{"id":2667,"date":"2026-04-30T11:07:52","date_gmt":"2026-04-30T01:07:52","guid":{"rendered":"https:\/\/www.gpayments.com\/blog\/?p=2667"},"modified":"2026-05-14T11:49:25","modified_gmt":"2026-05-14T01:49:25","slug":"3-d-secure-for-australian-merchants-what-you-need-to-know-in-2026","status":"publish","type":"post","link":"https:\/\/www.gpayments.com\/blog\/article\/3-d-secure-for-australian-merchants-what-you-need-to-know-in-2026\/","title":{"rendered":"3-D Secure for Australian Merchants: What You Need to Know in 2026"},"content":{"rendered":"\n<p>Card-not-present (CNP) fraud on Australian-issued cards reached <strong>$913 million in 2024<\/strong>, a 20% increase year-on-year, according to the <a href=\"https:\/\/auspaynet.com.au\/insights\/Annual-Review\/2025-Annual-Review\">Australian Payments Network\u2019s (AusPayNet)<\/a> 2025 Australian Payment Fraud Report. CNP fraud now accounts for 90% of all card fraud on Australian cards. With Visa\u2019s Digital Commerce Authentication Program (DCAP) taking effect for the Asia-Pacific region from 18 April 2026 and Mastercard tightening its Identity Check requirements on a parallel timeline, the commercial pressure on Australian merchants to support 3-D Secure 2.x (3DS2) authentication has moved from \u201cgood practice\u201d to \u201coperational necessity&#8221;.<\/p>\n<p><a href=\"https:\/\/www.gpayments.com\/\">GPayments<\/a>, an Australian company specialising in 3-D Secure since 1999, works with acquirers, payment service providers, and merchants across 33 countries to implement EMVCo-certified authentication infrastructure. This article sets out what Australian merchants need to understand about 3DS2 adoption, fraud liability, and checkout performance in 2026.<\/p>\n<h2>Card Scheme Mandates and Compliance Pressure in Australia<\/h2>\n<p>Australia does not have a legislative SCA mandate equivalent to Europe\u2019s PSD2 \u2014 the Reserve Bank of Australia has not prescribed strong authentication in the same way. 
However, the regulatory and commercial environment is tightening from multiple directions.<\/p>\n<h3>AusPayNet\u2019s CNP Fraud Mitigation Framework<\/h3>\n<p>AusPayNet\u2019s <a href=\"https:\/\/auspaynet.com.au\/insights\/initiatives\/CNP-Fraud-Mitigation-Framework\">CNP Fraud Mitigation Framework<\/a>, in effect since July 2019, requires merchants and issuers who consistently exceed agreed fraud thresholds to strengthen customer authentication. The current thresholds are set at a fraud rate of 15 basis points for issuers and 20 basis points (with a fraud value of $50,000 per quarter) for merchants. Breaches can trigger mandatory SCA requirements for all CNP transactions and potential fines. AusPayNet monitors compliance through quarterly reporting from acquirers.<\/p>\n<h3>Visa\u2019s DCAP and VAMP Programs<\/h3>\n<p>Visa\u2019s Digital Commerce Authentication Program (DCAP), published in the October 2025 Visa Core Rules update, takes effect for the Asia-Pacific region (including Australia) from 18 April 2026. Separately, Visa\u2019s Acquirer Monitoring Program (VAMP), which replaced the legacy VDMP and VFMP programs in April 2025, introduced a critical change: fraud reports (TC40s) now count toward the VAMP ratio, not just chargebacks. The merchant <a href=\"https:\/\/usa.visa.com\/dam\/VCOM\/download\/about-visa\/visa-rules-public.pdf\">threshold under VAMP<\/a> dropped to 1.5% from April 2026 across the US, Canada, EU, and Asia-Pacific. Acquirers are setting their own internal limits \u2014 often at 1.0% or lower \u2014 to keep their portfolio average below 0.5%.<\/p>\n<p>The practical consequence: merchants who do not authenticate transactions through 3DS2 cannot claim liability shift for fraudulent chargebacks, and their fraud reports still count toward acquirer monitoring ratios. 
