This episode is a follow-up to our 2024 discussion with Stripe and Entersekt on the use of 3-D Secure (3DS) in markets where strong customer authentication is not mandated, particularly the United States. That earlier conversation was grounded in Stripe’s analysis of US 3DS transactions and explored a counterintuitive but important finding: when 3DS is deployed selectively in unregulated markets, its presence can become correlated with higher-risk transactions, limiting its effectiveness and in some cases negatively impacting authorization outcomes.
Since that episode, several developments have occurred, including new analysis by Stripe examining 3DS usage and performance in markets where authentication is required by regulation, a substantial increase in the use of EMVCo “network” tokenization, and research and messaging developed by Entersekt regarding the continued use of authentication in conjunction with tokenization.
Chris Uriarte is delighted to welcome back Amandeep Batra from Stripe and Dewald Nolte from Entersekt to address these developments and to explore how authentication and tokenization interact in practice across different regulatory environments.
For additional analysis on how 3DS and tokenization are complementary components of authentication, check out our white paper here.
Episode Transcript
Chris Uriarte:
Hi, everyone. I’m Chris Uriarte. In October 2024, my colleague, Bryan Derman, joined me in hosting Payments On Fire episode number 249, which was titled Two Decades of 3-D Secure: Can Strong Customer Authentication Succeed in the US and Unregulated Markets. The genesis of that episode came from some interesting research led by Amandeep Batra at the global PSP, Stripe. We thought it would be a great idea to invite Amandeep on the show, alongside Dewald Nolte, the chief strategy officer and co-founder of Entersekt, an authentication technology company that works with many large global banks to implement their authentication and risk management solutions. What resulted from that combination was a rich discussion focused on the challenges and realities of 3-D Secure for both merchants and issuers in parts of the world where strong customer authentication is not mandated, such as the United States.
Now, fast-forward 18 months, and Amandeep and the team at Stripe have published the results of updated research, this time focused on authentication trends observed in regulated markets such as the EU, UK, and Japan. Again, it sheds important light on how the payments ecosystem uses authentication, this time to satisfy regulatory requirements while simultaneously preserving overall payments conversion and performance rates. So it would’ve been very easy to have another conversation with Amandeep to discuss these updated findings, but a lot has evolved since our first discussions over two years ago. Network tokenization has taken the industry by storm. Agentic commerce wasn’t even a term two years ago, but has occupied a massive amount of payments thought leadership bandwidth over the past 12 months. Visa and Mastercard have implemented comprehensive frameworks to incentivize merchants to increase their use of authentication, and regulation, of course, has continued to evolve, including new countries and enhanced rules for those who have been complying with those existing regulatory regimes for the past decade.
All this said, the topic of payments authentication now goes well beyond 3-D Secure. So we said, Let’s give it another go and invite Amandeep and Dewald back to the podcast to have a more holistic discussion about the modern challenges that the payments world faces when it comes to authentication. I’m happy to have with me today, Amandeep Batra from Stripe, Dewald Nolte from Entersekt. Amandeep, Dewald, welcome back to Payments On Fire. Good to have both of you with me. How are you guys today?
Dewald Nolte:
Doing great. Thanks, Chris. Happy to be here. I’m looking forward to the discussion.
Chris Uriarte:
Yeah. So it’s good to have both of you back with us. I have to note a couple things. You guys are in kind of a bit of a distinguished group. We have had some return guests to the podcast for sure, so that’s one group there as well, so good to have you back. We saw you back about a year and a half, two years ago. But this might be the first time that we’ve actually had two guests from two different companies come back doing two episodes. We’ll have to go back and check with the statisticians back at the Glenbrook head office to validate whether this is the first time that’s happened, but really glad to have you both with us because in this topic today, we’re really going to be focused on some of the really key trends we’re seeing around authentication. I wanted to have you guys back because you’re so articulate and most importantly, you guys have boots on the ground experience with this, dealing with real merchants, real banks, real data, rather than just pontificating about some of this stuff.
I’m really, really excited to get into some of the details of what you guys are seeing out there in the market today, particularly since this is a topic that has continued to evolve fairly significantly, even over the course of the last 18 months or so since we first chatted on this topic. So let’s get into it. I’m not sure that we need to get really, really deep into both of your companies, but it would be good to get a little bit of a background just for everybody. Dewald, maybe get us started with a little bit about your role at Entersekt and what Entersekt does out there.
Dewald Nolte:
Sure. No, thanks, Chris. Chief strategy officer for Entersekt, also one of the co-founders of the company, so been around right from the start for the journey, and we are a transaction authentication company. We really focus on securing digital transactions across all channels, whether it’s access to digital stores of value. Think about bank accounts, think about merchant accounts, any store of value, so authenticating access to that, and then authenticating transactions, or money movements, or value movements from that store of value, whether that’s card or account-based payments, doing authentication of those transactions as well. That’s really where we focus, which is why we refer to ourselves as the financial authentication company. We really focus on that movement of value and securing that.
Chris Uriarte:
Great. And I’ve been tracking you guys over the last several years, and I think you guys have hit some big milestones, just to give our listeners a bit of an idea of scale for you guys. I think last year I read that you guys have crossed the 10 billion transactions processed mark per year. Is that right?
Dewald Nolte:
Yeah. No, it’s certainly been an interesting ride. And yeah, I forget how many countries it is now that we cover across the globe, but EMEA, APAC, Europe, LATAM, North America. We’ve got a pretty good footprint across the globe across a number of different markets, and so able to really see the trends. It’s very interesting to also see how you see these patterns. Certain fraud trends always emerging in certain markets and then they progress to others. Certainly interesting to see how these things move across markets.
Chris Uriarte:
Yeah, for sure. And Amandeep, great to have you back with us and with the team at Stripe. I don’t think I need to introduce Stripe as a company. I think most of the folks in the payments industry are very familiar with Stripe. Just for context there with Stripe, I took a look at the Collison’s latest annual letter, $1.9 trillion in total payments value in 2025, pretty significant. To put that into context, they say that that relates to about 1.6% of global GDP running through Stripe. That is pretty incredible for sure. But why don’t you give us a little bit of background as to your role there at Stripe, Amandeep?
