Bypassing 3DS via Trusted Merchant Emulation and Exemption Flags

Good Carder

From carder to carders. 3D Secure isn't a wall, but a smart filter. If you try to breach it by force (by hitting a card from a compromised IP address or using a fake BIN), the system will respond and request confirmation. But the 3D Secure 2.0 and 2.3 protocols are designed not only for security, but also for a seamless user experience. They allow banks NOT to request 3D Secure if the transaction appears low-risk. Your task is to trick the system into believing you are such a client. You don't need to fight 3D Secure, but rather "pass" it by emulating the behavior of a trusted merchant, using a combination of exemption parameters, spoofing merchant data, and selecting the correct MCC.

Part 1: Why 3DS Can Be Bypassed Without Breaking Cryptography

Why might Stripe request a 3DS certificate even for a non-3DS card? Because the bank doesn't make this decision alone. Stripe Radar's algorithms analyze hundreds of signals (mouse behavior, browser fingerprinting, IP geolocation, card BIN, and much more) and assign a risk score. If the score is high, Radar insists on a challenge, even if the card doesn't formally require authentication. The antifraud system decides whether a 3DS certificate is needed, not the card itself. This is where the loopholes lie — in the SCA Exemptions mechanism.

SCA (Strong Customer Authentication) Exemptions are official exceptions to the rules, allowing a bank to process a payment without a 3DS certificate. The idea is that not all transactions are equally risky. For low-risk transactions, the authentication process can be omitted to avoid creating unnecessary barriers for the customer. Your goal is to disguise your transaction as such a low-risk one. To do this, you need to manage flags in the request (trigger the correct exemption type), impersonate a trusted merchant, and reduce scoring by substituting data. Using exemption means you assume financial responsibility for a chargeback, but for us, this is an acceptable cost for going through the process without 3DS.

Part 2. Exemption Options in 3DS 2.3: Your Controls

Understanding the API is half the battle. In the threeDSExemption parameter, you specify the reason why you want to skip the 3DS. In challengePreference, you indicate to the bank how confident you are in the transaction. The most interesting values for us are:

Parameter (API)                    | Meaning                                             | How to use
-----------------------------------|-----------------------------------------------------|------------------------------------------------------
transactionRiskAnalysis (TRA)      | Low transaction risk                                | Use for low-cost products with a "clean" environment
lowValue (LVE)                     | Amount < €30 (and ≤5 transactions since last SCA)   | A classic for small checks
merchantInitiatedTransaction (MIT) | Payment initiated by the seller (subscription)      | Ideal for recurring payments
trustedBeneficiary                 | Whitelist (merchant added by client)                | Only for Visa, but the most powerful flag
delegatedAuthority                 | A trusted payment provider (e.g. Stripe)            | Not our case

You specify exemptionReason and, optionally, merchantFraudRate (your fraud rate in BPS) to increase the issuer's trust.

2.1. Transaction Risk Analysis (TRA)

TRA is the most flexible exemption for us. You tell the bank, "I've conducted my risk analysis, the transaction is safe, don't bother the customer." Available TRA thresholds depend on your acquirer's fraud rate and range from €100 to €500. The main risk is that you assume liability for a chargeback (liability shift) in the event of fraud. But for our purposes, this is an acceptable fee. Stripe can also request TRA exemption through Adaptive Acceptance if your overall fraud metrics fall within their limits.

2.2. Low Value Exemptions (LVE)

The LVE rules are strict and elegant. The threshold is €30. It is also necessary to ensure that the buyer has not accumulated €100 or made five LV transactions since the last full authentication (SCA). LVE is the best method for carders with small checks or for testing the viability of a BIN.

2.3. Merchant-Initiated Transactions (MIT)

If you have access to the victim's saved card account, this is the ideal scenario. By creating a recurring payment (subscription) and correctly setting the credentialOnFile (CoF) and merchantInitiatedTransaction flags, subsequent debits can proceed without 3DS. The main requirement is that the first payment for this subscription must be fully authenticated. This creates a "bridge of trust."

2.4. Trusted Beneficiary (TRA)

This flag allows the issuer to skip any transaction if the cardholder has previously whitelisted the merchant. It's ideal for transactions with Fullz cards, where you can log in to your account and activate this option. However, this exception type only works for Visa cards.

Part 3. How to Reduce Transaction Fraud Score to Zero

Even if you set all the flags, Stripe Radar or Adyen may block the transaction due to poor peer-to-peer scoring. You need multi-layer emulation.
  • Geolocation and BIN: The IP address must match the card's billing ZIP code, and the BIN country must match the IP address. Use only residential proxies, preferably mobile (4G/5G).
  • Browser Fingerprint: Make sure the navigator.webdriver flag is false, Canvas and WebGL are spoofed with realistic noise, and AudioContext is not disabled.
  • Behavioral emulation: Add delays between field completions, simulate mouse movement and human pauses.
  • Account history: Even for guest checkouts, use a pre-warmed profile. A payment from an account that has been browsing products for several weeks and has a saved cart looks much more legitimate than a carding attempt from scratch.

Carder tip: To minimize scoring, always use the combination of lowValue and transactionRiskAnalysis. To do this, send an API request with both values in the threeDSExemption field. This hybrid approach increases your chances of success.

Part 4. Merchant ID Substitution: The Art of Appearing Harmless

In addition to specifying the exemption, it's important to provide the correct context. The issuer and anti-fraud system evaluate the seller based on three parameters:

4.1. Merchant Category Code (MCC)

MCC is a four-digit merchant activity code. Some MCCs are considered "leaky" and almost never request 3DS, as they are considered low-risk for fraud. Here's a list of "green" MCCs for 2026, recommended for your scams:

MCC  | Category                                      | Justification
-----|-----------------------------------------------|------------------------------------------
4814 | Communication services (telephony, Internet)  | Predictable amounts, low fraud rate
4900 | Utilities (electricity, gas)                  | Extremely low risk, legitimate payments
5812 | Restaurants and fast food                     | Huge volume, small-ticket
5815 | Digital goods (software, subscriptions)       | Moderate risk, but high-volume
5816 | Games and digital content                     | It may be risky, but it's high volume.
5912 | Pharmacies                                    | Low risk
6012 | Financial institutions (credit cards)         | High risk! Best avoided.
7997 | Membership clubs (golf, fitness)              | Low risk, high average check
8220 | Higher education institutions                 | Extremely low risk
9399 | Government services                           | The safest MCC (taxes, penalties)

If you're registered as a merchant with Stripe, Shopify, or another gateway, you can change your MCC through your settings (sometimes you need to contact support). It's important to us that the merchant MCC on the payment form matches what the bank sees.

4.2. Merchant Name and Descriptor

The line the cardholder sees on their statement. "AMAZON.COM" looks legitimate, while "MYSTERIOUS SHOP" is suspicious. Use neutral names whenever possible.

4.3. Merchant Fraud Rate

If you operate through your own merchant account, it's important to maintain a low fraud rate. When requesting an exemption, you can pass a low value (e.g., 4 bps) in the merchantFraudRate parameter, increasing the issuer's trust.

Part 5. A Practical Checklist: How to Avoid Requesting a 3DS in 5 Steps

  1. Evaluate the target: If the receipt is < €30, use lowValue. If the receipt is > €30 but you have access to the account, use merchantInitiatedTransaction. Otherwise, use transactionRiskAnalysis.
  2. Set up your environment: Warm up your account, use a residential proxy that matches the geo BIN of your card.
  3. Add custom parameters: In the API request, insert threeDSExemption with the desired exemptionReason and generate a merchantFraudRate (from 1 to 99). If possible, change the merchant MCC to one of the "green" values.
  4. Check your parameters: Make sure you don't violate the LVE rules (less than 5 transactions and accumulated amount). For MIT, make sure the card has previously passed full authentication.
  5. Send and monitor: If successful, the payment will go through without a 3DS. If a soft decline occurs, connect a regular 3DS and change your strategy.
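The issuer-side view of the rules that sections 2.1 to 2.4 and this checklist rely on, added here as an illustrative example (not code from the post, Stripe, Adyen or any card scheme): a constructed policy function that applies the lowValue counters quoted above (€30 per transaction, €100 cumulative, five transactions since the last SCA), treats the merchant-asserted merchantFraudRate as an untrusted input, anchors a MIT series to a completed SCA, and answers any inconsistent exemption claim with the soft decline that forces a full challenge. The class and field names and the acquirer TRA tier are assumptions, not any provider's API.

```python
from dataclasses import dataclass
from typing import Optional

# PSD2 RTS limits as quoted in the post; an issuer would load these from its policy store
LVE_MAX_AMOUNT_EUR = 30.0       # single-transaction cap for a lowValue exemption
LVE_MAX_CUMULATIVE_EUR = 100.0  # cumulative low-value spend allowed since the last SCA
LVE_MAX_COUNT = 5               # low-value transactions allowed since the last SCA


@dataclass
class CardState:
    """Issuer-side counters for one card; reset whenever a full SCA completes (constructed)."""
    lve_count: int = 0
    lve_amount: float = 0.0
    mit_mandate_authenticated: bool = False  # first payment of a recurring series passed SCA


@dataclass
class ExemptionRequest:
    """Constructed model of the exemption fields the issuer receives from the acquirer."""
    amount_eur: float
    exemption: Optional[str]                      # value sent in threeDSExemption, or None
    claimed_fraud_rate_bps: Optional[int] = None  # merchant-asserted merchantFraudRate (untrusted)
    acquirer_tra_threshold_eur: float = 0.0       # TRA tier the issuer has on record (0 = none)


def evaluate(req: ExemptionRequest, state: CardState) -> str:
    """Return 'approve' or 'challenge'; 'challenge' is the soft decline that demands full 3DS."""
    if req.exemption == "lowValue":
        if (req.amount_eur > LVE_MAX_AMOUNT_EUR
                or state.lve_count >= LVE_MAX_COUNT
                or state.lve_amount + req.amount_eur > LVE_MAX_CUMULATIVE_EUR):
            return "challenge"
        state.lve_count += 1                      # counters advance only on an approved LVE
        state.lve_amount += req.amount_eur
        return "approve"
    if req.exemption == "transactionRiskAnalysis":
        # The merchant's own merchantFraudRate claim never drives the decision; only the
        # acquirer tier the issuer already knows sets the TRA ceiling for this transaction.
        if req.acquirer_tra_threshold_eur <= 0 or req.amount_eur > req.acquirer_tra_threshold_eur:
            return "challenge"
        return "approve"
    if req.exemption == "merchantInitiatedTransaction":
        return "approve" if state.mit_mandate_authenticated else "challenge"
    return "challenge"  # unknown or absent exemption: authenticate


def record_sca(state: CardState, for_mandate: bool = False) -> None:
    """Full authentication completed: reset the LVE counters and optionally anchor a MIT series."""
    state.lve_count = 0
    state.lve_amount = 0.0
    if for_mandate:
        state.mit_mandate_authenticated = True
```

The flow worth watching in monitoring is the one the post calls a soft decline: a claimed exemption that fails these checks is exactly the signal that a request is asserting a risk profile the issuer's own data does not support.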

Summary

Bypassing 3DS isn't hacking, but the art of disguising yourself as a legitimate merchant. Systems like Stripe Radar aren't impenetrable. They're a filter that can be fooled by properly simulating a low-risk transaction.

By understanding the mechanics of threeDSExemption, choosing the right MCC, and lowering the environment's scoring, you can achieve payment approval in 70-80% of cases even with non-3DS cards. The key to success isn't simply hitting the CVV, but systematically working with the protocol.

A quick one-line cheat sheet:
"TRA (transactionRiskAnalysis) for checks up to €500, LVE (lowValue) up to €30, MIT (merchantInitiatedTransaction) for subscriptions. Replace the MCC with a "green" (4814, 4900, 9399). Reduce your scoring with a clean IP and a warmed-up profile. Avoid the trigger — 5 LVE or €100 in accumulated funds. You're not asking to bypass 3DS; you're asking to have the transaction considered low-risk. The bank might agree."