3-D Secure for Australian Merchants: What You Need to Know in 2026


Card-not-present (CNP) fraud on Australian-issued cards reached $913 million in 2024, a 20% increase year-on-year, according to the Australian Payments Network’s (AusPayNet) 2025 Australian Payment Fraud Report. CNP fraud now accounts for 90% of all card fraud on Australian cards. With Visa’s Digital Commerce Authentication Program (DCAP) taking effect for the Asia-Pacific region from 18 April 2026 and Mastercard tightening its Identity Check requirements on a parallel timeline, the commercial pressure on Australian merchants to support 3-D Secure 2.x (3DS2) authentication has moved from “good practice” to “operational necessity”.

GPayments, an Australian company specialising in 3-D Secure since 1999, works with acquirers, payment service providers, and merchants across 33 countries to implement EMVCo-certified authentication infrastructure. This article sets out what Australian merchants need to understand about 3DS2 adoption, fraud liability, and checkout performance in 2026.

Card Scheme Mandates and Compliance Pressure in Australia

Australia does not have a legislative SCA mandate equivalent to Europe’s PSD2 — the Reserve Bank of Australia has not prescribed strong authentication in the same way. However, the regulatory and commercial environment is tightening from multiple directions.

AusPayNet’s CNP Fraud Mitigation Framework

AusPayNet’s CNP Fraud Mitigation Framework, in effect since July 2019, requires merchants and issuers who consistently exceed agreed fraud thresholds to strengthen customer authentication. The current thresholds are set at a fraud rate of 15 basis points for issuers and 20 basis points (with a fraud value of $50,000 per quarter) for merchants. Breaches can trigger mandatory SCA requirements for all CNP transactions and potential fines. AusPayNet monitors compliance through quarterly reporting from acquirers.

Visa’s DCAP and VAMP Programs

Visa’s Digital Commerce Authentication Program (DCAP), published in the October 2025 Visa Core Rules update, takes effect for the Asia-Pacific region (including Australia) from 18 April 2026. Separately, Visa’s Acquirer Monitoring Program (VAMP), which replaced the legacy VDMP and VFMP programs in April 2025, introduced a critical change: fraud reports (TC40s) now count toward the VAMP ratio, not just chargebacks. The merchant threshold under VAMP dropped to 1.5% from April 2026 across the US, Canada, EU, and Asia-Pacific. Acquirers are setting their own internal limits — often at 1.0% or lower — to keep their portfolio average below 0.5%.

The practical consequence: merchants who do not authenticate transactions through 3DS2 cannot claim liability shift for fraudulent chargebacks, and their fraud reports still count toward acquirer monitoring ratios. For merchants in high-fraud categories — fashion, electronics, travel — this exposure is material.

What Australian Merchants Need to Set Up

The implementation path for 3DS2 depends on a merchant’s technical integration model. Merchants using a hosted payment page from an acquiring bank or payment gateway typically receive 3DS2 support as part of that service — they need to ensure it is enabled and configured correctly rather than building it themselves. Merchants with direct API integrations to an acquirer, or those using a payment facilitator, need to implement a certified 3DS Server or ensure their PSP’s 3DS Server is certified and correctly configured.

A compliant 3DS Server must be registered with the relevant card scheme directory servers, support protocol version 2.2 at minimum (with 2.3 strongly recommended for new implementations), pass the required data elements in authentication requests, and handle both frictionless and challenge response codes correctly. GPayments’ ActiveServer is an EMVCo-certified 3DS Server supporting all major card schemes, available as a hosted service or for on-premise deployment. The hosted service includes PCI DSS certification and card scheme compliance managed by GPayments, removing the need for merchants to certify independently with each scheme. 

The Authorisation Rate Impact

Australian merchants often ask whether adding 3DS2 will hurt their authorisation rates. Done correctly, no — and in some cases it improves them. Australian issuers have invested in Access Control Server (ACS) infrastructure capable of frictionless risk assessment. For well-configured merchants that supply rich data elements, a high proportion of transactions will authenticate frictionlessly, with no visible impact on the cardholder.

Where authorisation rates can suffer is when 3DS2 is poorly configured — limited data elements sent to the issuer, incorrect handling of challenge responses, or aggressive exemption attempts that trigger issuer overrides. Ongoing monitoring of authentication rates, frictionless rates, and challenge completion rates is essential for maintaining performance. GPayments’ TestLabs provides an end-to-end testing environment with fully developed Directory Server and ACS components for validating 3DS2 implementations before go-live. 
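The monitoring described above, as an added example that is not GPayments' code or part of the original article: it computes frictionless, challenge completion and authentication success rates from EMV 3DS `transStatus` values in the first response (ARes) and the challenge result (RReq). The record layout, the choice to count `A` as frictionless, and the alert floors are assumptions made for illustration.

```python
# Added example, not from the article: 3DS2 monitoring rates computed from
# EMV 3DS transStatus values (ARes = first response, RReq = challenge result).
FRICTIONLESS_OK = {"Y", "A"}  # authenticated / attempt processed, no challenge
CHALLENGE = {"C", "D"}        # challenge required (in-band / decoupled)

# Constructed sample: (ARes transStatus, RReq transStatus or None when no
# challenge result was recorded, e.g. the cardholder abandoned the challenge).
SAMPLE = [
    ("Y", None), ("Y", None), ("Y", None), ("Y", None), ("A", None),
    ("C", "Y"), ("C", "Y"), ("C", "N"), ("C", None),
    ("N", None), ("U", None), ("R", None),
]


def three_ds_rates(records):
    """Return the three rates the article names, plus the challenge rate."""
    total = len(records)
    if total == 0:
        raise ValueError("no authentication records")
    frictionless = sum(1 for ares, _ in records if ares in FRICTIONLESS_OK)
    challenged = [rreq for ares, rreq in records if ares in CHALLENGE]
    completed = sum(1 for rreq in challenged if rreq == "Y")
    return {
        "frictionless_rate": frictionless / total,
        "challenge_rate": len(challenged) / total,
        # None (not 0.0) when nothing was challenged, so it cannot false-alert.
        "challenge_completion_rate":
            completed / len(challenged) if challenged else None,
        "auth_success_rate": (frictionless + completed) / total,
    }


def below_floor(rates, floors):
    """Names of rates under their floor; floors are hypothetical values."""
    return sorted(
        name for name, floor in floors.items()
        if rates.get(name) is not None and rates[name] < floor
    )


if __name__ == "__main__":
    rates = three_ds_rates(SAMPLE)
    print(rates)
    print(below_floor(rates, {"frictionless_rate": 0.80,
                              "challenge_completion_rate": 0.70}))
```

A low challenge completion rate alongside a healthy frictionless rate points at the challenge flow itself rather than at the data elements sent to the issuer.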

Buy Now Pay Later and Wallets: Special Considerations

Australia’s payments landscape includes significant transaction volumes through digital wallets (Apple Pay, Google Pay) and Buy Now Pay Later (BNPL) services. Authentication requirements for these vary. Wallet-based transactions use their own authentication mechanisms (device-level biometric or PIN) that may satisfy scheme authentication requirements independently. BNPL transactions are typically structured as merchant-initiated transactions after initial customer identity verification, which has distinct implications for 3DS application.

Merchants offering multiple payment methods need to ensure their 3DS implementation logic correctly handles these payment types — applying 3DS2 where required, recognising when a wallet or BNPL flow already provides equivalent authentication, and avoiding unnecessary authentication attempts that degrade the checkout experience. ActiveServer’s protocol router and multi-requestor support help merchants manage this complexity across payment methods.

Frequently Asked Questions

Is 3DS2 mandatory for Australian merchants?

Australian law does not impose a direct SCA mandate equivalent to Europe’s PSD2. However, Visa’s Digital Commerce Authentication Program (DCAP), effective 18 April 2026 for the Asia-Pacific region, and Mastercard’s Identity Check requirements create strong commercial incentives to adopt 3DS2. AusPayNet’s CNP Fraud Mitigation Framework also requires merchants exceeding fraud thresholds to strengthen authentication. Merchants who do not authenticate transactions cannot benefit from chargeback liability shift under card scheme rules.

What happens to fraud liability if I don’t use 3DS?

Without 3DS authentication, liability for fraudulent CNP chargebacks typically rests with the merchant or acquirer. Card scheme rules (Visa Secure, Mastercard Identity Check) provide liability shift only for transactions that have been properly authenticated. Under Visa’s VAMP framework, fraud reports (TC40s) now count toward monitoring ratios regardless of whether chargebacks are prevented through other tools. Merchants in high-fraud categories face the greatest exposure from not authenticating transactions.

Will 3DS2 affect my checkout conversion rate?

A well-implemented 3DS2 solution should have minimal negative impact on conversion for low-risk transactions, as these authenticate frictionlessly with no visible step for the cardholder. Challenge flows affect only the subset of transactions where the issuer requires step-up authentication. Legacy 3DS1 had higher friction due to indiscriminate redirects — 3DS2’s risk-based challenge approach is designed to reduce unnecessary friction while maintaining security.

How do I enable 3DS2 as an Australian merchant?

If you use a hosted payment page or payment gateway, contact your provider to confirm 3DS2 is enabled on your account. For direct API integrations, you will need to implement a certified 3DS Server or use your payment service provider’s certified 3DS Server. Ensure you are supplying the full recommended data set in authentication requests (up to 150 data elements) and monitoring your frictionless rate, challenge completion rate, and authentication success rate on an ongoing basis.

Do digital wallets like Apple Pay need 3DS?

Wallet-based transactions such as Apple Pay and Google Pay use device-based authentication (biometric or device PIN) that card schemes typically recognise as equivalent to strong customer authentication. These transactions may not require a separate 3DS flow. Specific treatment varies by card scheme and acquirer configuration — merchants should confirm the requirements with their acquirer for each wallet type they accept.

How does GPayments’ ActiveServer support Australian merchants?

GPayments’ ActiveServer is an EMVCo-certified 3DS Server supporting all major global card schemes. For Australian merchants, it is available as a hosted service (with PCI DSS certification and card scheme compliance managed by GPayments) or for on-premise deployment. ActiveServer includes a protocol router for backwards compatibility with 3DS1, RESTful APIs for straightforward integration, and access to GPayments’ TestLabs for end-to-end integration testing.

Building a Baseline for 2026

Australian merchants are operating in an environment where CNP fraud pressure is rising and card scheme expectations around authentication are tightening on a defined timeline. The domestic CNP fraud rate may have declined to a record low of 97 cents per $1,000 spent in 2024 (AusPayNet), but total fraud value is still growing — and overseas CNP fraud on Australian cards rose 25% to $454 million in the same year.

Building a solid 3DS2 implementation is no longer a differentiator — it is the baseline for protecting revenue, managing fraud liability, and maintaining acquirer relationships. The practical next step for most merchants is to confirm with their acquirer or PSP whether 3DS2 is enabled, review their authentication success and frictionless rates, and assess whether their current data element coverage is sufficient for issuers to make accurate risk decisions.
