Good Carder
Professional
Many perceive 3D Secure as an absolute barrier, beyond which payment becomes impossible. However, if you delve into the details of how it works, you'll discover its weaknesses and understand that the statistics and logic behind processing cards with different BINs play a key role. Let's take a closer look.
Part 1: How to tell if it's 3DS that's stopping you
Before panicking that the card has "burned out," you need to use indirect signs to determine for sure that it was 3DS authentication that stopped you.
- Statuses and response codes: If the attempt fails, look for the following codes in the gateway (Stripe/Adyen) response: authentication_required, 3d_secure_required, or redirect_required. The payment intent (such as pi_123456) will have a requires_action status, and the server may send a next_action object with the redirect_to_url type.
- External manifestations: The browser window is redirected to the bank's page with a code entry form, an iframe from the validation site pops up, or an automatic call to the linked bank application is triggered for confirmation.
- Manual verification: On most websites, the presence of 3D Secure is determined by the card's BIN (the first 6 digits) when the number is entered.
Part 2. Statistics: Why 3DS is killing cards and what trends have to do with it
The main pitfall of 3DS isn't the request itself, but rather the fact that it dramatically increases the transaction's fraud score in the bank's eyes, thus "burning" the card.
Ravelin's latest data for 2025-2026 gives us insight into the situation:
- The decline of "secure" (frictionless) payments: While seamless (no code required) 3DS authentication is a goal, its level has fallen worldwide in 2025, including in Europe and the US.
- Conflicting trends: Issuers are tightening their scrutiny, blocking transactions even when the merchant requests an exception. This is leading to an increase in 3DS requests (Challenge Rate) and outright refusals.
Result: even for a pure BIN, the risk of encountering mandatory authentication in 2026 is higher than in 2025.
Part 3. Bypass Practice: How and Where to "Slip Through"
The essence of the strategy is to reduce the likelihood that the bank's automated systems will suspect fraud and request 3DS. To achieve this, the payment must be made as "trusted" as possible for automated systems.
3.1. Non-3DS BINs
The simplest method is to use cards not registered in the protocol. Their BIN ranges are known as Non-3DS / Non-VBV BINs. Although their availability has decreased in 2025-2026, they are still found for some countries (USA, Asia) and card types (Debit).
- Where to get information: Current lists are sold on closed forums and are constantly updated.
- A free public database of Non-VBV BINs (binx.vip) shows 3DS status.
3.2. BIN Hiding: Illusion and Reality
"BIN hiding" sounds like the perfect way to block a 3DS request by spoofing the BIN. However, modern systems see the real BIN through the acsTransID (3DS session identifier).
- Technical reality: Attempting to spoof the BIN in client scripts is futile — bank-side validation will still reveal the real BIN. 2025 methods rely on 3DSecureID spoofing only for transactions with specific Non-3DS BINs.
- It's much safer to invest your efforts in finding fresh Non-3DS BINs rather than trying to technically cheat the system.
3.3. Platforms and Gateway Rules (Stripe/Shopify/Amazon)
Understanding payment gateway policies is critical. Some merchants are required to request 3DS by law (EU, UK), while others do so selectively.

| Platform | 3DS situation in 2025–2026 |
|---|---|
| Stripe | The decision to request 3DS is made dynamically by Radar. The request depends on many factors: the card and store country, the amount, and the account history. Countries like India require 3DS for international payments. |
| Shopify | Implementing 3D Secure 2.0 has become a mandatory requirement. This is critical for the EU; without 3D Secure support, a store will not accept payments. This is currently the default setting for Shopify Payments (using Cardinal Commerce). |
| Amazon Pay | 3D Secure is enabled by default for everyone. Cards that support 3DS are automatically verified. However, for those that do support 3DS, the process is unavoidable. |
| General rule | Websites regulated by the EU and UK require 3DS for all cards from these regions. Stripe/Shopify may request 3DS for any cards based on their scoring. |
Part 4. Realities of 2025–2026: Risk Zones and Loopholes
Understanding the legal (for business) exceptions will help you assess risks in a non-global manner.
- Mandatory authentication zones: EU/UK (even for small amounts over €30), countries with strict regulations (India, Australia) and rules for large amounts - this is where the risk is highest.
- Low-Risk Corridors: Where 3DS is least likely in 2025-2026:
  - US cards in the US: 3DS requirements are less common than they were a year ago; 3DS denials are growing slowly here.
  - Low-Ticket (small amounts): A legal loophole for businesses — transactions under 30 euros don't always require authentication. Keep the amounts low ($10-30).
  - High-Quality Non-3DS: Using Non-3DS BINs is the most reliable tactic, although their share is declining. High-quality Non-3DS BINs are certified by Mastercard for use without mandatory authentication.
Results and action plan
3DS isn't a chasm, but a condition of the environment. The main conclusion is that success comes to those who carefully analyze these conditions rather than trying to crudely circumvent them.
- "Green" (USA/US Card):
  - Look for a Non-3DS BIN.
  - Work with small amounts up to $20-30.
  - Use a pure residential US proxy.
  - Objective: Complete as Frictionless.
- "Yellow" (EU/EU Card):
  - High risk!
  - Look for a Non-3DS BIN.
  - Bet on a fresh BIN and a "dormant" profile.
  - Get ready for the 3DS challenge.
- Advanced (emulation):
  - Use an Android emulator.
  - Intercept traffic with Burp Suite.
  - Use SSL Pinning and Root Detection bypass techniques.
- General Plan B (if the 3DS request has already arrived):
  - Check if you can authenticate by accessing SMS or push notifications in your banking client.
  - If you can't access the card, immediately discard it and don't waste your proxy or account with repeated attempts.
  - Add the BIN of the card that called the 3DS to your personal blacklist.
