Every card-not-present (CNP) transaction follows the same path. The merchant collects the order. The acquirer formats and forwards an authorization request (the 8583 0100 message for those of you who speak ISO). The card network routes it. The issuer decides.
That decision, approve or decline, happens in under two seconds. And the issuer makes it with almost no context about the transaction itself.
What arrives at the issuer
The 0100 message was designed in the 1980s for card-present terminals. It defines up to 128 data elements, but a typical CNP e-commerce authorization populates roughly 20. Strip out the operational plumbing (routing codes, timestamps, processing identifiers) and the fields that carry genuine risk-decisioning context number closer to a dozen: the PAN, transaction amount, currency, expiry date, merchant category code, a truncated merchant descriptor, POS entry mode (which for e-commerce simply signals "card not present"), and whatever CVV or AVS data the acquirer forwards.
That's it. No device intelligence. No account history. No behavioral signals. No shipping context. No indication of whether this cardholder has shopped with this merchant fifty times or never.
Issuer risk models have spent decades getting remarkably good at working with this thin dataset. But being good at working with limited data still means a high false positive rate. When three soft risk signals align (unfamiliar merchant, atypical geography, slightly elevated amount) and no behavioral context exists to offset them, the rational model response is to decline. The customer, meanwhile, is a loyal cardholder on a business trip, booking a hotel. Nobody finds out.
The cost of these false declines is enormous.
Checkout.com and Oxford Economics measured $50.7 billion in direct merchant losses from false declines across the US, UK, France, and Germany in 2022. For context, global card fraud losses for the whole of 2024 were $33.41 billion. The industry's defensive architecture costs less than the legitimate revenue it turns away.
The pipe that already exists
Here is where EMV 3-D Secure (3DS) changes the equation, and where most of the industry misunderstands what the protocol actually does.
Mention 3DS to a merchant and the reaction is predictable. They remember the pop-up windows, the clunky redirects, and the conversion rates cratering by double digits. That was 3DS 1.0.2, a protocol built for desktop browsers in the late 1990s where every transaction triggered a visible authentication challenge.
EMV 3DS is a fundamentally different technology. The latest specification defines 197 unique data elements across the protocol, with 113 available in the Authentication Request (AReq) message alone. These include device fingerprint, cardholder account age, shipping history, transaction context, purchase behavior patterns, and merchant risk assessment: precisely the signals absent from the ISO 8583 0100 authorization message.
Crucially, EMV 3DS authentication runs before the authorization decision. The Access Control Server (ACS) on the issuer side receives and processes those data elements, then returns a transaction status that seeds the issuer's authorization engine with context it would never otherwise have. The cardholder, in a frictionless flow, sees nothing. But the issuer sees everything.
This isn't authentication bolted onto authorization. It's pre-authorization data enrichment delivered through an infrastructure most issuers already operate.
More data, better decisions
The arithmetic is straightforward. An issuer's risk model receiving a dozen contextual data points from the 0100 message now receives up to 10 times more from the preceding EMV 3DS exchange: device signals, behavioral history, account tenure, merchant risk indicators. The model has what it needs to approve with confidence rather than decline out of caution.
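The effect described above, as an added example that is not part of the original article: a toy issuer score run on the business-traveler case, first with only 0100-style fields and then with context of the kind the EMV 3DS exchange carries. The class and field names, weights and threshold are constructed for illustration and are not taken from ISO 8583, the EMV 3DS specification or any issuer's model.

```python
# Added illustration: field names, weights and threshold are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Auth0100:            # risk-relevant subset of a CNP authorization request
    amount: float
    mcc: str               # merchant category code
    merchant_country: str
    cvv_match: bool

@dataclass(frozen=True)
class ThreeDSContext:      # hypothetical digest of what the ACS saw in the AReq
    device_seen_before: bool
    account_age_days: int  # age of the cardholder's account with the merchant
    purchases_last_6m: int

@dataclass(frozen=True)
class CardProfile:         # what the issuer already knows about the card
    home_country: str
    usual_mccs: frozenset
    typical_amount: float

DECLINE_AT = 60            # constructed decline threshold

def risk_score(auth: Auth0100, card: CardProfile,
               ctx: Optional[ThreeDSContext] = None) -> int:
    score = 0
    score += 25 if auth.mcc not in card.usual_mccs else 0              # unfamiliar merchant
    score += 25 if auth.merchant_country != card.home_country else 0   # atypical geography
    score += 15 if auth.amount > 1.5 * card.typical_amount else 0      # elevated amount
    score += 40 if not auth.cvv_match else 0
    if ctx is not None:    # context can offset the soft signals or confirm them
        score -= 20 if ctx.device_seen_before else 0
        score -= 15 if ctx.account_age_days > 60 else 0
        score -= 10 if ctx.purchases_last_6m >= 3 else 0
        if ctx.account_age_days == 0 and not ctx.device_seen_before:
            score += 20
    return max(score, 0)

def decide(auth, card, ctx=None) -> str:
    return "decline" if risk_score(auth, card, ctx) >= DECLINE_AT else "approve"

# Constructed sample: a UK cardholder booking a hotel (MCC 7011) in Germany.
CARD = CardProfile("GB", frozenset({"5411", "5812"}), 120.0)
HOTEL = Auth0100(amount=210.0, mcc="7011", merchant_country="DE", cvv_match=True)
LOYAL = ThreeDSContext(device_seen_before=True, account_age_days=900, purchases_last_6m=4)
FRESH = ThreeDSContext(device_seen_before=False, account_age_days=0, purchases_last_6m=0)

if __name__ == "__main__":
    for label, ctx in (("0100 only", None), ("known customer", LOYAL), ("new account", FRESH)):
        print(f"{label:15} score={risk_score(HOTEL, CARD, ctx):3} -> {decide(HOTEL, CARD, ctx)}")
```

The same authorization is declined on the thin field set, approved once the known-customer context is present, and declined with a higher score when the context shows a brand-new account on an unseen device.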
Worldpay's 2025 analysis quantifies what that confidence is worth: for a merchant processing $1 billion in annual transactions, a single percentage point improvement in authorization rate recovers $10 million in revenue. That's not a projection. That's revenue from real customers with valid cards and available funds, turned away by a system that couldn't distinguish them from fraud.
And the benefits compound. When issuers decline fewer legitimate transactions, fewer frustrated cardholders dispute charges or abandon the card entirely. The chargeback-coded-as-fraud feedback loop, where false declines progressively poison the training data that makes models more conservative, gets interrupted at source. Better data in means fewer bad decisions out. Over time, the model itself improves.
Where merchant confidence meets issuer intelligence
A persistent but unhelpful industry framing positions merchants and issuers as adversaries: one side pushing for higher approval rates, the other tightening the screws on fraud. In reality, they share a common consumer and a mutual commercial goal: maximize approval rates at the lowest acceptable fraud exposure.
EMV 3DS provides the mechanism to align those interests. Two features deserve attention.
- Data Only flows serve merchants who run sophisticated risk engines and are confident in their transaction risk assessments. In a Data Only flow, the merchant shares rich contextual data with the issuer via EMV 3DS, with no challenge and a guaranteed frictionless checkout, in return for accepting liability where their risk decision proves wrong. The issuer still benefits: they receive the enriched data to inform their authorization decision. The merchant benefits: a frictionless experience, higher completion rates, and their own risk confidence validated by improved approval outcomes.
- Acquirer Transaction Risk Analysis (TRA) exemptions, available in regulated markets under PSD2, follow a similar logic. Where the acquirer's fraud rate falls below defined thresholds, they can request an exemption from Strong Customer Authentication, signaling to the issuer that this transaction has been risk-assessed and found to be low-risk. Issuers retain the right to challenge these transactions, but experience consistently shows they rarely do. The data that flows through the EMV 3DS exchange still reaches the issuer, still informs the authorization decision, and still drives better outcomes for both parties.
In both cases, the pattern is the same: richer data, shared transparently between merchant and issuer through a channel that already exists, producing more accurate decisions and higher approval rates. The relationship stops being adversarial when both sides can see the same signals.
The reframe
The payments industry built EMV 3DS to prevent fraud. It succeeded, and in doing so, created a data-sharing channel capable of solving an even larger commercial problem.
Our ACS sits at the exact intersection of this opportunity. It is the system that receives those 113 data elements on the issuer side, processes them, and feeds the resulting intelligence into the authorization decision. We are not adjacent to the false decline problem. We are in the decision path.
Every institution running an ACS already has the infrastructure. The question is whether they are using it to rubber-stamp compliance or to drive intelligent authorization decisions that recover revenue, reduce false declines, and align merchant and issuer interests around a shared consumer.
The tools are not missing. The strategy is.