Posted: April 01, 2026
Visa and Mastercard have recently mandated 3D Secure for online transactions. With the mandate in effect, having 3D Secure on your payment portal is no longer a “good practice” but a requirement; merchants that skip it face declines and penalties on fraudulent transactions. Losses to fraudulent payments in global e-commerce reached $48 billion in 2025.
These losses are projected to reach $107 billion by 2029. The numbers are more than staggering statistics; they point to a deeper problem in today’s payment system. Technology has made payments easier, faster and more accessible, but fraud and online identity theft have grown in its shadow.
Visa and Mastercard rolled the mandate out in phases to combat online fraud. Visa’s 3DS program is branded Visa Secure and Mastercard’s is Identity Check. Under both programs the acquirers, i.e., the banks that process your payments, are on the hook for non-compliance with 3DS2 identity verification: the acquirer may decline payments that were not routed through 3DS2 authentication, or impose a fine for them.
When payments are declined or fines are passed down the chain, who absorbs the loss? Inevitably you, the merchant, because neither the bank nor the payment processor will cover it. The risk of not using 3DS2 sits entirely with you. The mandate applies to card-not-present (CNP) transactions, in simple words online sales, which make up a huge share of modern commerce. Putting that revenue at risk is not a wise decision for any business.
The mandate is built on the current 3DS2 architecture. The original version, 3DS1, launched in 1999, relied on static passwords and clunky full-page redirects. That worked acceptably on desktop websites but was poorly suited to mobile apps, which is why the networks insist on the upgrade. This matters because the merchant is the party most affected by non-compliance anywhere in the chain of entities that process a payment. As of 2025, U.S. merchants lose $4.61 for every dollar of fraud, a 32% increase since 2022. You must understand how 3DS2 works and how the mandate has changed payment processing for online orders.

In 3DS2, the card issuer’s Access Control Server (ACS) decides whether the customer must verify their identity, through a one-time code, the banking app or another method. Most people think of 3DS2 as just “a pop-up that asks the customer to verify their identity,” but a lot happens under the hood while a 3DS2 verification runs.
Every transaction involves three server-side components: your 3DS Server, the Directory Server and the ACS. The whole exchange is a series of JSON messages. The Directory Server is run by Visa or Mastercard and routes the messages to the right ACS; the ACS is run by the card issuer and makes the risk call.
Let’s walk through what happens from the moment the “Pay” button is clicked until the funds leave the customer’s account. The first message is the AReq (Authentication Request), which can carry up to 150 data elements: browser user agent, accept header, IP address, screen size, time zone, billing and shipping address, amount, currency and many more. 83 of these values are mandated by EMVCo for every request.
A feature that removes friction is the 3DS Method: the ACS’s “threeDSMethodURL” is loaded in a hidden iframe in the background, before the AReq goes out, so the issuer can collect device fingerprint data. Visa mandates that if an issuer supports this feature, the merchant must use it.
Skipping such features increases friction and lowers approval rates, which means data quality directly affects revenue. Issuers score the data they receive, and merchants that send complete, high-quality data get faster, frictionless approvals; sparse data, mismatched addresses or missing device signals lead to more challenges and more failures.
When the data in the AReq scores as low-risk, the issuer’s ARes comes back with transStatus “Y”, the customer never sees a thing, and the whole exchange completes within about a second. That is the frictionless flow.
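The exchange described above, as an added example that is not part of the original post: a Python simulation of the 3DS Method round trip, the AReq a merchant’s 3DS Server builds, and the ARes a stand-in issuer ACS returns. The field names and the transStatus/eci values are the EMV 3DS ones; the card number, addresses, browser fields, URLs and requestor identifiers are constructed, and the risk rule inside simulated_acs() is this example’s own placeholder for issuer decisioning, not any real issuer’s logic.

```python
"""Simulated EMV 3DS 2.2 exchange: 3DS Method, AReq and ARes.
Added example, not code from the original post. Message and field names are the
EMV 3DS ones; the sample card, browser data, URLs, requestor IDs and the risk rule
in simulated_acs() are constructed for illustration and describe no real issuer."""
import base64
import json
import secrets
import uuid
from datetime import datetime, timezone

# Constructed sample input (not real card or customer data)
CARD = {"pan": "4000000000000002", "expiry": "2812"}
ORDER = {"amount_minor": 4999, "currency": "840", "country": "840",
         "bill_postcode": "94105", "ship_postcode": "94105"}
FULL_BROWSER = {"browserUserAgent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0",
                "browserAcceptHeader": "text/html,application/xhtml+xml,*/*;q=0.8",
                "browserIP": "203.0.113.7", "browserLanguage": "en-US",
                "browserScreenHeight": "1080", "browserScreenWidth": "1920",
                "browserTZ": "420", "browserJavaEnabled": False}
SPARSE_BROWSER = {"browserUserAgent": FULL_BROWSER["browserUserAgent"]}
REQUIRED_BROWSER_FIELDS = tuple(FULL_BROWSER)   # every browser* field above

def b64url(obj: dict) -> str:
    """threeDSMethodData and creq are carried as Base64url JSON without padding."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def b64url_decode(text: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(text + "=" * (-len(text) % 4)))

def three_ds_method_data(server_trans_id: str, notification_url: str) -> str:
    """Form field the checkout POSTs to the issuer's threeDSMethodURL in a hidden
    iframe before any AReq, so the ACS can fingerprint the browser."""
    return b64url({"threeDSServerTransID": server_trans_id,
                   "threeDSMethodNotificationURL": notification_url})

def build_areq(server_trans_id: str, card: dict, browser: dict,
               order: dict, three_ds_comp_ind: str) -> dict:
    """Assemble the AReq. Amounts are minor units; currency is numeric ISO 4217."""
    areq = {
        "messageType": "AReq", "messageVersion": "2.2.0",
        "threeDSServerTransID": server_trans_id,
        "threeDSRequestorID": "example-requestor-id",   # assumption: ID issued by the DS
        "threeDSRequestorName": "Example Shop",          # assumption
        "threeDSRequestorChallengeInd": "01",            # 01 = no preference
        "threeDSRequestorAuthenticationInd": "01",       # 01 = payment transaction
        "deviceChannel": "02", "messageCategory": "01",  # browser; payment authentication
        "threeDSCompInd": three_ds_comp_ind,             # Y/N/U: did the 3DS Method complete
        "acctNumber": card["pan"], "cardExpiryDate": card["expiry"],   # expiry is YYMM
        "purchaseAmount": str(order["amount_minor"]), "purchaseExponent": "2",
        "purchaseCurrency": order["currency"], "transType": "01",      # 01 = goods/services
        "purchaseDate": datetime.now(timezone.utc).strftime("%Y%m%d%H%M%S"),
        "billAddrPostCode": order["bill_postcode"], "billAddrCountry": order["country"],
        "shipAddrPostCode": order["ship_postcode"], "shipAddrCountry": order["country"],
    }
    areq.update(browser)   # browser* fields captured client-side and sent with the order
    return areq

def simulated_acs(areq: dict) -> dict:
    """Stand-in for the issuer's ACS. Real issuers run proprietary risk models; this
    rule only shows how data quality steers frictionless (Y) vs. challenge (C)."""
    ares = {"messageType": "ARes", "messageVersion": "2.2.0",
            "threeDSServerTransID": areq["threeDSServerTransID"],
            "acsTransID": str(uuid.uuid4()), "dsTransID": str(uuid.uuid4())}
    risky = (areq["threeDSCompInd"] != "Y"                             # no fingerprint collected
             or any(f not in areq for f in REQUIRED_BROWSER_FIELDS)     # sparse device data
             or areq["billAddrPostCode"] != areq["shipAddrPostCode"]    # address mismatch
             or int(areq["purchaseAmount"]) > 50_000)                   # constructed 500.00 ceiling
    if risky:
        ares.update(transStatus="C", acsChallengeMandated="N",
                    acsURL="https://acs.example.test/challenge")        # assumption: CReq target
    else:
        ares.update(transStatus="Y", eci="05",                           # 05 = Visa fully authenticated
                    authenticationValue=base64.b64encode(secrets.token_bytes(20)).decode())
    return ares

def authenticate(card: dict, browser: dict, order: dict, method_completed: bool) -> dict:
    """Merchant side: 3DS Method first, then the AReq through the DS, then the ARes."""
    server_trans_id = str(uuid.uuid4())
    notify_url = "https://shop.example.test/3ds/notify"                  # assumption
    method_data = three_ds_method_data(server_trans_id, notify_url)
    # The ACS POSTs threeDSMethodData back to notify_url; match it by transaction ID.
    assert b64url_decode(method_data)["threeDSServerTransID"] == server_trans_id
    comp_ind = "Y" if method_completed else "N"                           # N: no reply within 10 s
    areq = build_areq(server_trans_id, card, browser, order, comp_ind)
    return simulated_acs(areq)                  # the DS validates and routes the AReq to the ACS

def liability_shifted(ares: dict) -> bool:
    """Fully authenticated result whose ECI and CAVV go into the authorization."""
    return ares.get("transStatus") == "Y" and ares.get("eci") == "05" and "authenticationValue" in ares
```

Calling authenticate(CARD, FULL_BROWSER, ORDER, True) returns transStatus “Y” with ECI 05 and an authentication value, the frictionless case. The same order with SPARSE_BROWSER, with the 3DS Method skipped, or with a shipping postcode that differs from the billing postcode returns “C”, which is where the CReq/CRes challenge would begin. A real ACS times the 3DS Method out after 10 seconds, which is why the merchant sends threeDSCompInd “N” rather than waiting indefinitely.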

You may be wondering about the mandate’s deadlines. There is no single global deadline: Visa and Mastercard rolled the mandate out in waves, so where your business is located determines whether you still have time or are already overdue.
Enforcement is now shifting to the Asia-Pacific region, where both Visa and Mastercard announced April 2026 as the key enforcement and fine-escalation milestone for issuers and acquirers.
The EU’s PSD2 regulation and the European Banking Authority’s (EBA) Regulatory Technical Standards were the first to make strong authentication of card-not-present transactions legally mandatory, under the name Strong Customer Authentication (SCA), fully enforced across the EEA since 2021, with 3DS2 as the standard way to meet it for card payments. For Mastercard in Europe, the Identity Check mandate set October 2025 as the hard deadline for all acquirers in the EEA.
Compliance is not one-size-fits-all. It depends on where your business, card issuers, and acquirers are located, and all these factors determine what deadline you must follow.

At the beginning of this post we noted that when a transaction without 3DS2 fails, the declines and penalties are passed down the chain. Your payment processor will not absorb the loss, nor will the bank, which leaves one possibility: the merchant loses money. That is the biggest liability shift the 3DS2 mandate has caused. If a fraudulent CNP transaction proceeds without 3DS2 authentication and the cardholder issues a chargeback, you bear the entire chargeback loss, not the bank.
The liability shift is embedded in the Visa and Mastercard rules. Without 3DS, fraud chargebacks on CNP transactions generally fall on the merchant. When a merchant uses 3DS2 and the issuer authenticates the transaction, liability for fraud chargebacks shifts to the issuer. If 3DS2 is not implemented, you keep the risk, and the numbers show how large that risk is.
Chargeback volume is projected to reach 337 million by 2026, a 41% increase from 2023. Another statistic: false declines cost retailers $443 billion per year globally, nine times the cost of actual fraud. Understand the scale of liability that is coming, as well as the potential losses from non-compliance with the mandate.

To implement 3DS2, first check which software you currently use. If you rely on a hosted checkout such as Stripe Checkout, 3DS2 is most likely already enabled and you need do nothing extra. If your stack uses a custom payment integration, verify its 3DS2 compatibility and status.
Enable background verification. Make sure your checkout supports the 3DS Method (the hidden-iframe “pre-call”), so the issuer can collect device fingerprint data before the customer submits the payment. This helps both ways: transactions are faster and abandonment drops. Also look at the “decoupled authentication” flow introduced in 3DS 2.2, in which the issuer authenticates the customer out of band; earlier versions did not offer it.
Confirm with your provider that you are on 3DS version 2.2 or later, which supports these features. Send cleaner, more complete data to raise your authentication rate: at its core 3DS2 is a data-sharing protocol, and the better your data, the more transactions are authenticated without a challenge.
Review your exemption strategy; it saves money over time. Without a clear policy separating low-value, recurring and higher-risk transactions, you will request more authentication than you need and pay for every one of those calls. PSPs will not set this up for you; they keep charging the default rates until you define your policies explicitly.
Suppose a customer enters a card and it is declined, or is redirected to an OTP window and closes the tab. You can treat either case as lost revenue, or give yourself one more chance to recover it with simple exception handling such as an email follow-up or a “try another card” prompt. Your checkout should have these fallbacks; they recover otherwise-lost revenue much of the time.
Before going live, stress-test the checkout in your provider’s sandbox. It must handle every edge case and failure point in the payment flow: frictionless approval, challenge, abandoned challenge, authentication failure and soft decline.
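The checklist above (exemption policy, recovering from declines and abandoned challenges, soft declines) as one merchant-side flow, added here as an example; it is not code from the original post or from any PSP. The EMV 3DS threeDSRequestorChallengeInd codes and the ECI values are the real ones; the exemption thresholds, the stand-in issuer and acquirer, the sample orders, and the use of “1A” (Visa) and “65” (Mastercard) as the soft-decline response codes are this example’s assumptions to confirm with your acquirer.

```python
"""Merchant-side 3DS2 policy: which challenge indicator to request, how to read
the result, and how to recover from an issuer soft decline.
Added example, not code from the original post. Indicator codes and ECI values
are the EMV 3DS / card-network ones; the thresholds, the stand-in issuer and
acquirer, the soft-decline codes and the sample orders are assumptions."""

# EMV 3DS 2.2 threeDSRequestorChallengeInd values used below
NO_PREFERENCE = "01"
NO_CHALLENGE_REQUESTED = "02"      # used here to ask for the low-value exemption
CHALLENGE_MANDATED = "04"
NO_CHALLENGE_TRA = "05"            # transaction risk analysis already performed

LOW_VALUE_MINOR = 3_000            # assumption: EUR 30.00, the PSD2 low-value ceiling
TRA_CEILING_MINOR = 25_000         # assumption: acquirer's TRA allowance, EUR 250.00
SOFT_DECLINE_CODES = {"1A", "65"}  # assumption: Visa / Mastercard "authentication required"
LIABILITY_SHIFT_ECI = {"05", "06", "02", "01"}  # Visa full/attempt, Mastercard full/attempt

# Constructed sample orders (amounts in cents, currency EUR)
LOW_VALUE = {"amount_minor": 1_500, "recurring": False, "first_in_series": False, "tra_eligible": False}
HIGH_VALUE = {"amount_minor": 60_000, "recurring": False, "first_in_series": False, "tra_eligible": True}
FIRST_SUB = {"amount_minor": 999, "recurring": True, "first_in_series": True, "tra_eligible": False}
NEXT_SUB = {"amount_minor": 999, "recurring": True, "first_in_series": False, "tra_eligible": False}
LEGACY = {"amount_minor": 8_000, "recurring": False, "first_in_series": False,
          "tra_eligible": False, "use_3ds": False}   # a checkout that never calls 3DS

def is_mit(order: dict) -> bool:
    """Merchant-initiated follow-up charge of an already-authenticated series."""
    return order["recurring"] and not order["first_in_series"]

def choose_challenge_ind(order: dict):
    """Policy for the AReq. None means: submit the authorization without 3DS."""
    if is_mit(order) or not order.get("use_3ds", True):
        return None
    if order["recurring"]:
        return CHALLENGE_MANDATED       # first payment of a series: authenticate it
    if order["amount_minor"] <= LOW_VALUE_MINOR:
        return NO_CHALLENGE_REQUESTED
    if order["tra_eligible"] and order["amount_minor"] <= TRA_CEILING_MINOR:
        return NO_CHALLENGE_TRA
    return NO_PREFERENCE

def stand_in_issuer(challenge_ind: str, amount_minor: int) -> dict:
    """Constructed ACS: frictionless up to the TRA ceiling unless a challenge is mandated."""
    if challenge_ind == CHALLENGE_MANDATED or amount_minor > TRA_CEILING_MINOR:
        return {"transStatus": "C"}     # caller must run the CReq/CRes challenge
    return {"transStatus": "Y", "eci": "05"}

def run_challenge(customer_finished: bool) -> dict:
    """Outcome of the CReq/CRes round trip as the ACS reports it in the RReq."""
    return {"transStatus": "Y", "eci": "05"} if customer_finished else {"transStatus": "N", "eci": "07"}

def stand_in_acquirer(order: dict, eci) -> str:
    """Constructed authorization host: approves MITs, authenticated payments and
    low-value payments; soft-declines everything else with "1A"."""
    if is_mit(order) or eci in LIABILITY_SHIFT_ECI or order["amount_minor"] <= LOW_VALUE_MINOR:
        return "00"
    return "1A"

def authenticate(order: dict, challenge_ind: str, customer_finishes: bool) -> dict:
    """AReq/ARes, followed by the challenge if the issuer asks for one."""
    ares = stand_in_issuer(challenge_ind, order["amount_minor"])
    return run_challenge(customer_finishes) if ares["transStatus"] == "C" else ares

def process_payment(order: dict, customer_finishes_challenge: bool = True) -> dict:
    """End-to-end merchant flow; returns outcome, ECI and who holds fraud liability."""
    declined = {"status": "declined", "next": "try another card", "liability": "merchant"}
    ind = choose_challenge_ind(order)
    eci, retried = None, False
    if ind is not None:
        ares = authenticate(order, ind, customer_finishes_challenge)
        if ares["transStatus"] != "Y":
            return declined             # stop; never resubmit the same card without 3DS
        eci = ares["eci"]
    code = stand_in_acquirer(order, eci)
    if code in SOFT_DECLINE_CODES:
        # Issuer insists on SCA: run 3DS with a mandated challenge, then resubmit once.
        retried = True
        ares = authenticate(order, CHALLENGE_MANDATED, customer_finishes_challenge)
        if ares["transStatus"] != "Y":
            return declined
        eci = ares["eci"]
        code = stand_in_acquirer(order, eci)
    return {"status": "approved" if code == "00" else "declined", "eci": eci,
            "challenge_ind": ind, "retried_after_soft_decline": retried,
            "liability": "issuer" if eci in LIABILITY_SHIFT_ECI else "merchant"}
```

process_payment(LEGACY) shows the soft-decline path: the first authorization comes back “1A”, the flow runs 3DS with a mandated challenge and resubmits once, and the approval then carries ECI 05 so liability sits with the issuer. process_payment(LEGACY, customer_finishes_challenge=False) is the abandoned-OTP case and returns the “try another card” outcome instead of retrying the same card. process_payment(NEXT_SUB) is the merchant-initiated follow-up charge: no 3DS call, approved, but with no ECI there is no liability shift on that charge.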
3DS2 is fast and largely frictionless. The belief that 3DS2 slows a site and raises abandonment is a myth inherited from 3DS1, whose redirects and static passwords frustrated customers into abandoning their carts at checkout. 3DS2 offers a frictionless flow in which up to 95% of transactions are verified in the background using device data.
It is no surprise that issuers place greater trust in 3DS2-authenticated traffic: every transaction carries device-level data, and where a challenge is needed it can be completed with biometrics in the banking app. You have probably made mobile payments where, instead of typing a PIN or password, you confirm with Face ID or a fingerprint. That one-tap step is fast and user-friendly.
3DS2 brings real security advantages, but it has drawbacks: some customers are still sent through OTP verification, which adds hassle at checkout, and many providers charge separately for the feature. The latter is an operational cost rather than a true disadvantage, since it can be avoided by switching to a better processor.
Synthetic identity document fraud surged 311% between Q1 2024 and Q1 2025, and the importance of secure online transactions will only grow. The Visa and Mastercard mandate on 3DS2 is aimed at preventing fraud in online CNP transactions, and the new technology is far better than its clunky, slow predecessor.
3DS2 is faster, more secure and more efficient than 3DS1. Stronger security on your payment portal also enhances customer trust and credibility, and if the mandate’s rules are followed, liability for fraud-related chargebacks stays with the issuer.
A clean implementation today also prepares your business for what comes next, such as decoupled authentication and IoT-initiated payments, without another technical overhaul.
Digital wallets typically include built-in biometric authentication that already meets the networks’ security standards, but confirm with your provider whether wallet transactions satisfy the mandate.
Stop the transaction and show the customer a clear failure message. Prompting them to try another card is the safer option; repeatedly resubmitting the same card after a failed authentication is the pattern issuers flag as fraud.
A soft decline is an issuer response that rejects an authorization not because of the card or the funds but because the transaction was submitted without 3DS2 authentication; resubmitting it after a successful 3DS2 authentication normally succeeds.
For roughly 95% of customers, 3DS2 speeds up checkout because authentication happens in the background. The remaining customers receive a challenge from their issuer, which is increasingly completed with a fingerprint or face scan in the banking app rather than a typed OTP.
Yes, 3DS2 is required, but only for the first payment of a series. Once that transaction has been authenticated, subsequent fixed-amount charges initiated by the merchant are usually exempt.