Founder & CEO
3D Secure (3DS) in the US hasn’t become an industry standard the way it has in the European Union and many other regulated markets. We’ll cover the reasons why, but what’s important is that this trend is changing. US businesses are realizing that modern 3DS can reduce fraud without hurting conversion rates, and that waiting to adopt 3DS comes with risks.
To fully understand 3DS in the US, we’ll cover:
3DS adds a layer of security to online transactions. It’s a protocol designed to reduce fraud during card-not-present transactions, where either the card or the cardholder aren’t physically present.
Instead of relying solely on credit card details, 3DS introduces an authentication step at checkout. The goal is to quickly determine whether a transaction is legitimate using signals like the device being used, purchase behavior, and issuing bank risk models. If a transaction is low-risk, 3DS allows it without interrupting the customer. This is known as as a frictionless flow. When authentication is needed, a challenge flow is initiated that requires customers to verify their identity before the transaction goes through, often using:
For many customers, 3D Secure is nearly invisible, especially with newer implementations. On mobile browsers or in apps, 3DS2 (the latest version of the 3DS protocol) runs entirely in the background for trusted purchases.
When verification is needed, customers might see a branded screen from their bank asking them to confirm the purchase with Face ID, fingerprint, or a passcode. In some cases, they’ll approve the transaction in their banking app without leaving the checkout flow. These options ensure challenge flows create as little friction as possible.
This is what happens in the background for 3D Secure purchases:
This process only takes a few seconds but it makes a major difference in fraud detection, especially for e-commerce transactions and mobile payments. This is because traditional signals like physical signatures and chip readers don’t apply to these transactions.
The first version of the 3DS protocol (3DS1) was clunky, slow, and unfriendly to users. Customers were redirected to unfamiliar pages, asked to enter static passwords, and they frequently dropped out of the checkout process altogether. This increased transaction abandonment, and frustrated merchants. These issues had a lasting impact on the US, resulting in a lower adoption rate.
3DS2 is a completely overhauled version of the protocol that prioritizes speed, flexibility, and mobile compatibility. The updated version introduced:
These changes significantly improved the customer experience. Frictionless flows were better supported, and issuing banks still had enough control to challenge high-risk and fraudulent transactions in realtime.
3D Secure still isn’t mandatory in the US but momentum is building. In addition to the 3DS2 improvements, there are a few other factors accelerating adoption:
It’s sometimes assumed that 3DS is only necessary for large enterprises or international retailers, but that’s no longer the case. If your business accepts online payments, or you handle card-not-present transactions, 3DS is becoming a baseline requirement.
Some businesses are more vulnerable to fraud than others. High-volume e-commerce platforms, digital goods providers, and subscription services all experience elevated fraud rates and chargebacks.
| Industry | Average Chargeback Rate | Common Triggers |
|---|---|---|
| Digital Goods & Gaming | 1.5% – 2.0% | Account takeovers, subscription fraud |
| Travel & Events | 0.9% – 1.4% | Cancellations, high-ticket disputes |
| Subscription Services | 1.8% – 2.2% | Recurring billing conflicts |
| E-commerce Retail | 0.6% – 1.2% | Friendly fraud, shipping disputes |
When purchases are disputed, whether it’s for real fraud or friendly fraud, you’re liable for any chargebacks. However, liability shifts for purchases that pass 3DS authentication. This means the issuer is liable for fraudulent chargebacks instead of you. So not only does 3DS fight fraud and reduce chargebacks, it can translate into significant revenue retention by shifting liability, and reducing the internal overheard of dealing with disputes.
Chargeback rates also need to be kept low to prevent businesses from getting flagged by chargeback monitoring schemes. These schemes are defined and implemented by card networks, and when businesses exceed certain thresholds, card networks can impose fees or block transactions.
Evervault helps businesses realize these benefits by making it easy to implement 3DS, while reducing friction during the checkout process. FlightHub is an online travel agency that operates in an at-risk industry and they decided to use Evervault for 3DS. This resulted in a 33% reduction in fraudulent chargebacks, a 73% reduction in friendly fraud chargebacks, and saved ~65 hours of manual review time per quarter.
Fraud assessment models have gotten very advanced, but there are scenarios they struggle with that 3DS can help with. For example, new customers and guest customers often present a challenge. There’s less information available for these customers, so fraud models have more difficulty determining whether a purchase is legitimate. In these scenarios, especially for higher priced items, models often default to blocking the transaction or flagging it for manual review. If you support 3DS, you can instead pass these transactions through the authentication process. If it succeeds, you’ve saved the transaction without any manual review, and you can use the successful authentication as a positive signal for that customer profile. If the authentication fails, you can flag the card and customer details from that transaction as suspicious for future reference.
Adopting 3DS can also have positive impacts on your brand. Customers are genuinely concerned about fraud, and having secure authentication methods like 3DS helps build trust. For many global consumers, authentication methods like 3DS and passkeys are actually expected for online payments. And in the US specifically, there’s a trend of more Gen Z and Millennials using updated authentication tools.
As mentioned before, the initial rollout of 3DS wasn’t ideal. This resulted in two primary concerns at the time: that 3DS lowered conversion rates and that it was difficult to implement. Since then, there’s also been a concern that many issuers in the US don’t support 3DS. While there was some validity to these concerns, modern 3DS has resolved many of the original issues. Let’s talk about issuer support first since it feeds into other concerns.
