Hard Decline

3D Secure (3DS) Authentication Failure

3D Secure (3DS) authentication failure occurs when a customer does not successfully complete the additional verification step required by their bank. Under regulations like PSD2 in Europe, many transactions require Strong Customer Authentication (SCA) — the customer must verify via SMS code, banking app, or biometric confirmation. When this step fails or is abandoned, the payment is declined. This is technically a hard decline (the same attempt won't succeed), but the customer can easily retry with proper authentication, making recovery rates of 50-65% achievable.

Affected Percentage

~8% of all declines (higher in Europe/PSD2 regions)

Recovery Rate

50-65% with outreach

Recommended Action

Do not retry

Common Causes

Customer abandoned the verification step

The most common cause — the customer saw the 3DS popup or redirect and closed it without completing verification. They may not have recognized it as legitimate or found it confusing.

Verification code expired or not received

The SMS code sent by the bank expired before the customer entered it, or the SMS was delayed or never arrived due to phone issues.

Banking app not installed or not working

Some 3DS implementations require the customer to confirm in their banking app. If the app isn't installed, not updated, or having technical issues, verification fails.

Browser or device compatibility issue

The 3DS verification popup may not render correctly on certain browsers, devices, or in certain iframe configurations, preventing the customer from completing the step.

Incorrect verification attempt

The customer entered the wrong SMS code or password multiple times, causing the bank to reject the authentication.

Recommended Retry Strategy

Do not retry

Timing

Do not automatically retry. Send an email asking the customer to complete the purchase again with their bank verification ready. Include clear instructions about what to expect.

Max Retries

0 automatic retries — the customer must actively re-authenticate

Reasoning

3DS authentication requires active customer participation. Automatic retries won't work because the customer needs to complete the verification step themselves. The only recovery path is to bring the customer back and have them try again.

Best Practices

  1. Send a clear, immediate email explaining that the payment requires bank verification and inviting the customer to try again with instructions on what to expect.

  2. Use 3DS2 (the newer version) instead of 3DS1 — it provides a smoother in-app experience rather than a clunky redirect, reducing abandonment.

  3. Test your 3DS flow across different browsers, devices, and screen sizes to ensure compatibility.

  4. For recurring subscriptions in 3DS-required regions, authenticate the first payment and use merchant-initiated transaction (MIT) exemptions for subsequent charges.

  5. Provide visual guidance in your outreach showing what the bank verification popup looks like so customers recognize it as legitimate.
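
The retry policy and the MIT practice above can be combined into one routing rule. The following Python is an added example, not code from this page or from Rezoki; the decline code strings, the `Subscription` fields, the soft-decline retry limit, and the choice to clear the stored authentication after a 3DS failure are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Hypothetical identifiers: real gateways use their own decline codes and fields.
DECLINE_3DS_FAILED = "3ds_authentication_failed"
SOFT_DECLINES = {"insufficient_funds", "issuer_unavailable"}  # constructed examples
MAX_SOFT_RETRIES = 3  # assumed limit for other decline types, not from the page


class Action(Enum):
    REQUIRE_CUSTOMER_SCA = "customer completes 3DS2 on-session"
    CHARGE_AS_MIT = "off-session charge under MIT exemption"
    SCHEDULE_RETRY = "automatic retry"
    SEND_REAUTH_EMAIL = "email customer to re-authenticate"
    STOP = "stop"


@dataclass
class Subscription:
    initial_auth_ref: Optional[str] = None  # stored result of the first SCA
    auto_retries: int = 0


def plan_charge(sub: Subscription) -> Action:
    """First payment (nothing stored yet) needs SCA; renewals reuse it as MIT."""
    if sub.initial_auth_ref is None:
        return Action.REQUIRE_CUSTOMER_SCA
    return Action.CHARGE_AS_MIT


def record_sca_success(sub: Subscription, auth_ref: str) -> None:
    """Keep the authentication reference so later renewals can be sent as MIT."""
    sub.initial_auth_ref = auth_ref


def on_decline(sub: Subscription, code: str) -> Action:
    """Route a decline: a 3DS failure is never retried automatically."""
    if code == DECLINE_3DS_FAILED:
        # Assumption: drop the stored reference so no further MIT charge is
        # attempted until the customer has authenticated again.
        sub.initial_auth_ref = None
        return Action.SEND_REAUTH_EMAIL
    if code in SOFT_DECLINES and sub.auto_retries < MAX_SOFT_RETRIES:
        sub.auto_retries += 1
        return Action.SCHEDULE_RETRY
    return Action.STOP
```
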

How Rezoki Handles This Automatically

Rezoki detects 3DS authentication failures and immediately sends a user-friendly email explaining what happened in plain language — many customers don't understand why they were asked to verify or what went wrong. The email includes a retry link and clear visual instructions showing what the bank verification screen looks like, so the customer can complete it confidently on the next attempt. For recurring subscriptions, Rezoki ensures the initial authentication uses 3DS2 with proper SCA flags, enabling merchant-initiated transaction exemptions for future renewals to avoid repeated 3DS challenges.

Frequently Asked Questions

What is 3D Secure authentication?

3D Secure (3DS) is a security protocol developed by card networks (Visa, Mastercard, etc.) that adds an extra verification step during online payments. The customer must confirm their identity through their bank — typically via an SMS code, a banking app confirmation, or biometric verification. It reduces fraud and, under PSD2 in Europe, is legally required for most online card transactions.

Why is PSD2 causing more 3DS failures?

PSD2 (Payment Services Directive 2) is a European regulation requiring Strong Customer Authentication (SCA) for most online payments. Before PSD2, 3DS was optional. Now it's mandatory for EU transactions, meaning more customers encounter the verification step and more fail to complete it — either from confusion, technical issues, or SMS delivery problems.

Can I avoid 3DS for recurring subscriptions?

Yes, partially. Under PSD2, the first subscription payment requires full SCA. However, subsequent recurring charges can use a Merchant-Initiated Transaction (MIT) exemption, which doesn't require 3DS. This means the customer only needs to authenticate once at signup, and all subsequent renewal charges process without 3DS challenges.

What is the difference between 3DS1 and 3DS2?

3DS1 (the original version) redirects customers to their bank's website for verification — often a clunky, unfamiliar page that causes high abandonment. 3DS2 is the modern version that embeds verification natively within the checkout flow (in-app biometrics, push notifications) and supports risk-based authentication, where low-risk transactions can skip verification entirely.

How can I reduce 3DS abandonment rates?

Use 3DS2 instead of 3DS1 for a smoother experience. Test your 3DS flow across devices and browsers. Clearly communicate to customers that bank verification will be required before they reach the 3DS step. Use transaction risk analysis (TRA) exemptions for low-risk payments to skip 3DS when possible. Store authentication results for future MIT exemptions on subscriptions.
