 50% since the mandate has kicked in. Another example is United Kingdom, where strong customer authentication exists since 2020 as part of PSD2 requirements. So in market as mature as United Kingdom, 3DS adoption and penetration is high. The merchants are not using it selectively, but using it more broadly. The issuers have invested more in it. So we see the authentication success rates and the authorization success rates work together and are proportional to each other. They go hand in hand. Same protocol, different ecosystem, better conversion when it’s a mandate.

Here’s one of the reasons why this might be happening. So we tried to compare the nonmandated markets and the mandated markets, and saw how issuers are authenticating their cardholders side by side. Starting with the US, where 3DS is optional, we see over half of the challenges that are presented to the cardholders are going by one-time passcodes over SMSs. Mere 24% of those transactions are going through biometrics flow, which is a more seamless flow. That number is gradually going up, especially starting 2025, but still it’s pretty low. Now, you look at the markets such as a French market, where 3DS is a mandate. It’s one of the European markets which comes under the SCA rules, and it requires almost 100% of their transactions to go via 3DS flows. The ratio is inverse over there: 80% of the challenges are going through some form of biometrics. Only 6% use an OTP.

So when every transaction needs authentication, issuers invest in making the experience more seamless. When it is optional, nobody optimizes for something they would not use. Remember this vicious cycle that I had shown you a minute ago? That hints that the protocol might be broken. No. The protocol isn’t broken. The ecosystem around it looks different, depending upon where your business is and where your consumers are. This vicious cycle becomes a virtuous cycle with the mandate. In regulated markets, mandate accelerated the investments across the board. Issuers built more seamless flows when it comes to authentication. Merchants are using it more broadly, and data improves for everybody. It almost creates a flywheel effect. So the question is not that whether 3DS works or not. It clearly does. The question rather is, how would you make 3DS work for you? And to discuss about that, I’m going to invite Cip on the stage.

CIP BLUJDEA: All right. Hi, everyone. I’m Cip. I’m the product manager for intelligence commerce, and I lead Stripe’s authentication products. Let’s explore how 3DS can actually drive your payment performance goals. And we’re going to cover how we can prevent fraud, reduce our transaction costs, and even boost conversion. Let’s start with the most common goal, and that is of preventing fraud. To make matters concrete, let’s put ourselves in the shoes of a company that sells adult light-up sneakers. Mark my words. These are having a comeback. Give it until fall and you’ll see everyone wearing them. You sell the sneakers for $100 on your ecommerce website in the US and Europe. So, fraud. Authentication is the strongest tool we have against fraud, short of outright blocking that transaction. This is because we’re verifying the cardholder’s identity during the purchase, but there’s a trade-off. Verifying adds friction and friction costs sales.

Let’s imagine a customer in the US orders a pair of sneakers for $100. It’s the first time you see this card, and you’re getting some suspicious signals, such as a mismatched CVC. What do you do? Do you add 3DS and verify the identity, but risk losing that sale due to the friction? Or do you skip 3DS? Take on any fraud risk, but you ensure the transaction is successful. And how do you even know if the issuer will handle 3DS well or not? As we’ve just seen, this can vary quite a lot. That’s where Adaptive 3DS comes in. This lives inside Radar, and it’s a new feature that calculates a risk score for every transaction and is also trained on past issuer behavior, and is able to model exactly how well that issuer will handle 3DS for that type of transaction. If you have an issuer that doesn’t handle 3DS well, it’s more likely to go straight to authorization.

If, on the other hand, you have an issuer that does handle 3DS well, and that transaction is looking to be towards the higher-risk spectrum, then you will actually authenticate that transaction. This means you get a protection only where it matters. And for merchants that have been using Adaptive 3DS, we’ve measured fraud reduction with no loss in conversion at all. And the best part? There’s no integration work required. It’s just a toggle in your Radar dashboard.

