Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

3D Secure and card-not-present fraud: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11631
Topic starter  

TL;DR: UK remote-purchase fraud cost businesses over £722 million in 2024, and 3D Secure remains the main mechanism for Strong Customer Authentication in online card payments, according to Sift. The real test is not whether 3DS exists, but whether merchants can tune exemptions, challenge flows, and telemetry without adding avoidable checkout friction.

NHIMG editorial — based on content published by Sift: 3D Secure Authentication and how it protects online payments

By the numbers:

Questions worth separating out

Q: What breaks when 3D Secure exemptions are not governed tightly?

A: Exemptions can become a standing trust path if they are not reviewed against fraud outcomes and transaction context.

Q: Why do card-not-present payments need stronger identity assurance than in-store payments?

A: Card-not-present payments lack the physical and behavioural signals available in a card-present transaction, so the issuer has less certainty about the real cardholder.

Q: How do security teams know whether 3D Secure is working as intended?

A: Look at challenge rate, approval rate, fraud losses, chargeback outcomes, and the false-decline rate together.

Practitioner guidance

  • Map 3DS decisions to payment identity policy Document which transactions are frictionless, challenged, exempted, or delegated, and assign an owner for each policy path so the decision model is reviewable.
  • Audit exemption logic for standing trust paths Review low-value, recurring, and whitelisted flows for abuse patterns, and require periodic validation that the exemption still matches actual fraud risk.
  • Verify contextual data quality at checkout Confirm that device signals, account history, and transaction metadata are consistently passed to the issuer so the bank can make a meaningful risk decision.

What's in the full article

Sift's full article covers the operational detail this post intentionally leaves for the source:

  • Version-by-version guidance on 3DS 2.2 and 3DS 2.3.1 implementation details
  • Practical fallback handling for older cards, non-supporting issuers, and edge-case checkout flows
  • Specific messaging examples and UX guidance for challenge prompts and customer reassurance
  • Monitoring ideas for challenge rate, approval rate, and fraud outcomes after deployment

👉 Read Sift's analysis of 3D Secure and card-not-present fraud →

3D Secure and card-not-present fraud: are your controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11186
 

3D Secure is a payment identity control disguised as a checkout safeguard. The protocol's real value is that it turns a card-not-present transaction into a governed identity decision, using contextual evidence rather than trust alone. That matters because fraud teams often treat 3DS as a payment feature, while IAM practitioners should see it as an assurance workflow with business impact. Practitioners should govern it as a transaction identity layer, not a checkbox.

A question worth separating out:

Q: Who is accountable when delegated payment authentication fails?

A: Accountability depends on where the authentication decision was made, who owned the exemption or delegation policy, and whether the evidence trail is complete. If a merchant, wallet, or issuer participates in the assurance chain, each party needs clear ownership for logging, review, and dispute handling under SCA governance.

👉 Read our full editorial: 3D Secure is becoming a core control for card-not-present fraud



   
ReplyQuote
Share: