Visa’s VAMP Program: Why 3D-Secure is now essential for PSPs
Visa's 2025 Acquirer Monitoring Program (VAMP) represents one of the most significant changes to payment fraud monitoring in over a decade.
During our 3D-Secure for high-risk payments webinar, attendees asked many insightful questions. To ensure everyone benefits from the discussion, we've compiled some key questions with our answers below.
Data-only transactions don't significantly improve approval rates for payment authorization, though they provide valuable fraud intelligence. Some sophisticated issuers with closely linked core banking and ACS servers may analyze the browser fingerprint data they have collected, which increases the likelihood of transaction authorization.
3RI (3DS Requestor Initiated) authentication supports use cases such as recurring payments, split shipments, and delayed shipments, among others. The first transaction is a customer-initiated transaction in which the customer authenticates. For subsequent transactions, when the customer can't be expected to be available to authenticate, the merchant can initiate a merchant-initiated authentication that references the initial transaction, where the customer was present to authenticate.
European issuers do make different decisions based on EU vs. US merchants. However, these differences are primarily fraud-related rather than systematic discrimination. For example, a US card used with an EU merchant is more likely to trigger fraud responses, because card-not-present transactions from US cardholders in France, say, are statistically more likely to trigger fraud rules. While processing US cards in Europe is more complicated, the quantitative impact is only a couple of percent, not a significant 20% drop-off.
You can pass a preference for recurring authentication when triggering 3DS authentication, but you should not reuse the ECI and cryptogram from the initial authentication. These values are considered sensitive authentication data under PCI and should only be used once before being discarded after a successful payment authorization. For subsequent transactions, you should trigger a 3RI (3DS Requestor Initiated) authentication using data from the initial 3DS authentication, which increases the likelihood of authentication success.
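A sketch of the handling described above, as an added example that is not code from the original page or from any 3DS server: the ECI and cryptogram are released once for authorization and then dropped, while only a reference to the initial authentication is kept for later 3RI requests. All class, function and field names and the sample values are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple


class ReuseError(Exception):
    """Raised when single-use authentication data is requested a second time."""


@dataclass
class InitialAuthentication:
    # Non-sensitive reference to the customer-initiated authentication,
    # retained so later 3RI requests can point back to it (hypothetical name).
    prior_auth_ref: str
    # Sensitive, single-use values; excluded from repr so they never reach logs.
    _eci: Optional[str] = field(default=None, repr=False)
    _cryptogram: Optional[str] = field(default=None, repr=False)

    def take_for_authorization(self) -> Tuple[str, str]:
        """Hand out the ECI and cryptogram exactly once, then forget them."""
        if self._eci is None or self._cryptogram is None:
            raise ReuseError("ECI/cryptogram already used; run a 3RI authentication")
        values = (self._eci, self._cryptogram)
        self._eci = self._cryptogram = None  # nothing left to store or replay
        return values


def build_3ri_request(initial: InitialAuthentication,
                      amount_minor: int, currency: str) -> dict:
    """Build a merchant-initiated authentication request for a subsequent payment.

    It carries only the reference to the initial authentication, never the
    old ECI or cryptogram; the 3RI run yields fresh values of its own.
    """
    return {
        "channel": "3RI",
        "prior_auth_ref": initial.prior_auth_ref,
        "amount_minor": amount_minor,
        "currency": currency,
    }


if __name__ == "__main__":
    # Constructed sample values, not real authentication data.
    auth = InitialAuthentication("ref-sample-001", "05", "SAMPLE-CRYPTOGRAM")
    print(auth.take_for_authorization())      # first payment authorization
    print(build_3ri_request(auth, 1999, "EUR"))  # later recurring charge
```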
Standalone 3DS solutions provide three key advantages: control and consistency of behaviour, unified implementation across multiple providers, and consistent user experience control. These advantages enable providers to optimize 3DS and trigger data-driven authentications with greater flexibility (often limited by acquirers), avoid the need to re-implement 3DS flows for individual acquirers, and gain complete control of 3DS components such as method URL, fingerprinting, and challenge step-ups.
3DS effectiveness varies significantly by market. In the US, 3DS is perceived as a fraud signal, with no correlation between the success of authentication and the success of authorization, which is counterintuitive. However, higher authentication success rates in the UK and EU markets directly correlate with higher authorization success rates. The expectation is that the US and other markets where 3DS is less common will converge toward the European model over time, with effectiveness improving yearly as more issuers and processors support it and consumers become more experienced with 3DS.
Yes, this additional data provides more context to issuers and card schemes. Merchants can include core transaction data, order information, and buyer information such as amount, currency, email address, shipping address, and phone number.
Yes, 3RI does have lower authentication success rates in the US market, typically 60-70% depending on market and transaction size. However, the key advantage is that 3RI is non-blocking since it happens behind the scenes without user involvement, eliminating conversion rate impact. View 3RI as the "cherry on top" where you can shift liability for transactions at minimal cost beyond the 3DS server fee. For authorization success rates, successful 3RI authentications perform similarly to successful challenge 3DS authentications with negligible impact differences.
Yes, the data-only flow is a frictionless use of the 3DS rail to share data about a transaction with issuers.
No. Liability shift under 3DS only applies when you’ve submitted fully accurate transaction data (including the true MCC). If a PSP sends a different MCC, that’s non‑compliant data—and if discovered, the issuer or scheme will treat the transaction as invalid and strip away any 3DS liability shift protections.