Blog > Payments

3RI payments: How hotels can protect revenue & eliminate chargebacks on post-stay charges

Last updated on April 13, 2026

April 13, 2026 · 9 min read

Hospitality doesn’t work like standard e-commerce; there’s a massive gap between the first booking on the website and the final minibar charge at checkout.

In the past, Merchant Initiated Transactions (MITs) have been used to bridge this gap, but charging a stored card without Strong Customer Authentication (SCA) poses a serious risk. There’s no liability shift, so merchants are often the ones who swallow the loss of a dispute.

As fraud continues to rise and regulations tighten up, this old MIT approach isn’t sustainable. Merchant-initiated authentications (3RI) have emerged as a solution, and by linking future charges to the first transaction, it protects merchants from fraud liability even when the customer isn’t present.

3RI is particularly handy for complex operations like third-party travel agents, split payments, and subscription models that require subsequent charges after the initial purchase.

In this article, we’ll explain how 3RI works, how it can be used by merchants across different scenarios, and how the right payment strategy can help with your operational workflows, guest journey, and overall revenue impact.

Learn more:

What is 3RI (3DS requestor-initiated)?

3RI, or merchant-initiated authentications, allows merchants to process transactions for a follow-up purchase when a customer is not actively present at checkout. This e-commerce framework is typically used for recurring, subscription, instalment, or other automated payments charged to the same card the customer used for the first purchase.

For example, when a customer signs up for a monthly subscription service, they input their card details during the initial transaction. The merchant then uses these same credentials and authentication values to process future transactions without needing the cardholder to reenter their details each month.

What sets 3RI apart from standard merchant-initiated transactions (MITs) is that 3RI transactions remain authenticated. Unlike normal MITs, 3RI transactions preserve the 3DS fraud liability shift, meaning if a transaction turns out to be fraudulent, the responsibility lies with the issuer, not the merchant (the hotel/business owner).

At its core, 3RI uses the authentication values captured during the customer’s original transactions. This enables merchants to apply the same validated identity to future charges when the customer is not present.

3. How 3RI works in practice

3RI is designed to allow merchants to authenticate future transactions when the customer is not present, while upholding the authentication chain created during the original purchase.

To understand 3RI in practice, here’s what the lifecycle of a transaction looks like from first checkout to later merchant-initiated charges.

Note: As a prerequisite, the issuer must support 3DS, and the cardholder needs to be enrolled. Otherwise, 3RI is not available.

The initial customer-present transaction

3RI begins with a standard e-commerce payment flow, in which the customer enters their card details on a merchant’s checkout page.

The merchant side triggers 3DS authentication, flagged with a recurring or instalment indicator so that the issuing bank (the bank that issues the card) can evaluate the transaction and either approve it or require further confirmation.

After a successful authentication, the 3DS process provides three crucial values:

Authentication value (CAVV)
DS Transaction ID (DSTransID)
3DS server transaction reference

The merchant stores this information, along with tokenised card data, enabling future charge processing without the customer present. This stored credential framework is what sets 3RI apart from standard MITs, as it’s what allows future transactions to be linked to the original authenticated event.

Subsequent merchant-initiated charges

Later, when the merchant needs to process a subsequent charge, they can use the stored credentials even if the customer isn’t present. This is handy for business models that include subscriptions, instalment payments, delayed charges, and usage-based billing.

In practice:

The gateway submits a 3RI authentication request that references the original DSTransID.
The issuer sees prior strong customer authentication (SCA) and tends to approve the request without a challenge, while returning a new authentication value (CAVV).
You, the merchant, will use this new value in your authorisation request to the bank.

When a customer isn’t present in a standard e-commerce scenario, the transaction can’t be authenticated. But 3RI allows merchants to perform the authentication needed to process a transaction without bringing the customer back into the flow.

Ultimately, this allows for the authorisation and capture of follow-up payments while upholding the original liability shift (away from the merchant).

Authentication validity and re-authentication

But here’s the kicker: despite ongoing subscription or billing agreements, authentication values typically have a 90-day validity window.

This can lead to challenges, especially in hospitality, which often has long booking windows and extended stays, during which the original authentication expires before final payment is due. If you attempt to make a charge with an expired value, it will often be returned by the bank as a “Soft Decline.”

However, 3RI exists so that merchants can refresh authentication values to trigger a new CAVV before the previous one expires.