When looking at our own data, 88% of the issuers in the US that we have data for support 3DS. And the percentage of transactions that failed 3DS just because the card wasn’t enrolled (meaning the issuer doesn’t support 3DS) was .16%. This actually tracks because many of the major issuers in the US support 3DS. What this means is that 3DS is supported, it’s just not being used.
Even though the number of cards we see not enrolled is relatively small, Evervault built functionality into our 3DS solution to improve the experience in these situations. When a 3DS session is created, we can tell you whether the card is enrolled. If it’s not, you can decide whether to continue with the authorization or take some other action. Evervault only charges for successful authentications so this enrollment check doesn’t cost you anything. It also provides a much better customer experience because you won’t accidentally send customers through a 3DS flow that’s going to fail because the issuer doesn’t support it.
Customer experience improvements, like risk-based authentication and embedded challenge flows, have made conversion rates less of a concern. Risk-based authentication allows low-risk transactions to go through frictionless flows that don't require extra steps. When a challenge occurs, customers can complete the process within the checkout flow, often through biometric prompts, mobile banking apps, or one-time codes that are already familiar to most consumers.
Redirects are commonly flagged for negative impacts on conversion rates, and this is actually still an issue with the current protocol. During a challenge flow, these redirects transition customers out of the checkout flow to a completely different page. This is now an unnecessarily disruptive process because you can use embedded challenge flows instead. In these flows, customers complete challenges in a modal as a part of the checkout process instead of a different page.
Even though 3DS2 was designed to support embedded challenge flows, many 3DS providers themselves still use redirects. So the concern about redirects and conversion rates is still justified, but you can avoid it by choosing a 3DS provider like Evervault that fully supports embedded challenge flows.
Challenge preferences are another way to control your 3DS implementation and improve conversion rates. On every authentication request, you can specify a preference for challenging the customer or not. This increases the chances of a frictionless 3DS flow for low-risk transactions, while ensuring challenges for transactions you want authenticated. The issuer, however, still makes the final decision based on its own risk assessment.
Outside the European Economic Area (EEA), fail-on-challenge flows are becoming popular. These flows let you attempt 3DS authentication to secure a liability shift, but if a challenge is required, the authentication is automatically skipped and the transaction proceeds to authorization. This approach is ideal for companies that prioritize a frictionless customer experience ,while still benefiting from liability protection when a frictionless flow is available. With Evervault, you can implement this with a straightforward flag in the authentication request.
Looking at our own data, 3DS performs surprisingly well in the US. Overall, 86.4% of 3DS sessions succeeded, which included frictionless flows, challenged authentications, and scenarios where the card network completed the authentication rather than the issuer. Even more striking, 74% of transactions were frictionless, higher than in the UK (63.5%) and Germany (62.2%), where 3DS has been mandatory for years. Despite being less prevalent, 3DS in the US can deliver a smooth and effective authentication experience, rivaling or even exceeding countries with long-standing 3DS adoption.
There are different ways to implement 3DS, with varying degrees of difficulty. Many businesses rely on their payment gateway’s solution, which offloads the implementation work but comes at a cost. It locks businesses into individual vendors which means limited flexibility, and little control over performance. It also means you can’t change what your 3DS solution looks like, and you can’t use logic like Evervault’s preauthorization checks to verify cards are enrolled in 3DS. These issues are compounded if you use multiple PSPs because you have to set up 3DS with each provider.
Evervault’s 3D Secure product isn’t a wrapper around legacy technology like other solutions. We built it from scratch so it’s simple to integrate and scalable. You can add it as a standalone service independent of your payment processor, and you can tailor it to fit your checkout and risk model. That means you control when to move forward with authorizations, and you can customize the experience with your own copy, fonts, and colors. Our solution doesn’t use redirects either, so customers stay within your checkout flow regardless of whether you have a mobile app, a single page application (SPA), or a progressive web app (PWA).
After deciding to implement 3D Secure, the next step is choosing the right solution. Not all providers are the same, and the way you integrate 3DS can make a big difference. The ideal 3D Secure solution should:
Many gateway-provided 3DS tools fall short in one or more of these areas. It's also common for them to be tailored to the gateway rather than your own business logic, fraud patterns, and customer experience goals.
Evervault doesn’t have any of the constraints that gateway-provided solutions have. Instead of bundling 3DS inside a tightly coupled gateway or payment processor, Evervault offers it as a modular, standalone layer that works across multiple payment providers. This means you can:
Evervault’s 3DS solution was built from scratch for developers. Using our API, you specify how you want 3DS to behave, and then Evervault converts that into a request that fits both the 3DS specification, and the card issuer’s preferences. Evervault even processes error codes from issuers so that you receive human-readable errors instead of cryptic messages that make debugging difficult.
With Evervault, you don’t have to understand the full 3DS specification, and you don’t have to work through a lengthy integration process. You essentially create a 3DS session (which returns an ID), and then render the 3DS modal on the frontend using the session ID and one of our SDKs. Compared to other providers, this cuts down the integration to a couple of steps, and you can go live in minutes. Check out our website to get started.
If you're responsible for payments infrastructure, you've probably heard conflicting advice about network tokens. Some vendors promise dramatic authorization rate improvements, while others downplay the benefits entirely.
Shane Curran
Visa's 2025 Acquirer Monitoring Program (VAMP) represents one of the most significant changes to payment fraud monitoring in over a decade.
John Hetherton