Next, let’s talk about cost reduction, and here we’re referring to interchange costs. Networks are incentivizing authentication on both sides of the Atlantic. In Europe, we’ve got Visa and Mastercard that charge extra for nonauthenticated transactions. Visa hiked this fee up to 7.5 basis points last October, and Mastercard will be doing the same this October. Over in the US, we’ve got Visa that last week launched DCAP, or the Digital Commerce Authentication Program. This gives you a five basis points saving on your interchange costs. So a few cents here and a few cents there for every pair of sneakers that you sell, but at the scale that you’re running, this can add up to make a real difference to your bottom line. However, how do you know if these cost incentives are actually worth the authentication friction that you’re adding in the checkout flow? Is there a way to get a cost incentive and not add any friction?

In fact, there is, and it’s called “Data Only.” This means we’re sharing enriched data with the issuer over 3DS rails, such as postcode, IP address, phone number, and so on. And what’s different than a regular 3DS flow is that the issuer can’t actually trigger a challenge on that flow. So there’s no friction, but you still satisfy the network requirements and get that cost incentive. Now, this sounds like a free lunch. Should you just apply this on all of your transactions? No, there’s a catch. When applied indiscriminately to all transactions, this year we’ve measured 17 basis points of conversion degradation in the US. So we’re going to show you how Stripe works around that in a moment. But before, let’s cover the third and the more surprising goal that 3DS can help drive: that of actually boosting your conversion.

Did you know that one in five completed checkouts gets declined by the issuer on the first try? One in five. And what’s worst is that most of those are actually legitimate transactions, but the issuer simply did not have enough information to have the confidence to approve that. That’s where Authorization Boost comes in. This is Stripe’s auth optimization product that has something we call “3DS retries.” What it will do is it will take these decline transactions, perform 3DS on them, and then resubmit them to the issuer. But this time with an added layer of data and security. On transactions we’ve done this in the US, we’ve measured 90 basis points of conversion uplift. That’s almost 1% more of your orders that otherwise would have never shipped. And remember Data Only from earlier? That gave us the cost savings? It can also boost conversion, because we’re sharing enriched data signals with the issuers and this gets them approving at higher rates.

This works very well in Europe. We’ve seen 3.2% uplift on conversion on transactions where we share Data Only signals with the issuers versus transactions where we don’t. So those are transactions over €250. That’s your highest-value orders converting at higher rates.

Let’s recap what we’ve seen just now. We’ve seen how 3DS can prevent fraud, lower our network costs, and even help increase our conversion. But as a sneaker company, your job is to create the coolest sneakers this decade has ever seen. So you shouldn’t have to get into the weeds of 3DS if you don’t want to. Let’s show you how Stripe helps get you there. Let me introduce to you the authentication engine. This abstracts all the complexity away for you. What it does is, takes in hundreds of data points to understand the context of a transaction, then enables you to be compliant. That’s table stakes. But after that, its AI inference model models the optimal path between 20 different types of flows that it can take. You’ve got various types of 3DS flows, various types of Data Only, and different types going directly to authorization.

And that’s really key here, that 3DS is not just on or off. Rather, think of it as a dial with many more options than most people realize. The engine will pick the optimal path out of this 20 for that specific issuer, for that specific transaction, and balance across cost, conversion, and fraud altogether. How does it actually balance across all of those and make that optimal decision? Let’s go one level deeper.

On a $100 order where you have a 20% margin, what the model will do, is it will actually calculate the probability of conversion, any network costs and incentives, probability of fraud, and many other factors, putting them all together to come up with a expected net profit for each one of the 20 different paths. And then it will pick the one that has the highest profit. What’s also really cool about this is that it’s continuously self-learning. It’s testing new paths, discovering better outcomes, and scaling what works. If you’re using Authorization Boost, the engine is applied to all of your Stripe payments by default. But what if you’re using other PSPs to process? That’s where Standalone 3DS comes in. This is Stripe’s dedicated authentication API. It allows you to do 3DS on Stripe and process that transaction with any PSP on your own terms. You also get much deeper control.

You can set challenge preferences, control what data to share with the issuer. Actually, there’s more than 30 different parameters that you can tune over the API to get exactly the 3DS flow that you want. But if you don’t want to mess with 30 different parameters, you can also tell the API the reason you are doing 3DS: so, fraud prevention, cost reduction, compliance, and so on. And the engine will actually tune those 30 different parameters for you. With Standalone 3DS, you can centralize your authentication in one integration, one dashboard, and you get all the Stripe intelligence—no matter who you process the payment with. In terms of how we can actually help get you there. All the benefits we discussed today are available with three Stripe products. You’ve got Radar for fraud prevention with Adapted 3DS. You’ve got Auth Boost for conversion and cost savings with Data Only and 3DS retries. And then Standalone 3DS if you’re using multiple PSPs.

We started this session by asking how many of you use 3DS and why. And here’s what we hope has changed. 3DS isn’t just compliance or just friction. When used well, it can fight fraud, lower costs, or improve conversion, or even all three at the same time. And today the tools are available to get 3DS working for you. The question is, are you using them? Thank you.

AMANDEEP BATRA: All right. Let’s go to the Q&A. Cool. I’m seeing some submissions coming. Okay. Well, there is a theme of questions that are centric around agentic commerce and authentication. So how do you see authentication evolving with agentic commerce? It’s a good question and also a very hot topic right now. Well, if you look at 3D Secure in particular, the framework of 3D Secure, especially for cardholder-initiated transactions, is built on one key assumption: that the cardholder is part of the journey. So you are authenticating the human actually doing that transaction. Agentic definitely challenges that assumption because the agents can act on your behalf and make a purchase when you are not in the checkout journey. So we see that with agentic commerce, there is going to be an evolution in how you authenticate. Especially for 3D Secure and EMV 3DS, the protocol that governs the rules around it, there does exist decoupled authentication and it exists for many years.

But I think with agentic commerce, it will find its mainstream use case. So that’s one of the options, which we can see evolve over time with agentic commerce taking the mainstream. That’s one of the things. And also, if you look at the card schemes, most card schemes are building their programs right now purely for authentication in agentic commerce space with passkeys as their baseline. So they are the two options which we think could evolve and become new modes of how you authenticate with an agent around you. Okay. Another question is… Okay.

CIP BLUJDEA: I can take that one.

AMANDEEP BATRA: Isn’t 3DS outdated? Will it be relevant in 10 years?

CIP BLUJDEA: So yeah, that’s a fun one. I don’t think it will be outdated. And I’m not just saying that because I’m the product manager for 3DS. I think 3DS is here to stay. And the reason for that is that the governance structure that exists around it is extremely evolved. We’ve got dispute resolution, liability shift, near universal adoption by networks, regulators and issuers almost globally. And that’s something that’s very hard to unwind and it’s also very hard to build up in an alternative system. But having said that, I’m not saying that 3DS will not change. We’ve got upcoming protocol versions and Aman, you just mentioned passkeys for agentic commerce. Authentication methods keep evolving and the data keeps getting better. So what we’re going to see is, I think we’re going to see an evolution of better authentication methods, but these will be actually built on top of the 3DS rails rather than necessarily replace those rails. So it’s an area that I think is of continued excitement and worth investing in. And yeah, we’re certainly doing that.

AMANDEEP BATRA: Cool. I have another question related to the data we were showing in the first half, that, where do you see the paradox shifting? Will the United States catch up with the regulated markets? Good question again. So if we look at United States, the usage of 3DS is pretty low right now as we were talking about. But we are seeing, especially starting of 2025, that the uptick in usage of 3DS directly by merchants have gone up. There’s also a signal that you can see from Visa’s new program, DCAP, that Cip was talking about. I think this is the first time any scheme has come up with a program that incentivizes merchants for using 3D Secure. Because the main thing that 3D Secure brings in the table when it comes to the data pipe is like it is data rich in comparison to the authorization message rails.

