{"id":2662,"date":"2026-05-14T10:33:12","date_gmt":"2026-05-14T00:33:12","guid":{"rendered":"https:\/\/www.gpayments.com\/blog\/?p=2662"},"modified":"2026-05-14T10:33:14","modified_gmt":"2026-05-14T00:33:14","slug":"how-3ds2-reduces-card-not-present-fraud-without-hurting-conversion","status":"publish","type":"post","link":"https:\/\/www.gpayments.com\/blog\/article\/how-3ds2-reduces-card-not-present-fraud-without-hurting-conversion\/","title":{"rendered":"How 3DS2 Reduces Card-Not-Present Fraud Without Hurting Conversion"},"content":{"rendered":"\n<p>Card-not-present (CNP) fraud cost Australian businesses <strong>$816 million in 2024<\/strong>, accounting for 90% of all card fraud on Australian-issued cards, according to the Australian Payments Network (AusPayNet). Globally, payment card fraud losses reached $33.41 billion in the same year (<a href=\"https:\/\/nilsonreport.com\/\">Nilson Report, January 2026<\/a>). For payment service providers and merchants, addressing CNP fraud without introducing checkout friction that damages conversion is a core commercial challenge. <a href=\"https:\/\/www.gpayments.com\/solutions\/acquiring\/\">GPayments\u2019 ActiveServer<\/a>, an <a href=\"https:\/\/www.emvco.com\/emv-technologies\/3-d-secure\/\">EMVCo-certified 3DS<\/a> server, is purpose-built to solve this problem \u2014 enabling risk-based authentication that reduces fraud while preserving the checkout experience merchants depend on for revenue.<\/p>\n<h2>Why CNP Fraud Is So Persistent<\/h2>\n<p>CNP fraud exploits a fundamental asymmetry in digital commerce: the merchant cannot see the card or verify the cardholder\u2019s identity directly. Unlike point-of-sale fraud, which chip-and-PIN largely solved, CNP transactions rely on data \u2014 card number, expiry, CVV \u2014 that can be stolen at scale through phishing, data breaches, and dark web marketplaces. 
Once credentials are compromised, a fraudster can attempt thousands of transactions before detection.<\/p>\n<p>The scale of credential theft is accelerating. In 2024, over 269 million stolen card records were posted on dark web forums, many used directly for CNP fraud. And the problem is not confined to any single market. <a href=\"https:\/\/auspaynet.com.au\/sites\/default\/files\/2025-08\/2025_Australian_Payment_Fraud_Report.pdf\">AusPayNet\u2019s 2025 Australian Payment Fraud Report<\/a> found that overseas CNP fraud on Australian-issued cards rose 25% to $454 million in 2024, occurring at a rate of $12.08 per $1,000 spent \u2014 more than twelve times the domestic rate. While only 3% of Australian card spend occurs overseas, overseas CNP fraud now accounts for 50% of all card fraud.<\/p>\n<p>Traditional fraud tools such as velocity checks, device fingerprinting, and rule-based engines provide partial coverage, but they lack the issuer-side data needed for a complete risk picture. The issuer knows whether a transaction pattern matches the cardholder\u2019s historical behaviour \u2014 but under legacy protocols, that knowledge was not usable in real time before authentication.<\/p>\n<h2>How 3DS2 Changes the Risk Equation<\/h2>\n<p>EMV 3DS 2.x addresses this gap by creating a structured data channel between the merchant and the issuer. A compliant 3DS2 authentication request can include up to 150 data elements: device characteristics, browser fingerprint, billing and shipping addresses, transaction history, account creation date, and dozens of other signals. The issuer\u2019s Access Control Server (ACS) receives this data and uses it \u2014 together with its own behavioural analytics \u2014 to assess whether the transaction is consistent with the known cardholder\u2019s profile.<\/p>\n<p>For transactions assessed as low-risk, the ACS approves without challenge, producing a <strong>frictionless flow<\/strong>. 
