3DS: How does it work?

Why American Express Chargebacks Persist Despite 3DS (And How to Fix It)

This is a very common and well-understood pain point for ecommerce merchants. The discrepancy you’re observing is not due to the 3DS protocol itself being different, but rather due to key differences in adoption, enforcement, and technical implementation between American Express and the other networks.

Here’s a breakdown of why this happens:

1. Differences in Issuer Adoption and Enforcement

This is the single biggest factor.

  • Visa & Mastercard: For many regions (especially in Europe due to PSD2’s Strong Customer Authentication mandate), issuing banks are required to participate in 3DS. It’s not optional. When a merchant requests a 3DS check (a “challenge”), the Visa or Mastercard issuer is almost always equipped to process it and will return a response (either a successful authentication or a failure). The liability shift is clearly established and widely adopted.

  • American Express: Amex is both the card network and the issuer. However, they also have many third-party partner banks that issue Amex cards (e.g., in co-brand arrangements). The adoption and enforcement of 3DS (SafeKey) among all Amex issuers globally is not as universal or as strictly mandated as it is with Visa/Mastercard in regulated markets.

    • Result: When your payment gateway sends a 3DS authentication request for an Amex card, there is a significantly higher chance that the issuing bank on the other end does not support it, is not enrolled, or is not configured to respond correctly. The transaction then falls back to a “non-3DS” or “attempted” state, leaving you without the liability shift protection.

2. Technical and User Experience (UX) Friction

  • Visa & Mastercard: Their systems are highly optimized. They use sophisticated risk-based authentication. Many transactions are “frictionless” – the issuer validates the cardholder in the background without any customer interaction, and you still get the liability shift. Only risky transactions are “challenged” with a step-up (e.g., entering a code sent via SMS).
  • American Express: The SafeKey user experience has historically been cited as less streamlined. It can sometimes redirect to a clunkier, older-looking authentication page, which can increase cart abandonment. To combat this, some issuers might be more hesitant to enforce it on every transaction, again leading to a fallback scenario.

3. Regional Rollout and Prioritization

  • The 3DS infrastructure was built and rolled out first for Visa and Mastercard due to their massive market share. American Express, with a smaller share of the e-commerce market, has sometimes been slower to ensure global, uniform support from all its issuing partners. Your business might be processing transactions from regions where Amex issuer support for SafeKey is particularly low.

     

    Summary Table

    | Factor | Visa / Mastercard | American Express |
    |---|---|---|
    | Typical 3DS Success Rate | Very High (Often >95%) | Variable, Often Lower |
    | Primary Reason | Widespread, often mandatory issuer adoption due to regulations (e.g., PSD2). | Patchier adoption and enforcement across its global issuer base. |
    | Result for Merchant | Strong liability shift protection on successfully authenticated transactions. | Higher likelihood of transactions falling back to a non-3DS state, leaving you liable for chargebacks. |

    What Can You Do?

    1. Review Your Amex Data: Work with your payment processor to get a report on Amex transactions. Specifically, look for the 3DS response codes. You will likely see a high number of attempted or non-3DS statuses (e.g., code U or N) compared to successful Y codes.
    2. Contact American Express: Reach out to your Amex merchant representative. They have teams dedicated to fraud prevention. Present them with your data and ask for guidance. They can often provide insight into specific issuing banks that are causing problems and may have tools to help.
    3. Consider Strategic Decisions: For some merchants with extremely high Amex chargeback rates, the only recourse is to become more aggressive. This could mean:
      • Implementing a Stricter Ruleset: Configuring your gateway to decline Amex transactions that do not successfully complete 3DS authentication, rather than letting them process without protection.
      • Re-evaluating Amex Acceptance: In extreme cases, some merchants temporarily disable Amex until the issue is resolved, though this is a last resort due to the potential loss of sales.
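The data review in step 1 and the stricter ruleset in step 3 can be prototyped together. This is an added example, not code from the original article or from any processor: the CSV column names (network, amount, tds_status), the network labels, the function names, and the sample rows are all assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample of a processor export. Column names are assumed;
# map them to whatever your processor's report actually uses.
SAMPLE_EXPORT = """network,amount,tds_status
amex,120.00,Y
amex,80.00,U
amex,310.00,N
amex,45.00,
visa,60.00,Y
visa,75.00,Y
mastercard,20.00,Y
mastercard,99.00,N
"""


def status_breakdown(csv_text):
    """Count 3DS status codes per card network; a blank status becomes NONE."""
    counts = defaultdict(Counter)
    for row in csv.DictReader(io.StringIO(csv_text)):
        status = (row["tds_status"] or "").strip().upper() or "NONE"
        counts[row["network"].strip().lower()][status] += 1
    return counts


def authenticated_rate(counts, network):
    """Share of a network's transactions that came back with status Y."""
    total = sum(counts[network].values())
    return counts[network]["Y"] / total if total else 0.0


def strict_rule(network, status, strict_networks=("amex",)):
    """Stricter ruleset: on the listed networks, decline anything that is not Y.

    Other networks return 'gateway_default', meaning the existing policy applies.
    """
    status = (status or "").strip().upper()
    if network.strip().lower() in strict_networks:
        return "proceed" if status == "Y" else "decline"
    return "gateway_default"


if __name__ == "__main__":
    breakdown = status_breakdown(SAMPLE_EXPORT)
    for net in sorted(breakdown):
        print(net, dict(breakdown[net]), f"Y rate={authenticated_rate(breakdown, net):.0%}")
```

Run against a real export, the per-network Y rate is the figure to bring to the processor or to Amex, and the count of rows that `strict_rule` would decline gives an estimate of the sales impact before the rule is enabled.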