Amandeep Batra:
Yeah, absolutely. Chris, Dewald, great to be here and back on this podcast with our favorite topic, 3-D Secure. So yes, Stripe’s main motto is to grow the GDP of the internet and you’ve quoted the numbers from our annual letter from our founders. Specific to my role, I’m Aman, and I lead the payments performance team for the EMEA region. Our team basically focuses on building optimization strategies that support some of the largest and most strategic merchants that process on Stripe to help them increase their revenue by helping them optimize their payment acceptance across authentication, authorization, reducing fraud, helping them optimize for the network cost, and also help them in global expansion needs. So yeah, we look at the full-fledged payments funnel across the multiple businesses and help them achieve their revenue targets and the North Stars that they have for them when it comes to payments performance.
Chris Uriarte:
Well, great to have you with us. I know you get some great exposure to some amazing data out there, so looking forward to your insights. I think we set the stage a little bit for today’s topic, but I want to start with a very, very basic question, because authentication is really the core thing that we’re going to be talking about today. And that word, I think has really morphed into a lot of different definitions to a lot of different people here in the payments industry. I think obviously when we first think about authentication and payments, 3-D Secure comes to mind first, but now there’s a lot of other things, some of which we’re going to get deeper into today. So we have this concept of authenticated tokens, for example. You’ve got the concept of just authentication of tokens into maybe mobile wallets at provisioning. I think most consumers these days are familiar with that.
Some people maybe think of authentication in more of a regulatory context. So you very often hear this term, strong customer authentication within the context of the European Union’s PSD2, soon to be PSD3 and PSR. And we’re seeing just this continued conversation around things like passkeys or things that have been around for a long time like Click to Pay being revived again with some announcements coming from Mastercard, Visa around the elimination of PINs. And those are just some examples there, but that’s a lot to start with. So we’ll talk about a lot of these things today, but maybe the first question, Dewald, I’ll go to you, sounds like this conversation around authentication is getting a lot more complicated. How do you even start to address the realm of authentication and what that really means with your different customers that are out there? It just seems like it’s getting incredibly complex to have this conversation these days.
Dewald Nolte:
It’s certainly evolved a lot, Chris. And I think something that’s quite evident, if you take a step back and you can look at it, there’s been a bit of an evolution that’s driving some of this complexity in the sense that you go back a couple of decades, payments were mostly initiated by an in-person transaction. That was most of where you would see that. And then it came to, okay, the internet started coming up and then it was pretty much a PC, but it was a PC at home. It always stayed at the same place. And then with mobile, now you have this very powerful device in your hand that you can initiate a payment from from anywhere. The amount of places that you can actually initiate a payment from then becomes a lot wider. And then of course, just recently, we decided to make it a little bit easier for ourselves by introducing something called agents that can transact on your behalf.
And so I think the long and the short of it is the points of where transactions can be initiated from has evolved a lot. It’s certainly seen a lot of growth. It’s much more convenient obviously for the consumer, but that means that unfortunately as you’re planning for securing that and authenticating that to make sure that this is the right person making the payment, that does become a bit more complex in making sure you have to really think about all the different use cases and all the different technologies behind it. I’d say the surface area that we have to cover when we think about authenticating payments has certainly evolved and expanded a lot, which does bring with it a little bit of complexity.
But at the same time, it’s not like the tools we have at our disposal have stayed in the stone age while this was happening. We also have a lot more tools available to us to make sure that we can authenticate these transactions in a secure way and a non-intrusive way. So I’d say yes, it’s getting more complicated because there are more tools to master, but certainly it’s not an unsolvable problem.
Chris Uriarte:
And Amandeep, I have to believe from a service provider perspective working with merchants, that this also really increases the complexity of the stack that you have to offer to these merchants. I think particularly in your role, if I’m in your seat in payments optimization, payments performance, all of a sudden the matrix of all of these and the way that they interact also becomes incredibly more complex. How do you guys view this and how does this change your world, both in the way that you’re servicing your customers and the way that you’re looking at payments performance and optimization?
Amandeep Batra:
Yeah, as Dewald was quoting, a lot has changed and evolved since, let’s say authentication first started on online payments when we had probably only one way to apply these measures to really understand whether the cardholder is who they say they are. Ultimately, it is about showing the ID, but while making an online payment in an online context is what authentication is solving for. But there has been a lot of evolutions across the globe. You touched upon strong customer authentication in context to PSD2/3 or PSR now. I’d say the evolution has been there on the 3-D Secure rails itself when it comes to what can you do in the realm of authentication, from just being able to authenticate yourself. It has moved on from that to actually passing the real metadata around the transaction so that a security layer can be enabled around it to make sure that it is the right cardholder in the right context making that transaction. This has definitely added complexity.
When it comes to the regulated framework, the framework has really designed itself in a way that it is given how do you move from a monolithic way of authenticating to really defining some parameters, if those exist, around a transaction, then you quote it as a securely authenticated or strongly authenticated transaction. Whereas if it is not there, it’s not a strongly authenticated transaction. Two-factor authentication is another, let’s say name or label that authentication has gotten in this market, whereas in certain markets where it is not yet regulated, you don’t say 2FA, two-factor authenticated, multifactor authentication. You simply say 3DS, does it really mean same thing? Sometimes yes, sometimes no, because it really depends on the factors that come into play.
And to your question on the complexity it has added for us as solution providers. So yeah, I think providing an authentication solution as part of your payments product stack has become a table stake now. It is important that you have it. The PSP model of 2026 is no longer just to be a provider that moves money for businesses from A to B. It is actually that the PSP becomes that intelligent layer around the merchant ecosystem, the issuers, and the card networks, and you are able to make thousands of micro decisions at that stage when the transactions happen, is what the PSP of today is like. That’s what we look at when we talk about payments performance. We look at the holistic lifecycle of a transaction right from when somebody hits the pay button to all that goes behind the scene around the transaction metadata to the issuers this transaction would go to and the scheme rules, et cetera, and be able to intelligently make a decision whether you need an authentication in first place. If you need it, how you should apply it, because the rails have evolved.