For transactions showing anomalies \u2014 unfamiliar device, new shipping address, unusual transaction time \u2014 the ACS can step up to a challenge via push notification, one-time password, or biometric verification. This means 3DS2\u2019s challenge flows are more targeted than 3DS1\u2019s indiscriminate redirects, with higher confidence that the challenged transaction genuinely warrants scrutiny.<\/p>\n<p><a href=\"https:\/\/www.gpayments.com\/solutions\/acquiring\/\">GPayments\u2019 ActiveServer<\/a> implements this protocol as an EMVCo-certified 3DS Server supporting all major card schemes, including Visa Secure, Mastercard Identity Check, American Express SafeKey 2.0, JCB J\/Secure 2.0, and Discover ProtectBuy. ActiveServer is available as a hosted service or for on-premise deployment, with RESTful APIs and full PCI DSS 4.0 readiness.<\/p>\n<h2>The Liability Shift Mechanism<\/h2>\n<p>A core commercial benefit of 3DS2 authentication is <strong>liability shift<\/strong>. When a transaction is authenticated through 3DS \u2014 whether frictionlessly or via challenge \u2014 liability for fraudulent chargebacks shifts from the merchant to the issuer. This does not mean fraud disappears; it means the merchant is protected from bearing the financial cost of fraud they could not reasonably prevent.<\/p>\n<p>Card scheme rules (Visa Secure, Mastercard Identity Check) <a href=\"https:\/\/www.gpayments.com\/blog\/article\/3d-secure-liability-shift-in-the-united-states-whats-covered-and-what-isnt\/\">govern liability shift<\/a> specifics, and there are important nuances. A liability shift applies when authentication is complete, but it may not apply if authentication data is incomplete, if incorrect authentication result codes are submitted, or if the transaction was processed without authentication entirely. 
For high-volume merchants with significant chargeback exposure, getting these details right has direct financial consequences.<\/p>\n<h2>Deployment Evidence: Fraud Rates After 3DS2 Rollout<\/h2>\n<p>The evidence from markets that have mandated or widely adopted 3DS2 is compelling:<\/p>\n<p><strong>European Economic Area (EEA): <\/strong>The joint <a href=\"https:\/\/www.eba.europa.eu\/publications-and-media\/publications?text=&amp;document_type=250&amp;media_topics=All\">EBA\/ECB 2025 Report<\/a> on Payment Fraud, published December 2025, confirmed that SCA-authenticated transactions have materially lower fraud rates than non-SCA transactions, particularly for card payments. The report found that card payment fraud was 17 times higher when the payee was located outside the EEA, where SCA is not legally required. An earlier EBA analysis (2022) found that the share of fraud in total volume was five times higher for payments authenticated without SCA compared to those authenticated with SCA.<\/p>\n<p><strong>Australia: <\/strong>AusPayNet\u2019s CNP Fraud Mitigation Framework, introduced in 2019 to promote strong customer authentication, has had a measurable stabilising effect on domestic CNP fraud. The domestic CNP fraud rate declined to a record low of 97 cents per $1,000 spent in 2024, even as total domestic card spending grew 21%. <a href=\"https:\/\/auspaynet.com.au\/resources\/fraud-statistics\">AusPayNet attributes this<\/a> to the framework&#8217;s promotion of SCA and greater use of multi-factor authentication and tokenisation. However, overseas transactions \u2014 where SCA is not enforced \u2014 saw fraud rates climb to $12.08 per $1,000 spent.<\/p>\n<p>The key variable is implementation quality. A poorly implemented 3DS solution that sends minimal data to the issuer, applies exemptions indiscriminately, or handles challenge flows poorly will not achieve these outcomes. 
Investment in a well-maintained 3DS server, regular data element optimisation, and monitoring of authentication results is required to realise the fraud reduction potential of the protocol. <a href=\"https:\/\/www.gpayments.com\/solutions\/testing\/\">GPayments\u2019 TestLabs<\/a> provides an end-to-end testing platform with fully developed directory server and ACS components \u2014 not basic simulators \u2014 enabling merchants and PSPs to validate their 3DS2 implementation before going live.<\/p>\n<h2>Frequently Asked Questions<\/h2>\n<h3>What is card-not-present fraud?<\/h3>\n<p>Card-not-present (CNP) fraud occurs when stolen card credentials \u2014 card number, expiry date, and CVV \u2014 are used to make purchases in online or phone-based transactions where the physical card is not presented. Because the merchant cannot verify the cardholder directly, CNP fraud is harder to detect at the point of transaction. In Australia, CNP fraud accounted for 90% of all card fraud in 2024, totalling $816 million (AusPayNet, 2025 Australian Payment Fraud Report).<\/p>\n<h3>How does 3DS2 reduce CNP fraud?<\/h3>\n<p>3DS2 reduces CNP fraud by enabling the issuer to assess transaction risk using up to 150 data elements provided by the merchant, including device characteristics, behavioural signals, and transaction history. The issuer\u2019s Access Control Server determines whether to approve without challenge (frictionless) or request step-up authentication. The joint EBA\/ECB 2025 Report confirmed that SCA-authenticated card transactions exhibit materially lower fraud rates than unauthenticated ones.<\/p>\n<h3>Does 3DS2 affect checkout conversion?<\/h3>\n<p>3DS2\u2019s frictionless flow means that most low-risk transactions complete without any visible step for the cardholder, preserving conversion rates. Challenge flows \u2014 where a cardholder must confirm identity via push notification, one-time password, or biometric \u2014 are targeted at higher-risk transactions only. 
