Evidora Blog — Your go-to resource for everything related to digital interaction evidence, consent and verification

Evidora Blog — Your go-to resource for everything related to digital interaction evidence, consent and verification

By Nolan BryantPosted on Posted in Uncategorized
Chargeback Strategy

3D Secure vs. Evidora: Why Authentication Alone Won’t Stop Chargebacks

If you process online payments, you’ve probably wondered whether 3D Secure already handles your chargeback problem. Here’s the honest answer, and what it’s actually missing.

Dispute Prevention Friendly Fraud 8 min read
TL;DR

3D Secure and Evidora solve different problems. 3DS authenticates the cardholder at checkout and shifts liability on criminal fraud (about 20-30% of chargebacks). Evidora captures the behavioral, consent, and interaction evidence needed to defeat friendly fraud (60-80% of chargebacks) and qualify for Visa Compelling Evidence 3.0 liability shift. The best merchants run both: 3DS at the door, Evidora in the courtroom.

It’s one of the most common questions merchants ask when they first hear about Evidora: “Isn’t this basically the same as frictionless 3D Secure? Doesn’t my processor already do this?”

It’s a smart question. And getting the answer right matters, because betting your revenue on the wrong protection strategy can quietly cost you tens of thousands of dollars a year in chargebacks you should have won.

So let’s break it down, from the ground up.

What 3D Secure Actually Is (The Plain-English Version)

Imagine buying a candy bar and the cashier asks, “Hey, are you really the person who owns this credit card?” You have to prove it before they let you pay. That’s essentially what 3D Secure (3DS) does online.

When someone types a credit card into your checkout, the issuing bank wants to confirm the person holding that card is the real owner, not a thief using a stolen card number. So 3D Secure adds an extra layer: the bank sends a text message with a code, asks the customer to approve the purchase inside their banking app, or poses a security question.

The “3D” stands for “Three Domain,” because three parties are involved in the verification:

  1. The merchant (you)
  2. The card network (Visa, Mastercard)
  3. The issuing bank (the customer’s bank)
💡

The one job 3D Secure was built to do: stop criminal fraud, the kind where a bad actor uses someone else’s stolen card number to buy something online. That’s it. That’s the whole job.

“Frictionless 3DS,” the smoother upgrade

The original version of 3D Secure was notoriously annoying. Customers hated having to dig out their phone mid-checkout, wait for a code, and type it back in. Abandonment rates spiked, and merchants lost sales.

So the networks introduced Frictionless 3DS (3DS 2.0). Instead of always interrupting the customer, the bank now looks at silent background signals like device, location, and purchase history, and if everything looks legitimate, the transaction is approved without any extra step. Only suspicious transactions get challenged.

The big benefit merchants love: liability shift

Here’s the part that matters most. When a transaction is authenticated through 3DS and the cardholder later disputes it by claiming “that wasn’t me, it’s fraud,” the merchant is protected. The liability shifts to the issuing bank. The merchant doesn’t eat the chargeback.

Sounds amazing, right? Here’s the catch.

Why 3D Secure Doesn’t Solve Your Actual Chargeback Problem

3D Secure only protects against one type of chargeback: criminal fraud from stolen cards. That category is roughly 20–30% of all chargebacks. The overwhelming majority, the part that’s bleeding most merchants dry, is something completely different.

20–30% of chargebacks are criminal fraud (what 3DS protects against)
60–80% of chargebacks are friendly fraud (what 3DS does not protect against)
$0 recovered by 3DS on friendly fraud disputes

Friendly fraud isn’t a criminal using a stolen card. It’s the real cardholder, the actual person who owns the card, making a real purchase, then later disputing it. They passed 3D Secure with flying colors because it really was them. 3DS confirmed their identity perfectly. And then three weeks later, they call their bank and say:

  • “I don’t recognize this charge.”
  • “I never received the item.”
  • “I didn’t know it was recurring.”
  • “My spouse made that purchase without my permission.”

3D Secure has no answer for any of this. It was never designed to. It authenticated who the cardholder was at a single moment, but it didn’t capture what they did, what they saw, what they agreed to, or whether they actually used the product.

How Evidora Is Fundamentally Different

Here’s the cleanest way to think about it:

3D Secure is about identity. Evidora is about evidence.

3DS proves it was really the cardholder at the moment of checkout. Evidora proves what they did, what they agreed to, and what they received across the entire transaction lifecycle.

3D Secure

A single authentication event at checkout. Was this really the cardholder? Yes or no. End of story.

Evidora

A continuous record of the customer’s actual experience, every agreement, every interaction, every delivery, captured invisibly and preserved as defensible evidence.

