Why we force 3DS on every checkout, even when Visa says it is optional

PSD2 mandates SCA in Europe. We extend it globally. Here is the math behind why the conversion hit is worth it.

Security·2026-04-28·4 min read
Why we force 3DS on every checkout, even when Visa says it is optional

By default a card processor will let you skip 3D Secure on US, Asia and most LATAM cards because the issuer's risk model rates the transaction 'low'. Baynoy sets payment_method_options.card.request_three_d_secure to 'any' on every PaymentIntent. We deliberately give up the ~2% optional-3DS lift in conversion.

Why: chargeback liability shift. A 3DS-authenticated authorization moves fraud liability from the merchant to the issuer in 87% of card schemes globally (Visa SDK 2.3, MasterCard SecureCode 3, JCB J/Secure). For a typical SaaS, gross chargeback rate hovers at 0.4–0.6%. At 0.5% on $100k/month that is $500 of disputed transactions a month — and the operational tax of fighting them is 3–4 hours of staff time per dispute.

Net math: a 2% conversion drag costs $2,000 of incremental signups foregone, but eliminates $500 of chargebacks and ~15 hours of dispute work. For any business above $50k monthly volume, mandatory 3DS pays for itself within the first quarter.

Want the deep dive when it ships? Sign up below.