It is not just purely asking for a challenge. There is much more that is now available. And then ultimately passing the information in the right way when it comes to authorization decisions. It has all come to totality in a way, when it comes to the payments performance lifecycle. Stripe, what we do is we try to abstract that complexity from a merchant side and do these things for them, be the intelligent layer for that merchant that they don’t have to worry about these micro decisions that are happening behind the scene. Rather Stripe takes that, look at our ecosystem, look at our overall portfolio of signals when it comes to different tools available, and then apply it accordingly. Each transaction has become a multi-decision-making process before it could actually be a successful transaction.
Chris Uriarte:
So lots of complexity, lots of decisions that need to be made, but we’ve mentioned 3-D Secure now a number of times, which I guess we’ll consider to be the granddaddy of all payments authentication techniques that continues to evolve. And we see a lot of changes, as you’ve noted, in both the protocol specs and how it is actually used. I’m curious though, as to your view around the current state of play with 3-D Secure from a merchant perspective, let’s start there. Are merchants adopting it more? Are they adopting it less? Are they getting smarter at this? Is all these things that we’re talking about making it more complicated such that 3-D Secure is… Is it easier? Is it more difficult than it used to be? Would love to hear your view on that.
Amandeep Batra:
Yeah, sure. So I would say overall, if we compare to when we last spoke a few years ago to now, the usage of 3-D Secure has gone up definitely, and that’s gone up globally. And there are multiple different factors depending upon the context of the market you refer to. But overall, we see so many things that have changed purely from a need of the regulation perspective or let’s say the evolution that the networks have brought in. So if I start with the context of regulated markets, in regulated markets like Europe, we have SCA as the underlying, let’s say, framework. But then you see certain countries such as France, they have tightened the rules beyond what the SCA needs were to really request 3-D Secure or need for an authentication on almost 100% of traffic when it comes to cardholder-initiated payments. They even mentioned that they really want to see proper chaining of transaction when it comes to subscription-based payments, that the first transaction has to be fully authenticated, and the transaction IDs should be chained well to those merchant initiated transactions.
So that has really played a factor in markets which are regulated, to have the usage of authentication protocols go on up. 3-D Secure, as you said, as the granddaddy, is the main, let’s say, protocol even today. EMV 3DS, as we call it, is the main rail or a vehicle to apply that, so we see usage going up in those markets as a result of a change to the lay of the land of the rules. And then we also saw new markets that have become mandated since we last spoke. We saw Japan mandating 3-D Secure only in April 2025. So there has been a high volume of 3-D Secure in the APAC region purely because more markets are mandated.
And lastly, I would say when it comes to markets that are not yet regulated, where 3DS still is seen as, “Hey, 3DS kills friction, 3DS equals friction, let’s avoid it or let’s not use it until it is definitely required,” in those markets, we have seen an evolution from the schemes now that there are more ways that you can use 3-D Secure without having a friction added to the cardholder’s journey. The reference of 3DS data-only protocol or information-only message, we have seen an uptick of that as well globally as a result of some network programs that have evolved. All of that in totality has really played its role in making sure we are seeing more 3-D Secure, and more 3-D Secure means more data associated to a transaction. Overall, good for an ecosystem perspective that you’re seeing more rich data, because 3DS from a rails perspective and design perspective can hold more metadata pointers as compared to, quote, unquote, “The authorization rails,” of today. With 3DS, the richer information is flowing to the system and like we see the uptake going up across the region.
Chris Uriarte:
Yeah, we’re going to get deeper into some of this nuance throughout the show today, but I think that’s a great perspective in regard to the drivers that are doing this. So overall, general uptick in the use of 3DS. Dewald, one thing I think in our intro that we didn’t hit upon that’s probably worth to remind our users is you and the team at Entersekt historically have worked very closely on the institution side, on the FI side, providing authentication solutions to banks and to other financial institutions. You also work on the merchant side as well, important to note. But I think from the issuing side, what is the view that you’re seeing from financial institutions? How are they looking at this evolution on the other side of the transaction? We’ve seen this growth, as Amandeep has given us some color about from the merchant perspective, have they continued to evolve? How are they keeping up with it?
Dewald Nolte:
Yeah, and I think it’s encouraging to start to see more uptake also from the merchant side, so a willingness to send through some of the data to the issuer, because I think that that’s the part that I get a little excited about when I see what’s happening in the industry, is that 3-D Secure used to be… Even if you listen to how we’ve spoken about it here, it used to be the cardholder authentication program or protocol in the sense that it was only used to challenge mostly. If you think about the first version of that that was rolled out through Secure 1. And because of that, because it was always a challenge, it was perceived to be this thing that introduces friction to the cardholder, to the journey.
What’s starting to happen now, which is what really excites me, is that because of the evolution of how the merchant platforms are starting to use this with things like that, info-only, we’ll get to that a bit later, and with the amount of data that the latest version of 3-D Secure actually has that comes through from the merchant all the way to the issuer, you now get the point where the issuer is able to actually make a decision on a transaction without having to actually challenge the cardholder. There is enough data many times in the transaction, especially the transaction as… The data that’s actually sent by the merchant is good quality, that enables the issuer to actually make a decision frictionlessly. You look at, “Hey, this is a returning user, seen them many times, everything is good, let’s go, no challenge required,” but it is authenticated.
That’s a very important thing. It’s that these transactions are still authenticated, but they’re done so silently. What that means is that now for the first time, really we’re starting to see that realization from both the merchant side and the issuing side that, “Hey, wait a minute, this isn’t just a challenge mechanism. This is now a mechanism to actually optimize our authorization strategy.” If you send us the right data, from our side, we can frictionlessly approve, so there’s no risk there if you send us the right data. And because we’ve seen this data and we’ve approved it, when it hits the authorization leg and there’s a cryptogram that says, “Hey, the issuer’s seen this, everything is hunky-dory,” you see an uplift in authorization rates. That’s the part where I think we’re starting to see a realization slowly in the industry, but wait a minute, this has the ability to actually make more transactions become successful.
