$900 Billion in Declined Payments by 2026
Almost $900 billion will be lost to payment declines globally by 2026, and the majority of those are failed transactions from good customers. The core problem: issuers receive incomplete data in the standard authorization message, which creates higher risk profiles and more conservative decline decisions.
Jeremy Bellino from Worldpay and Julie Ransom from Ancestry.com broke down how 3DS Data Only addresses this at the 2025 PaymentsEd Annual Forum. The concept is straightforward: use existing 3DS infrastructure to share enhanced customer data with issuers, but skip the consumer-facing challenge entirely. No pop-up, no redirect, no friction.
The ISO8583 Data Problem
The standard authorization message (ISO8583) supports minimal cardholder-identifying data: billing address, ZIP code, phone number, and cardholder name. That’s it. Meanwhile, ecommerce merchants have access to far richer customer data: shipping addresses, email addresses, browser and device IP addresses, device IDs, user account details, and customer IDs.
Issuers want that data. Their AI models value it highly for making better risk decisions. But the standard authorization pipe doesn’t carry it. Some large issuers have built their own APIs for merchants to share enhanced order data pre-authorization, but there are over 8,600 issuing banks in the U.S. alone. No merchant wants to maintain 8,600 API integrations.
3DS Data Only solves this by using the existing 3DS rails as the delivery mechanism. The merchant sends enhanced data through their 3DS MPI (Merchant Plug-In), the network processes it, and the issuer receives it alongside the authorization request. The consumer never sees a challenge.
The Numbers
The authorization rate improvements are concrete. A Square and Visa North America case study showed an average approval rate lift of 220 basis points over non-Data Only CNP authorizations, with 460 basis points of uplift on medium-to-high-risk transactions.
Visa’s pilot data across U.S. merchants shows the impact most clearly in the medium-risk band, which accounts for over 50% of suspected fraud declines. With enhanced data sharing through Data Only, approval rates in that band improved by 4.2% while fraud rates dropped 4 basis points. Over 15 million transactions have run through these enhanced data flows.
Mastercard’s Identity Check Insights shows approximately 2% approval lift across the top 15 U.S. issuers. Their approach generates a Digital Transaction Insights (DTI) score that influences the issuer’s authorization decision, with approval rates in the low-risk DTI band (0-3) running at 95-96%.
Visa vs. Mastercard: Similar but Different
Both networks offer Data Only, but the implementations differ in ways that matter for integration. Visa Data Only sends the authentication request data to the Access Control Server (ACS) and passes risk score, IP address, IP velocity, and device ID velocity to the issuer via existing authorization data elements. It uses ECI 07 with a CAVV u3 v7.
Mastercard Identity Check Insights does not send authentication request data to the ACS. Instead, it generates a DTI score and reason codes that get passed to the issuer via SLI 214 in the authorization message, using a unique ECI of 04.
Both provide a frictionless experience with minimal latency and increased approvals. Both leave fraud liability with the merchant (no liability shift). The integration requirements differ, and Jeremy walked through the specific technical requirements for each network.
An “All or Nothing” Strategy Won’t Work
An important caveat: sending Data Only on every transaction won’t produce strong results. Issuer support for Data Only varies. Though Visa has mandated all U.S. issuers support it, actual adoption and usage rates differ by issuer and region.
The merchants, seeing the best results, take a data-driven approach: look up issuer support before routing, understand individual issuer preferences relative to 3DS authentication, and use optimization logic to decide whether a given transaction should go through Data Only, full 3DS, or a direct-to-authorization path.
Jeremy outlined the decision framework: for issuers that support Data Only, route through the Data Only path. For issuers that are 3DS-averse, fall back to issuer-specific data-sharing APIs when available. For non-participating issuers, use standard e-commerce authorization. The optimization layer that makes these routing decisions in real time is where the real value gets unlocked.
Considerations Before Adopting
The tradeoffs are worth noting. Data only costs roughly the same as a full 3DS request, but without the fraud liability shift benefit. It requires a full 3DS MPI integration (the same development effort as full 3DS). And the Compelling Evidence 3.0 qualification is coming: effective October 17, 2025, Visa will automatically qualify transactions for CE3.0 through Visa Secure, including Visa Data Only.
For merchants already running 3DS, enabling Data Only requires changing just one to three parameters in the MPI integration request. For merchants not yet on 3DS, the integration effort is the same either way, which means Data Only becomes a natural starting point.
This session was presented by Jeremy Bellino, Senior Product Manager at Worldpay and Julie Ransom, Senior Payment Operations Manager at Ancestry.com at the 2025 PaymentsEd Annual Forum.
If 3DS Data Only is on your evaluation list, the 2026 PaymentsEd Forum is where merchants and providers compare implementation results. Registration is open.