3-D Secure (3DS)
3DS is an authentication step added to online (card-not-present) card transactions. Before the payment is authorized, the card issuer may ask the cardholder to confirm their identity (for example, by approving a push notification in their banking app). The issuer uses this step to verify that the transaction is genuine.
While 3DS helps protect you against unauthorized use of a card, it does not prevent non-fraudulent chargebacks (for example ‘goods not received’ or disputes over service/quality).
For PopUp and EmbeddedFields integrations, all 3DS handling logic is managed by finby’s back end.
3DS authentication flows
Depending on the issuer’s risk assessment, a transaction can follow one of two paths:
- Frictionless flow – The issuer approves the transaction without any additional interaction from the customer, and accepts the liability shift.
- Challenge flow – The issuer requires the customer to complete an additional authentication step (for example a one-time passcode, biometrics, or a push-notification approval).
From a business perspective:
- Frictionless flows have higher conversion because the customer is not interrupted during checkout. These transactions are still considered authenticated by the schemes.
- Challenge flows add an extra layer of security but may increase checkout abandonment if the customer fails or abandons the challenge.
Whether a transaction is processed as frictionless or challenged is primarily determined by the issuer’s risk engine. finby sends additional data (such as order, customer, and device information) to support issuer risk assessment, but you cannot directly force a frictionless flow.
If the customer fails or abandons a 3DS challenge, the authentication fails and the authorization is usually declined by the issuer. You may then offer the customer another payment attempt (for example with a different card or payment method).
SCA exemptions
Certain transactions can be processed without 3DS if they qualify for a Strong Customer Authentication (SCA) exemption and the issuer accepts it. Common exemptions include:
- Low-value transactions (≤ €30)
- Recurring or merchant-initiated subsequent transactions
- Trusted beneficiaries (customer whitelists the merchant at their issuer)
finby can request exemptions where applicable, but the issuer always makes the final decision on whether 3DS is required for a given transaction.
3DS information in responses
3DS results are exposed via paymentStatus / paymentDescription and standard error codes; finby does not return raw 3DS fields (such as ECI, CAVV, or 3DS version) in responses. For a complete list of 3DS-related statuses and errors, see the Reason and error codes in our API reference.
