---
url: 'https://www.corbado.com/blog/visa-secure'
title: 'Visa Secure: Optimizing Cardholder Authentication'
description: 'Discover how Visa Secure is transforming online payments with EMV 3DS, risk-based authentication and passkeys enabling frictionless, secure checkouts.'
lang: 'en'
author: 'Max'
date: '2025-06-16T16:32:43.321Z'
lastModified: '2026-03-27T07:01:33.979Z'
keywords: 'Visa Secure, Visa authentication program, certified ACS vendors'
category: 'Passkeys Strategy'
---

# Visa Secure: Optimizing Cardholder Authentication

## Key Facts

- Visa Secure is Visa's global authentication program built on EMV 3DS, replacing Verified
  by Visa to deliver frictionless, cryptographic cardholder authentication.
- The **frictionless flow** approves about 95% of transactions silently using over 100
  data points, eliminating cardholder interaction for low-risk purchases.
- Best Buy Canada's EMV 3DS implementation achieved an **86% approval rate** versus 62%
  for non-3DS transactions and a 61% reduction in CNP fraud rate.
- **Liability shift** transfers chargeback responsibility from merchants to card issuers
  for authenticated transactions, directly protecting merchant revenue from certain fraud
  claims.
- **Delegated Authentication** holds greater adoption potential than SPC: Apple's lack of
  SPC support creates substantial barriers to its mainstream implementation.

## 1. Introduction: Visa Secure

The online checkout experience is rapidly evolving from frustrating redirects and
forgotten passwords to seamless, secure interactions built on cryptographic standards. At
the heart of this transformation is **Visa Secure**, [Visa's](https://www.corbado.com/blog/visa-passkeys) global
authentication program based on the EMV [3-D Secure](https://www.corbado.com/glossary/3d-secure) protocol.

In this post, we unpack how [Visa](https://www.corbado.com/blog/visa-passkeys) Secure is reshaping digital
commerce by combining rich data, AI-driven risk assessment, and device-level trust to
deliver secure yet frictionless [payments](https://www.corbado.com/passkeys-for-payment). As
[phishing](https://www.corbado.com/glossary/phishing)-resistant, passwordless technologies like passkeys and
[Secure Payment Confirmation](https://www.corbado.com/blog/dynamic-linking-passkeys-spc) (SPC) enter the
mainstream, understanding [Visa](https://www.corbado.com/blog/visa-passkeys)’s strategy becomes critical for
developers, product owners, and security teams alike.

This article explores five key questions:

1. What is [Visa](https://www.corbado.com/blog/visa-passkeys) Secure and how did it evolve from its predecessors
   like Verified by Visa?

2. What are the core principles, such as liability shift and data-rich risk assessment,
   that make the program effective?

3. How does Visa leverage rich data and the EMV [3-D Secure](https://www.corbado.com/glossary/3d-secure) protocol
   to enable a frictionless yet secure checkout experience?

4. What is the future of [payment](https://www.corbado.com/passkeys-for-payment) authentication, and how do
   innovations like [Secure Payment Confirmation](https://www.corbado.com/blog/dynamic-linking-passkeys-spc)
   (SPC) and passkeys fit into Visa’s strategy?

5. What are the tangible benefits and key integration steps for
   [merchants](https://www.corbado.com/glossary/merchant) and card [issuers](https://www.corbado.com/glossary/issuer) who adopt this new
   standard?

By answering these questions, we aim to clarify Visa’s role in shaping the next generation
of [payment](https://www.corbado.com/passkeys-for-payment) authentication - one that reduces fraud, protects
users, and prepares businesses for a passkey-first future.

## 2. What is Visa Secure?

At its core, **Visa Secure** is [Visa's](https://www.corbado.com/blog/visa-passkeys) global program built upon
the EMV® [3-D Secure](https://www.corbado.com/glossary/3d-secure) (EMV 3DS) protocol. It serves a dual mandate:
to make online authentication simple and to prevent card-not-present (CNP) fraud. It is
the modern standard for verifying a cardholder's identity during an online transaction,
providing an additional layer of protection that works across desktops, mobile devices,
and in-app purchases. This service is not something consumers need to register for or
download; it operates automatically at checkout on participating
[merchant](https://www.corbado.com/glossary/merchant) sites, creating a consistent and secure global framework.

The predecessor to Visa Secure was a program known as "Verified by Visa". Launched in the
early 2000s, it was a pioneering effort to address the growing risk of online fraud. The
mechanism, based on the original 3-D Secure 1.0 protocol, was straightforward: after a
customer entered their card details, they were redirected away from the
[merchant's](https://www.corbado.com/glossary/merchant) site to a page hosted by their card-issuing bank. There,
they had to prove their identity by entering a static password or answering personal
security questions they had previously set up.

While this added a necessary layer of security, it came at a significant cost to the user
experience. The abrupt redirect was jarring, the password was yet another credential for
users to forget, and the entire process introduced considerable friction into the checkout
flow. This friction had a direct and measurable negative impact on business, leading to
high rates of [cart abandonment](https://www.corbado.com/blog/ecommerce-authentication) as frustrated customers
simply gave up on their purchases. In fact, studies have shown that authentication issues
can cause as many as 62% of consumers to abandon a purchase.

The market's demand for a better way led to the development of EMV 3-D Secure (often
referred to as 3DS 2.x), the advanced protocol that powers the modern **Visa Secure**
program. The transition was not merely a branding update but a fundamental re-architecting
of the authentication process, driven by the explosion of mobile commerce and the
imperative for a smoother, more integrated user experience. The central innovation of EMV
3DS is its ability to transmit a vast amount of contextual data between the
[merchant](https://www.corbado.com/glossary/merchant) and the [issuer](https://www.corbado.com/glossary/issuer) _behind the scenes_,
before a decision to challenge the user is ever made. Instead of challenging every
transaction with a password, the system uses this rich data to perform a sophisticated
risk analysis in real-time. This allows the majority of legitimate transactions to be
approved without any interaction from the cardholder, creating what is known as the
**frictionless 3-D Secure** flow. The eventual sunsetting of the 3DS 1.0 protocol in
October 2022 cemented this shift, compelling the entire [payments](https://www.corbado.com/passkeys-for-payment)
ecosystem to upgrade and fully embrace this more intelligent and user-centric approach.

## 3. Core pillars of the program

The **Visa authentication program** is more than just a technical protocol; it is an
economic framework built on three interdependent pillars. These pillars work in concert to
create a system of shared trust, aligned incentives, and mutual benefit that underpins
billions of secure transactions globally.

- **Global rules:** The first pillar is the establishment of a standardized set of rules
  and a common technical language—EMV 3DS—that enables thousands of different
  [merchants](https://www.corbado.com/glossary/merchant), [acquirers](https://www.corbado.com/glossary/acquirer) (merchant banks), and
  [issuers](https://www.corbado.com/glossary/issuer) (cardholder banks) to communicate securely and predictably.
  Visa acts as the central governor of this system, ensuring the integrity of the network
  and providing the infrastructure for global interoperability. This common framework
  means that a small online shop in one country can securely authenticate a customer from
  another, using the same trusted process as a multinational corporation.

- **Data-rich risk assessment:** The second and most technologically significant pillar is
  the principle of data-driven risk assessment. The entire program is predicated on the
  idea that more contextual data leads to more accurate risk decisions. The EMV 3DS
  protocol is the channel through which this data flows, allowing
  [merchants](https://www.corbado.com/glossary/merchant) to send more than 100 different data elements to the
  [issuer](https://www.corbado.com/glossary/issuer) with each transaction request. This includes not only basic
  transaction details but also information about the customer's device, browser, location,
  and even their historical behavior with the [merchant](https://www.corbado.com/glossary/merchant). Visa has a
  long history in this domain, having pioneered the use of artificial intelligence in
  [payments](https://www.corbado.com/passkeys-for-payment) since 1993 to detect fraud, and this deep expertise in
  responsible data use and AI forms the bedrock of the program's risk assessment
  capabilities.

- **Issuer liability shift:** The third pillar provides the primary business incentive for
  merchants to participate in the program: the liability shift. In the world of online
  commerce, merchants are typically held financially responsible for fraudulent
  transactions that result in a chargeback. The liability shift rule fundamentally alters
  this dynamic. When a transaction is successfully authenticated using **Visa Secure**,
  the liability for certain types of fraudulent chargebacks (such as those claimed due to
  a lost or stolen card) shifts from the merchant to the card [issuer](https://www.corbado.com/glossary/issuer).
  This is a powerful form of financial protection that directly safeguards a
  [merchant's](https://www.corbado.com/glossary/merchant) revenue. However, this protection is not automatic; it
  is earned. It is the reward for participating fully in the data exchange. By providing
  the rich data required for an accurate risk assessment, merchants enable the issuer to
  make a confident authentication decision, and in return, the issuer assumes the risk.

## 4. Visa Payment Authentication Service

To execute this complex dance of data exchange and risk assessment, Visa has built a
sophisticated, multi-layered service architecture. The Visa Payer Authentication Service
functions as a robust, high-uptime network that links tens of thousands of merchants with
thousands of [issuers](https://www.corbado.com/glossary/issuer), operating on a federated, hub-and-spoke model.
The [merchant's](https://www.corbado.com/glossary/merchant) 3DS Server sends an authentication request to
[Visa's](https://www.corbado.com/blog/visa-passkeys) Directory Server (the hub), which then intelligently routes
the message to the correct [issuer's](https://www.corbado.com/glossary/issuer) Access Control Server, or
[ACS](https://www.corbado.com/glossary/acs) (the spoke), based on the card number. This federated model greatly
simplifies connectivity, as merchants and issuers only need to connect to Visa, rather
than establishing direct links with every other party in the network.

Enrollment in these secure services happens at various touchpoints. Cardholders can be
enrolled by their issuing bank when they receive their card, sometimes automatically.
Enrollment can also occur during an online checkout, where a merchant's systems,
integrated with Visa's services, can check if a card is enrolled and initiate the process.
Modern [banking](https://www.corbado.com/passkeys-for-banking) apps are another key touchpoint, allowing users to
manage their card services, including security features like Visa Secure, directly from
their mobile devices.

A cornerstone of this service is robust device recognition. The system leverages a wide
array of data to recognize a legitimate user's device, including technical fingerprints
like IP address, device ID, and browser settings. This is enhanced by services like the
Visa Consumer Authentication Service (VCAS), which uses AI to analyze transaction details,
geo-location, and device information to generate a real-time risk score. The evolution of
this is the Visa [Payment](https://www.corbado.com/passkeys-for-payment) Passkey Service, which is built on FIDO
standards. This service binds the payment credential to a specific device, using its
built-in biometrics (like a fingerprint or face scan) for authentication. This creates a
strong, [phishing](https://www.corbado.com/glossary/phishing)-resistant link between the user, their device, and
the transaction, representing the future of secure device recognition.

## 5. Rich-data exchange & frictionless approvals

The "magic" of a modern online checkout—where a purchase is approved instantly with no
extra steps—is the result of a highly efficient, data-driven process called **frictionless
3-D Secure**. This process, which successfully authenticates the vast majority of
transactions, hinges on the quality of the data exchanged between the merchant and the
issuer.

When a user clicks "Pay," the merchant's 3DS Server compiles a rich data packet containing
over 100 potential data points. These include device and behavioral signals such as the
user's IP address, device ID, browser language, and
[screen resolution](https://testsigma.com/free-tools/screen-resolution-checker). It also
includes contextual data from the merchant about the customer's account, such as its age,
purchase history, and whether the shipping and billing addresses match.

The [issuer's](https://www.corbado.com/glossary/issuer) Access Control Server (ACS) ingests this data and feeds
it into a sophisticated Risk-Based Authentication (RBA) engine. These engines use AI to
calculate a risk score in real-time. Based on the [issuer's](https://www.corbado.com/glossary/issuer) predefined
RBA thresholds, a decision is made. If the risk score is low, the transaction is approved
silently via the "frictionless flow," with no cardholder interaction needed. This is the
ideal path for about 95% of transactions. If the score is high, a "challenge flow" is
initiated, requiring the user to provide additional verification, such as a one-time
passcode or a biometric confirmation. This real-time decisioning, fueled by rich data,
allows issuers to confidently approve more legitimate transactions, directly reducing
[cart abandonment](https://www.corbado.com/blog/ecommerce-authentication) and increasing
[sales](https://dealhub.io/glossary/sales/) for merchants.
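The threshold decision described above, as an added example that is not Visa's or any ACS vendor's code. Signal names, weights, the missing-data penalty and the threshold are constructed assumptions; only the `Y` (frictionless) and `C` (challenge) status values follow EMV 3DS. It also shows why a merchant that sends sparse data gets challenged more often.

```python
from dataclasses import dataclass

# Constructed weights: points added when a signal looks risky.
RISK_WEIGHTS = {
    "address_mismatch": 25,     # shipping and billing addresses differ
    "new_account": 20,          # merchant account younger than 30 days
    "unknown_device": 30,       # device ID not seen with this card before
    "ip_country_mismatch": 20,  # IP geolocation differs from card country
}
MISSING_PENALTY = 20       # added for each signal the merchant did not send
CHALLENGE_THRESHOLD = 50   # assumed issuer RBA threshold


@dataclass
class Decision:
    trans_status: str  # "Y" = frictionless approval, "C" = challenge required
    score: int
    reasons: list


def signals(req, known_devices):
    """Yield (name, risky) with risky True, False, or None when data is absent."""
    match = req.get("shipping_matches_billing")
    yield "address_mismatch", None if match is None else not match
    age = req.get("account_age_days")
    yield "new_account", None if age is None else age < 30
    device = req.get("device_id")
    yield "unknown_device", None if device is None else device not in known_devices
    ip_c, card_c = req.get("ip_country"), req.get("card_country")
    missing = ip_c is None or card_c is None
    yield "ip_country_mismatch", None if missing else ip_c != card_c


def evaluate(req, known_devices, threshold=CHALLENGE_THRESHOLD):
    """Score one authentication request and pick the frictionless or challenge flow."""
    score, reasons = 0, []
    for name, risky in signals(req, known_devices):
        if risky is None:
            # Absent data cannot lower risk, so it is scored as uncertainty.
            score += MISSING_PENALTY
            reasons.append("missing:" + name)
        elif risky:
            score += RISK_WEIGHTS[name]
            reasons.append(name)
    return Decision("C" if score >= threshold else "Y", score, reasons)


# Constructed sample data.
KNOWN_DEVICES = {"dev-7f3a"}
RICH = {"shipping_matches_billing": True, "account_age_days": 400,
        "device_id": "dev-7f3a", "ip_country": "CA", "card_country": "CA"}
RISKY = dict(RICH, device_id="dev-0000", shipping_matches_billing=False)
SPARSE = {"account_age_days": 400}  # same customer, merchant sent almost nothing

if __name__ == "__main__":
    for label, req in (("rich", RICH), ("risky", RISKY), ("sparse", SPARSE)):
        print(label, evaluate(req, KNOWN_DEVICES))
```

The `reasons` list is what an issuer would log alongside the decision so that a challenge can be explained and the threshold tuned later.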

## 6. Upcoming pilots & innovations

Visa is actively investing in and piloting the next wave of technologies, all of which
point toward a future dominated by cryptographic, FIDO-based standards. Two innovations
stand out as particularly transformative:
[Secure Payment Confirmation](https://www.corbado.com/blog/dynamic-linking-passkeys-spc) (SPC) and Delegated
Authentication.

Secure Payment Confirmation (SPC) is a web standard designed to revolutionize the
"challenge" flow. Instead of redirecting the user or relying on phishable OTPs,
[SPC](https://www.corbado.com/blog/dynamic-linking-passkeys-spc) invokes a secure, browser-native interface that
displays transaction details and prompts the user for biometric confirmation. This
provides a vastly superior user experience and is inherently resistant to
[phishing attacks](https://www.corbado.com/blog/3ds-authentication-failed). While a definitive public **SPC pilot
timeline** is not available, confidential Visa presentations confirm active pilots with
partners like Netcetera and Modirum. These pilots are being conducted in phases, starting
with internal teams and moving to limited production environments, with the goal of
gathering feedback to scale the technology globally. However, it remains uncertain whether
[SPC](https://www.corbado.com/blog/dynamic-linking-passkeys-spc) will achieve widespread adoption, primarily due
to Apple's lack of support. Without backing from major platforms like Apple,
[SPC](https://www.corbado.com/blog/dynamic-linking-passkeys-spc) faces substantial barriers to mainstream
implementation.

Conversely, [Delegated Authentication](https://www.corbado.com/blog/delegated-sca-psd3-passkeys) offers a more
promising and scalable model. This approach allows card issuers to delegate the
responsibility of performing [Strong Customer Authentication](https://www.corbado.com/faq/sca-psd2-importance)
(SCA) directly to trusted merchants. To qualify, merchants need a robust, FIDO-based
authentication system—typically one employing passkeys—for their customer logins. By
authenticating users securely at the point of login, merchants effectively satisfy the SCA
requirements for payments as well, creating a seamless, truly "one-click"
[biometric checkout](https://www.corbado.com/blog/ecommerce-authentication) experience. Given its compatibility
with widely supported FIDO and passkey technologies,
[Delegated Authentication](https://www.corbado.com/blog/delegated-sca-psd3-passkeys) holds significantly greater
potential for broad market adoption compared to SPC.

## 7. Integration checklist for issuers

For a card issuer, joining the **Visa Secure** ecosystem is a complex but essential
undertaking. The first and most crucial step is selecting and onboarding a **certified ACS
vendor**. Most issuers license a solution from a third-party vendor whose products are
certified compliant with EMVCo and Visa standards, including the
[PCI](https://www.corbado.com/blog/pci-dss-4-0-authentication-passkeys) 3DS Core Security Standard. Issuers can
find a list of all approved and compliant vendors on the official Visa Global Registry of
Service Providers.

Once an [ACS](https://www.corbado.com/glossary/acs) is in place, the next step is **BIN activation**. A Bank
Identification Number (BIN) is the first six to eight digits of a card number that
identifies the issuing institution. BIN activation is the technical process where an
issuer registers their specific BINs with the Visa Directory Server. This registration
"flips the switch," telling the Visa network that cards under that BIN are enabled for 3DS
authentication and providing the network endpoint for the issuer's [ACS](https://www.corbado.com/glossary/acs).
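A simplified model of BIN activation and the hub-and-spoke routing described in section 4, as an added example that is not Visa's code. The `DirectoryServer` class, the `.example` ACS URLs and the BIN assignments are hypothetical; the card numbers are well-known Luhn-valid test numbers, not real accounts.

```python
import re
from typing import Optional


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used to reject mistyped or malformed card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class DirectoryServer:
    """Hub: maps activated BINs to the issuer's ACS endpoint (the spoke)."""

    def __init__(self):
        self._bins = {}  # BIN prefix (6 to 8 digits) -> ACS URL

    def activate_bin(self, bin_prefix: str, acs_url: str) -> None:
        if not re.fullmatch(r"[0-9]{6,8}", bin_prefix):
            raise ValueError("BIN must be six to eight digits")
        if not acs_url.startswith("https://"):
            raise ValueError("ACS endpoint must use HTTPS")
        self._bins[bin_prefix] = acs_url

    def route(self, card_number: str) -> Optional[str]:
        """Return the ACS URL for a card, or None if its BIN is not activated."""
        digits = card_number.replace(" ", "")
        if not re.fullmatch(r"[0-9]{12,19}", digits) or not luhn_ok(digits):
            raise ValueError("malformed card number")
        # Longest prefix wins, so an 8-digit BIN overrides a 6-digit one.
        for length in (8, 7, 6):
            url = self._bins.get(digits[:length])
            if url is not None:
                return url
        return None


def demo_directory() -> DirectoryServer:
    """Constructed registrations for two hypothetical issuers."""
    ds = DirectoryServer()
    ds.activate_bin("401288", "https://acs.issuer-a.example/3ds")
    ds.activate_bin("411111", "https://acs.issuer-a.example/3ds")
    ds.activate_bin("41111111", "https://acs.issuer-b.example/3ds")
    return ds


if __name__ == "__main__":
    ds = demo_directory()
    for pan in ("4012 8888 8888 1881", "4111 1111 1111 1111", "4242 4242 4242 4242"):
        print(pan[:7] + "...", "->", ds.route(pan) or "BIN not enabled for 3DS")
```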

Finally, to manage the program, issuers can leverage a comprehensive suite of reporting
and management APIs provided by Visa. These APIs allow issuers to integrate core functions
directly into their own systems for monitoring, fraud management, and card lifecycle
administration.

| **API Suite**                           | **Primary Function**                                                           | **Relevance to Visa Secure Program**                                                                                                                     | **Key APIs Included (Examples)**                                                 |
| --------------------------------------- | ------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------- |
| **VisaNet Connect - Issuing**           | Core payment processing (authorize, clear, settle) via modern RESTful APIs.    | Provides the fundamental interface for an issuer to approve/decline payment requests that have been authenticated via 3DS.                               | Authorizations API, Completions API, Advices API, Card Services API              |
| **Visa Card Program Management (VCPM)** | Digital card enrollment and lifecycle management.                              | Enables instant digital issuance and near real-time updates to card programs, ensuring new cards are correctly configured for services like Visa Secure. | Visa Card Program Enrollment (VCPE) API, Visa Credential Data Inquiry (VCDI) API |
| **Visa Transaction Controls (VTC)**     | Allows issuers and cardholders to set rules and receive alerts for card usage. | Provides granular control and reporting that complements the security of 3DS by allowing rules based on merchant type, location, transaction type, etc.  | Customer Rules API, Authorization Decision API, Alert History API                |
| **Visa Risk Manager (VRM)**             | A tool for issuers to create and manage fraud prevention rules and strategies. | Works hand-in-hand with the ACS to define the risk logic that drives the frictionless vs. challenge decision.                                            | (Restricted Access API)                                                          |

## 8. Merchant & acquirer advantages

For merchants and their acquiring banks, adopting **Visa Secure** is a strategic
investment with a clear and quantifiable return. One of the most compelling advantages is
the documented increase in successful transactions. A case study of Best Buy Canada's
implementation of EMV 3DS revealed that transactions processed through **Visa Secure**
achieved an **86% approval rate**, compared to just 62% for non-3DS transactions. This
lift in **authorisation rates** translates directly into increased revenue.

The program also protects the bottom line by cutting fraud and **reducing
chargebacks**. The same Best Buy Canada case study reported a **61% reduction in their CNP
fraud rate** and a 17 basis point decrease in chargebacks after implementation. This is
bolstered by the liability shift, which protects merchants from the financial cost of
certain types of fraudulent chargebacks for authenticated transactions.

Beyond the hard numbers, **Visa Secure** enhances the merchant's brand by building
customer confidence. The program's **global acceptance** allows merchants to securely
accept payments from customers around the world, facilitating international growth.
Furthermore, by enabling businesses to meet critical regulatory mandates like the Payment
Services Directive 2 (PSD2) in Europe, it ensures compliance and avoids potential
penalties.

## 9. Conclusion

The evolution of Visa Secure reflects a broader shift in payment authentication - from
rigid, password-based systems to intelligent, seamless, and data-driven experiences. What
began as Verified by Visa has matured into a global program rooted in EMV 3DS standards,
offering merchants and issuers a common language for secure transactions and a framework
where trust is built through shared data.

This trust is operationalized through real-time risk scoring and frictionless flows,
powered by over a hundred data points exchanged behind the scenes. When authentication
becomes invisible yet reliable, it no longer interrupts the user journey - it enhances it.
That’s the balance Visa has struck: strong security paired with minimal friction.

Visa’s forward-looking approach is especially evident in its support for Secure Payment
Confirmation and passkey infrastructure. These technologies reduce dependency on
vulnerable credentials like OTPs or passwords and embrace the biometric capabilities of
modern devices, setting a new bar for authentication across web and mobile.

For businesses, this translates to fewer abandoned carts, higher approval rates, and a
significant reduction in fraud-related losses. The integration process - while technically
involved - is well supported by Visa’s certified vendor ecosystem and reporting APIs,
making it possible to build authentication into the core of the user experience rather
than bolting it on at the margins.

In a world where digital trust is a competitive edge, Visa Secure is no longer just a
security protocol - it’s a strategic advantage. And with passkeys and device-based
credentials at the center of its roadmap, it’s clear where the future of secure commerce
is heading.

## Frequently Asked Questions

### How does the Visa Secure frictionless flow decide when to challenge a cardholder?

The issuer's Access Control Server feeds over 100 data points, including device ID, IP
address, purchase history and billing/shipping address match, into a Risk-Based
Authentication engine that calculates a real-time risk score. If the score falls below the
issuer's predefined threshold, the transaction is approved silently with no cardholder
interaction. High-risk scores trigger a challenge flow requiring OTP or biometric
confirmation.

### How does the Visa Secure liability shift protect merchants from chargebacks?

When a transaction is successfully authenticated via Visa Secure, financial responsibility
for certain fraudulent chargebacks, such as those claimed due to a lost or stolen card,
shifts from the merchant to the card issuer. This protection is conditional: merchants
must provide the rich data required for accurate risk assessment to earn it. Without 3DS
authentication, merchants bear the chargeback cost directly.

### What results did Best Buy Canada see after implementing EMV 3DS through Visa Secure?

Best Buy Canada achieved an 86% approval rate for transactions processed through Visa
Secure, compared to just 62% for non-3DS transactions. The implementation also produced a
61% reduction in card-not-present fraud rate and a 17 basis point decrease in chargebacks,
demonstrating a direct revenue and fraud-reduction impact.

### Why is Delegated Authentication considered more viable than Secure Payment Confirmation in Visa's roadmap?

Delegated Authentication allows issuers to delegate Strong Customer Authentication to
merchants who use FIDO-based passkey systems at login, aligning with widely supported
standards. Secure Payment Confirmation, despite offering a phishing-resistant
browser-native challenge interface, lacks Apple platform support, creating substantial
barriers to mainstream adoption. Delegated Authentication's compatibility with passkeys
makes it the more scalable path.
