3D Secure Authentication
An additional authentication layer for online card payments that requires cardholders to verify their identity through their bank, mandated by regulations like PSD2/SCA in Europe.
Description
3D Secure (3DS) is a protocol that adds an authentication step during online card payments, requiring the cardholder to verify their identity with their issuing bank. 3DS2, the current version, supports frictionless authentication where the bank can approve the transaction based on risk signals without prompting the cardholder, as well as challenge flows that present a one-time password, biometric prompt, or in-app confirmation. In the European Economic Area, Strong Customer Authentication (SCA) under PSD2 mandates 3DS for most online card payments, making proper 3DS handling essential for any application serving European customers.
Stripe handles 3DS automatically when you use PaymentIntents or SetupIntents with automatic_payment_methods enabled. When 3DS is required, the PaymentIntent enters a requires_action status, and stripe.confirmPayment() on the client renders the bank's authentication modal. Your integration must handle this status correctly: if using redirect-based confirmation, the customer is redirected to the bank's 3DS page and back to your return_url; if using the embedded flow, Stripe.js handles the modal inline. Off-session payments (like subscription renewals) that trigger 3DS require sending the customer an email or notification to complete authentication.
Liability shift is a key benefit of 3DS: when a payment is authenticated via 3DS, the liability for fraudulent chargebacks shifts from the merchant to the issuing bank. This means you won't lose disputes on 3DS-authenticated transactions due to fraud (though you can still lose disputes for product/service complaints). Stripe's Radar rules can be configured to request 3DS selectively, requiring it for high-risk payments while letting low-risk transactions proceed frictionlessly.
Prompt Snippet
Enable automatic 3DS handling by setting automatic_payment_methods: { enabled: true } on PaymentIntent creation and using stripe.confirmPayment() with a return_url on the client, which handles the full 3DS redirect flow. For off-session payments (subscription renewals), set payment_intent.setup_future_usage: 'off_session' during the initial authentication to register an SCA exemption, and handle payment_intent.requires_action webhook events by notifying the customer to complete authentication via email with a link to a payment confirmation page. Check the payment_intent.charges.data[0].payment_method_details.card.three_d_secure.result field to verify the authentication outcome (authenticated vs. attempt_acknowledged) for fraud analytics.
Related Terms
Payment Intent Flow
The server-driven flow using Stripe's PaymentIntent API to create, confirm, and track a payment through its complete lifecycle from creation to settlement.
PCI DSS Compliance
Adhering to the Payment Card Industry Data Security Standard requirements that govern how cardholder data is collected, transmitted, stored, and processed in your payment infrastructure.
Fraud Detection Basics
Implementing fraud prevention measures using Stripe Radar rules, risk scoring, velocity checks, and behavioral signals to block fraudulent transactions before they result in chargebacks.
Stripe Checkout vs Elements
The two primary Stripe frontend integration approaches: Checkout (a hosted, pre-built payment page) versus Elements (embeddable, customizable UI components for building your own payment form).