Certainly what that means is it’s this chicken and egg slow process there, where the more transactions that merchants send through to the issuers, the issuer starts to invest more in their authentications. There’s more transactions coming through, so they invest more, and so the benefit builds and we’re starting to see really, really good results there. So I think from an issuer perspective, there’s excitement about the fact that more data is coming through. I certainly am seeing a lot of investment in that area of how do we optimize? How do we use this as a way to improve cardholder authentication rates? How do we make sure that we can use all the data that comes in here to understand our customers better and make their journeys… If they’re returning users, good users, how do we use it to make their checkout experiences better? And so I’d say that, for me, is really exciting, because that means now more people can make more transactions without the frustration of either the decline or a challenge transaction. You get to the sweet spot.
Chris Uriarte:
Yeah. So I think this chicken and egg issue we’ve talked about before, but I think it’s really important to highlight. I think historically we’ve heard from merchants basically saying in these unregulated markets in particular, “I don’t want to use 3-D Secure,” or, “I don’t want to expand my 3-D Secure strategy because I’m not getting good quality results from issuers,” or, “I’m getting inconsistent results.” And then when we speak to issuers about it in these unregulated markets, we say, “Well, what are you doing to improve your results?” And at the end of the day, we basically hear that maybe they’re not investing at the level they should be investing because merchants are not using 3-D Secure to the level that they hope they would be. That sort of situation.
But I think you make the very good point that… I talked about 3-D Secure being the granddaddy of payment authentication, this is sort of not your grandfather’s 3-D Secure anymore. This is not 3-D Secure V1. This is not the initial 3-D Secure V2. We’re at a point that we’ve basically created a much more robust channel enhanced data to be sent to the issuer to make a much more informed decision in which they have perhaps the actual fallback to step up authentication still available to them, but it’s not the default anymore. I think that’s really where we are. Is that right?
Dewald Nolte:
Absolutely. And you touch on a couple of really important points here. So just to answer your direct question first, absolutely. It has evolved so much. Even if you look at some of the guidelines provided by some of the schemes, you’ll see that there’s a push towards a certain authentication rate that they would like to see for best practices to say, “Hey, we’d like to see at least 80% of transactions frictionlessly approved.” And so I think those are things that you can really point to to say it’s not just a cardholder challenge protocol anymore. It has really become a real-time rich data sharing protocol and when implemented correctly, can really help you to optimize that authorization strategy.
To just quickly address the point that you made earlier in terms of some of the unregulated markets, because I do think it’s very important to perhaps just talk about that for a while, it was interesting in the sense that from a merchant perspective, you were in a difficult position when 3-D Secure 1 was around, because at that stage, it was mostly a cardholder challenge mechanism. And what merchants at that stage experienced was if you implement it, okay, you get liability shift, which was something that the merchants enjoyed. But the problem was that because it was always challenged, they saw some cart abandonment, and the cart abandonment of the consumers was at that point so severe that they had to make a trade-off to say, “Okay, should I send all of my transactions here?” And it effectively became this thing where they would only send high risk transactions via this rail to the issuer.
Now, let’s take the viewpoint of the issuer then, and then the issuer starts to see, oh, if a transaction comes on 3-D Secure, it’s always high risk. And so it became almost this thing where because of the way that 3-D Secure was implemented at the time, that the issuer at that stage was looking at 3-D Secure almost as a risk signal. If someone’s sending a 3-D Secure transaction is because it was risky, and then they would implement it appropriately and keep it with a charge.
So the biggest change now that we’re starting to see here is having to reverse that. And that’s the challenge that we have, that perception of, “Oh, 3-D Secure is always challenged,” or, “You should only send high risk,” towards something to say, “Hey, actually this is something where if I send the right data, it can be a glide path for me and it’s not necessarily going to be a challenge.” And there’s even some programs like the data only programs where the issuer doesn’t even have the ability to challenge. And so I think from that perspective, some of the evolution of the protocol has really addressed some of that older, let’s say, challenges that we’ve had as an industry to be like, “Okay, as a merchant, I have to choose between whether I want to use this or not because it really hit their conversion rates,” towards now something that can actually help them improve the conversion rate.
Chris Uriarte:
So this issue that you bring up, particularly in the unregulated markets of 3-D Secure being looked at as a risk signal versus what I would call a trust signal, is really a big issue. And Amandeep, I think this is one of the themes that came out of your initial research that first sparked our conversation a couple years ago. You did some very interesting research looking at how issuers were treating transactions in both the step-up and the frictionless flows. Would love to just get a little bit of a recap for our audience as to what you found in the unregulated market as part of that research. Could you just bring us through that a little bit for our listeners that maybe didn’t initially read it or didn’t hear our first episode?
Amandeep Batra:
Yeah, sure. So basically what we did back in ’24 was we did a pilot where we started requesting 3-D Secure on a set of transactions for select merchants. And what we identified at the time was when 3-D Secure was being applied on a transaction, almost all of those transactions were not being challenged, meaning they were going through the frictionless journey from a cardholder’s perspective. So authentication successes were there, but the issuers were declining the authorization on those transactions at a higher rate. So ultimately there was no friction added. When people think about 3-D Secure, they say, “Oh, 3DS is friction. We shouldn’t be using it as a merchant because it kills conversion.” But in this case, there wasn’t any friction added in the first place, but still there was a drop in the authorization rates.
Now, I know that analysis was a few months back now, but things have definitely evolved, and I can touch on what we are seeing now. But back in those days, when we last spoke, we saw a conversion drop on transactions when 3-D Secure was associated to a transaction in comparison to the ones where there was no 3-D Secure and they were going directly to authorization. That is almost like a paradox it created, right?
Chris Uriarte:
Yeah.
Amandeep Batra:
On that Dewald is touching, that A, 3DS usage is already low in that market. Merchants have been selective in choosing when to use 3-D Secure, when not to. The protocol which was originally designed to authenticate and prevent fraud was being used by issuers as a signal whether a fraud can be associated to a transaction, meaning it was perceived as high risk transaction if 3-D Secure was associated with it. That created that paradox almost, that high risk transactions coming in, there weren’t many mechanisms at that time, if I can say, for issuers to have a better user experience given to their cardholders that when they challenge them, can they challenge beyond one-time passwords? I don’t think many issuers in the market at the time had invested in improving the user experience, so there were not many challenges anyways coming in. There was more frictionless transactions going through. But then the liability would have shifted to the merchant for those transactions, is why the transactions were being declined. That was the hypothesis of the time and is what was happening.