For merchants in high-fraud categories \u2014 fashion, electronics, travel \u2014 this exposure is material.<\/p>\n<h2>What Australian Merchants Need to Set Up<\/h2>\n<p>The implementation path for 3DS2 depends on a merchant\u2019s technical integration model. Merchants using a hosted payment page from an acquiring bank or payment gateway typically receive 3DS2 support as part of that service \u2014 they need to ensure it is enabled and configured correctly rather than building it themselves. Merchants with direct API integrations to an acquirer, or those using a payment facilitator, need to implement a certified 3DS Server or ensure their PSP\u2019s 3DS Server is certified and correctly configured.<\/p>\n<p>A compliant 3DS Server must be registered with the relevant card scheme directory servers, support protocol version 2.2 at minimum (with 2.3 strongly recommended for new implementations), pass the required data elements in authentication requests, and handle both frictionless and challenge response codes correctly. <a href=\"https:\/\/www.gpayments.com\/solutions\/acquiring\/\">GPayments\u2019 ActiveServer<\/a> is an <a href=\"https:\/\/www.emvco.com\/processes\/emv-3-d-secure-approval-processes\/\">EMVCo-certified 3DS Server<\/a> supporting all major card schemes, available as a hosted service or for on-premise deployment. The hosted service includes PCI DSS certification and card scheme compliance managed by GPayments, removing the need for merchants to certify independently with each scheme.\u00a0<\/p>\n<h2>The Authorisation Rate Impact<\/h2>\n<p>Australian merchants often ask whether adding 3DS2 will hurt their authorisation rates. Done correctly, no \u2014 and in some cases it improves them. Australian issuers have invested in Access Control Server (ACS) infrastructure capable of frictionless risk assessment. 
For well-configured merchants that supply rich data elements, a high proportion of transactions will authenticate frictionlessly, with no visible impact on the cardholder.<\/p>\n<p>Where authorisation rates can suffer is when 3DS2 is poorly configured \u2014 limited data elements sent to the issuer, incorrect handling of challenge responses, or aggressive exemption attempts that trigger issuer overrides. Ongoing monitoring of authentication rates, frictionless rates, and challenge completion rates is essential for maintaining performance. <a href=\"https:\/\/www.gpayments.com\/solutions\/testing\/\">GPayments\u2019 TestLabs<\/a> provides an end-to-end testing environment with fully developed Directory Server and ACS components for validating 3DS2 implementations before go-live.\u00a0<\/p>\n<h2>Buy Now Pay Later and Wallets: Special Considerations<\/h2>\n<p>Australia\u2019s payments landscape includes significant transaction volumes through digital wallets (Apple Pay, Google Pay) and Buy Now Pay Later (BNPL) services. Authentication requirements for these vary. Wallet-based transactions use their own authentication mechanisms (device-level biometric or PIN) that may satisfy scheme authentication requirements independently. BNPL transactions are typically structured as merchant-initiated transactions after initial customer identity verification, which has distinct implications for 3DS application.<\/p>\n<p>Merchants offering multiple payment methods need to ensure their 3DS implementation logic correctly handles these payment types \u2014 applying 3DS2 where required, recognising when a wallet or BNPL flow already provides equivalent authentication, and avoiding unnecessary authentication attempts that degrade the checkout experience. 
<a href=\"http:\/\/gpayments.com\/blog\/article\/cnp-transactions-and-3d-secure\">ActiveServer\u2019s protocol router and multi-requestor<\/a> support help merchants manage this complexity across payment methods.<\/p>\n<h2>Frequently Asked Questions<\/h2>\n<h3>Is 3DS2 mandatory for Australian merchants?<\/h3>\n<p>Australian law does not impose a direct SCA mandate equivalent to Europe\u2019s PSD2. However, Visa\u2019s Digital Commerce Authentication Program (DCAP), effective 18 April 2026 for the Asia-Pacific region, and Mastercard\u2019s Identity Check requirements create strong commercial incentives to adopt 3DS2. AusPayNet\u2019s CNP Fraud Mitigation Framework also requires merchants exceeding fraud thresholds to strengthen authentication. Merchants who do not authenticate transactions cannot benefit from chargeback liability shift under card scheme rules.<\/p>\n<h3>What happens to fraud liability if I don\u2019t use 3DS?<\/h3>\n<p>Without 3DS authentication, liability for fraudulent CNP chargebacks typically rests with the merchant or acquirer. Card scheme rules (Visa Secure, Mastercard Identity Check) provide liability shift only for transactions that have been properly authenticated. Under Visa\u2019s VAMP framework, fraud reports (TC40s) now count toward monitoring ratios regardless of whether chargebacks are prevented through other tools. Merchants in high-fraud categories face the greatest exposure from not authenticating transactions.<\/p>\n<h3>Will 3DS2 affect my checkout conversion rate?<\/h3>\n<p>A well-implemented 3DS2 solution should have minimal negative impact on conversion for low-risk transactions, as these authenticate frictionlessly with no visible step for the cardholder. Challenge flows affect only the subset of transactions where the issuer requires step-up authentication. 
