Visa Will Discontinue Support of 3-D Secure 1.0.2 in 2022

Effective 15 October 2022, Visa will discontinue support of 3-D Secure 1.0.2 and related technology. Effective 16 October 2021, Visa will continue to support 3DS 1.0.2 transaction processing, including the 3DS 1.0.2 Directory Server (DS), but will stop support of 3DS 1.0.2 Attempts Server.

Visa Secure is designed to make online payments more secure by enabling an issuer to authenticate its cardholders, thus ensuring payments are made by the legitimate owner of the account. 3-D Secure (3DS) is the specification that defines the messages and data that enable the authentication to occur. 3DS 1.0.2 is the original version of the specification that was introduced over 15 years ago. An updated version of the specification, EMV 3DS, was published in October 2016, and provides for a seamless user experience, enhanced data exchange for better fraud management and authorization decision making, and support across multiple payment channels and devices.

Visa is committed to supporting the industry’s transition from 3DS 1.0.2 to EMV 3DS; therefore, effective 15 October 2022, Visa will discontinue support for 3DS 1.0.2 and all related technology.

To give clients more time to prepare for the full sunset of 3DS 1.0.2, Visa has decided to revise the rule change that was announced in the 16 April 2020 edition of the Visa Business News to remove merchant fraud liability protection on 3DS 1.0.2 transactions.

Effective 16 October 2021, Visa will continue to support 3DS 1.0.2 transaction processing, including the 3DS 1.0.2 Directory Server (DS), but will stop support of 3DS 1.0.2 Attempts Server for non participating issuers. After 15 October 2021, Visa will respond with a Verify Enrollment Response (VERes) = N to all authentication requests when the issuer does not support 3DS 1.0.2 (e.g. BIN range does not have an access control server [ACS] URL listed in the DS).

If an issuer continues to support 3DS 1.0.2 after 15 October 2021, it will be able to respond to merchants with a fully authenticated response and Cardholder Authentication Verification Value (CAVV), and merchants will obtain fraud liability protection. These transactions will be blocked from fraud-related disputes in Visa Resolve Online. Issuers wishing to stop support of 3DS 1.0.2 must request that their Bank Identification Number (BIN) ranges be removed from the Visa Secure DS.

Re-enabling the 3DS 1.0.2 Card Range Message Pair

For merchants to determine which issuers continue to support 3DS 1.0.2 after 15 October 2021, Visa is re-enable the Card Range Request (CRReq) and Card Range Response (CRRes) messages for 3DS 1.0.2 that had been previously disabled.

Action being taken by Endeavour

Endeavour will be re-enabling its card range cache and will maintain a list of all issuer BIN ranges participating in 3DS 1.0.2 . Upon receiving the enrollment request, Endeavour will automatically check if the card is enrolled.

Endeavour advises merchants to fail over to 3DS 2.0 when a card is not enrolled for 3DS 1.0. This way the liability shift can be obtained. In addition, where SCA is required such as with PSD2 in EU/EEA, merchants are still required to use 3DS even if the pan comes back as not enrolled under Version 1; failure to do so will lead to soft declines.

MasterCard has also made a similar announcement regarding the discontinuation of their Attempts Server. MasterCard will decommissioned their Attempts server on October 5th, 2021.

Therefore this change will affect all transactions and not just Visa.