This results in fewer unnecessary friction events compared to the legacy 3DS1 protocol, which applied indiscriminate redirects to all transactions.<\/p>\n<h3>What is liability shift in 3DS?<\/h3>\n<p>Liability shift means that when a transaction is authenticated through 3-D Secure and later proves fraudulent, the financial liability for the chargeback moves from the merchant to the issuing bank. The exact terms are governed by card scheme rules (Visa Secure, Mastercard Identity Check). Liability shift applies to properly authenticated transactions and does not cover all fraud scenarios \u2014 incomplete authentication data or incorrect result codes can void the shift.<\/p>\n<h3>Do I need 3DS2 for my Australian e-commerce business?<\/h3>\n<p>Australian merchants are not currently subject to a regulatory SCA mandate equivalent to PSD2. However, AusPayNet\u2019s CNP Fraud Mitigation Framework requires merchants exceeding agreed fraud thresholds to strengthen customer authentication. Card schemes including Visa and Mastercard have issued mandates for 3DS2 support, and merchants processing unauthenticated transactions face liability exposure for fraudulent chargebacks. Implementing 3DS2 is increasingly a prudential and commercial necessity, not just a regulatory one.<\/p>\n<h3>How does GPayments\u2019 ActiveServer help with 3DS2 implementation?<\/h3>\n<p>GPayments\u2019 ActiveServer is an EMVCo-certified 3DS Server supporting all major global card schemes. It is available as a hosted service (with PCI DSS certification and card scheme compliance managed by GPayments) or for on-premise deployment. ActiveServer uses RESTful APIs for straightforward integration, includes a protocol router for backwards compatibility with 3DS1, and provides access to TestLabs for end-to-end integration testing before go-live.<\/p>\n<h2>Reducing CNP Fraud Starts with the Right 3DS2 Implementation<\/h2>\n<p>3DS2 is not a silver bullet for CNP fraud \u2014 no single technology is. 
But the evidence from Europe and Australia is clear: when implemented with a focus on data quality, exemption strategy, and challenge flow optimisation, 3DS2 provides a meaningful reduction in fraud rates while protecting the checkout experience merchants depend on for revenue.<\/p>\n<p>The difference between a 3DS2 deployment that delivers results and one that does not comes down to implementation quality: the richness of data sent to issuers, the precision of exemption strategies, and the reliability of the 3DS Server infrastructure. GPayments has specialised in 3-D Secure for over two decades and supports clients worldwide \u2014 from payment service providers and acquiring banks to merchants and fintechs.<\/p>\n<table style=\"width: 100%; border-collapse: collapse; border-style: solid; border-color: #3c1a73;\">\n<tbody>\n<tr>\n<td style=\"width: 100%;\">\n<p><strong>Ready to Reduce CNP Fraud?<\/strong><\/p>\n<p>Talk to GPayments about implementing ActiveServer for your payment platform. Whether you need a hosted service or on-premise deployment, our team of 3DS2 specialists can help you reduce chargebacks, protect checkout conversion, and meet card scheme requirements.<\/p>\nContact our team: <a href=\"https:\/\/www.gpayments.com\/contact\/\">gpayments.com\/contact<\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Card-not-present (CNP) fraud cost Australian businesses $816 million in 2024, accounting for 90% of all card fraud on Australian-issued cards, according to the Australian Payments Network (AusPayNet). Globally, payment card fraud losses reached $33.41 billion in the same year (Nilson Report, January 2026). 
For payment service providers and merchants, addressing CNP fraud without introducing checkout [&hellip;]<\/p>\n","protected":false},"author":11,"featured_media":2666,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[2],"tags":[38,11,90],"class_list":["post-2662","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-article","tag-access-control-server","tag-cnp-fraud","tag-fraud-prevention"],"aioseo_notices":[],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/www.gpayments.com\/blog\/wp-json\/wp\/v2\/posts\/2662","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.gpayments.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.gpayments.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.gpayments.com\/blog\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/www.gpayments.com\/blog\/wp-json\/wp\/v2\/comments?post=2662"}],"version-history":[{"count":3,"href":"https:\/\/www.gpayments.com\/blog\/wp-json\/wp\/v2\/posts\/2662\/revisions"}],"predecessor-version":[{"id":2665,"href":"https:\/\/www.gpayments.com\/blog\/wp-json\/wp\/v2\/posts\/2662\/revisions\/2665"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.gpayments.com\/blog\/wp-json\/wp\/v2\/media\/2666"}],"wp:attachment":[{"href":"https:\/\/www.gpayments.com\/blog\/wp-json\/wp\/v2\/media?parent=2662"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.gpayments.com\/blog\/wp-json\/wp\/v2\/categories?post=2662"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.gpayments.com\/blog\/wp-json\/wp\/v2\/tags?post=2662"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated
":true}]}}