So yeah, that’s the recap. That’s what we did in 2024. But if I refresh on some of what we are seeing now, we definitely see the authorization rates going up even in the non-regulated markets for when 3-D Secure is applied on a transaction. And I think there is a lot of attributions which are replaying its role to why probably a slight shift is happening even in unregulated markets. We touched parts of that. Dewald says the invisible authentication exists now, which is the data-only or information-only flow, and the acceptance of that coming in with network programs now across the globe, especially in the unregulated markets, we are seeing that more 3-D Secure data is being passed to the issuers and issuers are honoring that. There is also, I think, more investments done by issuers in those unregulated markets to build in some biometrics-based authentications, for example. Right now the protocol has evolved, it supports app-to-app redirect. The redirect almost looks invisible from a cardholder’s perspective when you even go through a challenge journey. There are more, let’s say issuers who have those type of technologies now available within their own banking apps that is playing its role.
We are seeing the uptick as compared to how things were in the past, but the usage is pretty low. The dataset is still small. So I think there is more work to be done by the ecosystem in those markets ultimately, is how we would see it, but it’s probably trending in a good direction.
Chris Uriarte:
So let me recap this evolution that we’ve been talking about and some of the behaviors that you’ve seen, which I think speaks directly to the point that Dewald made. I’m an issuer in an unregulated market. I’ve had this 3DS system, this authentication system, which we call an ACS, an access control system, sitting in the background. Just sitting around twiddling its thumbs, waiting for transactions to come in, rather small use across the U.S. market. I think what we’re saying, sub-3% now or something along those lines gets sent via 3DS. Is that kind of what you guys are seeing?
So small universe of transactions that are actually being sent to the issuer. When the issuer does see a transaction, it’s most likely the most risky type of transaction because the logic on the merchant side has been, “I’m not really sure about this transaction. This, for whatever reason, looks very risky, so now I’m going to send it down the 3DS path because I get a liability shift associated with that and I’ll let the issuer deal with the authentication.” And thus as a result, the issuer is only seeing a very small universe of transactions and that universe of transactions that they are seeing are kind of dirty transactions. They’re fairly risky transactions. But as you said, over the last couple years, we’ve seen a little bit of an evolution in this unregulated market whereby I think as you’ve both rightly noted, the protocol itself and the technology behind it has enabled better and more robust transfer of data, more seamless user experience based on the footprint, et cetera. So I think that’s a really interesting story.
I think what’s also interesting is you decided this past year to continue your research and shift the focus onto regulated markets and to look at some of the behaviors there. There are some really interesting findings, I think, that you found there. So why don’t you take us through that? Because I think it’s a really interesting compare and contrast scenario.
Amandeep Batra:
Yeah, sure. So the last blog that we released in 2025, we shifted our research to regulated markets. There were a few factors that were driving that. One of the key factors was that more markets were becoming mandated. It was interesting to see, okay, what might happen when 3-D Secure becomes mainstream in those markets? So I’ll start with Japan first. When we rolled it out, there was a lot of pre-work that was done by the ecosystem. So it wasn’t that one fine day, we flicked in to started using 3-D Secure. I think the whole ecosystem worked together when it comes to merchant community, the issuers in there, the service providers, and the card schemes, to actually lay the groundwork around what will happen come April 2025 and the regulation will kick in or the mandate will kick in. The results we saw from that mandate were promising.
What we saw was the usage of 3DS almost quadrupled in that market after the mandate came in. There were fears around whether it will hurt conversion because initially there are hiccups. We have seen that in Europe and UK as well when initially SCA was rolled out over here. But yeah, those learnings were there with the participants when we were preparing for that. So leveraging onto that, we saw, yes, after the mandate was applied, the conversion rates still stayed healthy in those markets when 3-D Secure was being applied to that. And ultimately why 3-D Secure was mandated, it is all about combating fraud. I think every party in the ecosystem wants to see the fraud go down, is why some of these mandates also exist when it comes to authentication. What we saw in our data back when we did the research was we saw actually the dispute rates have started to go down significantly on those transactions where we were normally seeing disputes to fraud. It went down by 30%. It is still somewhere around that. Very promising kind of outcome which we saw.
The ultimate message was that when the participating is universal, the results are promising. It’s not always about, “Hey, there is some additional friction coming into the play.” It is about how conversion can be maintained in a healthy manner across, let’s say, the authentication aspects, the authorization aspects, and the fraud aspect. I think in totality, we saw healthy conversion on 3DS transactions in that market and disputes went down. That was one of the themes. We also, I think, double clicked on the usage of 3-D Secure in markets like Europe while we were doing the research or publishing that blog. One interesting thing that was happening or taking place in France in particular was the Central Bank of France has mandated the stricter laws around usage of 3-D Secure, so wanted almost 100% of transactions to go to 3-D Secure.
And for those who are familiar with strong customer authentication, it gives the ability to request exemptions. Exemptions mean that you can say that the transaction is either below a certain amount value or it’s definitely low risk because every party in the ecosystem actually do some risk analysis on transactions, that it is low risk transaction. We don’t think a 3-D Secure challenge would be required on that transactions. Prior to that mandate, large proportion of those transactions where an exemption was available were going directly to authorization. They started to use 3-D Secure as a protocol to request those exemptions because 3DS version 2.2 onwards, this is an option available, so you could request different flavors of 3-D Secure. That started to evolve in that market. We saw the uptake in the 3DS usage in France, but the conversions still stayed healthy because the…
Chris Uriarte:
Still held, yeah.
Amandeep Batra:
Yeah. Exemptions were being honored basically by issuers. So ultimately a mandate forces the need of doing certain things certain ways, and that plays a part in the regulated markets.
Chris Uriarte:
Yeah, and I think you’ve also seen some really, really good performance in the UK market, as well in your analysis, which is a significant market to look at. I think you’ve also had some very good alignment between regulators and between issuers as well. I think Dewald, this all really just supports everything that we’ve been talking about around the… Basically, the one thing that sticks out to me, and tell me if I’m wrong here, is this consistent use of 3DS in these markets. Of course it’s being done by mandate, of course it’s being done by regulation, but nonetheless, there is this consistent use of 3DS. And as a result, even though you have a very, very, very high number of transactions that are being pushed through the system through 3DS, conversion is still maintained in these scenarios. It sounds to me that this really supports everything that we’re seeing. From the issuer side, are you seeing issuers in the regulated markets just getting smarter at this?
