How 3D Secure Works
When a customer enters their card number on your checkout page, 3D Secure sends a request to the card-issuing bank. The bank evaluates the transaction risk using data like the customer's device, location, purchase history, and transaction amount.
If the bank considers the transaction low-risk, authentication happens silently โ the customer sees nothing extra. This is called a "frictionless flow" and it happens on roughly 85โ95% of transactions with 3DS2.
If the bank flags the transaction as higher-risk, the customer gets a challenge: a one-time SMS code, a push notification to their banking app, or biometric confirmation. This adds 10โ15 seconds to checkout.
3DS1 vs 3DS2: The Difference That Matters
The original 3D Secure (3DS1) was terrible. Every transaction redirected to a clunky bank page asking for a password nobody remembered.
Cart abandonment rates increased 20โ30%. Most Canadian merchants disabled it.
3DS2 (launched in Canada in 2019โ2020) fixed this. It sends 150+ data points to the issuing bank for risk assessment, enabling the silent "frictionless" authentication on most transactions.
Challenge rates dropped to 5โ15% of transactions. Cart abandonment impact is minimal.
| Feature | 3DS1 (Legacy) | 3DS2 (Current) |
|---|---|---|
| Authentication method | Static password / redirect | Risk-based / biometric / OTP |
| Frictionless flow | โ Never | โ 85โ95% of transactions |
| Mobile-optimized | โ Breaks on mobile | โ Native mobile SDKs |
| Data points shared | ~15 | ~150+ |
| Cart abandonment impact | +20โ30% | +2โ5% |
| Liability shift | โ Yes | โ Yes |
| Status in Canada | Deprecated (Visa sunset Oct 2022) | Current standard |
All major Canadian processors now support 3DS2. If someone offers you only 3DS1, walk away.
The Liability Shift โ Why You Care
Without 3D Secure, when a stolen credit card is used on your website, the chargeback and the $15โ$25 chargeback fee land on you. You lose the product, the revenue, and pay the fee.
With 3D Secure, authenticated transactions shift fraud chargeback liability to the issuing bank. If a cardholder claims fraud on a 3DS-authenticated transaction, the bank absorbs the loss โ not you.
What the Liability Shift Covers
- Covered: Fraudulent transaction chargebacks (reason code 10.4 / 4837 โ unauthorized use)
- Not covered: Product not received, product not as described, duplicate charges, service disputes
- Not covered: Transactions where 3DS authentication was attempted but failed or was unavailable
The liability shift only applies to fraud-related chargebacks. Customer disputes about quality, delivery, or service are still your responsibility regardless of 3DS status.
Brand Names by Card Network
Each card network has its own brand name for 3D Secure. They all use the same EMV 3DS2 protocol underneath.
| Card Network | 3DS Brand Name | Common in Canada? |
|---|---|---|
| Visa | Visa Secure | โ Yes (most common) |
| Mastercard | Mastercard Identity Check | โ Yes |
| Amex | American Express SafeKey | โ Yes |
| Interac | N/A (Interac Online has own auth) | Separate system |
| Discover | ProtectBuy | โ ๏ธ Rare in Canada |
Interac Online uses its own bank-redirect authentication โ separate from 3D Secure โ and has zero chargebacks by design since funds move directly from the customer's bank account.
Setting Up 3DS with Canadian Processors
Stripe
Stripe enables 3DS2 automatically through Stripe Checkout and Payment Intents API. If you use Stripe's recommended integration (Payment Element or Checkout), 3DS challenges are handled automatically. No extra configuration needed.
Stripe Radar (their fraud detection tool) triggers 3DS selectively based on risk score. Low-risk transactions skip the challenge.
High-risk ones get prompted. This is the smartest implementation in the Canadian market.
Moneris
Moneris offers 3DS2 through its Moneris Gateway (eSELECTplus). You need to enable "Moneris 3DS" in your merchant portal and add the 3DS JavaScript library to your checkout page. Moneris charges no extra fee for 3DS authentication.
Implementation requires more manual work than Stripe. You'll need to integrate the Moneris 3DS SDK, handle the authentication response, and pass the 3DS result into your payment request.
Helcim
Helcim supports 3DS2 through Helcim.js, their hosted checkout fields. When enabled, 3DS authentication happens automatically during the payment flow. Like Stripe, there's no extra fee for 3DS.
Helcim's implementation is simpler than Moneris but less configurable than Stripe. You can't selectively trigger 3DS based on risk score โ it either runs on all transactions or none.
Shopify Payments
If you use Shopify Payments, 3DS2 is handled automatically. Shopify triggers 3DS authentication when the issuing bank requests it. No configuration needed โ it just works.
Impact on Conversion Rates
The fear of losing sales keeps many Canadian merchants from enabling 3DS. The data tells a different story with 3DS2.
| Metric | Without 3DS | With 3DS2 |
|---|---|---|
| Checkout completion rate | ~72% | ~69โ71% |
| Fraud chargeback rate | 0.5โ1.5% | 0.05โ0.2% |
| Chargeback costs (on $50K/mo) | $250โ$750/mo | $25โ$100/mo |
| Net revenue impact | Baseline | Usually positive (fewer chargebacks > lost sales) |
For most Canadian online merchants, the reduction in fraud chargebacks more than offsets the small dip in checkout completion. This is especially true for businesses selling digital goods, electronics, or anything with high resale value.
When NOT to Use 3D Secure
- Subscription renewals: Don't trigger 3DS on recurring charges after the initial signup. Use tokenized cards instead.
- Micro-transactions under $10: The friction isn't worth it on small amounts. Most issuers exempt these anyway.
- In-person/POS transactions: 3DS is for online (card-not-present) only. In-person has its own chip + PIN authentication.
- B2B invoicing: If your customers pay via invoice links and you know them, 3DS adds unnecessary friction.
SCA and Canada
Strong Customer Authentication (SCA) is mandatory in the European Union under PSD2. Canada has no equivalent regulation โ 3D Secure is optional for Canadian merchants.
However, if you sell to European customers, their card issuers will decline transactions that don't support 3DS2. If you do any cross-border business with Europe, 3DS2 is effectively mandatory for those transactions.
Checklist: Enabling 3DS for Your Canadian Store
- Confirm your processor supports 3DS2 (Stripe, Moneris, Helcim, Shopify Payments all do)
- Enable 3DS in your merchant portal or payment integration settings
- Test with a real card โ verify you see the frictionless flow on low-risk transactions
- Monitor your chargeback rate for the first 30 days โ it should drop noticeably
- Check conversion rates โ if checkout completion drops more than 3%, adjust your 3DS trigger rules
- Ensure your checkout page sends device/browser data to maximize frictionless authentication rates