Global card networks, including Mastercard and Visa, are rolling out mandates to improve 3D Secure (3DS) authentication by feeding more reliable data signals into the risk engines of issuers such as banks. The move is intended to address the data stalemate between stakeholders within the financial services sector.
According to banking and payment authentication specialist Entersekt, Mastercard has introduced a new Essential Data Requirement mandate for its version of 3DS, called Identity Check, which came into effect on 1 April. Meanwhile, Visa has a similar mandate for Verified by Visa, which will reach full compliance on 24 October.
Entersekt adds that an upgraded version of 3DS – 3DS 2.2 (within the 3DS 2 framework) – is now widely used.
However, Gerhard Oosthuizen, CTO at Entersekt, says many issuers are still hovering at authentication success rates of around 80%, adding that in many markets, most transactions are still challenged by default, with higher-than-expected failure rates.
“E-commerce links thousands of merchants with thousands of issuers, and each side must play well together to achieve the promised improvement. However, merchants have not really seen a benefit in sending the additional fields through to the issuer. Similarly, issuers have seen large inaccuracies in the data, with some fields set to hardcoded values. This means issuers have not been able to use the merchant signals to reduce friction, resulting in a stalemate that is ultimately hurting e-commerce and driving merchants to look for alternatives,” says Oosthuizen.
ITWeb Security Summit 2026
Cyber security professionals can join hundreds of industry peers at ITWeb Security Summit Cape Town 2026 and ITWeb Security Summit 2026 in Johannesburg, where expert speakers will explore how organisations can stay resilient in the face of AI-driven attacks and an increasingly complex threat landscape.
He adds that South African merchants continue to resist 3DS authentication protocol because they link the current version with the older version’s intrusive 'pop‑up' challenges on almost every transaction, which slowed checkout and hurt conversion.
“Historically, poor issuer implementations have led to failed approvals and higher cart abandonment, so merchants see 3DS as a conversion killer, not an enabler. Many have not yet seen tangible benefits from sharing richer data – because issuers often did not trust or use that data – so they perceive the extra work as ‘all pain, no gain’,” says Oosthuizen.
He argues that this ongoing resistance cuts merchants off from billions of rands in potential revenue, as stakeholders look to feed more reliable data signals into the risk engines at issuers.
“In many markets, most transactions are still challenged, with higher-than-expected failure rates. This is due to a 'chicken and egg' situation – merchants are not submitting enough additional data fields to issuers, leaving issuers unable to train their risk engines on the data to fully trust the signals, so the friction continues. And because merchants have not really seen a benefit in sending additional fields through to the issuer, they don’t submit the full range of fields that are needed, so the situation continues.”
Card-not-present fraud
Oosthuizen adds that merchants also face significant risk because transactions are not run through 3DS – a cause for concern given the increasing level of card-not-present (CNP) fraud.
He cites research by SABRIC, according to which CNP fraud contributed to 85.6% of gross fraud losses on locally issued credit cards. With fewer transactions benefiting from the added security offered by 3DS, local merchants face significant risk without the safety of the liability shift.
Step-up challenges significantly increase user friction and lead to cart abandonment, Entersekt claims. The company states that while the global cart abandonment rate is around 70%, SA’s stands at about 84%.
A major driver is the skills shortage, with many companies lacking the teams to manage traditional security stacks. This is accelerating demand for automation, managed services and simplified platforms that improve outcomes.
Many companies are also leapfrogging traditional security maturity models by moving directly into connected, cloud-driven environments, increasing the need for scalable, adaptive security designed for lean teams.
With all the 3DS 2 rails and standards in place, Oosthuizen says it is realistic to bring challenge rates down towards 50% or lower in many segments and to aim for around 90% transaction success rates, without compromising fraud.
“Early results of our work at a very large merchant show more than 60% of customers can now go through frictionlessly, with no reported surge in fraud. We believe that codifying these kinds of numbers as ‘what good looks like’ gives CISOs and product owners a concrete business case,” he says.
A compliance step
Arthur Goldstuck, CEO of World Wide Worx, suggests it is not a case of resistance on the part of South African merchants, but rather that 3DS isn’t being used properly.
“The systems from Visa and Mastercard are designed to reduce friction, but only if merchants send good, detailed transaction data to banks. Right now, many merchants treat it as a compliance step and send poor or generic data,” says Goldstuck. “That means banks cannot judge risk properly, so they default to extra authentication. The result is more friction for customers and lower conversion rates for merchants.”
This means merchants tend not to invest in better data because they do not see the benefit, and banks cannot reduce friction because the data is "missing in action", adds Goldstuck.
“This could shift as bigger merchants start optimising their data and see better approval rates. Over time, I would hope the system moves closer to the original goal of less friction for low-risk transactions,” he explains.
Looking ahead, Oosthuizen says merchants must understand that 3DS 2 is no longer a blunt instrument that must always hurt conversion.
“Entersekt is engaging with large merchants, payment service providers and issuers to help create momentum and start changing our ecosystem. I’m confident we can make a dramatic change to the e-commerce experience in South Africa. We can and should do better,” he says.
Share