The gateway may proactively initiate an authentication refresh flow on Day 89 when the guest is not present, allowing for repeat charges outside the original 90-day window while preserving the liability shift and the continuity of the payment flow.

In hospitality, this process is automated by the merchant’s Property Management System (PMS) and booking platform, which track guest check-in and check-out dates against the original authentication timestamp.

As the PMS monitors these dates and IDs, it can automatically trigger the gateway for re-authentication at the exact moment it’s needed. This keeps merchants protected under the liability shift and creates an entirely frictionless experience for guests.

Why 3RI matters for hotels and travel

In an industry swathed with long booking windows and endless minibar bills, 3RI is a necessity for hotels and travel operators.

Balancing a smooth guest experience with the realities of repeat charges and add-ons can be challenging, but 3RI offers a clear solution that ensures long-term security, seamless recurring payment flows, and liability protection from the initial reservation through a guest’s final checkout.

Key benefits for merchants (hoteliers):

Maintain fraud liability shift: 3RI offers protection against traditionally exposed revenue, like no-shows, late cancellations, add-ons, and damages. Historically, these have been processed as standard MITs, but 3RI brings these charges back under 3DS, moving fraud liability from the merchant back to the issuer.
Reduction in chargebacks: Because 3RI ensures that follow-up transactions are fully authenticated, merchants can reduce their fraud loss and chargebacks. If a guest disputes a legitimate post-stay charge, the merchant can defend it using the 3DS authentication record.
Support frictionless guest experiences: 3RI allows you to truly centre your customers. You can process payments in the background throughout multiple touchpoints without ever needing to bring guests back into the flow. This also means no biometric challenges or holding up a guest’s checkout just to process a final payment.
Ensure SCA compliance in complex ecosystems: Hotels and travel often involve online travel agencies (OTAs), global distribution systems, and multiple service providers. With various touchpoints, 3RI ensures that the strong customer authentication (SCA) performed at the start of the flow remains compliant and valid as the booking moves across different platforms.

Benefits for guests and travellers:

Smoother guest journeys: If customer payment details are authenticated at the time of booking, the main benefit for 3RI is that it handles the rest. Guests no longer need to present their physical card for check-in or checkout, or enter an SMS code from the bank while on vacation. Thanks to 3RI, authenticated charges can continue to happen without disrupting guests.
Transparency and trust: 3RI runs in the background but still provides transparent notifications when additional charges (like that $10 bottle of water from the minibar) are applied after a guest checks out. This builds trust and reduces billing shock because guests are kept up to date, know the payment has been pre-authorised, and their details are being handled securely.
Consistent digital-first experiences: Regardless of whether a guest books via a hotel’s website, a mobile app, or a third-party OTA, the 3RI experience is identical, from security to authentication. The guest doesn’t feel any difference just because they use a different booking channel.

Core 3RI use cases in hospitality and travel

The technical aspect of 3RI happens behind the scenes, but its impact is felt throughout the guest journey. By moving away from manual card charges and towards a framework that centres around authentication, payment flows become safer for both guests and your bottom line as an operator.

Here are core use cases for 3RI in the hospitality and travel industry:

Direct online hotel bookings

3RI powers a true “book and go” experience. When a customer books directly on a hotel website, they undergo full 3DS authentication, in which card details are tokenised, and authentication data is securely collected and stored.

This process takes only seconds, but the flow ensures that when the guest arrives at the property, the hotel already has everything it needs to secure the stay without requiring a physical payment method at check-in.

Because most guests book travel months in advance, the hotel PMS can track the dates of their stay and trigger a 3RI authentication refresh on Day 89.

Doing this proactively (and automatically) means that the authentication remains valid from the moment a guest books until final charges after checkout. All without ever prompting for a card again.

When hotels operate this way, they can process 3RI payment requests via the gateway for post-stay extras and incidentals like mini-bar snacks and late checkouts.

Since these charges are linked to the original authentication event, the liability shift is upheld, while guests receive transparent notifications of charges with no friction.

No-show charges for online bookings

No shows are a classic security gap in hospitality that can lead to lost revenue for merchants. When a guest doesn’t arrive for their online booking, merchants often struggle to charge a cancellation fee to a stored card because there’s no SCA in place. This gives the guest grounds to dispute the charge and leave the merchant to swallow the loss.

