
Visa 3DS Data Requirements: PII Fields and Compliance Guide


Visa requires cardholder email or phone number in all 3DS authentication requests as of August 12, 2024. This guide covers the specific data fields, format requirements, enforcement behavior, and liability shift implications for compliance…

Visa now requires cardholder email or phone number in every 3D Secure authentication request. The mandate, detailed in the Visa Secure Program Guide, took effect August 12, 2024. Non-compliant requests are rejected at the Directory Server before reaching the issuer, which means no authentication, no liability shift, and increased fraud exposure.

This article covers the specific Visa 3DS data requirements, format specifications, and enforcement behavior. The focus is on what compliance teams need to validate vendor readiness and document approval rationale, not implementation code.

What Visa now requires for 3DS authentication

The Visa Secure Program Guide, which supplements the Visa Rules, mandates three data elements in browser-based 3DS authentication requests (AReq messages):

  1. Cardholder name
  2. Cardholder email address OR phone number (at least one)
  3. Browser IP address

For app-based transactions, the third element is Common Device Identification, which 3DS SDKs collect automatically.

The requirement originated in August 2023, when Visa announced enforcement of 12 additional data fields. After ecosystem feedback, Visa reduced the scope to 5 fields in January 2024, then to the current 3 mandatory fields. The enforcement date moved from February 12, 2024 to August 12, 2024 to allow implementation time (Silverflow).

The rationale: Visa states that PII data helps issuers make more accurate risk decisions, reducing unnecessary challenges while improving fraud detection.

Required data fields and format specifications

Each field has specific format requirements. Compliance teams should verify that their 3DS provider handles these correctly.

| Field | Format | Max length | Notes |
|---|---|---|---|
| Cardholder name | First name + last name | 50 characters each | Must match card registration |
| Email address | Valid email format | 128-255 characters | Standard RFC 5322 validation |
| Phone number | International format with country code | 30 characters | E.g., +33612345678 |
| Browser IP | IPv4 or IPv6 | Standard format | Collected from browser |

The phone number format requirement causes the most implementation issues. Local formats without country prefix (e.g., “0612345678”) are rejected. The number must include the international dialing code (e.g., “+33612345678” for France).

If both email and phone are available, Visa recommends providing both for optimal issuer risk assessment. However, only one is required for compliance.

Enforcement timeline and rejection behavior

The Directory Server enforces these requirements before the authentication request reaches the issuer. The enforcement mechanism is binary: compliant requests proceed; non-compliant requests are rejected.

Enforcement Date: August 12, 2024

Visa began rejecting non-compliant 3DS authentication requests at the Directory Server level on this date. Requests missing required fields do not reach the issuer.

Timeline:

  • August 2023: Visa announces 12 required fields
  • January 2024: Scope reduced to 5 fields; deadline extended to August 12, 2024
  • August 12, 2024: Enforcement begins

Rejection consequences:

  • Authentication request rejected at Directory Server
  • Transaction may proceed without 3DS protection
  • Merchant loses liability shift for fraud chargebacks
  • Card issuer will not assume fraud liability

Some payment providers implement fallback behavior, substituting placeholder data when merchant-provided data is missing. This satisfies the technical requirement but may harm authentication outcomes. According to Praxis Tech, inaccurate data may trigger increased challenge rates and failed authentications.
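A merchant-side pre-flight check illustrates both the format rules from the field table above and the placeholder-fallback risk just described. This is an added example written for this article, not Orchestra's library code and not Visa's or EMV 3DS reference code. It assumes a flat merchant-side record with keys `first_name`, `last_name`, `email`, `phone` and `browser_ip` (the real AReq field names differ and depend on your 3DS provider), takes the length limits from the table above, and uses a constructed list of placeholder values that a provider fallback might substitute; the `normalize_phone` helper assumes the common leading-`0` trunk prefix, which varies by country.

```python
"""Pre-flight check of the three Visa-mandated cardholder data elements
before a browser-based EMV 3DS AReq is built.

Added example, not Orchestra's or Visa's code. Field names and limits
are assumptions taken from the article's table, not from the 3DS spec.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Limits as stated in the article's field table (assumed).
MAX_NAME_PART = 50
MAX_EMAIL = 255
MAX_PHONE = 30

# Shape checks. The email regex is a pragmatic subset of RFC 5322; the
# phone regex encodes Visa's rule (leading '+' and country code) plus the
# E.164 ceiling of 15 digits.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PHONE_RE = re.compile(r"^\+[1-9]\d{6,14}$")

# Placeholder values a provider fallback might substitute when merchant
# data is missing. Constructed for illustration; replace with whatever
# your provider actually emits.
PLACEHOLDER_EMAILS = {"noreply@example.com", "unknown@example.com"}
PLACEHOLDER_PHONES = {"+10000000000", "+33000000000"}

# Address ranges that cannot be a cardholder's browser on the public
# internet: RFC 1918, loopback, link-local, IPv6 ULA/link-local.
NON_BROWSER_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


@dataclass
class CheckResult:
    compliant: bool = True                        # False: DS would reject
    errors: list = field(default_factory=list)    # hard failures
    warnings: list = field(default_factory=list)  # accepted, but risky


def normalize_phone(raw: str, country_code: str) -> str:
    """Convert a locally formatted number to international format.

    Strips spaces/punctuation and one leading trunk '0' (assumption:
    the common European convention; other markets differ), then
    prefixes '+<country_code>'. Numbers already starting with '+' are
    returned with only separators removed.
    """
    digits = re.sub(r"[^\d+]", "", raw)
    if digits.startswith("+"):
        return digits
    if digits.startswith("0"):
        digits = digits[1:]
    return f"+{country_code}{digits}"


def validate_areq_cardholder(data: dict) -> CheckResult:
    """Check a merchant-side cardholder record (assumed schema) against
    the three mandated elements and flag placeholder-looking values."""
    r = CheckResult()

    # 1. Cardholder name: first and last, each within the length limit.
    for key in ("first_name", "last_name"):
        value = (data.get(key) or "").strip()
        if not value:
            r.errors.append(f"{key} missing")
        elif len(value) > MAX_NAME_PART:
            r.errors.append(f"{key} exceeds {MAX_NAME_PART} characters")

    # 2. Email OR phone: at least one present and well formed.
    email = (data.get("email") or "").strip()
    phone = (data.get("phone") or "").strip()
    if not email and not phone:
        r.errors.append("neither email nor phone supplied (at least one required)")
    if email:
        if len(email) > MAX_EMAIL or not EMAIL_RE.match(email):
            r.errors.append("email is not a valid address")
        elif email.lower() in PLACEHOLDER_EMAILS:
            r.warnings.append("email looks like provider placeholder data")
    if phone:
        if len(phone) > MAX_PHONE or not PHONE_RE.match(phone):
            r.errors.append("phone must be international format with country code, e.g. +33612345678")
        elif phone in PLACEHOLDER_PHONES:
            r.warnings.append("phone looks like provider placeholder data")

    # 3. Browser IP: must parse as IPv4/IPv6. A private or loopback address
    # usually means the server recorded its own or a proxy's address rather
    # than the cardholder's browser (e.g. X-Forwarded-For not honoured).
    ip_raw = (data.get("browser_ip") or "").strip()
    try:
        ip = ipaddress.ip_address(ip_raw)
    except ValueError:
        r.errors.append("browser_ip is not a valid IPv4/IPv6 address")
    else:
        if any(ip in net for net in NON_BROWSER_NETS):
            r.warnings.append("browser_ip is in a private/loopback range; check proxy header handling")

    r.compliant = not r.errors
    return r
```

Errors correspond to requests the Directory Server would reject; warnings are requests that pass the technical check but carry the data-quality risk the text describes, so a compliance team can count both separately when assessing a provider's fallback behaviour.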

Card network scope: This mandate applies only to Visa cards. Mastercard mandated EMV 3DS v2.2 in Europe (October 2022) and is expected to follow with similar data quality requirements, but has not yet enforced equivalent PII mandates. American Express supports EMV 3DS but has announced no equivalent requirement.

Impact on authentication and approval rates

Visa provides aggregate performance data for merchants submitting compliant authentication requests:

Visa-reported performance lift with compliant data:

| Metric | Improvement |
|---|---|
| Authentication success rate | +4% |
| Approval rate | +6% |
| Frictionless rate | +57% |
| Fraud detection rate (issuer) | +65% |

Source: Trust Payments

These figures are Visa-reported aggregates; actual results vary by merchant, card mix, and geography. The directional impact is consistent: accurate PII data improves issuer risk models, which improves outcomes for legitimate transactions.

The frictionless rate improvement matters for conversion. Industry data shows challenge flows reduce conversion by 10-18% on average compared to frictionless flows (Payrails). A +57% frictionless rate lift translates directly to reduced checkout abandonment.

Privacy exemptions and GDPR considerations

Visa includes a privacy exemption: “In cases where local data privacy regulations protect the sharing of specific data fields, the minimum data prerequisites do not apply.”

This applies to:

  • GDPR-protected scenarios where explicit consent for data sharing has not been obtained
  • Local data privacy laws with similar restrictions on PII transmission

For compliance documentation, record which privacy exemption applies if not sending required fields. The exemption exists, but invoking it means forgoing the benefits of compliant data submission and potentially accepting higher challenge rates.

Note that this Visa mandate does not expand PCI scope. The data elements are transmitted in authentication requests, not stored. Compliance officers do not need to reassess Cardholder Data Environment boundaries based on this mandate. If you use a payment orchestration provider that handles PCI compliance outsourcing, confirm they’re passing the required fields in their 3DS implementation.

Implementation checklist for compliance teams

For compliance officers validating vendor readiness or documenting approval rationale:

Vendor validation questions:

  1. Does the 3DS provider include required Visa fields automatically, or must the merchant provide them?
  2. How does the provider handle phone number formatting (international prefix)?
  3. What fallback behavior exists if data is missing?
  4. Can the merchant override fallback behavior to ensure accurate data is used?

Documentation requirements:

| Requirement | Evidence |
|---|---|
| Visa mandate effective date | August 12, 2024 (Visa Secure Program Guide) |
| Required fields | Cardholder name, email OR phone, browser IP |
| Enforcement mechanism | Directory Server rejection |
| Liability impact | Loss of liability shift for fraud chargebacks |
| Privacy exemption | GDPR/local privacy laws may exempt specific fields |
| Provider compliance | Attestation from 3DS provider |

Liability shift verification:

With successful 3DS authentication, fraud chargeback liability shifts from the merchant to the card issuer. Non-compliance that causes authentication rejection eliminates this protection. For transactions where the merchant bears fraud liability, the cost exposure from non-compliance is direct and quantifiable.

Orchestra’s 3DS implementation handles the required Visa fields through our library, including proper phone number formatting. The library passes cardholder data collected during checkout to the authentication request automatically.

Frequently asked questions


What PII does Visa require for 3DS authentication?

Visa requires cardholder email address or phone number (at least one), cardholder name, and browser/device data including IP address and screen dimensions. For browser transactions, these three elements must be present in the authentication request (AReq) message. App-based transactions substitute Common Device Identification for browser IP, which 3DS SDKs collect automatically.


What happens if required 3DS data fields are missing?

Authentication requests are rejected at the Directory Server level before reaching the issuer. The transaction may still proceed without 3DS protection, but the merchant loses liability shift for fraud chargebacks. The card issuer will not assume fraud liability for unauthenticated transactions.


Does this requirement apply to all card brands?

The August 2024 mandate applies specifically to Visa cards. Mastercard, American Express, and other networks have their own 3DS data requirements, which may differ. Mastercard enforced EMV 3DS v2.2 in Europe in October 2022 but has not announced equivalent PII field mandates.


How does sending PII affect 3DS challenge rates?

Visa data shows accurate PII achieves +57% frictionless rate lift and +4% authentication success rate. Complete, accurate data helps issuers make confident risk decisions without triggering manual review. Inaccurate or placeholder data may increase challenge rates, as issuers default to conservative decisions when data quality is poor.


What phone number format does Visa require?

International format with country code prefix is required. A French mobile number must be formatted as +33612345678, not 0612345678. Phone numbers in local format without the country prefix are rejected by the Directory Server.


Does GDPR affect Visa’s 3DS data requirements?

Yes. Visa explicitly exempts transactions where local data privacy regulations protect sharing specific data fields. If GDPR constraints prevent transmitting cardholder email or phone without explicit consent, the minimum data prerequisites do not apply. Document which exemption applies if invoking this provision.