Dewald Nolte:
Yeah. Look, I think what’s interesting about the point that you make is… So just as a quick contrast between the unregulated versus regulated. In the regulated market, you typically see a very high number of transactions going through 3-D Secure because it’s mandated. And so the thing about that is that as an issuer, you start to see a lot of interactions with your cardholders. I start to get a very good idea of, “Oh, yeah, this is Chris. I’ve seen him a lot. This is normal for him.” I start to get a sense of what’s normal for Chris. And then when I see something that’s out of the ordinary for Chris, that’s easy to spot because I’ve got a lot of examples of what is good for Chris. In an unregulated market, what we saw there from an issuer’s perspective is if you’re only sending bad transactions my way, it’s very difficult to distinguish, okay, but my models are trained that this is always bad. I never see good examples of data coming through.
And so if you’re sending more transactions through that rail, the issuer has more data to actually train the models on and you actually then get rewarded for it. Because if the majority of the transactions that you send are good, guess what? The issuer starts to see, “Yeah, this is a good action,” so they start responding well because the model learns that, “Hey, this is mostly good stuff coming through.” But if you’re only sending bad, guess what?
Chris Uriarte:
The signal-to-noise ratio changes here most definitely, right?
Dewald Nolte:
Exactly. And we’ve seen it in so many examples, that kind of approach of only sending high risk transactions. A recent one in the tokenization world also starts to trend that, where there’s this kind of thinking that, hey, you should only, when you issue the token the first time, do authentication after that, you never have to authenticate again. Guess what? That means it’s only a high risk coming through and you never see any transactions or any good data after. What do you think is going to happen? And so I think the point being that because in the regulated markets, you are forced by the regulator to actually send more transactions, your signal-to-noise ratio is forced by the regulator to have more good transactions, and then you see the results. And so that’s why I think there’s such an interesting opportunity in the unregulated markets where the protocol does have the ability to have a really good outcome, but that means we have to get the usage up.
Chris Uriarte:
Yeah. So you mentioned tokenization. I think that’s a great segue to that topic, which is increasingly playing an important part in authentication and risk decisions as well. I think just for our listeners here, our regular listeners to the podcast know we talk a lot about tokenization here. Just to put us in context as to where we are now, Visa, Mastercard love to talk about tokenization in their quarterly earnings reports. Last one that we’ve heard from Visa, Visa’s now issued over 17 and a half billion tokens. They’re saying that 50% of their network transactions are now tokenized and more than three times as many tokens have been issued as cards have been issued as well. Mastercard, on the other hand, saying that over 30% of their transactions are tokenized. Both networks continue to really stress the importance of tokenization from a security perspective, but also the benefits from an authorization uplift perspective, quoting anywhere from, say, 3 to 6% authorization uplift, and then all the good stuff that comes along with tokenization related to lifecycle management as well.
So this continues to be a really, really hot topic for merchants. I’ll say that also one of our most listened to podcasts of all times is still one that gets downloaded every day from four years ago, which is called We Can’t Stop Talking About Tokenization. Merchants can’t stop talking about it either. It’s sort of a tokenized world and we’re just living in it, it seems sometimes from a merchant perspective. But Dewald, I think getting deeper into it in the context of authentication, maybe talk us through where tokenization fits into this conversation.
Dewald Nolte:
Yeah, it’s an interesting one from the perspective that tokenization in and of itself… Right from the start, where it has a lot of, let’s say, benefit when it comes to authentication is when you issue the token, first of all, there’s the opportunity many times to do authentication at the point of issuing. And so that’s not always the case, but let’s just say that that is an option. And many times, that is the approach where before a card is tokenized into a wallet or something like that, that the card holder actually authenticates that action. So there’s some security in terms of where these tokens actually end up. And then the other thing that’s very interesting about that is that with tokenization, you achieve a couple of things from a security perspective in that you can limit the scope of where that token can be used. You can limit the amount, which merchants it can be used for. So you can really make sure that when these tokens are issued, first of all, let’s say the blast radius of when something goes wrong is limited. That’s a big benefit of that.
And then the other side of it is if that token is compromised, so your storage, let’s say, requirements around that is not as strict because it’s not the actual PAN, it’s just a token that’s linked to that card in and of itself, and so what that means is that from a storage perspective, if you’re holding onto a token, let’s say there’s less risk for you in terms of someone gets ahold of that token. And so there’s a lot of benefits around that. I think at the end of the day, when a transaction comes through and it’s tokenized, and you can look at the mandate, you can look at the scope of the token, those are all signals that help inform the risk of the transaction as you’re evaluating it from the issuer’s perspective in terms of making a decision of, “Hey, is this high risk? Is this not?”
And so from that perspective, a very, very useful, let’s say, tool when it comes to securing online transactions. But a thing that I have to call out here is tokenization secures the credential. So we’ve spoken about the fact that the credential itself that’s being used to initiate the transaction can be secured with tokenization, but 3-D Secure still plays a very important role in actually authenticating the transactions that are then initiated using that token. And so you can see that tokenization and 3-D Secure are two complementing technologies, the one securing the credential, making that more secure, and then the other one, making sure that the transaction that is being performed with that token is secured. And I think many times there is a question in the market, are these two opposing forces [inaudible 00:50:49], and that’s not true. It’s actually they are focused on two very different things. One is about making the thing that’s used to initiate the payment a bit more secure, and the other one’s making sure that the person using that token to actually initiate the transaction, they’re the actual owner of it.
Chris Uriarte:
So there’s so many interesting things to dig into here. I just want to recap and maybe add a little color to a few things. I think one thing that you’ve pointed out is not all tokens are created equal, is we have two flavors of tokens when it comes to an authentication perspective. You can have a fully unauthenticated token where just a merchant requests a token associated with a PAN. There’s no authentication steps there. There’s no way of authenticating that the person who has presented you the PAN is actually the owner of the account. So I think that’s an important distinction to start with. And the other, as we’ve been talking about, is some forms of authenticated tokens where at token provisioning, and I think that’s the key that you’re hitting on here, there is an authentication that takes place. But that is this one-time authentication provisioning, and you can go a week, a month, a year using that token, and perhaps it’s still good behavior, good cardholder, good owner of the account.