Legacy 3DS1 had higher friction due to indiscriminate redirects \u2014 3DS2\u2019s risk-based challenge approach is designed to reduce unnecessary friction while maintaining security.<\/p>\n<h3>How do I enable 3DS2 as an Australian merchant?<\/h3>\n<p>If you use a hosted payment page or payment gateway, contact your provider to confirm 3DS2 is enabled on your account. For direct API integrations, you will need to implement a certified 3DS Server or use your payment service provider\u2019s. Ensure you are supplying the full recommended data set in authentication requests (up to 150 data elements) and monitoring your frictionless rate, challenge completion rate, and authentication success rate on an ongoing basis.<\/p>\n<h3>Do digital wallets like Apple Pay need 3DS?<\/h3>\n<p>Wallet-based transactions such as Apple Pay and Google Pay use device-based authentication (biometric or device PIN) that card schemes typically recognise as equivalent to strong customer authentication. These transactions may not require a separate 3DS flow. Specific treatment varies by card scheme and acquirer configuration \u2014 merchants should confirm the requirements with their acquirer for each wallet type they accept.<\/p>\n<h3>How does GPayments\u2019 ActiveServer support Australian merchants?<\/h3>\n<p>GPayments\u2019 ActiveServer is an EMVCo-certified 3DS Server supporting all major global card schemes. For Australian merchants, it is available as a hosted service (with PCI DSS certification and card scheme compliance managed by GPayments) or for on-premise deployment. 
ActiveServer includes a protocol router for backwards compatibility with 3DS1, RESTful APIs for straightforward integration, and access to GPayments\u2019 TestLabs for end-to-end integration testing.<\/p>\n<h2>Building a Baseline for 2026<\/h2>\n<p>Australian merchants are operating in an environment where CNP fraud pressure is rising and card scheme expectations around authentication are tightening on a defined timeline. The domestic CNP fraud rate may have declined to a record low of 97 cents per $1,000 spent in 2024 (AusPayNet), but total fraud value is still growing \u2014 and overseas CNP fraud on Australian cards rose 25% to $454 million in the same year.<\/p>\n<p>Building a solid 3DS2 implementation is no longer a differentiator \u2014 it is the baseline for protecting revenue, managing fraud liability, and maintaining acquirer relationships. The practical next step for most merchants is to confirm with their acquirer or PSP whether 3DS2 is enabled, review their authentication success and frictionless rates, and assess whether their current data element coverage is sufficient for issuers to make accurate risk decisions.<\/p>\n<table style=\"border-collapse: collapse; width: 100%;\">\n<tbody>\n<tr>\n<td style=\"width: 100%;\">\n<p><strong>Need Help with 3DS2 Implementation?<\/strong><\/p>\n<p>GPayments is an Australian company specialising in 3-D Secure since 1999. 
Whether you need a hosted ActiveServer service or on-premise deployment, our team can help you implement 3DS2 correctly, meet card scheme requirements, and protect your checkout conversion.<\/p>\nContact our team: <a href=\"https:\/\/www.gpayments.com\/contact\/\">gpayments.com\/contact<\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Card-not-present (CNP) fraud on Australian-issued cards reached $913 million in 2024, a 20% increase year-on-year, according to the Australian Payments Network\u2019s (AusPayNet) 2025 Australian Payment Fraud Report. CNP fraud now accounts for 90% of all card fraud on Australian cards. With Visa\u2019s Digital Commerce Authentication Program (DCAP) taking effect for the Asia-Pacific region from 18 [&hellip;]<\/p>\n","protected":false},"author":11,"featured_media":2678,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[2],"tags":[13,46,16],"class_list":["post-2667","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-article","tag-3ds2","tag-activeserver","tag-online-fraud-prevention"],"aioseo_notices":[],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/www.gpayments.com\/blog\/wp-json\/wp\/v2\/posts\/2667","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.gpayments.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.gpayments.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.gpayments.com\/blog\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/www.gpayments.com\/blog\/wp-json\/wp\/v2\/comments?post=2667"}],"version-history":[{"count":9,"href":"http
s:\/\/www.gpayments.com\/blog\/wp-json\/wp\/v2\/posts\/2667\/revisions"}],"predecessor-version":[{"id":2676,"href":"https:\/\/www.gpayments.com\/blog\/wp-json\/wp\/v2\/posts\/2667\/revisions\/2676"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.gpayments.com\/blog\/wp-json\/wp\/v2\/media\/2678"}],"wp:attachment":[{"href":"https:\/\/www.gpayments.com\/blog\/wp-json\/wp\/v2\/media?parent=2667"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.gpayments.com\/blog\/wp-json\/wp\/v2\/categories?post=2667"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.gpayments.com\/blog\/wp-json\/wp\/v2\/tags?post=2667"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}