In a significant move at the end of August 2023, Visa announced the enforcement of 12 additional data fields in a Visa Secure 3DS authentication request message (AReq). According to Visa, the inclusion of "high-quantity and high-quality data will provide benefits across the entire ecosystem." 

Then, in early January 2024, Visa extended the mandate deadline from February 12 to August 12, 2024. Additionally, the scope of mandatory data fields was reduced, with cardholder billing data no longer being a compulsory field in the request. This raises questions about whether the implementation timeline of this mandate was optimal for the entire ecosystem.

The initial announcement, despite not being part of Visa's semi-annual release, has had a profound impact on the entire ecosystem, starting from the merchant level and their checkout flow. The mandated data fields included browser details, cardholder billing information, phone number, and email address. With the exception of browser information, these are details, that cardholders are required to populate during checkout. The challenge emerges in whether cardholders are willing to share such extensive personal information for every online transaction. For instance, would you be willing to share your phone number when you are purchasing a cinema ticket online? 

The introduction of these mandatory data fields not only adds friction to the checkout process for consumers but will most likely also impact a merchant’s conversion rate. Moreover, while the vision is that the inclusion of high-quality data should lead to benefits across the entire ecosystem, a key question arises: will issuers leverage this data for risk-based decisions or customer profiling?

Considering the nature of the data, it implies that this information will be collected during the checkout process or when the cardholder is inputting payment details. This could be through the merchant's proprietary front end or a solution provided by a third party like a merchant plug-in (MPI), an (external) SDK. Some of these parties might not have their own 3DS server and are integrated with an external 3DS server to process 3DS authentication messages. Regardless of the payment authentication value chain setup, all parties in the ecosystem must support these new mandatory data fields to ensure seamless processing.

Given the short notice from Visa in the initial announcement in August, the timing might not have been ideal. Typically in the last quarter of the year, many payment entities implement an end-of-year code freeze. Fortunately for some acquirers and on behalf of their merchants, there is a concept of a waiver, that one can request at the card schemes when it is non-compliant. Nevertheless, even if this waiver would be granted, the impact on authentication flows, such as an increase in challenge flows, remains a concern. Was it the feedback from the ecosystem that led Visa to postpone the mandate deadline?

What this will mean for the future

Although the mandate has been delayed, it seems to be the direction in which the industry is moving. The EMVco 3DS 2.2 and 2.3 specifications suggest that the mentioned data fields are conditionally required unless there are market or regional restrictions. One can anticipate that Mastercard may follow suit with a similar mandate. In addition to that, in an ideal scenario, the usage of enriched data in the authentication request would result in an increase in frictionless flows, ultimately enhancing the consumer experience and boosting conversion rates.

How Silverflow can help

At Silverflow, we are well-prepared for the future of authentication, even with the delay in Visa's mandate. Our customers can seamlessly send in the soon-to-be mandatory data through our API, and Silverflow’s 3DS server will incorporate this data into the authentication request sent to Visa (DS). Note that this is also supported when applying for an exemption during authentication, to increase frictionless outcomes. This proactive approach allows Silverflow and its clients to analyze and benchmark the data, gaining valuable insights into the potential impact of frictionless versus challenge flows. Armed with this knowledge, we continue to advise our clients on navigating the intersection of compliance, preferred authentication flows, and business optimization.

Interested in learning more about how Silverflow can help with 3DS? Contact us today!

Sharon Ehigiene, Card Scheme Manager

Sharon studied International Business Administration for her bachelor's degree, followed by a master's in Management in Innovation at RSM Erasmus University. The latter led her to start a career in the payments industry and she landed her first job at Underwriters Laboratories (UL) in 2014. Here she gained significant experience in payments, digital enablement, testing and certifications, and working with different wallets and issuers.

After UL, Sharon continued her journey at Adyen in 2018. At Adyen, she joined in the role of Local Payment Methods Manager. She was responsible for various integrations and managing payment methods, local card schemes, and other payment partners. In this role, she gained significant experience on the acceptance side of payments, different payment types in various form factors. Within Adyen, she was promoted to Program Manager Issuing and contributed to Adyen’s Issuing Product, by setting up Card Programs with the schemes, building a framework for standardizing the rollout of Customer Projects, and managing the relationship with the Card Manufacturer. In 2022 she left Adyen and joined Primer as a product manager of workflows, focusing on Payments and Commerce automation.

In 2023 Sharon started at Silverflow and is excited to have full focus on Payments again.

Leveraging the above-mentioned experience, Sharon has joined as a product and card scheme Manager. Allowing her, to focus on building relations with the schemes, develop and strengthen Silverflow’s product proposition, and support client onboarding and our commercial teams.