But when merchants implement 3RI, this risk is eliminated. Hotels can apply no-show or late cancellation fees to bookings by referencing the original 3DS authentication. Because the no-show charge is linked to the original trust established during the booking session, the liability shifts to the issuer, and the hotel is protected if the guest disputes the charge.

Beyond revenue protection, this simplifies operations for managers and front-office teams, as there’s no need to manually run guest cards at check-in or push through broad pre-authorisations. 3RI automates and enforces your property’s cancellation policies while keeping revenue secure.

Alternative to card-present payments at check-in

Even if a guest books a hotel online, they’re still often required to present a physical card at check-in to cover incidentals. This adds friction by forcing guests to wait in line just to perform a payment operation that could have been completed at the time of booking.

3RI allows hotels to bypass manual card requests by using the original e-commerce authentication for any future charges, including incidentals, damages, and extras. Rather than holding guests up at reception, front desk staff can use 3RI to authorise additional amounts in the background.

In addition to improving check-in speed and reducing queues in your lobby, you’re creating a seamless experience for guests who can authorise their card once and have services automatically charged to it without having to sign the bill over and over. This is a true “just go to your room” journey while making access to add-ons and extras completely frictionless.

Holiday booking via third-party OTA

When a guest books a holiday via an online travel agency (OTA) like Expedia or Booking.com, they perform a full 3DS authentication to secure their stay. The agency stores the guest’s tokenised card data and authentication details, then passes them to the hotel’s payment gateway to complete the transaction.

Since the hotel receives payment authorisation and authentication data via the gateway, this digital handover allows guests to check in and out without presenting a physical card.

Even though the guest didn’t book the stay directly with the hotel, 3RI allows the property to bridge the gap and charge for incidentals through a 3RI merchant-initiated request. By referencing the original authentication values provided by the OTA, your hotel maintains the liability shift for additional charges and ensures a secure, seamless guest experience regardless of the channel used to book their stay.

Split payments from a travel agent

For complex bookings where, for example, a guest pays an initial deposit and the final balance at a later date, 3RI is paramount for maintaining security and ensuring full settlement of funds.

In this scenario, the guest’s initial deposit is fully 3DS-authenticated with tokenised card details. This first event generates the cryptographic values needed to later trigger a 3RI request for the final payment, without ever bringing guests back to your checkout page.

For complex agent models, the main benefit is that this payment flow enables you to capture an initial authentication that supports subsequent 3RI authorisations. So, beyond deposits, 3RI also allows agents to book flights, car rentals, and activities, not only hotel rooms. When working this way, the entire itinerary is supported by SCA and protected by a liability shift away from the merchant. Not to mention the high-end feel for a customer who only has to input payment details once… the rest is taken care of.

3RI vs traditional merchant-initiated transactions

To understand the value of 3RI, it’s helpful to compare it with traditional merchant-initiated transactions (MITs). While both allow merchants to charge guests who are not present, the main difference is in their security and protection.

Traditional MITs are merchant-initiated and use tokenised card data without 3D Secure (3DS) authentication. This is what normally occurs when you think about the standard “card on file” payment. It’s a convenient way to charge customers, but the major downside is there’s no liability shift.

In most cases, if a customer disputes an MIT as fraudulent, the merchant is almost always the one to bear the burden of the chargeback. Because there’s no cryptographic link between the MIT and the cardholder's authorisation, it's more difficult to prove that the customer approved the charge.

In contrast, 3RI leverages a prior 3DS authentication to secure follow-up transactions, shifting liability away from the merchant. Instead of a standard charge, the merchant submits a request that the issuer can link back to a previously authenticated session. This bridge between the initial checkout and follow-up charges changes the security and liability of the payment. 3RI ensures there’s cryptographic proof that the customer approved future transactions, protecting merchants from chargeback exposure and fraud risk.

By creating this trust link, 3RI helps merchants with:

Issuer approval rates: Banks are more likely to approve a charge when a customer is not present if there’s proof of the original authorisation or a clear follow-up to a secure booking.
Regulatory alignment: 3RI is critical to ensuring complex payments are fully compliant, particularly given its use cases in the travel industry and global regulations.
Fraud risk and chargeback exposure: 3RI is essentially cryptographic proof of the cardholder’s intent. Because of this evident link, merchants are better protected against “unauthorised” or “transaction not recognised” disputes.

