3D Secure for Online Casinos and Gambling: Managing Authentication in a High-Fraud, High-Chargeback Environment

Published: June 29, 2026
Author: Sascha Huwlyler
TL;DR

Online gambling sees high fraud and even higher friendly-fraud chargebacks. Run 3DS at deposit, not registration, so the liability shift attaches to each charge and the amount informs the issuer's risk model. Successful authentication shifts true-fraud liability and strengthens dispute evidence, but doesn't replace KYC. TRA is the most useful SCA exemption; pair 3DS with card-name verification.

Online casinos and gambling operators face a 3DS environment unlike almost any other merchant category. The fraud rate is high. The friendly fraud rate is higher. Chargebacks from players disputing deposits they made voluntarily, from problem gamblers seeking refunds, from bonus abusers, and from opportunistic players who simply know how the dispute system works represent a significant and growing share of total chargeback volume. And uniquely among merchant categories, the most commercially important fraud-prevention tool available to the operator, the liability shift that comes with 3DS authentication, also carries a compliance wrinkle specific to gambling regulation.

Why does the gambling industry have elevated chargebacks?

Online gambling deposits are vulnerable to two distinct chargeback patterns. True fraud chargebacks occur when a stolen card is used to fund a gambling account, the real cardholder disputes the transaction, the funds have been wagered, and the merchant has no goods or digital content to reverse. Friendly fraud chargebacks occur when a genuine account holder disputes a deposit they made voluntarily, most commonly after losses. Problem gamblers in particular use the chargeback mechanism as a form of loss recovery.

The distinction matters because 3DS addresses both, but in different ways. Successful 3DS authentication shifts true fraud chargeback liability to the issuer. For friendly fraud, authentication provides evidence that the cardholder was present and authenticated the transaction. This is not a guaranteed defence against a chargeback in every jurisdiction, but it is material evidence in dispute representment. Gambling operators with a high friendly fraud rate who are not running 3DS are absorbing chargeback losses that authenticated transactions would have made far more defensible.

What is the correct 3DS implementation for a gambling deposit?

A gambling deposit is a customer-initiated transaction (CIT): the player funds their account and the operator charges the card. SCA applies in full where both the operator's PSP and the issuing bank are in scope. The authentication should be run at the point of deposit, not at registration or at a later point in the session.

Authentication at deposit, rather than at account registration, is the correct trigger for two reasons. First, the transaction amount is known at deposit time and is included in the authentication request, which improves the frictionless decision. A 50 EUR deposit is evaluated by the issuer's risk model as a 50 EUR transaction. Second, the liability shift attaches to the specific transaction that was authenticated. Authenticating at registration and then charging later as an MIT only works correctly under specific mandate-based MIT frameworks, and for gambling deposits of variable amounts, this is rarely the right structure.

How does the liability shift interact with gambling regulations?

Here is the compliance wrinkle specific to gambling: many gambling regulators require operators to verify player identity (KYC) and payment method ownership before allowing deposits. Some regulators require that the card used for deposit belongs to the verified account holder. A successful 3DS authentication is strong evidence that the person depositing controls the cardholder's authentication factors, because they completed a bank-authenticated step, but it does not prove that this person is the verified account holder, and it does not replace the operator's KYC obligation.

In markets where SCA is mandatory, a gambling operator who runs 3DS but cannot verify that the authenticated cardholder is the same person as the verified KYC identity faces a regulatory gap distinct from the payment authentication gap. PCI Proxy's account name verification capability, covered in the Card Intelligence hub, closes this gap: by confirming that the name on the card matches the name on the gambling account, operators satisfy both the payment authentication and the card ownership verification requirement in a single pre-authorization step.

What SCA exemptions apply to gambling deposits?

The low-value exemption (remote transactions of 30 EUR or less, and only until the card reaches 100 EUR or five transactions since its last SCA, a counter the issuer applies) is available but rarely strategically useful for gambling operators: typical deposit amounts are higher, and an exempted transaction is not authenticated, so the merchant keeps chargeback liability for it. The TRA exemption is available where the acquiring PSP's fraud rate stays under the regulatory band for the amount (0.13% up to 100 EUR, 0.06% up to 250 EUR, 0.01% up to 500 EUR), and is the most commercially relevant exemption for a high-volume casino processing large numbers of small-to-medium deposits. The same caveat applies: a deposit exempted on the acquirer side carries no liability shift, and the issuer may still refuse the exemption and soft-decline, in which case the deposit has to be resubmitted with authentication.

Recurring deposit mandates, where a player sets up a regular deposit schedule, can be structured as MIT transactions once the initial mandate is established via a CIT with SCA. This is useful for VIP players with established deposit patterns but requires careful implementation to maintain compliance. The mandate must clearly define the recurring amount and frequency, the player must have explicitly consented, and a deposit that departs from the mandated amount is a new CIT that needs its own authentication. Note also that the subsequent MITs are out of SCA scope but are not themselves authenticated, so the liability shift from the initial CIT does not extend to them.
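To make the exemption trade-off concrete, here is an added Python example (not PCI Proxy's code) that routes a single deposit: full authentication at deposit when the operator wants the liability shift, acquirer TRA or low-value exemption when it prefers conversion, and MIT only for a fixed-amount mandate established by an authenticated CIT. The amount and fraud-rate thresholds are the ones in the RTS on SCA (Commission Delegated Regulation (EU) 2018/389, Articles 11 and 16); the challenge indicator codes are EMV 3DS 2.2 threeDSRequestorChallengeInd values. `CardState` is a simplified model of the issuer-side low-value counter so the example runs offline, and all class and field names are assumptions.

```python
"""Route a gambling deposit under PSD2 SCA: authenticate, exempt, or MIT.

Added example, not PCI Proxy's code. CardState mirrors the issuer's
low-value counter only so the example runs offline; in production the
issuer keeps that counter, not the merchant.
"""
from dataclasses import dataclass
from typing import Optional

LOW_VALUE_MAX = 30.00              # RTS Art. 11(a): single remote transaction
LOW_VALUE_CUMULATIVE_MAX = 100.00  # RTS Art. 11(b): cumulative since last SCA
LOW_VALUE_MAX_COUNT = 5            # RTS Art. 11(c): transactions since last SCA

# RTS Art. 16 TRA: (max amount in EUR, max PSP fraud rate in %).
TRA_THRESHOLDS = ((100.00, 0.13), (250.00, 0.06), (500.00, 0.01))

# EMV 3DS 2.2 threeDSRequestorChallengeInd values used below.
CHALLENGE_NO_PREFERENCE = "01"       # let the issuer decide (frictionless or challenge)
CHALLENGE_NOT_REQUESTED = "02"       # merchant claims an exemption
CHALLENGE_NOT_REQUESTED_TRA = "05"   # merchant claims an exemption, TRA already performed


@dataclass
class CardState:
    amount_since_sca: float = 0.0
    count_since_sca: int = 0


@dataclass
class Mandate:
    """Recurring deposit mandate; valid only if the initial CIT was authenticated."""
    fixed_amount: float
    initial_cit_authenticated: bool


@dataclass
class Decision:
    route: str                   # "sca", "exemption" or "mit"
    basis: str
    liability_shift: bool        # only an issuer-authenticated transaction gets it
    challenge_ind: Optional[str]


def tra_allows(amount: float, psp_fraud_rate_pct: float) -> bool:
    """Acquirer TRA: the PSP's fraud rate must sit under the band for this amount."""
    for max_amount, max_rate in TRA_THRESHOLDS:
        if amount <= max_amount:
            return psp_fraud_rate_pct <= max_rate
    return False  # above 500 EUR there is no TRA exemption


def low_value_allows(amount: float, state: CardState) -> bool:
    return (amount <= LOW_VALUE_MAX
            and state.amount_since_sca + amount <= LOW_VALUE_CUMULATIVE_MAX
            and state.count_since_sca + 1 <= LOW_VALUE_MAX_COUNT)


def route_deposit(amount: float, state: CardState, psp_fraud_rate_pct: float,
                  prefer_liability_shift: bool = True,
                  mandate: Optional[Mandate] = None) -> Decision:
    if mandate is not None:
        if not mandate.initial_cit_authenticated:
            raise ValueError("mandate must be established by an SCA-authenticated CIT")
        if amount != mandate.fixed_amount:
            # A different amount is not covered by the mandate: treat it as a new CIT.
            return route_deposit(amount, state, psp_fraud_rate_pct, prefer_liability_shift)
        return Decision("mit", "fixed-amount recurring mandate", False, None)

    if prefer_liability_shift:
        # Authenticate every deposit; frictionless or challenged, the shift attaches.
        return Decision("sca", "authenticate at deposit", True, CHALLENGE_NO_PREFERENCE)

    if tra_allows(amount, psp_fraud_rate_pct):
        return Decision("exemption", "TRA (RTS Art. 16)", False, CHALLENGE_NOT_REQUESTED_TRA)
    if low_value_allows(amount, state):
        return Decision("exemption", "low value (RTS Art. 11)", False, CHALLENGE_NOT_REQUESTED)
    return Decision("sca", "no exemption available", True, CHALLENGE_NO_PREFERENCE)


def record_outcome(state: CardState, amount: float, sca_performed: bool) -> CardState:
    """Issuer-side counter: SCA resets it, an exempted transaction advances it."""
    if sca_performed:
        state.amount_since_sca, state.count_since_sca = 0.0, 0
    else:
        state.amount_since_sca += amount
        state.count_since_sca += 1
    return state


if __name__ == "__main__":
    print(route_deposit(50.00, CardState(), psp_fraud_rate_pct=0.05))
    print(route_deposit(50.00, CardState(), 0.05, prefer_liability_shift=False))
```

The routing deliberately defaults to `prefer_liability_shift=True`, which is the article's recommendation for this vertical; the exemption branch is there to show what is given up, not as the default path. An exempted deposit that the issuer soft-declines should be resubmitted through the `"sca"` route.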

How does 3DS interact with gambling payment retries?

Players who fail a 3DS challenge do not simply abandon the deposit; they often retry immediately, either with a different payment method or by attempting the authentication again. Operators who track authentication failure rates by challenge type find that app-based (out-of-band) challenges complete significantly more often than SMS OTP, which in turn completes more often than static password challenges. The challenge method itself is chosen by the issuer's ACS, not by the merchant: EMV 3DS 2.x lets the merchant signal only whether it prefers a challenge at all (the 3DS Requestor Challenge Indicator). The lever on the operator's side is therefore to measure outcomes per issuer and challenge type and tune the challenge preference and retry handling accordingly.

PCI Proxy's 3DS Server gives gambling operators visibility into authentication outcomes at a granular level, by card network, challenge type, and outcome code, enabling continuous optimization of the authentication flow for their specific player base.
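As an added example (not PCI Proxy's 3DS Server or its export format), the following Python computes the metrics the two paragraphs above describe from a constructed authentication export: challenge completion rate per challenge type, liability-shift coverage derived from the final transStatus and ECI, and the set of deposits where the ECI contradicts the transStatus and should block authorization. The transStatus letters (Y, A, N, U, R, C) are EMV 3DS values and the ECI pairs are the Visa (05/06) and Mastercard (02/01) codes for authenticated and attempted transactions; the column names, `challenge_type` labels and every row of `SAMPLE` are constructed for this example.

```python
"""Analyse 3DS authentication outcomes for gambling deposits.

Added example, not PCI Proxy's code. SAMPLE is a constructed export; the
column names and challenge_type labels are assumptions. d11 is deliberately
inconsistent (transStatus Y with a non-authenticated ECI) to show the check.
"""
import csv
from collections import defaultdict
from io import StringIO

SAMPLE = """\
tx_id,network,amount,ares_status,final_status,challenge_type,eci
d1,visa,50.00,Y,Y,,05
d2,visa,200.00,C,Y,app_oob,05
d3,visa,200.00,C,N,sms_otp,07
d4,mastercard,75.00,C,Y,sms_otp,02
d5,mastercard,75.00,C,U,static_password,00
d6,mastercard,30.00,A,A,,01
d7,visa,120.00,N,N,,07
d8,visa,60.00,C,Y,app_oob,05
d9,mastercard,90.00,C,Y,app_oob,02
d10,visa,40.00,U,U,,07
d11,visa,25.00,Y,Y,,07
"""

# Final transStatus values that carry the liability shift.
SHIFT_STATUSES = {"Y", "A"}

# ECI that must accompany Y (authenticated) / A (attempted) per network.
EXPECTED_ECI = {
    "visa": {"Y": "05", "A": "06"},
    "mastercard": {"Y": "02", "A": "01"},
}


def parse_export(text: str) -> list:
    return list(csv.DictReader(StringIO(text)))


def liability_shift(row: dict) -> bool:
    """Shift applies only when transStatus and ECI agree on authenticated/attempted."""
    expected = EXPECTED_ECI.get(row["network"], {}).get(row["final_status"])
    return row["final_status"] in SHIFT_STATUSES and row["eci"] == expected


def eci_mismatches(rows: list) -> list:
    """Deposits claiming Y/A whose ECI says otherwise: do not authorize on the shift."""
    return [r["tx_id"] for r in rows
            if r["final_status"] in SHIFT_STATUSES and not liability_shift(r)]


def completion_by_challenge_type(rows: list) -> dict:
    """(completed, challenged, rate) per challenge type, for deposits the ARes challenged."""
    challenged, completed = defaultdict(int), defaultdict(int)
    for r in rows:
        if r["ares_status"] != "C":
            continue
        kind = r["challenge_type"] or "unknown"
        challenged[kind] += 1
        if r["final_status"] == "Y":
            completed[kind] += 1
    return {k: (completed[k], challenged[k], round(completed[k] / challenged[k], 3))
            for k in challenged}


def coverage_summary(rows: list) -> dict:
    """How much deposit volume is, and is not, protected by the liability shift."""
    covered = [r for r in rows if liability_shift(r)]
    return {
        "total": len(rows),
        "frictionless": sum(r["ares_status"] in SHIFT_STATUSES for r in rows),
        "challenged": sum(r["ares_status"] == "C" for r in rows),
        "covered": len(covered),
        "uncovered_amount": sum(float(r["amount"]) for r in rows if not liability_shift(r)),
    }


if __name__ == "__main__":
    rows = parse_export(SAMPLE)
    print(completion_by_challenge_type(rows))
    print(coverage_summary(rows))
    print("ECI mismatches:", eci_mismatches(rows))
```

The `uncovered_amount` figure is the one a gambling operator should watch: it is the deposit volume that a friendly-fraud or true-fraud dispute would hit the merchant for, and it grows with every exemption claimed, every failed challenge, and every ECI mismatch that slipped through to authorization.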

Frequently asked questions:

Does 3DS authentication prevent chargeback fraud from problem gamblers?

3DS shifts true fraud chargeback liability to the issuer. It does not automatically prevent friendly fraud chargebacks, but the authentication record is strong evidence in dispute representment. Operators in tightly regulated markets such as the UK (where the Gambling Commission, not the FCA, licenses operators) report that authentication records significantly improve their representment success rate.

Should a gambling operator run 3DS at account registration or at deposit?

At deposit. The liability shift attaches to the specific authenticated transaction. Authentication at registration creates a zero-amount account-verification record, not a deposit authentication, and no later charge inherits a liability shift from it. Running 3DS at each deposit ensures every chargeable event is covered by the liability shift.