Fraud Prevention · April 20, 2026 · 8 min read

3D Secure and Liability Shift Explained for High-Risk Merchants

How 3DS2 moves fraud liability from merchants to card issuers, which disputes it covers, and how high-risk merchants should implement it without hurting conversion.

Quick answer

3D Secure (3DS2) moves fraud chargeback liability from the merchant to the card issuer when authentication succeeds. For high-risk merchants with significant fraud dispute volume, 3DS implementation can eliminate a large category of chargebacks — but it comes with conversion tradeoffs that need to be measured carefully.

How 3DS2 works in plain English

When a customer enters their card details at checkout, 3DS2 sends over 100 data points to the card issuer in the background — device fingerprint, browser data, purchase history, IP address, and more. The issuer uses this data to decide whether to approve without friction (frictionless flow) or request additional authentication (challenge flow — OTP, biometric, etc.).

The critical difference from older 3DS1: the frictionless path. In 3DS2, most low-risk transactions authenticate without the customer seeing any extra step. This means the liability shift benefit is available without the checkout friction that killed conversion rates under the older protocol.

The liability shift table

| Scenario | Liability outcome |
| --- | --- |
| 3DS authentication succeeds (frictionless or challenge) | Liability shifts to the issuer for fraud disputes — merchant wins. |
| 3DS authentication attempted but issuer does not respond | Liability shifts to the issuer — merchant protected even without full authentication. |
| Merchant does not offer 3DS at all | Merchant retains full fraud liability — no protection. |
| 3DS attempted but cardholder fails the challenge | Transaction should be declined. If merchant proceeds, no liability shift. |
| Exemption claimed (low-value, trusted merchant, etc.) | No liability shift — merchant takes the risk in exchange for frictionless flow. |

What 3DS does not protect

The liability shift only applies to fraud disputes — specifically, chargebacks filed under reason codes like Visa 10.4 (card-absent fraud) and Mastercard 4837 (no authorization). Consumer dispute codes — not as described, services not rendered, subscription cancellation — are not affected by 3DS. Your liability for those chargebacks does not change.

This is an important nuance. If your dispute volume is dominated by 13.1 (not received) or 13.3 (not as described), 3DS will not solve your ratio problem. Fix the operational issues behind those codes first. See the chargeback reason codes guide to identify which codes are driving your volume.

Implementation considerations for high-risk merchants

Most payment gateways support 3DS2 natively — you typically enable it in your gateway settings or SDK configuration. The key decision is which exemptions to claim. Low-value exemptions and trusted merchant exemptions skip the authentication step but forfeit liability shift. For high-risk merchants, claiming fewer exemptions is usually the right call even if it adds slight friction.

Measure your conversion rate before and after 3DS enablement. In most high-risk categories, the drop in fraud chargebacks more than compensates for any conversion impact. If it does not, look at your exemption strategy and consider requesting frictionless flows for returning customers.
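As an added example (not from the original article or any gateway SDK), the Python below applies the liability shift table and the fraud-versus-consumer code split to a dispute history, showing how much merchant-liable volume 3DS could actually remove. The outcome labels, function names and sample disputes are constructed for illustration; only the reason codes come from the text above.

```python
from collections import Counter

# Fraud reason codes named in the article; extend for the codes your networks use.
FRAUD_CODES = {("visa", "10.4"), ("mastercard", "4837")}

# Hypothetical labels (assumption), one per row of the liability shift table.
SHIFTED = {"authenticated", "attempted_no_response"}
NOT_SHIFTED = {"not_offered", "exemption", "challenge_failed"}


def classify(network, code, outcome):
    """Place one dispute in a bucket according to the article's rules."""
    if outcome not in SHIFTED | NOT_SHIFTED:
        raise ValueError(f"unknown 3DS outcome: {outcome!r}")
    if (network.lower(), code) not in FRAUD_CODES:
        return "not_covered"            # consumer disputes: 3DS changes nothing
    if outcome in SHIFTED:
        return "shifted_to_issuer"
    if outcome == "challenge_failed":
        return "should_have_declined"   # merchant proceeded after a failed challenge
    return "fixable_with_3ds"           # fraud dispute on an unauthenticated payment


def summarize(disputes):
    """Return bucket counts and the share of merchant-liable disputes 3DS could remove."""
    counts = Counter(classify(*d) for d in disputes)
    merchant_liable = sum(counts.values()) - counts["shifted_to_issuer"]
    share = counts["fixable_with_3ds"] / merchant_liable if merchant_liable else 0.0
    return dict(counts), round(share, 3)


# Constructed sample: (network, reason code, 3DS outcome at purchase time).
SAMPLE_DISPUTES = [
    ("visa", "10.4", "not_offered"),
    ("visa", "10.4", "authenticated"),
    ("mastercard", "4837", "exemption"),
    ("mastercard", "4837", "attempted_no_response"),
    ("visa", "10.4", "challenge_failed"),
    ("visa", "13.1", "authenticated"),
    ("visa", "13.3", "not_offered"),
    ("visa", "13.1", "not_offered"),
]

if __name__ == "__main__":
    counts, share = summarize(SAMPLE_DISPUTES)
    for bucket, n in sorted(counts.items()):
        print(f"{bucket:22} {n}")
    print(f"share of merchant-liable disputes fixable with 3DS: {share:.1%}")
```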
