3D Secure threshold tuning
This page explains how the “3D Secure losses by amount” panel on your Revenue Recovery tab estimates its figures, where each figure comes from, and what to do with them. It is the long-form companion to the short notes shown in the dashboard itself.
What the panel measures
The panel only looks at one specific cohort of transactions: payment intents that, at the end of the selected timeframe, had a final status of failed or abandoned 3D Secure. These are intents where 3D Secure friction stopped completion and no later retry succeeded. They are the intents a tuned threshold could have helped — either by letting the legitimate customer through, or by accepting a small fraud risk in exchange for fewer drop-offs.
Unique intents only. If a customer retried under the same Brippo UID and one attempt eventually succeeded, that intent counts as recovered and is excluded from this panel.
What each number means
- Intents that would skip 3D Secure: the count of unique intents in the failed-3DS cohort whose amount is at or below the proposed threshold. Source: your own DynamoDB intent-winner items for the selected timeframe.
- Revenue freed: the sum of those intents’ amounts. This is the revenue that previously hit 3D Secure friction and never recovered. Setting the threshold to this tier would have let those payments skip 3D Secure entirely.
- Estimated fraud loss: a modelled range, not a measurement. Each freed intent’s amount is multiplied by an industry CNP fraud rate that depends on the band that amount falls into. We sum the per-intent contributions to get a low–high range.
The fraud-rate model
We use a soft U-shape: fraud rate is higher at the low-value end (card-testing), quietest in the £100–£500 mid band, and bumps up again at the high-value resale tail.
| Intent amount band | Low estimate | High estimate | Why |
|---|---|---|---|
| ≤ £100 / €100 | 4% | 6% | Card-testing band. Fraudsters validate stolen cards with small charges that are unlikely to trigger issuer scrutiny. |
| £100 – £500 | 2% | 3% | The quietest band. Genuine mid-ticket purchases dominate; fraud is harder to blend in without raising flags. |
| > £500 | 3% | 5% | High-value resale tail. Fewer attempts overall, but the ones that happen target items the fraudster can resell quickly. |
Two important points about this model:
- It is a model, not your actual fraud rate. We do not measure your historical fraud per band — we apply published industry curve shapes to the amounts of intents you have lost. Your real fraud rate depends on your customer base, your acquirer’s rules, and your product category, and it can be materially higher or lower than this range.
- It is much higher than the PSD2 TRA ceiling numbers. Those ceilings (0.13% / 0.06% / 0.01%) measure something different: they are the maximum fraud rate an acquirer is allowed to have across all card-not-present transactions, pooled at the acquirer level, for the EU Transaction Risk Analysis exemption to apply. They are not predictions for a self-selected failed-3DS subset. The cohort here is risk-enriched: the 3D Secure challenge was specifically what stopped these transactions, and a meaningful share of that cohort is genuine fraud attempts — far above the acquirer-wide pooled rate.
Why fraud rate varies with amount
Published fraud reports show fraud rates by amount are not flat:
- Card-testing dominates the low end. The EBA/ECB 2024 Payment Fraud Report flags low-value SCA-exempt transactions as a growing share of fraud volume.
- Resale-driven attacks dominate the high end. Carding patterns documented across industry sources describe small probe charges, mid-ticket “blend in” purchases, and a smaller tail of high-value attempts on resellable goods.
- Issuers and acquirers monitor more carefully at higher amounts. This pulls the mid band down. The regulator’s decreasing TRA fraud-rate ceilings (0.13% → 0.06% → 0.01%) reflect the same principle: higher-value bands are held to tighter standards.
What this panel cannot tell you
- Your specific fraud rate per band. We do not have access to your dispute-level data at the per-amount-band granularity. The estimate is a model.
- What issuers will do. Issuers can require 3D Secure on any transaction regardless of your threshold (soft decline / step-up). A low threshold on your side does not guarantee 3D Secure is skipped — only that your processor will not request it.
- Future fraud rates. Estimates use the last 6 months of unrecovered 3D Secure intents. Card-testing campaigns can change the picture week to week.
How to choose a threshold
- Start with your data. The hint cards show your P25, median, P75 and P90 amounts in the failed-3DS cohort. P25 protects 75% of losses with minimal friction reduction; P90 only challenges your highest-value transactions.
- Cross-reference the suggested-threshold table. The PSD2 tier rows (£25, £85, £220, £440) are regulatory snap-points; your own percentile rows sit alongside them. Pick a row whose Revenue freed feels worth recovering and whose Estimated fraud loss range you can absorb.
- Adjust if your customer base is unusual. Higher-risk verticals should sit closer to the strict end (low threshold). Mainstream consumer-facing merchants with stable customer bases usually find the sweet spot between your median and P75.
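The calculation described under “What each number means” and “The fraud-rate model”, applied to the PSD2 tier and percentile rows from “How to choose a threshold”, as an added example that is not the dashboard's own code. The sample cohort is constructed, the row labels are hypothetical, and the nearest-rank percentile method is an assumption, since the page does not state which method the hint cards use.

```python
from decimal import Decimal

# (inclusive upper bound, low rate, high rate), copied from the band table above.
BANDS = [
    (Decimal("100"), Decimal("0.04"), Decimal("0.06")),  # card-testing band
    (Decimal("500"), Decimal("0.02"), Decimal("0.03")),  # quiet mid band
    (None, Decimal("0.03"), Decimal("0.05")),            # high-value resale tail
]
PSD2_TIERS = {"PSD2 25": Decimal("25"), "PSD2 85": Decimal("85"),
              "PSD2 220": Decimal("220"), "PSD2 440": Decimal("440")}

# Constructed sample: amounts of unique intents whose final status was failed 3DS.
COHORT = [Decimal(a) for a in ("12.00", "24.99", "40.00", "85.00", "100.00",
                               "150.00", "220.00", "300.00", "500.00",
                               "650.00", "1200.00")]

def band_rates(amount):
    """Return the (low, high) modelled fraud rates for one intent amount."""
    for upper, low, high in BANDS:
        if upper is None or amount <= upper:
            return low, high

def percentile(amounts, p):
    """Nearest-rank percentile (assumed method; the dashboard's is not stated)."""
    ordered = sorted(amounts)
    rank = max(1, -(-p * len(ordered) // 100))  # ceil(p * n / 100)
    return ordered[rank - 1]

def evaluate_threshold(amounts, threshold):
    """Count, revenue freed and modelled fraud-loss range for one threshold."""
    freed = [a for a in amounts if a <= threshold]  # "at or below" skips 3DS
    zero = Decimal("0")
    return {
        "intents": len(freed),
        "revenue_freed": sum(freed, zero),
        "fraud_low": sum((a * band_rates(a)[0] for a in freed), zero),
        "fraud_high": sum((a * band_rates(a)[1] for a in freed), zero),
    }

def threshold_table(amounts):
    """PSD2 tier rows plus the cohort's own percentile rows, sorted by threshold."""
    rows = dict(PSD2_TIERS)
    rows.update({f"P{p}": percentile(amounts, p) for p in (25, 50, 75, 90)})
    return [(label, t, evaluate_threshold(amounts, t))
            for label, t in sorted(rows.items(), key=lambda kv: kv[1])]

if __name__ == "__main__":
    for label, t, r in threshold_table(COHORT):
        print(f"{label:>8} {t:>7} {r['intents']:>3} {r['revenue_freed']:>9} "
              f"{r['fraud_low']:.2f}-{r['fraud_high']:.2f}")
```

Because each intent is rated by its own band, a threshold that crosses a band boundary produces a blended loss range rather than a single percentage of the revenue freed.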
Sources. EBA/ECB 2024 Payment Fraud Report (ECB); Stripe SCA guide (stripe.com); SCA-RTS Articles 18 and 19.