So if you’re giving more data, you will be incentivized by lowering network costs now by Visa. And I think other schemes might follow the same suit. So I think with that and economic incentives coming in play, there will be an uptake in the usage of 3DS when it comes to United States. Whether US will become a regulated market or not, I think my near-term answer would be probably not. Even now, I think merchants as well as the whole ecosystem in the US wants to stay away from 3DS as much possible, but these incentives might change things. I showed you a slide around how issuers are authenticating cardholders. We are seeing like many issuers now in the United States are investing in biometrics-based authentication. I think that will also change the game, because ultimately you as a merchant do not want that your cardholders, which you have acquired spending millions making your checkout experience the best, to go through some form of a friction that you lose that transaction.

And biometrics, especially in-app or app-to-app redirects, have become so seamless now. If issuers are going to invest in that, your cardholders, your consumers, are not going to even feel the difference when they’re making a purchase and they only have to do a face ID or biometrics as part of it. We see more issuers actually adopting that, and that uptick is also a signal that usage of 3DS will go up and the experience will get better at it. So if we have a—

CIP BLUJDEA: Yeah, a couple on DCAP, so I can combine these. So the first one is, “What do I need to qualify for DCAP? How does it work?” And the next one is, “Why would you use Visa DCAP if it doesn’t provide liability shift?” So this is a program that’s just launched last week in the US from Visa. It’s the first of its kind to incentivize higher authentication and data sharing over 3DS. In order to qualify, you have to send specific data points, so billing address, email address, IP address over the 3DS rails, and then Visa will actually give you this five basis points interchange saving on eligible transactions. So there’s a few requirements—for example, not Apple Pay or Google Pay authenticated or MITs, but we do see actually a lot of merchants have been taking a lot of advantage of this because it can actually really make a difference at large scale.

Why use it if there’s no liability shift? So that’s why actually Visa is adding this incentive in the US specifically because 3DS adoption is lower than in other markets, as we’ve just discussed. So they actually launch DCAP globally, but it’s only in the US and it will be in Canada as well where there’s a cost incentive. Because these are the markets that need the most help. Even without the cost incentives—so, for example, we are doing Data Only flows, which is this type of flow that qualifies in all markets that we operate in, and there’s no cost incentive, but it’s still, the authentication engine is still picking this as a pathway because it does provide a conversion uplift, given we are sharing this data with the issuers and gives them that confidence to approve, like I was discussing earlier. So in an ideal world, you’d be incentivized to do Data Only, share data with the issuers without the cost incentive, but for now—for the next couple of years—hopefully Visa will have this in place to get us to that state of higher 3DS adoption in the US and better data sharing and a safer ecosystem for all. So it shouldn’t be just for liability shift that, to do 3DS, it’s about getting that safer ecosystem for everyone involved and for the transaction as a whole.

AMANDEEP BATRA: The authentication engine, how can I override the logic of the authentication engine?

CIP BLUJDEA: Yep. So the authentication engine does abstract the complexity away for you if you want that, but you still have different access points to actually control it yourself and tune it. The simplest way is always to just request 3DS via the Stripe Payments API, but then, for example, Adaptive 3DS, as part of Radar, you can actually tune a risk preference depending on more or less risk averse that you are. So be more or less aggressive with your 3DS. And you’ve also got Radar for Fraud Teams, where you can kind of set your custom rules—for example, “Trigger 3DS for every transactions over $50 coming from cross-border,” or something like that. And there’s of course Standalone 3DS as well, where you’ve got a multitude of parameters where you can kind of tune more what you want rather than treat it as a kind of black box, do all the magic for me.

AMANDEEP BATRA: Brilliant. I think there were a few more questions, but we are running short of time. So thank you everybody for coming and attending this session.