And then all of a sudden that same token or the use of that token in the wallet, card on file, or something along those lines could effectively go bad. There could be a bad actor that takes over a device, an account, or something along those lines. So I think the point that you’re making is that’s where 3-D Secure comes in, is we’re still authenticating on the transaction level beyond just the token issuance, and thus these two have to work together in a layered approach, right?
Dewald Nolte:
There’s a story there, Chris. I have a card that… Let’s say it’s my main card that I use for my online purchases, subscriptions, all of that. And the one day I get the call, “Hey, suspected fraudulent transactions.” Sure enough, I look at it, I’m like, “I don’t recognize these transactions.” “Okay, we are going to reissue a card.” And I remember I was like, where I stand in my office, I can see the mailbox for my home office, and I see the mailman come, and I know, oh, yeah, that’s delivering my card, because you get the notification, it’s two stops away.
And just as I’m walking up, that new card is still in the envelope. I haven’t even opened it yet. I think to myself, “Let’s just check.” And so I opened the banking app, I look, and sure enough, some more transactions that I don’t recognize. I’m like, “That’s strange.” And so I call them again, I go, “Hey, I see some more transactions. Can you tell me, is that on the new card or the old card?” And they’re like, “No, that’s on the new card.” And I’m like, “Well, I haven’t even opened the card. How’s that working?” And they’re like, “No, we’ll cancel this new card.” And I said, “No, no, no, no, no, wait, wait, wait. Where did those transactions come from?” “Oh, there’s this wallet. There’s this wallet where it’s being initiated from.” I was like, “Ah, so what you’re going to do is that token that you’ve got in that wallet, can you disconnect that and then reissue my card?”
So we were very conveniently reissuing the token to a wallet that was compromised and it was a wallet that was an unauthenticated token. And so this shows you that not all tokens operate equal. And the thing is, you still have to have the ability to, on a transaction, look at it and go, “Hey, this looks weird, this is strange,” and be able to authenticate when that happens. But yeah, that was a very interesting experience, especially standing with this brand new card in your hand unopened and this were already again on that same card.
Chris Uriarte:
That’s a great story. I want us to transition a little bit to this topic of data-only rails that we’ve mentioned several times before. It’s a bit of a topic that folks in various circles have been very engaged with, known nothing about, are kind of whispering about, they’ve heard a little bit about it. I think this story is not exactly clear here. So I think I’d first like to take a look at what exactly are we talking about when we’re mentioning data-only rails? And perhaps Dewald, you could bring us through that first. And then Amandeep, I would love your perspective as well as to how you guys are thinking about this.
Dewald Nolte:
Sure. And so I think data only is a version of a 3-D Secure transaction where the merchant can initiate a transaction which goes via the 3-D Secure rails, but it’s flagged as data only or information only. What that means is the merchant is telling the issuer, “Hey, here’s all the data that I would typically send you in a 3-D Secure transaction, but I don’t want you to challenge, I don’t want to shift liability to you. I just want to give you the data so that you can look at it and take it into a consideration for authorization without introducing the challenge.” And so what happens in this case is the merchant is able to share the data to the issuer. The issuer can look at it, evaluated risk score, and all that, and then without the merchant having the risk of a challenge, which then impacts the card abandonment risk that they have so they can manage that risk.
And then when they submit the transaction, when it gets to the authorization side, they can show with this data-only transaction that, “Hey, this is a transaction that we’ve actually sent your way. There is proof that we’ve actually sent it your way in the form of a cryptogram,” which is something new that some of the programs are rolling out now. So you’re able to effectively get the benefit of 3-D Secure without the risk of card management from a merchant perspective when it comes to this. So you’re sharing the data, informing the issuer, and have proof of the fact that you’ve shared it with the issuer on the authorization side. The nuance here is that because you did not allow the issuer the ability to actually challenge, for those transactions, there’s not a liability shift to the issuer because you’re just [inaudible 00:57:43] with data only. So you’re saying, “Here’s the data,” and your benefit that you get as the merchant is that you get the authorization reward in that you’ve already given them the transaction data and context on that.
It’s kind of this golden midway of, “Here’s the data.” I can get the benefit of 3-D Secure without the bad side of 3-D Secure. And I say bad side in terms of the poor issuer authentication implementations. As a merchant, I can actually now manage that risk to say, “Hey, this transaction is probably low risk, but instead of not sending it by 3-D Secure, I’m going to give good examples over to the issuer to teach the issuer that I’m a good merchant without actually the risk of having challenge and card abandonment.” So it’s that golden midway that the networks have come up with to get the data to be shared and that authorization benefit to then take shape in unregulated markets.
Chris Uriarte:
So Amandeep, I know that Stripe and a number of other service providers out there ranging from acquirers to fraud service providers have worked over the course of the last several years to improve merchant issuer data sharing through proprietary, more bilateral type arrangements. But I think the difference here is that this is actually using these standardized 3DS rails. How are you at Stripe supporting this from a customer perspective and what observations have you seen thus far in the use of these data-only rails?
Amandeep Batra:
Yeah, so I think you have rightly outlined the big benefit that 3-D Secure in the data-only rails brings is that it standardizes the way in which the information exchange can happen. There is nothing net new that has to be implemented by anybody in the ecosystem in order to support this, because version 2 of the protocol, since it existed, I’d say it started to be mainstream from version 2.1, but 2.2 actually brought it to the proper mainstream, is when you have the ability to flag a 3-D Secure transaction as an information-only transaction. Was a specific version of this data-only insights that existed in the market specifically by Mastercard? So Mastercard had its own program called, I think Identity Check Insights, if I’m not wrong, back in the day. It was built on the same framework, that you have a specific pipe of data that you have built where you are only passing the information to the issuers for their informational use or read-only use. They cannot challenge the cardholder, they cannot disrupt the checkout experience that the cardholder is going through.
