Discover how Visa Secure is transforming online payments with EMV 3DS, risk-based authentication and passkeys enabling frictionless, secure checkouts.
Max
Created: June 16, 2025
Updated: June 17, 2025
Our mission is to make the Internet a safer place, and the new login standard, passkeys, provides a superior solution to achieve that. That's why we want to help you understand passkeys and their characteristics better.
The online checkout experience is rapidly evolving from frustrating redirects and forgotten passwords to seamless, secure interactions built on cryptographic standards. At the heart of this transformation is Visa Secure, Visa's global authentication program based on the EMV 3-D Secure protocol.
In this post, we unpack how Visa Secure is reshaping digital commerce by combining rich data, AI-driven risk assessment, and device-level trust to deliver secure yet frictionless payments. As phishing-resistant, passwordless technologies like passkeys and Secure Payment Confirmation (SPC) enter the mainstream, understanding Visa’s strategy becomes critical for developers, product owners, and security teams alike.
This article explores five key questions:
What is Visa Secure and how did it evolve from its predecessors like Verified by Visa?
What are the core principles, such as liability shift and data-rich risk assessment, that make the program effective?
How does Visa leverage rich data and the EMV 3-D Secure protocol to enable a frictionless yet secure checkout experience?
What is the future of payment authentication, and how do innovations like Secure Payment Confirmation (SPC) and passkeys fit into Visa’s strategy?
What are the tangible benefits and key integration steps for merchants and card issuers who adopt this new standard?
By answering these questions, we aim to clarify Visa’s role in shaping the next generation of payment authentication - one that reduces fraud, protects users, and prepares businesses for a passkey-first future.
At its core, Visa Secure is Visa's global program built upon the EMV® 3-D Secure (EMV 3DS) protocol. It serves a dual mandate: to make online authentication simple and to prevent card-not-present (CNP) fraud. It is the modern standard for verifying a cardholder's identity during an online transaction, providing an additional layer of protection that works across desktops, mobile devices, and in-app purchases. This service is not something consumers need to register for or download; it operates automatically at checkout on participating merchant sites, creating a consistent and secure global framework.
The predecessor to Visa Secure was a program known as "Verified by Visa". Launched in the early 2000s, it was a pioneering effort to address the growing risk of online fraud. The mechanism, based on the original 3-D Secure 1.0 protocol, was straightforward: after a customer entered their card details, they were redirected away from the merchant's site to a page hosted by their card-issuing bank. There, they had to prove their identity by entering a static password or answering personal security questions they had previously set up.
While this added a necessary layer of security, it came at a significant cost to the user experience. The abrupt redirect was jarring, the password was yet another credential for users to forget, and the entire process introduced considerable friction into the checkout flow. This friction had a direct and measurable negative impact on business, leading to high rates of cart abandonment as frustrated customers simply gave up on their purchases. In fact, studies have shown that authentication issues can cause as many as 62% of consumers to abandon a purchase.
The market's demand for a better way led to the development of EMV 3-D Secure (often referred to as 3DS 2.x), the advanced protocol that powers the modern Visa Secure program. The transition was not merely a branding update but a fundamental re-architecting of the authentication process, driven by the explosion of mobile commerce and the imperative for a smoother, more integrated user experience. The central innovation of EMV 3DS is its ability to transmit a vast amount of contextual data between the merchant and the issuer behind the scenes, before a decision to challenge the user is ever made. Instead of challenging every transaction with a password, the system uses this rich data to perform a sophisticated risk analysis in real-time. This allows the majority of legitimate transactions to be approved without any interaction from the cardholder, creating what is known as the frictionless 3-D Secure flow. The eventual sunsetting of the 3DS 1.0 protocol in October 2022 cemented this shift, compelling the entire payments ecosystem to upgrade and fully embrace this more intelligent and user-centric approach.
The Visa authentication program is more than just a technical protocol; it is an economic framework built on three interdependent pillars. These pillars work in concert to create a system of shared trust, aligned incentives, and mutual benefit that underpins billions of secure transactions globally.
Global rules: The first pillar is the establishment of a standardized set of rules and a common technical language—EMV 3DS—that enables thousands of different merchants, acquirers (merchant banks), and issuers (cardholder banks) to communicate securely and predictably. Visa acts as the central governor of this system, ensuring the integrity of the network and providing the infrastructure for global interoperability. This common framework means that a small online shop in one country can securely authenticate a customer from another, using the same trusted process as a multinational corporation.
Data-rich risk assessment: The second and most technologically significant pillar is the principle of data-driven risk assessment. The entire program is predicated on the idea that more contextual data leads to more accurate risk decisions. The EMV 3DS protocol is the channel through which this data flows, allowing merchants to send more than 100 different data elements to the issuer with each transaction request. This includes not only basic transaction details but also information about the customer's device, browser, location, and even their historical behavior with the merchant. Visa has a long history in this domain, having pioneered the use of artificial intelligence in payments since 1993 to detect fraud, and this deep expertise in responsible data use and AI forms the bedrock of the program's risk assessment capabilities.
Issuer liability shift: The third pillar provides the primary business incentive for merchants to participate in the program: the liability shift. In the world of online commerce, merchants are typically held financially responsible for fraudulent transactions that result in a chargeback. The liability shift rule fundamentally alters this dynamic. When a transaction is successfully authenticated using Visa Secure, the liability for certain types of fraudulent chargebacks (such as those claimed due to a lost or stolen card) shifts from the merchant to the card issuer. This is a powerful form of financial protection that directly safeguards a merchant's revenue. However, this protection is not automatic; it is earned. It is the reward for participating fully in the data exchange. By providing the rich data required for an accurate risk assessment, merchants enable the issuer to make a confident authentication decision, and in return, the issuer assumes the risk.
To execute this complex dance of data exchange and risk assessment, Visa has built a sophisticated, multi-layered service architecture. The Visa Payer Authentication Service functions as a robust, high-uptime network that links tens of thousands of merchants with thousands of issuers, operating on a federated, hub-and-spoke model. The merchant's 3DS Server sends an authentication request to Visa's Directory Server (the hub), which then intelligently routes the message to the correct issuer's Access Control Server, or ACS (the spoke), based on the card number. This federated model greatly simplifies connectivity, as merchants and issuers only need to connect to Visa, rather than establishing direct links with every other party in the network.
Enrollment in these secure services happens at various touchpoints. Cardholders can be enrolled by their issuing bank when they receive their card, sometimes automatically. Enrollment can also occur during an online checkout, where a merchant's systems, integrated with Visa's services, can check if a card is enrolled and initiate the process. Modern banking apps are another key touchpoint, allowing users to manage their card services, including security features like Visa Secure, directly from their mobile devices.
A cornerstone of this service is robust device recognition. The system leverages a wide array of data to recognize a legitimate user's device, including technical fingerprints like IP address, device ID, and browser settings. This is enhanced by services like the Visa Consumer Authentication Service (VCAS), which uses AI to analyze transaction details, geo-location, and device information to generate a real-time risk score. The evolution of this is the Visa Payment Passkey Service, which is built on FIDO standards. This service binds the payment credential to a specific device, using its built-in biometrics (like a fingerprint or face scan) for authentication. This creates a strong, phishing-resistant link between the user, their device, and the transaction, representing the future of secure device recognition.
The "magic" of a modern online checkout—where a purchase is approved instantly with no extra steps—is the result of a highly efficient, data-driven process called frictionless 3-D Secure. This process, which successfully authenticates the vast majority of transactions, hinges on the quality of the data exchanged between the merchant and the issuer.
When a user clicks "Pay," the merchant's 3DS Server compiles a rich data packet containing over 100 potential data points. These include device and behavioral signals such as the user's IP address, device ID, browser language, and screen resolution. It also includes contextual data from the merchant about the customer's account, such as its age, purchase history, and whether the shipping and billing addresses match.
The issuer's Access Control Server (ACS) ingests this data and feeds it into a sophisticated Risk-Based Authentication (RBA) engine. These engines use AI to calculate a risk score in real-time. Based on the issuer's predefined RBA thresholds, a decision is made. If the risk score is low, the transaction is approved silently via the "frictionless flow," with no cardholder interaction needed. This is the ideal path for about 95% of transactions. If the score is high, a "challenge flow" is initiated, requiring the user to provide additional verification, such as a one-time passcode or a biometric confirmation. This real-time decisioning, fueled by rich data, allows issuers to confidently approve more legitimate transactions, directly reducing cart abandonment and increasing sales for merchants.
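The threshold decision described above, as an added sketch that is not Visa's or any issuer's code. The data-element names (`browserIP`, `addrMatch`, `acctInfo.chAccAgeInd`, `acctInfo.nbPurchaseAccount`, `purchaseAmount`, `transStatus`) follow the EMV 3DS message fields; the weights, the threshold of 50, the known-IP store and the sample messages are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

CHALLENGE_THRESHOLD = 50   # assumed issuer-defined RBA threshold
# Constructed history: IPs previously seen for a card (stands in for device recognition).
KNOWN_IPS = {"4000000000001000": {"203.0.113.7"}}


@dataclass
class Decision:
    score: int
    trans_status: str                      # "Y" = frictionless, "C" = challenge
    reasons: list = field(default_factory=list)


def assess(areq: dict) -> Decision:
    """Score a subset of AReq data elements; absent elements count as risk."""
    acct = areq.get("acctInfo", {})
    checks = [
        (30, "IP/device not seen for this card",
         areq.get("browserIP") not in KNOWN_IPS.get(areq["acctNumber"], set())),
        (20, "shipping/billing mismatch or not supplied",
         areq.get("addrMatch") != "Y"),
        (20, "guest checkout or account created in this transaction",
         acct.get("chAccAgeInd") in ("01", "02")),
        (10, "no purchases on this merchant account",
         int(acct.get("nbPurchaseAccount", "0")) == 0),
        (20, "amount above 500.00 (minor units)",
         int(areq["purchaseAmount"]) > 50_000),
    ]
    reasons = [why for _, why, hit in checks if hit]
    score = sum(points for points, _, hit in checks if hit)
    status = "C" if score >= CHALLENGE_THRESHOLD else "Y"
    return Decision(score, status, reasons)


# Constructed AReq samples (not captured traffic).
RETURNING = {"acctNumber": "4000000000001000", "browserIP": "203.0.113.7",
             "addrMatch": "Y", "purchaseAmount": "4999",
             "acctInfo": {"chAccAgeInd": "05", "nbPurchaseAccount": "12"}}
NEW_DEVICE = dict(RETURNING, browserIP="198.51.100.23")
SPARSE = {"acctNumber": "4000000000001000", "purchaseAmount": "4999"}
RISKY = {"acctNumber": "4000000000001000", "browserIP": "198.51.100.23",
         "addrMatch": "N", "purchaseAmount": "89900",
         "acctInfo": {"chAccAgeInd": "01", "nbPurchaseAccount": "0"}}

if __name__ == "__main__":
    for name, msg in [("returning", RETURNING), ("new device", NEW_DEVICE),
                      ("sparse", SPARSE), ("risky", RISKY)]:
        d = assess(msg)
        print(f"{name:10} score={d.score:3} transStatus={d.trans_status} {d.reasons}")
```

The `SPARSE` message carries the same low amount as `RETURNING` but is pushed into the challenge flow because the merchant supplied almost no context, which is why the quality of the data sent with the request determines how often the frictionless path is available.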
Visa is actively investing in and piloting the next wave of technologies, all of which point toward a future dominated by cryptographic, FIDO-based standards. Two innovations stand out as particularly transformative: Secure Payment Confirmation (SPC) and Delegated Authentication.
Secure Payment Confirmation (SPC) is a web standard designed to revolutionize the "challenge" flow. Instead of redirecting the user or relying on phishable OTPs, SPC invokes a secure, browser-native interface that displays transaction details and prompts the user for biometric confirmation. This provides a vastly superior user experience and is inherently resistant to phishing attacks. While a definitive public SPC pilot timeline is not available, confidential Visa presentations confirm active pilots with partners like Netcetera and Modirum. These pilots are being conducted in phases, starting with internal teams and moving to limited production environments, with the goal of gathering feedback to scale the technology globally. However, it remains uncertain whether SPC will achieve widespread adoption, primarily due to Apple's lack of support. Without backing from major platforms like Apple, SPC faces substantial barriers to mainstream implementation.
Conversely, Delegated Authentication offers a more promising and scalable model. This approach allows card issuers to delegate the responsibility of performing Strong Customer Authentication (SCA) directly to trusted merchants. To qualify, merchants need a robust, FIDO-based authentication system—typically one employing passkeys—for their customer logins. By authenticating users securely at the point of login, merchants effectively satisfy the SCA requirements for payments as well, creating a seamless, truly "one-click" biometric checkout experience. Given its compatibility with widely supported FIDO and passkey technologies, Delegated Authentication holds significantly greater potential for broad market adoption compared to SPC.
For a card issuer, joining the Visa Secure ecosystem is a complex but essential undertaking. The first and most crucial step is selecting and onboarding a certified ACS vendor. Most issuers license a solution from a third-party vendor whose products are certified compliant with EMVCo and Visa standards, including the PCI 3DS Core Security Standard. Issuers can find a list of all approved and compliant vendors on the official Visa Global Registry of Service Providers.
Once an ACS is in place, the next step is BIN activation. A Bank Identification Number (BIN) is the first six to eight digits of a card number that identifies the issuing institution. BIN activation is the technical process where an issuer registers their specific BINs with the Visa Directory Server. This registration "flips the switch," telling the Visa network that cards under that BIN are enabled for 3DS authentication and providing the network endpoint for the issuer's ACS.
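A sketch of what BIN activation gives the hub-and-spoke model: once a BIN is registered, the Directory Server can map any card number under it to the issuer's ACS endpoint. This is an added example, not Visa's implementation; the class, the BIN values and the `.example` URLs are constructed, and the longest-prefix rule for overlapping six- and eight-digit BINs is an assumption of the sketch.

```python
import re
from typing import Optional


class DirectoryServer:
    """Hub: holds activated BINs and the ACS endpoint each one routes to."""

    def __init__(self) -> None:
        self._routes: dict = {}            # BIN (6-8 digits) -> ACS URL

    def activate_bin(self, bin_prefix: str, acs_url: str) -> None:
        if not re.fullmatch(r"[0-9]{6,8}", bin_prefix):
            raise ValueError("BIN must be six to eight digits")
        if not acs_url.startswith("https://"):
            raise ValueError("ACS endpoint must be an https:// URL")
        self._routes[bin_prefix] = acs_url

    def route(self, pan: str) -> Optional[str]:
        """Return the ACS URL for a card number, or None if its BIN is not activated."""
        if not re.fullmatch(r"[0-9]{13,19}", pan):
            raise ValueError("card number must be 13 to 19 digits")
        for length in (8, 7, 6):           # longest registered prefix wins
            url = self._routes.get(pan[:length])
            if url is not None:
                return url
        return None


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, for routing logs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def build_demo() -> DirectoryServer:
    ds = DirectoryServer()
    # Constructed BINs and endpoints.
    ds.activate_bin("400000", "https://acs.issuer-a.example/3ds")
    ds.activate_bin("40000012", "https://acs.issuer-b.example/3ds")
    return ds


if __name__ == "__main__":
    ds = build_demo()
    for pan in ("4000000000001000", "4000001200002000", "4111110000003000"):
        print(mask_pan(pan), "->", ds.route(pan) or "BIN not activated for 3DS")
```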
Finally, to manage the program, issuers can leverage a comprehensive suite of reporting and management APIs provided by Visa. These APIs allow issuers to integrate core functions directly into their own systems for monitoring, fraud management, and card lifecycle administration.
| API Suite | Primary Function | Relevance to Visa Secure Program | Key APIs Included (Examples) |
|---|---|---|---|
| VisaNet Connect - Issuing | Core payment processing (authorize, clear, settle) via modern RESTful APIs. | Provides the fundamental interface for an issuer to approve/decline payment requests that have been authenticated via 3DS. | Authorizations API, Completions API, Advices API, Card Services API |
| Visa Card Program Management (VCPM) | Digital card enrollment and lifecycle management. | Enables instant digital issuance and near real-time updates to card programs, ensuring new cards are correctly configured for services like Visa Secure. | Visa Card Program Enrollment (VCPE) API, Visa Credential Data Inquiry (VCDI) API |
| Visa Transaction Controls (VTC) | Allows issuers and cardholders to set rules and receive alerts for card usage. | Provides granular control and reporting that complements the security of 3DS by allowing rules based on merchant type, location, transaction type, etc. | Customer Rules API, Authorization Decision API, Alert History API |
| Visa Risk Manager (VRM) | A tool for issuers to create and manage fraud prevention rules and strategies. | Works hand-in-hand with the ACS to define the risk logic that drives the frictionless vs. challenge decision. | (Restricted Access API) |
For merchants and their acquiring banks, adopting Visa Secure is a strategic investment with a clear and quantifiable return. One of the most compelling advantages is the documented increase in successful transactions. A case study of Best Buy Canada's implementation of EMV 3DS revealed that transactions processed through Visa Secure achieved an 86% approval rate, compared to just 62% for non-3DS transactions. This lift in authorisation rates translates directly into increased revenue.
The program also protects the bottom line by slashing fraud and the cost of chargebacks. The same Best Buy Canada case study reported a 61% reduction in their CNP fraud rate and a 17 basis point decrease in chargebacks after implementation. This is bolstered by the liability shift, which protects merchants from the financial cost of certain types of fraudulent chargebacks for authenticated transactions.
Beyond the hard numbers, Visa Secure enhances the merchant's brand by building customer confidence. The program's global acceptance allows merchants to securely accept payments from customers around the world, facilitating international growth. Furthermore, by enabling businesses to meet critical regulatory mandates like the Payment Services Directive 2 (PSD2) in Europe, it ensures compliance and avoids potential penalties.
The evolution of Visa Secure reflects a broader shift in payment authentication - from rigid, password-based systems to intelligent, seamless, and data-driven experiences. What began as Verified by Visa has matured into a global program rooted in EMV 3DS standards, offering merchants and issuers a common language for secure transactions and a framework where trust is built through shared data.
This trust is operationalized through real-time risk scoring and frictionless flows, powered by over a hundred data points exchanged behind the scenes. When authentication becomes invisible yet reliable, it no longer interrupts the user journey - it enhances it. That’s the balance Visa has struck: strong security paired with minimal friction.
Visa’s forward-looking approach is especially evident in its support for Secure Payment Confirmation and passkey infrastructure. These technologies reduce dependency on vulnerable credentials like OTPs or passwords and embrace the biometric capabilities of modern devices, setting a new bar for authentication across web and mobile.
For businesses, this translates to fewer abandoned carts, higher approval rates, and a significant reduction in fraud-related losses. The integration process - while technically involved - is well supported by Visa’s certified vendor ecosystem and reporting APIs, making it possible to build authentication into the core of the user experience, not bolted on at the margins.
In a world where digital trust is a competitive edge, Visa Secure is no longer just a security protocol - it’s a strategic advantage. And with passkeys and device-based credentials at the center of its roadmap, it’s clear where the future of secure commerce is heading.