You cannot fully disable 3D Secure in Stripe because it is mandated by European SCA regulations and controlled by issuing banks. However, you can reduce 3DS triggers by configuring Stripe Radar rules to request exemptions for low-risk transactions, using Radar's machine learning to skip 3DS when regulations allow, and enabling automatic exemption requests for transactions under 30 EUR.
Can You Disable 3D Secure in Stripe?
3D Secure (3DS) is an authentication layer required by Strong Customer Authentication (SCA) regulations in Europe and mandated by card networks for certain transactions worldwide. You cannot turn it off entirely in Stripe — and doing so would violate regulations and increase your liability for fraud. However, Stripe provides tools to minimize unnecessary 3DS challenges. Radar rules can request exemptions for low-risk payments, merchant-initiated transactions, and small amounts. The goal is to reduce checkout friction without sacrificing compliance.
Prerequisites
- A Stripe account with Radar enabled (included on all accounts)
- Admin access to the Stripe Dashboard
- Understanding of your customer geography (EEA vs non-EEA)
- Familiarity with SCA exemption categories
Step-by-step guide
Understand when 3DS is required vs optional
3DS is required for most customer-initiated card payments in the European Economic Area (EEA) and UK under SCA rules. It is optional for non-EEA transactions, merchant-initiated charges, recurring subscription payments (after the first), and transactions under 30 EUR (low-value exemption).
```javascript
// SCA Exemptions (when 3DS may be skipped):

// 1. Low-value transactions: under €30 (cumulative limit €100 or 5 txns)
// 2. Low-risk transactions: Stripe's fraud rate qualifies for exemption
// 3. Merchant-initiated transactions: recurring charges after initial auth
// 4. Trusted beneficiary: customer whitelists your business
// 5. Corporate cards: business/corporate cards in some cases
// 6. Non-EEA transactions: one-leg-out rule (payer or merchant outside EEA)
```
Expected result: You understand which transactions can potentially skip 3DS.
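The sketch below is an added example, not code from the original guide or from Stripe. It shows how the low-value, merchant-initiated and one-leg-out categories above combine, and why a payment under €30 can still be challenged once the running limits are used up (the issuing bank keeps those counters, not the merchant). All field and function names are hypothetical; it assumes amounts in EUR cents and that reaching either running limit ends the low-value exemption.

```javascript
// Added example. Field names are hypothetical, not Stripe API fields.
// Thresholds come from the exemption list above; amounts are EUR cents.
const LOW_VALUE_MAX = 3000;   // each payment must be under €30
const CUMULATIVE_MAX = 10000; // €100 since the last authenticated payment
const COUNT_MAX = 5;          // 5 exempted payments since the last authentication

// Returns the exemption categories a payment could be considered for.
function candidateExemptions(txn, sinceLastAuth) {
  const found = [];
  // One-leg-out: payer or merchant is outside the EEA.
  if (!txn.payerInEea || !txn.merchantInEea) found.push('one_leg_out');
  // Merchant-initiated: recurring charge after an authenticated first payment.
  if (txn.merchantInitiated && txn.firstPaymentAuthenticated) {
    found.push('merchant_initiated');
  }
  // Low-value: under €30 and neither running counter is used up.
  // Assumption: reaching either counter ends the exemption.
  const underCap = Number.isInteger(txn.amount) && txn.amount > 0 &&
    txn.amount < LOW_VALUE_MAX;
  if (underCap &&
      sinceLastAuth.total + txn.amount <= CUMULATIVE_MAX &&
      sinceLastAuth.count < COUNT_MAX) {
    found.push('low_value');
  }
  return found;
}

// Replays a run of customer-initiated EEA payments and returns the 1-based
// position of the first one that no longer fits the low-value exemption,
// or null if all of them fit.
function firstPaymentNeedingAuth(amounts) {
  const counters = { total: 0, count: 0 };
  for (let i = 0; i < amounts.length; i++) {
    const txn = { amount: amounts[i], payerInEea: true, merchantInEea: true,
                  merchantInitiated: false, firstPaymentAuthenticated: false };
    if (!candidateExemptions(txn, counters).includes('low_value')) return i + 1;
    counters.total += amounts[i];
    counters.count += 1;
  }
  return null;
}

// Constructed sample input: six €20 payments, then five €25 payments.
console.log(firstPaymentNeedingAuth([2000, 2000, 2000, 2000, 2000, 2000])); // 6
console.log(firstPaymentNeedingAuth([2500, 2500, 2500, 2500, 2500]));       // 5
```

In the €25 run the cumulative €100 limit is reached before the five-payment limit, so the fifth payment is the one that needs authentication.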
Enable automatic exemption requests in Radar
Stripe Radar automatically requests applicable exemptions for your transactions. Go to Dashboard → Radar → Rules to verify that the default rules are active. Stripe's machine learning assesses each transaction and requests exemptions when the risk is low enough.
Expected result: Radar is configured to automatically request 3DS exemptions for qualifying transactions.
Configure Radar rules for exemptions
With Radar for Fraud Teams, you can create custom rules that request specific exemption types. For example, request the low-risk exemption for transactions from trusted customer segments.
```javascript
// Radar rule examples (set in Dashboard → Radar → Rules):

// Request low-risk exemption for returning customers:
// Rule: Request 3DS exemption when customer has 5+ successful payments

// Block 3DS for non-EEA cards (3DS is optional):
// These are handled automatically by Stripe

// Note: The issuing bank has final authority on whether to
// accept or reject an exemption request. Stripe requests
// the exemption, but the bank decides.
```
Expected result: Custom Radar rules are active, requesting exemptions where regulations allow.
Use off-session payments for recurring charges
For subscription renewals and merchant-initiated charges, set off_session: true and confirm: true. These are classified as merchant-initiated transactions (MIT) and are exempt from SCA in most cases.
```javascript
const stripe = require('stripe')(process.env.STRIPE_SECRET_KEY);

// Charge a saved card off-session (merchant-initiated)
async function chargeSavedCard() {
  const paymentIntent = await stripe.paymentIntents.create({
    amount: 2500, // $25.00
    currency: 'usd',
    customer: 'cus_ABC123',
    payment_method: 'pm_SAVED456',
    off_session: true,
    confirm: true,
  });

  console.log('Status:', paymentIntent.status);
  // Should be 'succeeded' without 3DS for MIT
  return paymentIntent;
}

// await is only valid inside an async function in a CommonJS script
chargeSavedCard().catch((err) => console.error(err.message));
```
Expected result: The payment processes without triggering 3DS because it is a merchant-initiated transaction.
Handle cases where the bank requires 3DS anyway
Even with exemptions, issuing banks can override and require 3DS. Your code must handle the authentication_required error gracefully by sending the customer back through the payment flow.
```javascript
const stripe = require('stripe')(process.env.STRIPE_SECRET_KEY);

async function chargeRenewal() {
  try {
    const paymentIntent = await stripe.paymentIntents.create({
      amount: 5000,
      currency: 'eur',
      customer: 'cus_ABC123',
      payment_method: 'pm_SAVED456',
      off_session: true,
      confirm: true,
    });
    return paymentIntent;
  } catch (err) {
    if (err.code === 'authentication_required') {
      // Bank overrode the exemption — bring customer back on-session
      console.log('3DS required. PI:', err.raw.payment_intent.id);
      // Notify customer to complete payment with 3DS
      return null;
    }
    // Any other failure (declined card, network error) is not a 3DS case
    throw err;
  }
}
```
Expected result: Your code catches the authentication_required error and can prompt the customer to re-authenticate.
Complete working example
```javascript
const express = require('express');
const stripe = require('stripe')(process.env.STRIPE_SECRET_KEY);

const app = express();
app.use(express.json());

// Note: amount, customerId and paymentMethodId are read from the request
// body here for brevity. In production, take the customer from the
// authenticated session and the amount from a server-side order record.

// On-session payment with automatic exemption handling
app.post('/api/pay', async (req, res) => {
  try {
    const { amount, customerId, paymentMethodId } = req.body;

    const paymentIntent = await stripe.paymentIntents.create({
      amount,
      currency: 'usd',
      customer: customerId,
      payment_method: paymentMethodId,
      confirm: true,
      automatic_payment_methods: {
        enabled: true,
        allow_redirects: 'never',
      },
    });

    if (paymentIntent.status === 'requires_action') {
      // 3DS triggered — return client_secret for frontend handling
      return res.json({
        requires_action: true,
        client_secret: paymentIntent.client_secret,
      });
    }

    res.json({ status: paymentIntent.status, id: paymentIntent.id });
  } catch (err) {
    res.status(500).json({ error: err.message });
  }
});

// Off-session charge (merchant-initiated, exempt from 3DS)
app.post('/api/charge-saved-card', async (req, res) => {
  try {
    const { customerId, paymentMethodId, amount } = req.body;

    const paymentIntent = await stripe.paymentIntents.create({
      amount,
      currency: 'usd',
      customer: customerId,
      payment_method: paymentMethodId,
      off_session: true,
      confirm: true,
    });

    res.json({ status: paymentIntent.status, id: paymentIntent.id });
  } catch (err) {
    if (err.code === 'authentication_required') {
      // Bank overrode the exemption: the customer must authenticate on-session
      return res.status(402).json({
        error: '3DS authentication required',
        payment_intent_id: err.raw.payment_intent.id,
      });
    }
    res.status(500).json({ error: err.message });
  }
});

const PORT = process.env.PORT || 3000;
app.listen(PORT, () => console.log(`Server on port ${PORT}`));
```
Common mistakes when disabling 3D Secure in Stripe
Mistake: Trying to fully disable 3DS for all transactions
How to avoid: This is not possible and violates SCA regulations. Focus on requesting exemptions for qualifying transactions instead.
Mistake: Assuming exemption requests are always approved
How to avoid: The issuing bank decides whether to accept exemptions. Always handle the authentication_required error as a fallback.
Mistake: Not using off_session for recurring subscription charges
How to avoid: Set off_session: true for merchant-initiated charges. Without it, Stripe treats the charge as customer-initiated and may trigger 3DS.
Mistake: Ignoring liability shift implications
How to avoid: Without 3DS, fraud liability falls on you (the merchant). With 3DS, liability shifts to the issuing bank. Consider this tradeoff when requesting exemptions.
Best practices
- Use Stripe Radar's automatic exemption requests — it handles most optimization automatically
- Set off_session: true for all merchant-initiated and recurring charges to skip 3DS
- Always handle authentication_required as a fallback when banks override exemptions
- Monitor your 3DS challenge rate in Dashboard → Analytics to understand friction
- Use Radar for Fraud Teams for granular control over exemption request rules
- Authenticate the first payment in a subscription on-session with 3DS, then charge renewals off-session
- Test with cards 4000000000003220 (3DS required) and 4242424242424242 (no 3DS) to verify both paths
Frequently asked questions
Can I completely turn off 3D Secure?
No. 3DS is mandated by SCA regulations in Europe and required by card networks in many scenarios. Even outside Europe, issuing banks can request 3DS. You can minimize it with exemptions but not eliminate it.
What is the liability shift with 3DS?
With 3DS authentication, fraud liability shifts from you to the issuing bank. Without 3DS (using exemptions), you carry the liability. This means if a fraudulent charge is disputed, you bear the cost.
Do all cards support 3DS exemptions?
Not all cards and issuers support all exemption types. Stripe requests the exemption, but the issuer decides. Newer cards from major banks in the EEA generally support exemptions well.
Does 3DS apply to non-European transactions?
SCA mandates only apply to EEA/UK transactions. However, card networks may require 3DS globally for high-risk transactions, and some non-European banks implement their own 3DS requirements.
How does Stripe Radar decide when to request exemptions?
Radar uses machine learning to assess transaction risk. If the transaction qualifies for a low-risk or low-value exemption and the risk score is below the threshold, Radar automatically requests the exemption.
What if I need help optimizing my checkout conversion rate with 3DS?
For businesses where 3DS friction significantly impacts conversion, the RapidDev team can analyze your payment flow, implement smart exemption strategies, and optimize the authentication experience.