Side-by-side: The problems each one solves

3D Secure Evidora
What it does Authenticates the cardholder at checkout Captures verifiable proof of the entire transaction experience
Type of fraud it stops Criminal fraud (stolen cards) Friendly fraud, refund abuse, consent disputes, “I didn’t order this” claims
% of chargebacks addressed ~20–30% 60–80% (the majority, friendly fraud)
Evidence captured Authentication event only IP, device data, session behavior, consent records, interaction proof, delivery/access confirmation
When it helps Only at the authentication moment Before the dispute, during the dispute, and in preventing future disputes
Works on subscriptions / recurring? Barely. Doesn’t prove consent to recurring terms Yes. Captures consent to recurring billing at signup
Works on digital goods? Yes for auth, but no proof of delivery or use Yes. Captures access logs, session activity, engagement
Liability shift for friendly fraud? No Yes. Provides the behavioral evidence required under Visa’s Compelling Evidence 3.0 to shift friendly fraud liability
Customer friction Sometimes adds friction (challenges) Zero friction. Completely invisible to the customer

The Core Insight Most Merchants Miss

When a chargeback lands on your desk, the issuing bank isn’t asking “was this cardholder authenticated?” 3DS already answered that.

The question the bank is actually asking is:

“Did this specific person, at this specific time, knowingly agree to this purchase, these terms, and receive what was promised?”

3DS can’t answer that. It wasn’t built to. It verifies identity at a single moment, the moment of checkout authentication. It doesn’t capture:

  • Whether the customer actually saw your recurring billing terms
  • Whether they clicked the consent box on your signup flow
  • What they did inside your checkout funnel
  • Whether they accessed the digital product they later claimed they “never received”

Evidora captures all of that automatically, invisibly, on every transaction.

“But 3DS Already Gives Me Liability Shift, So Why Do I Need More?”

This is the most common pushback, and the answer is simple: 3DS covers one narrow slice of your exposure. The rest of your chargeback volume is completely unaddressed.

The Missing Piece

Four reasons 3DS alone isn’t enough:

  1. Limited reason codes. 3DS liability shift only applies to fraud-coded chargebacks (reason codes like 10.4 and 10.5). It does nothing for non-fraud disputes like “item not received,” “not as described,” “subscription cancellation issues,” and “credit not processed,” which collectively make up a huge portion of disputes.
  2. Issuers push back anyway. Many issuers still challenge 3DS-authenticated transactions in friendly fraud cases, especially on subscriptions.
  3. Frictionless doesn’t guarantee protection. If the issuer decides not to challenge the transaction, the liability shift may not fully apply.
  4. No representment evidence. 3DS produces nothing you can use when you have to fight a non-fraud dispute. You have no record of consent, interaction, or delivery.

The Best Merchants Use Both

This isn’t an either/or decision. 3D Secure and Evidora solve different problems, and together they cover far more of your risk surface than either can alone.

Use 3D Secure for:

  • Authenticating cardholders at checkout
  • Liability shift on criminal fraud
  • Reducing stolen-card transaction risk

Use Evidora for:

  • Defeating friendly fraud and refund abuse
  • Proving consent on subscriptions and recurring billing
  • Winning “item not received” and “not as described” disputes
  • Qualifying for Visa Compelling Evidence 3.0 liability shift
  • Preventing disputes from being filed in the first place

Think of it this way: 3D Secure protects you at the door. Evidora protects you in the courtroom, which is where the real money is lost.

Frequently Asked Questions

Does 3D Secure stop friendly fraud?

No. 3D Secure only protects against criminal fraud where a stolen card is used, which is roughly 20-30% of chargebacks. Friendly fraud is committed by the real cardholder disputing a legitimate purchase, so 3DS authenticates them successfully and offers no protection when they later file a chargeback. You need behavioral and consent evidence, which is what Evidora captures.

What is Visa Compelling Evidence 3.0?

Visa Compelling Evidence 3.0 (CE 3.0) is a Visa program that lets merchants provide behavioral and transactional data to shift liability on friendly fraud disputes. To qualify, merchants must show matching data points like device ID, IP address, email, shipping address, or login credentials across at least two prior undisputed transactions with the same cardholder. Evidora captures exactly the kind of evidence CE 3.0 requires.

Do I need both 3D Secure and Evidora?

Yes. They solve different problems. 3D Secure shifts liability for criminal fraud chargebacks (stolen cards). Evidora protects against friendly fraud, refund abuse, consent disputes, and non-fraud disputes like “item not received” or “not as described.” Together they cover the full spectrum of chargeback risk, while either one alone leaves major gaps.

What percentage of chargebacks does 3D Secure actually prevent?

3D Secure only addresses criminal fraud chargebacks, which are about 20-30% of total chargeback volume. The remaining 60-80% come from friendly fraud and other disputes that 3DS was never designed to address. For most ecommerce merchants, 3DS alone leaves the majority of chargeback exposure unprotected.

Does Evidora add friction to my checkout?

No. Evidora captures evidence silently in the background. Customers see no extra steps, challenges, or interruptions. Conversion rates are preserved while you gain a complete, defensible record of every transaction.

Can Evidora help me win “item not received” or “not as described” disputes?

Yes. Evidora captures delivery confirmation, access logs, session activity, and engagement data, which is exactly the evidence issuers look for when evaluating non-fraud disputes. 3D Secure produces no evidence that can be used in representment for these reason codes, which is a large and growing share of chargebacks.

Stop losing disputes you should be winning.

Evidora gives you the behavioral, consent, and interaction evidence you need to deflect friendly fraud, win chargeback representments, and qualify for Visa Compelling Evidence 3.0, all without adding a single step of friction for your customer.

See How Evidora Works →
3D Secure vs Evidora
Scroll to top