Can 3D Secure be bypassed?

I’m wondering… can in certain cases 3D Secure be bypassed?
Some time ago I heard about how in the US 3D Secure would not be “honoured” and will not even prompt for it. Is that true?

The US banking system is very archaic compared to ours and they have different rules and regulations.

Are you asking if the UK 3D Secure can be bypassed or the US 3D Secure? And by ‘bypass’ I assume you mean, dismiss it or make it so that it won’t pop up?

1 Like

What I meant to ask is if 3D secure payments (of any bank) can be bypassed in general for any reason? So for example, you have your 3D set up. Can a payment go through without hitting that? I hear it can, depends on where you use your card data. Just want to confirm if it’s really true.

There’s a whole article on 3DS below that should hopefully answer all your questions:

Basically, if it’s a low value transaction and they trust it’s you using the card then it won’t pop up.

5 Likes

3DSecure is optional for merchants (though in cases of UK/EU merchants and UK/EU issuer, the issuer may force them to go through the process in order to comply with its regulatory obligations under the Strong Customer Authentication regulations).

Using 3DSecure transfers liability for fraud from the merchant to the bank.

4 Likes

If the issuer is forcing merchant to go through it, is there a merchant, for example, that doesn’t accommodate the process and the payment wouldn’t go through or would it go through, but bypass the 3D stuff?

If the issuer forces 3DS then the merchant has no choice other than to switch providers. They can’t override it in any way.

With 3DS disabled the merchant has to absorb any losses from fraud, so I imagine that it’s rare and a bit silly to disable it if you had a business.

2 Likes

Forcing a transaction to go through 3DS is (effectively) done by declining the transaction with a specific reason code (Reason Code 65, which for non-ATM transactions means “Strong Customer Authentication Required”). If the merchant doesn’t support it, they’ll just treat it as a decline. (This is why implementing the Strong Customer Authentication regulation was so painful.)

The merchant then needs to react to this response by initiating a 3DS authentication. Once that’s done, they retry the authorization with the 3DS cryptogram.

4 Likes
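
The soft-decline flow described in the post above, as an added example that is not part of the original thread. It is a self-contained simulation: `SimIssuer`, `merchant_pay` and the `"00"`/`"05"` response codes are assumptions made for illustration, and only Reason Code 65 comes from the thread.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

APPROVED = "00"      # assumption: ISO 8583-style approval code for this simulation
DECLINED = "05"      # assumption: generic hard decline
SCA_REQUIRED = "65"  # from the thread: Strong Customer Authentication Required


@dataclass
class SimIssuer:
    """Constructed issuer stub, not a real issuer or gateway API."""
    enforce_sca: bool = True
    _issued: set = field(default_factory=set)

    def authenticate(self, cardholder_confirms: bool) -> Optional[str]:
        """Stand-in for the 3DS challenge; yields a cryptogram on success."""
        if not cardholder_confirms:
            return None
        value = secrets.token_hex(8)
        self._issued.add(value)
        return value

    def authorize(self, amount_minor: int, cryptogram: Optional[str] = None) -> str:
        if cryptogram is not None:
            # Only a cryptogram produced by a completed authentication is accepted.
            return APPROVED if cryptogram in self._issued else DECLINED
        # No authentication data: soft-decline when SCA is enforced.
        return SCA_REQUIRED if self.enforce_sca else APPROVED


def merchant_pay(issuer, amount_minor, supports_3ds, cardholder_confirms=True):
    """Merchant side: authorize, react to RC65, retry with the cryptogram.

    Returns (outcome, list of response codes seen)."""
    codes = [issuer.authorize(amount_minor)]
    if codes[0] == APPROVED:
        return "approved_without_challenge", codes
    if codes[0] != SCA_REQUIRED or not supports_3ds:
        # A merchant that cannot run 3DS sees RC65 as just another decline.
        return "declined", codes
    cryptogram = issuer.authenticate(cardholder_confirms)
    if cryptogram is None:
        return "authentication_failed", codes
    codes.append(issuer.authorize(amount_minor, cryptogram))
    outcome = "approved_after_3ds" if codes[-1] == APPROVED else "declined"
    return outcome, codes
```
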

Nice explanation, thanks!
Is there a way of checking which issuers are forcing it without doing a request?

No. Merchants can also request exemptions, and issuers will normally honor those. Transactions which are determined to be low risk by the acquirer or issuer’s risk scoring can also be exempted, as can low value transactions. By and large issuers will never require it for transactions at merchants outside the EEA+UK, because they broadly don’t support the RC65 decline reason or 3DSecure (and hence there is no requirement to challenge them under the applicable law).

If a fraudulent transaction does happen, contact your card issuer to dispute it & they’ll refund you and raise a chargeback.

4 Likes

Thanks a lot for the info! 🙂