  • July 16, 2025
  • 14 min read

Mastering 3D-Secure: Minimizing chargebacks and fraud rates for payment gateways, PSPs and PayFacs

Shane Curran

Founder & CEO

Categories

Payments

If you're a payment service provider working with high-risk merchants, April 1st, 2025 marked the beginning of a big change in how Visa calculates fraud rates. The changes to Visa's Acquirer Monitoring Program (VAMP) mean that even disputes resolved through Rapid Dispute Resolution (RDR) or Cardholder Dispute Resolution Network (CDRN) now count toward your overall fraud rate. This change renders traditional chargeback management strategies insufficient.

For context, many high-risk merchants have relied on Rapid Dispute Resolution (RDR) to automatically resolve 90%+ of their disputes, keeping them safely under fraud thresholds. That safety net is disappearing. Here's what you need to know about navigating these changes and how tools like 3D-Secure (when implemented effectively!) can solve these problems and provide several other advantages, like full liability shift for chargebacks with fraud reason codes.

How VAMP changes the fraud calculation game, and why 3D-Secure is a powerful tool

The new math behind fraud rates

Enrollment in VAMP has a minimum monthly threshold of 1,000 fraudulent/disputed transactions. However, VAMP's updated methodology fundamentally changes how fraud rates are calculated. Previously, disputes resolved through RDR (which processes TC40 data, reports sent by the issuing bank to Visa to notify them of fraudulent transactions) or Cardholder Dispute Resolution Network (CDRN) didn't count toward your fraud metrics. Under the new rules, they do.

The technical mechanics work like this: when a cardholder initiates a dispute, the issuing bank generates a TC40 record. RDR uses this data to automatically resolve disputes before they become formal chargebacks. Previously, these resolved disputes were invisible to VAMP's fraud rate calculations. Now, they're included in the numerator:

Calculation: VAMP Ratio = (TC40 fraud reports + TC15 disputes) ÷ Total settled CNP transactions

This means merchants who previously appeared to have low fraud rates may suddenly find themselves above the threshold. While there's an advisory period from April 1 to September 30, 2025, where fines won't be imposed, come October, the penalties become real.

Separately, VAMP tracks a ratio known as the enumeration ratio, which is used to measure the relative proportion of enumerated transactions (card testing fraud, as measured by Visa Account Attack Intelligence) in relation to the total number of settled transactions. Enumeration transactions are fraudulent transactions used to validate/verify stolen card numbers. Merchants with fewer than 300,000 enumerated transactions will be exempted from these calculations, assuming that 300,000 represents less than 20% of your total transaction volume. This enumeration ratio limit will remain unchanged in 2026.

Calculation: Enumeration Ratio = Enumerated Card Testing Transactions (VAAI) ÷ Total settled CNP transactions

Fraud thresholds create a compliance crisis for high-risk merchants

Acquirer Portfolio Thresholds

| | Above Standard (Global) | Excessive (Global) |
| VAMP Ratio Threshold (from June 1, 2025) | >= 0.50% to < 0.70% | >= 0.70% |
| VAMP Ratio Threshold (from April 1, 2026) | >= 0.50% to < 0.70% | >= 0.70% |

Excessive Merchant Thresholds

| | North America | EU | APAC | CEMEA | Latin America & Caribbean |
| VAMP Ratio Threshold (from June 1, 2025) | >= 2.20% | >= 2.20% | >= 2.20% | >= 2.20% | >= 1.50% |
| VAMP Ratio Threshold (from April 1, 2026) | >= 1.50% | >= 1.50% | >= 1.50% | >= 2.20% | >= 1.50% |

Significant fines for exceeding VAMP and Enumeration Ratios

| Effective date | Acquirer VAMP Ratio >= 0.50% | Merchant VAMP Ratio >= 1.50% (or 2.20% in CEMEA) | Acquirer breaches >= 0.50% VAMP Ratio and Merchant Ratio is >= 0.50% | Merchant breaches excessive enumeration ratio |
| April 1, 2025 | Not applicable | $8 per dispute/fraudulent transaction | $8 per dispute/fraudulent transaction | $8 per dispute/fraudulent transaction |
| January 1, 2026 | $4 per dispute/fraudulent transaction | $8 per dispute/fraudulent transaction | $8 per dispute/fraudulent transaction | $8 per dispute/fraudulent transaction |

RDR and CDRN integration reduces protection mechanisms

Major policy change (March 2025): resolving a TC40 fraud alert through RDR (Rapid Dispute Resolution) or CDRN (Cardholder Dispute Resolution Network) no longer excludes the TC40 report from VAMP calculations. Only Compelling Evidence 3.0 (CE3.0) can now exclude TC40 fraud reports.

Remaining exclusions from VAMP calculations:

  • TC15 non-fraud disputes resolved through RDR and CDRN
  • TC40 fraud qualified for Compelling Evidence 3.0
  • Disputes resolved through pre-dispute solutions (same-month timing required)

Advisory period provides an implementation runway

Extended advisory period (April 1 - September 30, 2025):

  • No penalties for threshold violations
  • 3-month grace period for first-time identifications
  • All monitoring calculations active but enforcement fees waived
  • Enforcement begins October 1, 2025 for excessive violations
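An added example, not code from this article or from Visa: it applies the counting rules, excessive-merchant thresholds, advisory period and $8 fee described above to one merchant-month, and reports the ratio before and after the rule change. The record fields (`type`, `resolvedVia`, `ce3Qualified`, `reasonCode`), the region keys and the sample data are assumptions; the 1,000-item minimum and the fee are applied to the counted items, and the same-month pre-dispute exclusion is not modelled because the article gives no rule for it.

```javascript
// Added example; record fields and region keys are assumptions, not a Visa data format.
// Excessive-merchant VAMP thresholds from the article's table, as fractions.
const MERCHANT_EXCESSIVE = [
  { from: '2025-06-01', NA: 0.022, EU: 0.022, APAC: 0.022, CEMEA: 0.022, LAC: 0.015 },
  { from: '2026-04-01', NA: 0.015, EU: 0.015, APAC: 0.015, CEMEA: 0.022, LAC: 0.015 },
];
const MIN_MONTHLY_COUNT = 1000;         // minimum monthly fraud/dispute count
const ENFORCEMENT_START = '2025-10-01'; // first day after the advisory period
const FEE_PER_ITEM_USD = 8;             // merchant fee per dispute/fraudulent transaction

const preDispute = (rec) => rec.resolvedVia === 'RDR' || rec.resolvedVia === 'CDRN';

// Current rule: does this record stay in the VAMP numerator?
function countsTowardVamp(rec) {
  if (rec.type === 'TC40') return !rec.ce3Qualified;        // only CE3.0 removes a TC40
  if (rec.type === 'TC15') {
    const fraud = String(rec.reasonCode).startsWith('10.'); // Visa fraud category 10.x
    return fraud || !preDispute(rec);                       // non-fraud + RDR/CDRN is excluded
  }
  throw new Error(`unknown record type: ${rec.type}`);
}

// Previous rule as the article describes it: RDR/CDRN-resolved items were not counted.
// Assumption: the other exclusions applied in the same way.
function countedBeforeChange(rec) {
  return countsTowardVamp(rec) && !preDispute(rec);
}

// Threshold in force for a region in a 'YYYY-MM' month, or null before the first table row.
function thresholdFor(region, month) {
  const active = MERCHANT_EXCESSIVE.filter((row) => row.from <= `${month}-01`).pop();
  if (!active) return null;
  if (typeof active[region] !== 'number') throw new Error(`unknown region: ${region}`);
  return active[region];
}

function assessMerchantMonth({ region, month, settledCnp, records }) {
  if (!(settledCnp > 0)) throw new Error('settledCnp must be positive');
  const counted = records.filter(countsTowardVamp).length;
  const countedBefore = records.filter(countedBeforeChange).length;
  const threshold = thresholdFor(region, month);
  const ratio = counted / settledCnp;
  const excessive = threshold !== null && counted >= MIN_MONTHLY_COUNT && ratio >= threshold;
  const enforced = `${month}-01` >= ENFORCEMENT_START;      // ISO dates compare as strings
  return {
    counted, ratio, ratioBeforeChange: countedBefore / settledCnp, threshold, excessive,
    estimatedFeeUsd: excessive && enforced ? counted * FEE_PER_ITEM_USD : 0,
  };
}

// Constructed sample: a merchant that leaned on RDR for most fraud disputes.
const repeat = (n, rec) => Array.from({ length: n }, () => ({ ...rec }));
const SAMPLE_RECORDS = [
  ...repeat(2000, { type: 'TC40', resolvedVia: 'RDR' }),
  ...repeat(100, { type: 'TC40', resolvedVia: null }),
  ...repeat(150, { type: 'TC40', resolvedVia: null, ce3Qualified: true }),
  ...repeat(300, { type: 'TC15', reasonCode: '13.1', resolvedVia: 'RDR' }),
  ...repeat(200, { type: 'TC15', reasonCode: '13.1', resolvedVia: null }),
];
const sample = assessMerchantMonth({
  region: 'NA', month: '2025-11', settledCnp: 100000, records: SAMPLE_RECORDS,
});
console.log(sample);
```

Running the same records through an advisory-period month (for example `2025-08`) still flags the merchant as excessive but returns a fee of 0.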

For this blog post, we’ll primarily focus on how 3D-Secure can help minimize TC40 (fraud) disputes.

Service providers serving high-risk merchants hit hardest

High-risk merchants—those in gambling, gaming, digital goods, telehealth, and crypto—face unique challenges. These businesses inherently have higher dispute rates due to the nature of their products and customer base. They're also more difficult for PSPs to underwrite, meaning you're already operating with tighter margins and higher scrutiny.

Consider these real-world scenarios:

  • Gaming merchants dealing with disputed in-app purchases from minors using parents' cards
  • Gambling operators facing fraud rates of 7.6% in 2023, up from 4.2% in 2022
  • Telehealth providers confronting $1.2 billion in alleged fraudulent schemes
  • Crypto exchanges processing $46.1 billion in illicit cryptocurrency volume

The common thread: these merchants generate disputes that, while often successfully resolved through RDR, will now count against fraud rate calculations. As a service provider, these ratios will now heavily factor into your ability to serve these merchants without penalty.

Given that RDR is no longer enough to keep VAMP ratios low, blocking chargebacks outright should be a core goal. Thankfully, 3D-Secure is a powerful and underutilized tool (especially outside of the EU) that can help block chargebacks/fraud disputes at the source.

Understanding 3D-Secure authentication

What is 3D-Secure?

At its core, 3D-Secure (3DS) is a security protocol designed to provide an additional layer of protection for online credit and debit card transactions. Think of it as an extra security check between a customer initiating an online payment and the transaction being authorized. Its primary goal is to verify the cardholder's identity, thereby reducing the risk of fraud in "card-not-present" (CNP) transactions, where the physical card isn't present, like online purchases.

Initially introduced as 3D Secure 1.0, the protocol has evolved significantly with 3D-Secure 2.0 (also known as EMV 3-D Secure). The newer version is designed to be much more seamless for customers, often working behind the scenes without requiring them to enter a password or leave the merchant's website.

How it works (at a high level):

[Figure: 3DS Authentication Flow]

When a customer makes an online purchase, the 3D Secure process initiates a communication channel (i.e. a set of API calls) between the merchant (or the payment gateway), the card network (like Visa or Mastercard), and the customer's bank (the issuer).

  1. Information Exchange: The merchant's system collects various data points about the transaction and the customer (e.g., device information, shipping address, past purchase history).
  2. Risk Assessment: Using a 3D-Secure Server, this data is sent to the card issuer's Access Control System (ACS) via the card network’s Directory Server (DS), which performs a real-time risk assessment.
  3. Frictionless Flow or Challenge: If the transaction is deemed low-risk, the authentication happens silently in the background, and the customer experiences no interruption—the transaction simply proceeds. This is the ideal scenario for user experience (Frictionless). However, if the transaction is deemed high-risk or the issuer requires additional verification, the customer will be prompted to verify their identity. This might involve a one-time passcode (OTP) sent to their phone, a biometric scan (like a fingerprint), or a push notification to their banking app (Step-up Challenge).
  4. Authentication Outcome: The transaction is either authenticated or declined based on the risk assessment and any challenge response.

The crucial benefit of successful 3D-Secure authentication is the liability shift. This means that if a transaction is authenticated through 3D-Secure and later results in a dispute due to fraud, the financial responsibility for that chargeback often shifts from the merchant to the card-issuing bank. This significantly protects merchants from fraudulent disputes, and importantly (in the context of VAMP), it minimizes the number of TC40 reports filed by the issuer.

Technical flow and architecture

It’s important to note that 3D-Secure (authentication) is an entirely separate system from payment authorization. In most cases, issuing banks purchase off-the-shelf Access Control System software (from providers like CardinalCommerce, Entersekt, or Apata). As a result, the communication between the authentication and authorization systems is somewhat fragmented and doesn’t offer much flexibility to optimize performance. At a high level, a 3D-Secure authentication request (AReq) only accepts a limited number of fields, so there isn’t much room to improve performance using AI/ML or custom logic. An AReq payload looks something like:

// Simplified AReq structure
{
  "threeDSServerTransID": "8558c931-277b-4240-adfc-443cbd61a2c0",
  "acctNumber": "4000000000001234",
  "purchaseAmount": "10000",
  "purchaseCurrency": "840",
  "deviceChannel": "02",
  "challengeIndicator": "02"  // Preference for challenge
}


The process involves:

  1. Authentication Request (AReq) sent by the 3D-Secure Server to the card issuer's Access Control Server (ACS) via the card network’s Directory Server.
  2. Risk assessment by the ACS using 100+ data elements (vs. <10 in legacy 3DS 1.0)
  3. Either frictionless approval or step-up challenge (SMS OTP, biometric, push notification)
  4. Authentication Response (ARes) with liability shift determination

The key advantage: successful 3D Secure authentication provides liability shift, meaning chargebacks for fraud become the issuer's responsibility rather than yours.

Liability shift coverage and limitations

Protected by 3D-Secure:

  • Card-not-present fraud (Visa 10.4, Mastercard 4837)
  • Friendly fraud ("I didn't authorize this" when they actually did)
  • Stolen card number transactions
  • Account takeover attempts
  • EMV liability shift chargebacks

Not Protected:

  • Service disputes ("I didn't receive what I paid for")
  • Subscription billing disputes
  • Processing errors

For high-risk merchants, 3D Secure solves the most critical part of the VAMP equation—actual fraud—but needs to be combined with other measures for comprehensive protection.

Chargeback reason codes and dispute resolution integration

Modern chargeback management (unfortunately!) requires a comprehensive understanding of updated reason code structures. Visa's 2017 Claims Resolution initiative consolidated legacy reason codes into four categories: Fraud (10.x), Authorization (11.x), Processing Errors (12.x), and Consumer Disputes (13.x). The April 2024 merger of codes 12.1 (Late Presentment) and 11.3 (No Authorization) streamlines dispute categorization but creates implementation complexity for systems tracking historical reason code patterns.

3DS liability shift applies exclusively to fraud-related chargebacks—reason codes 10.1 through 10.5 for Visa, 4837/4840/4849/4871 for Mastercard, and F-series codes for American Express. Non-fraud disputes receive no liability protection, emphasizing the importance of proper transaction classification and evidence collection beyond authentication.

TC40 fraud reporting creates monitoring complexity distinct from chargeback management. Only 64% of TC40 reports result in actual chargebacks, but all TC40 alerts count toward VAMP ratio calculations. Merchants must implement comprehensive fraud monitoring systems that track dispute outcomes and TC40 generation patterns, as issuer fraud reporting behavior varies significantly across BIN ranges.

Rapid Dispute Resolution (RDR) provides pre-dispute automation for Visa transactions, offering 97% US coverage and 83% global reach. RDR rule configuration enables automatic resolution of disputes matching specific criteria—transaction amounts, merchant categories, or risk scores. Properly configured RDR systems can prevent 90% of eligible Visa chargebacks, though automatic refund approvals require careful cost-benefit analysis for high-risk merchants.

Tools like RDR are great for chargeback management, but no longer help with fraud rate thresholds.

Building your 3DS infrastructure

In our view, implementing 3D-Secure is one of the only practical ways (and certainly the best!) to comply with the new VAMP requirements without totally remodeling your payment acceptance.

Implementation approaches

We’ve written extensively in the past about the history of 3D-Secure and how it works, but for service providers looking to roll out 3D-Secure for their merchants, you have three options:

1. Build Your Own 3D Secure Server (sometimes referred to as an MPI—a throwback to 3DS Version 1.0)

  • Timeline: 18+ months for certifications
  • Requirements: PCI 3DS compliance, testing lab certification, EMVCo validation, network certifications, and integrations
  • Cost: Typically $500k - $1 million in development and certification
  • Verdict: Only viable for the largest processors

2. Partner with a 3D Secure Provider (Recommended)

  • Timeline: 2-3 weeks for integration
  • Benefits: Pre-certified, maintained, updated for new specifications
  • Providers: Direct-to-scheme options like Evervault offer better control, full data access, and complete observability for all 3DS authentications—regardless of the underlying processor/acquirer
  • Best for: most service providers who want to offer a great experience with minimal engineering effort
  • Cost: Transaction-based pricing, typically <$0.03 per authentication

3. White-Label from Your Acquirer

  • Timeline: 2-3 weeks for integration
  • Limitations: Less control, potential vendor lock-in
  • Best for: Smaller service providers with limited technical resources
  • Cost: Transaction-based pricing, typically <$0.05 per authentication

Integration best practices

When implementing 3D-Secure, the key is abstracting complexity from your merchants. Don't make them configure the 3DS payload—it's a support nightmare waiting to happen.

Critical configuration elements you should handle:

  • Acquirer BIN: Must match your processing credentials
  • Merchant Category Code: Affects risk scoring algorithms
  • Device fingerprinting: Browser data collection for risk assessment
  • Transaction context: Recurring indicator, payment type, channel

Example of proper merchant abstraction:

// What merchants should see
const result = await psp.authenticate({
  amount: 10000,
  currency: 'USD',
  card: cardToken
});

// What you handle behind the scenes
const areq = {
  acquirerBIN: getMerchantAcquirerBIN(merchantId),
  acquirerMerchantID: merchantConfig.mid,
  mcc: merchantConfig.mcc,
  merchantName: merchantConfig.dbaName,
  // ... 50+ other fields
};


Pre-authentication optimization

While you can't change how 3D-Secure itself works (aside from deciding when and where to trigger it), you can significantly impact outcomes through intelligent pre-authentication:

1. Data Enrichment (Worth the Cost for High-Value Transactions)

  • AVS (Address Verification): ~$0.25 per check
  • ANI (Account Name Inquiry): ~$0.30 per check
  • Enhanced BIN data: Identifies gambling-restricted and high-risk cards, like prepaid cards or known-risky banks
  • ROI: Positive for transactions >$100

2. 3DS Data-Only Flows

  • Gather risk intelligence without customer friction
  • No liability shift, but valuable for decisioning
  • Use case: Pre-qualify high-risk transactions before full authentication

3. Smart Challenge Strategies

  • EU: Always complete challenges (regulatory requirement)
  • US: Consider "fail on challenge" for low-value, high-volume merchants
  • High-risk: Always attempt frictionless first, complete challenges for transactions >$50

Geographic performance variations

In 2024, Stripe published research revealing a critical insight for US implementations of 3D-Secure:

  • Pre-3DS authorization rate: 87%
  • Post-3DS with challenge: 87% (no change)
  • Post-3DS frictionless: 82% (5% decrease)

This counterintuitive result occurs because US issuers haven't adapted their risk models to treat 3DS-authenticated transactions favorably. In contrast, EU issuers show a positive correlation between authentication and authorization.

US issuers, however, have a much higher percentage of 3DS frictionless authentications—including one major issuer which routes 100% of authentications down the frictionless pathway.

Practical implications:

  • Budget for a 3-5% authorization rate decrease in the US
  • Use different conversion vs. fraud rate models for US cardholders/transactions
  • Consider transaction value thresholds for 3DS application

Practical insights from production deployments

After implementing 3D-Secure across hundreds of high-risk merchants, at Evervault we’ve noticed some noteworthy patterns that are relevant for service providers who plan on offering 3DS to their merchants:

1. ACS Behavior is Wildly Inconsistent

Major issuers use different ACS providers (CardinalCommerce, Entersekt, Apata), each with unique quirks. Don't try to optimize for individual banks—focus on aggregate performance. In many cases, support tickets are oriented around questions about why an individual 3D-Secure authentication failed. Unless there’s some kind of legitimate technical implementation detail, 3DS can fail for any number of reasons—remember that every single issuing bank implements and handles 3DS authentications entirely differently.

2. Transaction Value Matters More Than You Think

  • <$50: Maximize frictionless, accept some level of fraud
  • $50-500: Balance authentication and conversion
  • $500+: Always authenticate, even with friction
  • $5,000+: Consider additional verification beyond 3DS. Issuer behaviour (especially in the US) is much more unpredictable for transactions of this size.

3. Merchant Education is Half the Battle

Frame 3D-Secure as a fraud cost-saving, not added friction. Provide clear conversion impact data (typically 2-5% in challenge scenarios) and emphasize the alternative: high chargeback rates (and associated payouts) and VAMP penalties that could terminate their processing.

From an implementation perspective, we’d highly recommend either going all in on offering 3DS as a native platform feature or totally outsourcing the responsibility for merchant 3DS implementation to a third party like Evervault. The middle ground leads to a support and maintenance nightmare.

Conclusion

Visa's VAMP changes represent a fundamental shift from managing chargebacks to preventing them entirely. 3D-Secure implementation isn't optional for PSPs serving high-risk merchants—it's existential.

The technical implementation with the right partner is straightforward, but success depends on thoughtful deployment, merchant education, and continuous optimization. The merchants who thrive will be those whose PSPs provide sophisticated authentication tools while abstracting away complexity.

Remember: the goal isn't zero fraud—it's staying under the 0.3% threshold while maintaining acceptable conversion rates. This balance is delicate but achievable for high-risk merchants with proper 3D-Secure implementation.

Start now, test thoroughly, and remember that in the new VAMP world, an ounce of prevention is worth a pound of dispute resolution.
