#coreyw - 3D Secure

(we currently bill primarily in the US)

Hello!

On a paymentMethod, if card.three_d_secure_usage.supported === true, is there always going to be a next_action when we try processing a paymentIntent?

No, card.three_d_secure_usage.supported indicates the card supports 3D Secure, not that it requires it for every transaction.

Or is the 3D secure action only required sometimes?

Correct. The card issuer ultimately decides when 3D Secure is required. You can request 3D Secure using Radar rules and whatnot via Stripe, but it's only a request, and the card issuer can require 3D Secure at any time for any reason.

Conversely, is next_action only present on a paymentIntent when used in conjunction with a 3D secure card or can there be other triggers for a next_action?

There are other potential triggers for next_action. For example, in some cases Stripe may present a captcha challenge when fraud/abuse is detected, and that captcha is displayed using the next_action system.

We are looking for clarity on these properties because until we have the 3D Secure flow worked out, we figure it's best to avoid having cards that use 3D secure added to our system in the first place.

Avoiding 3D Secure enabled cards means you're going to be avoiding a huge number of cards/customers, so I would not recommend that approach.

If you, the merchant, are in the US or your customer is in the US 3D Secure is very unlikely. It's a much more significant factor in Europe and other countries.

However, we do recommend you build support for next actions/3D Secure in your integration so you won't have to scramble to do it if 3D Secure or something similar starts becoming a thing here, if you expand to other countries, and/or to enable better fraud/abuse protection.

Thank you, Rubeus. That all makes sense. We do plan to support 3D Secure and next_action, but hopefully as a fairly quick follow-up to our initial release. Because we and most of our customers are in the US, we did assume that this approach would be less problematic, which sounds to be mostly true 🙂

that's good to know, regarding next_action and potential captchas, etc.