Card-not-present (CNP) fraud cost Australian businesses $816 million in 2024, accounting for 90% of all card fraud on Australian-issued cards, according to the Australian Payments Network (AusPayNet). Globally, payment card fraud losses reached $33.41 billion in the same year (Nilson Report, January 2026). For payment service providers and merchants, addressing CNP fraud without introducing checkout friction that damages conversion is a core commercial challenge. GPayments’ ActiveServer, an EMVCo-certified 3DS server, is purpose-built to solve this problem — enabling risk-based authentication that reduces fraud while preserving the checkout experience merchants depend on for revenue.
Why CNP Fraud Is So Persistent
CNP fraud exploits a fundamental asymmetry in digital commerce: the merchant cannot see the card or verify the cardholder’s identity directly. Unlike point-of-sale fraud, which chip-and-PIN largely solved, CNP transactions rely on data — card number, expiry, CVV — that can be stolen at scale through phishing, data breaches, and dark web marketplaces. Once credentials are compromised, a fraudster can attempt thousands of transactions before detection.
The scale of credential theft is accelerating. In 2024, over 269 million stolen card records were posted on dark web forums, many used directly for CNP fraud. And the problem is not confined to any single market. AusPayNet’s 2025 Australian Payment Fraud Report found that overseas CNP fraud on Australian-issued cards rose 25% to $454 million in 2024, occurring at a rate of $12.08 per $1,000 spent — more than twelve times the domestic rate. While only 3% of Australian card spend occurs overseas, overseas CNP fraud now accounts for 50% of all card fraud.
Traditional fraud tools such as velocity checks, device fingerprinting, and rule-based engines provide partial coverage, but they lack the issuer-side data needed for a complete risk picture. The issuer knows whether a transaction pattern matches the cardholder’s historical behaviour — but under legacy protocols, that knowledge was not usable in real time before authentication.
How 3DS2 Changes the Risk Equation
EMV 3DS 2.x addresses this gap by creating a structured data channel between the merchant and the issuer. A compliant 3DS2 authentication request can include up to 150 data elements: device characteristics, browser fingerprint, billing and shipping addresses, transaction history, account creation date, and dozens of other signals. The issuer’s Access Control Server (ACS) receives this data and uses it — together with its own behavioural analytics — to assess whether the transaction is consistent with the known cardholder’s profile.
For transactions assessed as low-risk, the ACS approves without challenge, producing a frictionless flow. For transactions showing anomalies — unfamiliar device, new shipping address, unusual transaction time — the ACS can step up to a challenge via push notification, one-time password, or biometric verification. This means 3DS2’s challenge flows are more targeted than 3DS1’s indiscriminate redirects, with higher confidence that the challenged transaction genuinely warrants scrutiny.
GPayments’ ActiveServer implements this protocol as an EMVCo-certified 3DS Server supporting all major card schemes, including Visa Secure, Mastercard Identity Check, American Express SafeKey 2.0, JCB J/Secure 2.0, and Discover ProtectBuy. ActiveServer is available as a hosted service or for on-premise deployment, with RESTful APIs and full PCI DSS 4.0 readiness.
The Liability Shift Mechanism
A core commercial benefit of 3DS2 authentication is liability shift. When a transaction is authenticated through 3DS — whether frictionlessly or via challenge — liability for fraudulent chargebacks shifts from the merchant to the issuer. This does not mean fraud disappears; it means the merchant is protected from bearing the financial cost of fraud they could not reasonably prevent.
Card scheme rules (Visa Secure, Mastercard Identity Check) govern liability shift specifics, and there are important nuances. A liability shift applies when authentication is complete, but it may not apply if authentication data is incomplete, if incorrect authentication result codes are submitted, or if the transaction was processed without authentication entirely. For high-volume merchants with significant chargeback exposure, getting these details right has direct financial consequences.
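The conditions above (no authentication, incomplete authentication data, inconsistent result codes) can be checked before an authorisation request is built. The following is an added example, not GPayments or ActiveServer code: the field names follow EMV 3DS message fields, while the function name, the ECI table and the sample record are assumptions constructed for illustration, and card scheme rules remain authoritative.

```python
import base64
import uuid

# Assumption: commonly published ECI values per scheme for transStatus
# Y (authenticated) and A (attempt processed); scheme rules are authoritative.
EXPECTED_ECI = {
    "visa": {"Y": "05", "A": "06"},
    "mastercard": {"Y": "02", "A": "01"},
}

def liability_shift_issues(scheme, auth):
    """Return reasons the 3DS result cannot be relied on; empty list means consistent."""
    if not auth:
        return ["no 3DS authentication performed"]
    status = auth.get("transStatus")
    if status not in ("Y", "A"):
        return [f"transStatus {status!r} is not an authenticated or attempted result"]
    issues = []
    expected = EXPECTED_ECI.get(scheme, {}).get(status)
    if expected is None:
        issues.append(f"no ECI mapping configured for scheme {scheme!r}")
    elif auth.get("eci") != expected:
        issues.append(f"eci {auth.get('eci')!r} does not match {expected!r} for {scheme}/{status}")
    # authenticationValue is 20 bytes carried as 28 base64 characters.
    av = auth.get("authenticationValue") or ""
    try:
        av_ok = len(av) == 28 and len(base64.b64decode(av, validate=True)) == 20
    except ValueError:
        av_ok = False
    if not av_ok:
        issues.append("authenticationValue missing or malformed")
    # dsTransID is a UUID (36 characters including hyphens).
    ds = auth.get("dsTransID") or ""
    try:
        ds_ok = len(ds) == 36 and bool(uuid.UUID(ds))
    except ValueError:
        ds_ok = False
    if not ds_ok:
        issues.append("dsTransID missing or malformed")
    return issues

# Constructed sample result (not real transaction data).
SAMPLE = {
    "transStatus": "Y",
    "eci": "05",
    "authenticationValue": base64.b64encode(bytes(range(20))).decode(),
    "dsTransID": "3f2c1a9e-8b7d-4c6e-9a1b-2d3e4f5a6b7c",
}

if __name__ == "__main__":
    print(liability_shift_issues("visa", SAMPLE))
    print(liability_shift_issues("visa", {**SAMPLE, "eci": "07"}))
```

Logging the returned reasons per transaction also gives a running count of how often authentication data reaches authorisation incomplete.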
Deployment Evidence: Fraud Rates After 3DS2 Rollout
The evidence from markets that have mandated or widely adopted 3DS2 is compelling:
European Economic Area (EEA): The joint EBA/ECB 2025 Report on Payment Fraud, published December 2025, confirmed that SCA-authenticated transactions have materially lower fraud rates than non-SCA transactions, particularly for card payments. The report found that card payment fraud was 17 times higher when the payee was located outside the EEA, where SCA is not legally required. An earlier EBA analysis (2022) found that the share of fraud in total volume was five times higher for payments authenticated without SCA compared to those authenticated with SCA.
Australia: AusPayNet’s CNP Fraud Mitigation Framework, introduced in 2019 to promote strong customer authentication, has had a measurable stabilising effect on domestic CNP fraud. The domestic CNP fraud rate declined to a record low of 97 cents per $1,000 spent in 2024, even as total domestic card spending grew 21%. AusPayNet attributes this to the framework’s promotion of SCA and greater use of multi-factor authentication and tokenisation. However, overseas transactions — where SCA is not enforced — saw fraud rates climb to $12.08 per $1,000 spent.
The key variable is implementation quality. A poorly implemented 3DS solution that sends minimal data to the issuer, applies exemptions indiscriminately, or handles challenge flows poorly will not achieve these outcomes. Investment in a well-maintained 3DS server, regular data element optimisation, and monitoring of authentication results is required to realise the fraud reduction potential of the protocol. GPayments’ TestLabs provides an end-to-end testing platform with fully developed directory server and ACS components — not basic simulators — enabling merchants and PSPs to validate their 3DS2 implementation before going live.
Frequently Asked Questions
What is card-not-present fraud?
Card-not-present (CNP) fraud occurs when stolen card credentials — card number, expiry date, and CVV — are used to make purchases in online or phone-based transactions where the physical card is not presented. Because the merchant cannot verify the cardholder directly, CNP fraud is harder to detect at the point of transaction. In Australia, CNP fraud accounted for 90% of all card fraud in 2024, totalling $816 million (AusPayNet, 2025 Australian Payment Fraud Report).
How does 3DS2 reduce CNP fraud?
3DS2 reduces CNP fraud by enabling the issuer to assess transaction risk using up to 150 data elements provided by the merchant, including device characteristics, behavioural signals, and transaction history. The issuer’s Access Control Server determines whether to approve without challenge (frictionless) or request step-up authentication. The joint EBA/ECB 2025 Report confirmed that SCA-authenticated card transactions exhibit materially lower fraud rates than unauthenticated ones.
Does 3DS2 affect checkout conversion?
3DS2’s frictionless flow means that most low-risk transactions complete without any visible step for the cardholder, preserving conversion rates. Challenge flows — where a cardholder must confirm identity via push notification, one-time password, or biometric — are targeted at higher-risk transactions only. This results in fewer unnecessary friction events compared to the legacy 3DS1 protocol, which applied indiscriminate redirects to all transactions.
What is liability shift in 3DS?
Liability shift means that when a transaction is authenticated through 3-D Secure and later proves fraudulent, the financial liability for the chargeback moves from the merchant to the issuing bank. The exact terms are governed by card scheme rules (Visa Secure, Mastercard Identity Check). Liability shift applies to properly authenticated transactions and does not cover all fraud scenarios — incomplete authentication data or incorrect result codes can void the shift.
Do I need 3DS2 for my Australian e-commerce business?
Australian merchants are not currently subject to a regulatory SCA mandate equivalent to PSD2. However, AusPayNet’s CNP Fraud Mitigation Framework requires merchants exceeding agreed fraud thresholds to strengthen customer authentication. Card schemes including Visa and Mastercard have issued mandates for 3DS2 support, and merchants processing unauthenticated transactions face liability exposure for fraudulent chargebacks. Implementing 3DS2 is increasingly a prudential and commercial necessity, not just a regulatory one.
How does GPayments’ ActiveServer help with 3DS2 implementation?
GPayments’ ActiveServer is an EMVCo-certified 3DS Server supporting all major global card schemes. It is available as a hosted service (with PCI DSS certification and card scheme compliance managed by GPayments) or for on-premise deployment. ActiveServer uses RESTful APIs for straightforward integration, includes a protocol router for backwards compatibility with 3DS1, and provides access to TestLabs for end-to-end integration testing before go-live.
Reducing CNP Fraud Starts with the Right 3DS2 Implementation
3DS2 is not a silver bullet for CNP fraud — no single technology is. But the evidence from Europe and Australia is clear: when implemented with a focus on data quality, exemption strategy, and challenge flow optimisation, 3DS2 provides a meaningful reduction in fraud rates while protecting the checkout experience merchants depend on for revenue.
The difference between a 3DS2 deployment that delivers results and one that does not comes down to implementation quality: the richness of data sent to issuers, the precision of exemption strategies, and the reliability of the 3DS Server infrastructure. GPayments has specialised in 3-D Secure for over two decades and supports clients worldwide — from payment service providers and acquiring banks to merchants and fintechs.
Ready to Reduce CNP Fraud? Talk to GPayments about implementing ActiveServer for your payment platform. Whether you need a hosted service or on-premise deployment, our team of 3DS2 specialists can help you reduce chargebacks, protect checkout conversion, and meet card scheme requirements. Contact our team: gpayments.com/contact
