3D Secure and SCA: when it triggers
Strong Customer Authentication, 3DS challenge vs frictionless flows, exemptions, and what the buyer sees when their bank steps in.
Last updated 2026-05-10
3D Secure (3DS) is the second-factor handshake between the customer's bank and the buyer at checkout. SCA, the EU's regulation, mandates it for most online card payments. Here's what actually happens.
Frictionless vs challenge
Modern 3DS (3DS2) sends 50+ data points to the issuer at the moment of payment: device fingerprint, IP, billing address, transaction history. The issuer decides one of three outcomes:
- Frictionless. Bank approves silently. The customer sees nothing. ~85% of 3DS2 transactions
- Challenge. Bank asks for a code (SMS, app prompt, biometric). Customer pauses, completes, payment goes through
- Decline. Bank refuses authentication. Payment fails before it reaches the network
The buyer never gets a "you must do 3DS" choice. It's the bank's call.
When it triggers
- Always: SCA-mandated regions (EU, UK, EEA) for transactions over €30 with no exemption
- Often: high-risk transactions (large amount, new card, unusual geography) anywhere in the world
- Rarely: established subscription renewals (covered by the MIT, or Merchant Initiated Transaction, exemption)
Exemptions you can claim
Per SCA you can mark certain transactions as exempt:
- Low value. Under €30, no 3DS required (limit: 5 consecutive low-value charges per card)
- Recurring. Subsequent renewals after the first authenticated charge
- TRA (Transaction Risk Analysis). If your processor is below the regulatory fraud threshold, certain transactions are exempt automatically
- Whitelisted merchant. The customer added you to their bank's allow-list (rare)
We claim eligible exemptions automatically. You don't configure this.
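How the trigger rule and the exemptions above combine, shown as an added Python sketch; it is an illustration written for this page, not the platform's or any processor's actual code. All names, the order in which exemptions are tried, the handling of exactly €30, and the rule that a completed 3DS restarts the low-value streak are assumptions.

```python
from dataclasses import dataclass

SCA_REGIONS = {"EU", "UK", "EEA"}  # regions this page lists as SCA-mandated
LOW_VALUE_LIMIT_CENTS = 3000       # "under €30"; exactly €30 is not exempt (assumption)
MAX_LOW_VALUE_STREAK = 5           # "5 consecutive low-value charges per card"


@dataclass
class CardState:
    """Per-card history needed to evaluate exemptions (hypothetical shape)."""
    low_value_streak: int = 0            # low-value exemptions used since the last 3DS
    first_charge_authenticated: bool = False  # an earlier charge passed 3DS
    merchant_allow_listed: bool = False  # customer added the merchant at their bank


@dataclass
class Charge:
    region: str
    amount_cents: int
    is_renewal: bool = False    # merchant-initiated subscription renewal
    tra_eligible: bool = False  # processor is below the regulatory fraud threshold


def pick_exemption(charge: Charge, card: CardState) -> str:
    """Return the exemption to request, or 'none' when 3DS must run."""
    if charge.region not in SCA_REGIONS:
        return "out_of_scope"  # no mandate, though the issuer may still challenge
    if charge.is_renewal and card.first_charge_authenticated:
        return "recurring"
    if card.merchant_allow_listed:
        return "whitelisted_merchant"
    if (charge.amount_cents < LOW_VALUE_LIMIT_CENTS
            and card.low_value_streak < MAX_LOW_VALUE_STREAK):
        return "low_value"
    if charge.tra_eligible:
        return "tra"
    return "none"


def record_outcome(card: CardState, charge: Charge, exemption: str,
                   authenticated: bool) -> None:
    """Update card state once the charge has gone through."""
    if authenticated:
        card.low_value_streak = 0  # assumption: a completed 3DS restarts the streak
        if not charge.is_renewal:
            card.first_charge_authenticated = True
    elif exemption == "low_value":
        card.low_value_streak += 1
```

A returned exemption is only a request: the issuer can still challenge or decline, so the checkout must handle all three outcomes either way.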
What goes wrong
The most common 3DS issue: the merchant has 3DS turned off in their NMI / Stripe / Fiserv portal. The card networks then decline EU transactions on liability grounds. Check Settings → Payments → Provider → 3DS Status: Active means we can do it; Inactive means call your processor.
The second most common: a "challenge" gets blocked by the customer's pop-up blocker. If your checkout sees a high abandonment rate at the 3DS step, switch to inline 3DS instead of the popup variant. Settings → Checkout → 3DS UX → Inline.
Testing
Real test cards trigger real 3DS in sandbox. The card 4000 0027 6000 3184 (Stripe sandbox) always triggers a challenge. Use it to verify your checkout handles the iframe handshake before going live.