How 3DS and VDCAP are changing payment security

Graphic showing the three domains of 3D Secure

Third-party credit card fraud is a huge, global problem, estimated to reach $43 billion by 2026. But with global e-commerce sales exceeding $6 trillion annually, merchants and card issuers must carefully balance clamping down on abuse with facilitating swift transactions.

3D Secure (3DS) aims to balance convenience and security by using lots of data from the transaction and the buyer’s device to seamlessly authenticate the cardholder, requiring step-up verification challenges (like biometrics or one-time passwords) only when the risk of fraud is high. While 3DS shifts liability to the card issuer if the transaction is found to be fraudulent, it introduces additional cost and friction — this type of payment authentication costs merchants money to use and can add occasional interruptions to the user experience.

To give merchants more flexibility, payment networks are expanding their authentication frameworks beyond 3DS. For example, Visa’s Digital Commerce Authentication Program (VDCAP) builds on 3DS with several complementary initiatives that empower merchants, payment providers, and issuers to verify users using richer data and modern authentication methods without adding unnecessary friction.

In this article, we’ll explain how 3DS works, explore examples of broader initiatives such as VDCAP, and look at how these innovations are shaping the future of secure online payments.

What is 3D Secure?

3D Secure is a final step in the online checkout process to verify that the purchaser is the legitimate cardholder. It reduces third-party fraud — that is, when someone uses someone else’s card without their knowledge or approval. Unlike standard transactions, issuers assume liability when approving 3DS transactions, but they benefit by being able to approve more transactions confidently while maintaining security.

The 3D in 3DS stands for “three domains,” which refers to:

  • Issuer: the bank that operates the credit card account
  • Acquirer: the company that processes credit card transactions for the merchant
  • Interoperability: the card network that facilitates communication between issuer and acquirer

Each credit card network has its own implementation of the 3DS protocol, such as Visa Secure (formerly Verified by Visa), Mastercard Identity Check, and American Express’s SafeKey.

From 3DS1 to 3DS2

The original 3D Secure (also known as 3DS1) required manual user verification, such as logging into an account or a one-time password (OTP), at every use. This approach proved burdensome and led to more abandoned transactions, and was also subject to phishing and spoofing.

3D Secure 2, also known as 3DS2 or EMV 3-D Secure, allows for situational context, including transaction information and device intelligence, to factor into the transaction approval decision. While the responsibility is on the issuing bank to determine if the user is trusted, merchants can help improve the issuer’s confidence in skipping a challenge and allowing a frictionless transaction. They can do this by sending additional information, like the details of the transaction at hand, order history, demographics from the account, and device details. The issuer can then run their own risk assessment across many factors, including the card’s shopping patterns, merchant category, user location, and device intelligence.

Most transactions (95% is a commonly claimed number, but we could find no original source!) will go through in a few seconds with no extra input; otherwise, the 3DS system will present a challenge screen for an OTP or other verification.

When is 3DS used?

While 3DS balances security and convenience for merchants and shoppers, additional considerations influence a merchant’s decision to use it. Even though 3DS shifts liability from the merchant to the card issuer, merchants have to pay a per-transaction fee to run their transactions through 3DS. As a result, many merchants may choose to run some but not all transactions through 3DS. For instance, they may skip 3DS for smaller amounts or credit cards that have already been successfully used by the same account.

However, sometimes it’s not a choice. Many jurisdictions, such as India and the European Economic Area, require strong customer authentication, such as 3D Secure, by statute; in others, banks or networks may require it in certain circumstances. As with many financial regulations, there are complications and exceptions: For instance, the EEA has an exception for low-value transactions or recurring payments after the first one.

How 3DS works

3D Secure requires participation from both the card issuer and the payment processor. Here’s a high-level overview of how the process works:

  1. The merchant optionally runs internal fraud and risk checks to decide whether to trigger 3D Secure authentication (or it may be required anyway by regulations).
  2. The merchant sends transaction details to the payment gateway (e.g., Stripe).
  3. The gateway initiates a 3D Secure authentication request via a 3DS service.
  4. The service routes the request through the card network (e.g., Visa, Mastercard) to the card issuer (e.g., Chase Bank, HSBC).
  5. The issuer evaluates the risk and chooses between a frictionless or challenge flow.
    • Fingerprint can make a big difference here: our device intelligence helps distinguish trusted users from fraudsters, reducing unnecessary friction by giving the issuer the confidence to make more decisions without a challenge.
  6. If a challenge is required, the issuer prompts the customer to authenticate (e.g., via OTP, banking app, biometric). If it’s frictionless, the buyer sees nothing.
  7. The issuer returns the authentication result through the 3DS system back to the merchant via the payment gateway.
  8. If authentication is successful (or if the merchant makes the request properly, even if they don’t get a response from the card issuer), the merchant proceeds with payment authorization. As the delegated verifier, the bank takes on liability if the cardholder later disputes the transaction as fraud.
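
The merchant's side of the flow above (steps 1 and 8), sketched as an added example; it is not code from this article or from any payment gateway. The `Order` fields, the thresholds, and the result labels are assumptions made for illustration, and the exemption and liability rules are simplified to what the text describes.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# All thresholds and names below are constructed for illustration.
EEA_LOW_VALUE_LIMIT = 30.00   # assumed ceiling for the low-value exemption
SMALL_AMOUNT_SKIP = 15.00     # assumed merchant cutoff where 3DS is optional
HIGH_RISK = 0.7               # assumed internal fraud-score cutoff (0..1)

@dataclass
class Order:
    amount: float
    region: str                # "EEA", "IN", or an optional-3DS region such as "US"
    recurring_followup: bool   # recurring payment after the first one
    card_known: bool           # card already used successfully by this account
    risk_score: float          # merchant's internal fraud score

def should_request_3ds(o: Order) -> Tuple[bool, str]:
    """Step 1: decide whether to send the transaction through 3DS."""
    if o.region == "IN":
        return True, "mandated"
    if o.region == "EEA":
        if o.recurring_followup:
            return False, "exempt: recurring payment after the first"
        if o.amount <= EEA_LOW_VALUE_LIMIT:
            return False, "exempt: low value"
        return True, "mandated"
    # 3DS is optional here: weigh the per-transaction fee against fraud risk.
    if o.risk_score >= HIGH_RISK:
        return True, "optional: high internal risk score"
    if o.amount < SMALL_AMOUNT_SKIP or o.card_known:
        return False, "optional: skipped for low-risk order"
    return True, "optional: liability shift worth the fee"

def after_authentication(requested: bool, result: Optional[str]) -> Tuple[bool, Optional[str]]:
    """Step 8: map the 3DS outcome to (proceed to authorization, fraud liability)."""
    if not requested:
        return True, "merchant"      # no 3DS, so no liability shift
    if result in ("authenticated", "attempted"):
        # "attempted": request made properly but the issuer did not respond.
        return True, "issuer"
    return False, None               # failed or abandoned challenge: stop here

def checkout(o: Order, issuer_result: Optional[str]) -> dict:
    """Run both decisions for one order and report who carries fraud liability."""
    requested, reason = should_request_3ds(o)
    proceed, liability = after_authentication(requested, issuer_result if requested else None)
    return {"request_3ds": requested, "reason": reason,
            "authorize": proceed, "fraud_liability": liability}
```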

Challenges and limitations

3D Secure 2 (the latest version is in fact 2.3.1) has meaningfully reduced online transaction fraud, especially in places where its use is mandatory, such as Europe and India. It’s not a perfect solution, though.

As one more step in the checkout process, it can add friction for shoppers. At best, and most commonly, the few seconds of waiting it adds are tolerable. When it does present a challenge, the extra hassle of processes like waiting on and typing an OTP or logging into a banking app to authenticate increases the chances that a buyer will abandon the transaction.

3DS also adds complexity for the merchant. E-commerce stacks are already complicated, and 3DS introduces another layer to be implemented, maintained, and occasionally repaired. 3DS also costs money: 3DS services charge between 10 and 30 cents for each transaction. The expense cuts into margins, and the assessment of whether it’s worth paying in order to shift liability complicates risk decisions.

Finally, while 3DS is a global standard, it doesn’t always work seamlessly and isn’t adopted universally. For instance, some US-based prepaid Visa or Mastercard issuers don’t support it, rendering their cards unusable where either regulation or seller policy requires 3DS.

Beyond 3DS: Visa’s Digital Commerce Authentication Program

Some card networks are taking the security of transactions even further. For example, Visa’s Digital Commerce Authentication Program (VDCAP) represents the next step in balancing fraud prevention with a seamless payment experience. Building on its implementation of 3DS (known as Visa Secure), Visa has added three programs — Data Only, the Digital Authentication Framework (DAF), and Payment Passkey — to enable merchants to design frictionless checkout experiences without increasing fraud.

Each program applies the same core principle as 3DS: using richer data and trusted credentials to seamlessly verify genuine customers. Some, like Data Only, focus on sharing detailed risk signals with issuers; others, like DAF and Payment Passkey, streamline or replace traditional authentication steps. This gives merchants and issuers flexibility to choose the approaches that make the most sense for their customers and stack.

Here’s an overview of how each program works:

  • Data Only: Built on top of Visa’s Intelligent Data Exchange (IDX), Data Only provides issuers with enhanced data to make more informed authorization decisions. In this program, third-party providers can send Visa extra data (e.g., device data, geolocation, cardholder account information, risk assessment scores) on behalf of their merchant clients. Visa then shares select signals with issuers when authorizing a transaction, giving issuers a richer context to validate the customer’s identity and assess transaction risk. Visa reports that they’ve seen a 4.2% increase in approval rate on medium-risk transactions through this enhanced data sharing.
  • DAF: Launched in 2023, DAF allows merchants to reduce shopper friction when authenticating customers using 3DS. Merchants who enroll in the program can perform a one-time, fully verified 3DS authentication of the shopper (e.g., prompting biometrics or OTP) so that future transactions from that same merchant-cardholder pair can be automatically authenticated without any challenge. Note that this doesn’t mean that the transaction is authorized, but rather, the user is authenticated. Since it’s still a 3DS transaction, issuers are liable for any associated risks, and merchants still have to pay 3DS fees (though there’s no extra fee to use DAF).
  • Payment Passkey: Instead of asking customers for OTPs (which can be phished or spoofed), Payment Passkey uses a more secure approach. It leverages biometric authentication—like fingerprint or face recognition—along with the FIDO (Fast Identity Online) standard to verify customers safely without adding friction to checkout. Here’s how it works: Customers register once with their card issuer or digital wallet provider, creating a passkey that securely links their card credentials to their device. When they shop at participating retailers, they simply authenticate with a fingerprint, face scan, or device PIN. The benefits are considerable: Visa estimates that, by using biometric authentication instead of OTPs, merchants and issuers can reduce fraud rates by 50%.

Merchants can also combine programs. For instance, merchants using Visa Secure could use Payment Passkey as the authentication method within their 3DS challenge flow, which reduces friction and fraud by replacing one-time passwords with a quick biometric confirmation.

How device intelligence works with 3D Secure and VDCAP

Device intelligence is the technique of analyzing dozens or hundreds of data points about the user’s specific browser and device, ranging from easily gathered info like device model and time zone to more esoteric factors like minute differences in graphics rendering. Together, these signals create a reliable device profile that can help identify returning customers or detect anomalies that suggest fraud.

Across 3D Secure and VDCAP, device intelligence plays a key role in balancing security and convenience for users, merchants, and issuers. In 3D Secure, the issuer can use device intelligence to determine whether they’ve seen a device before (i.e., logged into the bank’s website), reducing the need to challenge users without increasing fraud. In other VDCAP programs, device intelligence complements core authentication and authorization flows. For example, in Data Only, the system enriches authorization messages with device and behavioral context, helping issuers make more confident approval decisions.

Fingerprint is a device intelligence platform, and financial institutions and fintechs make up many of Fingerprint’s 6,000+ customers. Our industry-leading accuracy gives them the confidence to decide whether they’re dealing with an authentic user — their core responsibility in the 3D Secure process. Additionally, Fingerprint’s Smart Signals can help determine if a device’s profile is suspicious, a feature many merchants also use in their in-house fraud prevention programs.

The future of safer online payments

3D Secure remains the foundation of secure online card payments, but it’s no longer the whole story. Programs like VDCAP expand that foundation with initiatives like Data Only, DAF, and Payment Passkey, which use shared data, device trust, and biometric authentication to reduce friction while strengthening fraud prevention. Together, they signal the future of online payments: seamless, data-driven identity verification.

Device intelligence can help bring that future to life by connecting behavioral and device signals across sessions, enabling merchants and issuers to recognize trusted users (like for 3DS transactions) and confidently identify legitimate transactions (like for the Visa Data Only program). The result is a frictionless user experience and a safer payment ecosystem for merchants, issuers, and shoppers.

If you’re ready to see how device intelligence can result in safer online payments, our team is available to chat with a free trial.

FAQ

Is 3D Secure the same as Visa Secure or Mastercard SecureCode?

3D Secure is a security protocol; each credit card network has a name for its own implementation, such as Visa Secure (formerly Verified by Visa) and Mastercard Identity Check (formerly SecureCode for 3DS1).

Is 3D Secure required for all online transactions?

3D Secure is mandatory for online transactions in some parts of the world, including the European Economic Area and India. Where it is optional, such as in the US, many sellers use it because they find the benefits of reduced fraud and liability to be worth the expense, complexity, and occasional buyer friction.

How do I implement 3D Secure for my business?

It depends on who does your credit card processing. Many payment gateways, such as Stripe, tightly integrate their own 3D Secure service. Some, like Adyen, offer their own 3DS service but allow certain enterprise customers to use a different one. Yet others, such as Authorize.net, generally require you to engage a third-party 3DS service.

How does 3D Secure affect mobile payments?

3D Secure is fully adapted to mobile devices. It works just the same on mobile browsers as on desktop, and it can also work within native apps.