3RI vs MIT comparison table

Feature	Traditional MIT	3RI
Authentication	None (relies on stored credentials)	Verified (linked to CSA)
Liability shift	Merchant is 100% liable	Issuer (protection stays with bank)
Fraud risk	High, easy to dispute MIT charges	Minimal, backed by proof of 3DS
Issuer approval	Lower, banks often cautious	Higher, clear trust
Compliance	Risk of "soft declines"	Fully compliant with CSA standards

All in all, merchants can think of 3RI as a strategic upgrade for recurring, follow-up, or complex payments that don’t require the customer to be present for every charge.

Implementation considerations for payment and hospitality teams

As a merchant, moving to 3RI means aligning your payment processes with guest-facing operations.

To bridge the gap between the first checkout and the final bill, your tech stack and team workflows need to shift from manual card entry to automated charges authenticated in the background. Success relies wholly on ensuring your systems are technically capable of executing the 3RI protocol and the trust exchange it requires.

Technical prerequisites

Before you can implement 3RI, your payment setup needs to support:

Initial checkout with SCA: The customer’s first transaction must go through the full 3DS flow with tokenisation. Without this first authorisation, there’s no authentication to reference for later transactions.
Gateway and acquirer support: Your payment partners need to support 3RI, including the ability to pass on and store values like the DSTransID and original authentication reference.
Integration: Your PMS or booking engine needs the ability to trigger 3RI requests when they’re needed. For example, a refresh on Day 89, upon checkout for incidentals, or for no-show scenarios.

Operational design

3RI gives you the freedom to design your guest journey to be way less intrusive than standard checkout flows. But this requires a clear map of your payment touchpoints and an understanding of how to incorporate 3RI into them.

Mapping the guest journey: It’s helpful to identify every point where a charge might occur after a customer’s initial booking. Consider incidentals like minibar charges, along with guest behaviours like late checkouts, no-show reservations, and even partial payments for more complex itineraries. Mapping out transaction flows will help you understand what can be automated by 3RI.
Automating payment flows: As a merchant, you can design your operations to replace manual card handling or large pre-authorisations with 3RI. When you embed 3RI flows into your PMS or channel manager, you can secure final payments automatically without manual intervention or tying up guest credit limits.
Extra transparency: Because 3RI transactions happen in the background, transparency is key to guest comprehension and overall satisfaction. Take this further by implementing automated notification templates to keep customers in the loop about post-stay charges, helping to maintain trust and reduce chargeback requests.

Risk and compliance alignment

Beyond customer satisfaction and operational efficiency, transitioning to 3RI helps merchants mitigate risk. But for this to happen, every player in the payment ecosystem needs to be aligned.

Network configuration: Merchants need to work with their acquirers to make sure 3RI is configured correctly within card scheme frameworks like Visa and Mastercard. Doing this establishes a clear chain of trust and ensures that, in 3RI transactions, liability shifts away from the merchant.
Internal policy updates: Review your internal policies related to stored cards, data protection, and how chargebacks are handled regarding the 3RI liability shift. Since 3RI gives merchants a stronger defence against unauthorised disputes, you can move away from manual verification while still reducing your fraud profile.
Team training: To ensure everything runs smoothly on a day-to-day basis, your finance and front office teams need to understand the 3RI shift and how it affects guest payments. Hospitality teams should be prepared to accept fewer card-present transactions and understand how 3RI works to explain background charges to guests and answer questions.

How 3RI reshapes payment strategy in hospitality and travel

3RI marks a new generation of frictionless guest journeys in hospitality and travel. Previously, merchants had to choose between a secure but clunky payment experience or a smooth, high-risk one. But 3RI finally does away with this compromise, enabling an era of seamless customer payments without sacrificing even an ounce of security.

Beyond an enhanced guest experience, 3RI has a serious revenue impact on the business side of things. Think fewer failed payments, lower chargebacks, higher approval rates, and, beyond all else, greater operational freedom to offer flexible payment options and cancellation terms that could previously threaten your bottom line. Yes, 3RI is designed to protect guest data, but its greatest value is in how it protects merchant revenue, too.

When looking to the future, MITs are on their way out. For payment leaders, hotel chains, and OTAs, the next step is to audit your payment process and build a roadmap towards 3RI transaction flows across your guest journey. Moving in this direction sets the stage for a more secure, profitable, and guest-centred hospitality experience over the long term. The choices are to adopt now or be left in the dust.