So that’s what it has become now. But in the mainstream, meaning the main protocol has a specific challenge indicator that we can refer that this is a data-only transaction. So it’s being now, I think, supported by all schemes, especially the major ones, and they have the usage going up from their side in terms of the issuers that are onboarding onto adopting this. We have seen that shift happening from where things were, I’d say in 2023, ’24, to where things are right now. And as it becomes an invisible authentication mechanism, it kind of is like the golden passage, as Dewald said, or a best of both worlds when it comes to we know the transaction and we know the risk associated to a transaction. A merchant does its own assessment, the service provider does its own assessment. And based on that assessment, we know whether this transaction actually is a high risk or not a high risk transaction. Then you can decide what sort of 3DS type that you want to request from the issuer on these transactions.
Certainly if there is any risk signal associated to it, as a PSP, we would go through requesting a challenge and not use information only in those cases. But in instances where we know the risk levels are low, the transaction has the data around it, which is healthy, we would request this and issuers actually get additional richer information because one thing which 3-D Secure is good at is the protocol supports multimillion fields, I would say, hundreds of different fields. There is much more data that is pumped in through these rails as compared to authorization, so there is more information that goes into the issuer. The issuers can also assess the transaction and the associated authorization when they see that in a better manner and make a decision on it. Yes, issuers can still decline the authorization.
Chris Uriarte:
Sure, of course.
Amandeep Batra:
but at least from a cardholder perspective, there isn’t an additional step that will come in the way from a 3-D Secure perspective.
Chris Uriarte:
Yeah. And I got to believe that, like everything else in this 3DS world though, your performance, your mileage may vary based on the issuer that the card is associated with. I think one of the questions we often get from merchants and everybody else is what good is sending this data through the network if nobody’s there to catch it and to look at it? So I think we’re still at a point where everything else in 3-D Secure world and just general risk management altogether, issuer strategies, issuer sophistication, issuer models, et cetera, vary greatly from issuer to issuer. I have to assume, Amandeep, that you have seen variations in issuer performance, some issuers that are probably using this data in quite a sophisticated manner and others that are probably not using it at all, right?
Amandeep Batra:
Yes. No, that definitely exists today. There is variance that comes into play depending on who the issuer is. And we have been working very closely with the card networks as well, sharing what we see and the performance numbers that we get from using the data-only rails. And as a result, we have seen that the card schemes have brought in newer programs that have brought in issuers into the mix for adopting these rails and making the benefit that they claim that it comes with it, which is more data. So network programs have also evolved across the evolution of this, rail has become mainstream, so we have now specific programs. I’m sure we would touch on the digital commerce authentication program-
Chris Uriarte:
Yeah, let’s talk about that. I think this is a good segue to talk about this program that’s been introduced by Visa, which is actually going into force this month here, at least in the United States, but it is a proposed global program, which is called the DCAP, Visa DCAP, the Visa Digital Commerce Activation Program. Of course, we know the card networks love these acronyms for these programs. My understanding of it is that it’s a new program to essentially incentivize merchants to send enhanced data directly to the networks using these data-only rails. We have some incentives through interchange savings there. And of course, the broader incentive that we’ve talked about is merchants should see better authorization performance as a result of it, but would love to hear your take on the program and any work that you’ve been doing with it thus far.
Amandeep Batra:
Yes. I think it is a continuation to our previous point about data only. So I think with Visa’s DCAP, Digital Commerce Authentication program, they’re actually trying to build a layer of incentives for the ecosystem so that more usage of 3-D Secure on data-only rails can happen. And if that happens, there are some benefits that they can pass to the ecosystem. So DCAP is bringing in some additional fields which are optional or conditional when you regularly use 3-D Secure into the mix. And if those fields are passed with the transaction over data-only rails, these incentives will start to apply on those transactions. So things like device ID, IP address, cardholder’s email address, phone numbers in some markets, I think not in United States, but in markets like Canada, et cetera, and billing address, they are the core fields which currently are optional or conditional in the protocol.
Those fields, if they are passed to the transaction and sent via the information-only rails, will get the benefit of lower interchange. So five bips of interchange is the incentive that DCAP is bringing in as a result of this program. I think in the core of it, because Visa have done a few other programs as well before this DCAP came into the market… And it’s timely we are talking about it. I think it’s next week it’s going to be applicable in the U.S., 18th of April, I believe. So effectively, Visa initially, I think a couple of years ago, brought in the data-only program and made it a mandate for issuers to adopt it. Once they see the adoption is going up, the next thing is that a merchant starts to pass more information onto those rails, and that’s what is probably going to happen using now this mechanism. So just one last point to reference on DCAP is it will continue to apply to only cardholder initiation rates.
Chris Uriarte:
That’s what I was going to jump in and say, is there’s a lot of caveats to this program. And I think the topic of DCAP probably requires an hour conversation in and of itself, but it’s important for merchants, I think, that are exploring this to speak to Visa, speak to their PSPs and their acquirers around this because number one, there’s some important rules around the program, as you’ve said, CIT transactions only. The other thing is it has some important economic implications here in regards to it does provide a cost savings of 10 bips for eligible transactions, but there is also a program fee of five bips, so it brings you to a five-bip cost savings net. But then as we were talking about before, Aman, this also is coupled with a reduction in the U.S. and interchange savings that have been traditionally associated with the use of tokenization, where that tokenization savings is being reduced from 10 bips to five bips.
So if you look at the five bips of tokenization savings if you use tokenization, and five bips on DCAP eligible transactions, that kind of brings you back to a 10-bip savings. There’s a lot to digest there, folks, so take a look at that. It will definitely be a topic that we’re going to be exploring.
Amandeep Batra:
It’s just the nuance that comes with many programs that drop in at different places, is that this network tokenization incentive reduction from 10 bips to five bips purely using just the network tokens is not directly within the DCAP program by Visa. It’s a separate announcement.
Chris Uriarte:
It’s a separate initiative. That’s a great point, yeah.
Amandeep Batra:
Yeah. But when you combine these two together, then you as a merchant will see, “Okay, what’s my net savings by using this and that?” I would’ve loved for Visa to probably combine these things together and see what’s the totality saving for merchants.
Chris Uriarte:
Yes.
Amandeep Batra:
That would’ve made our life easier as well. But yeah, overall, I believe for listeners, I think when you look at DCAP, you should also look at the network tokenization-based interchange reductions that they have announced they combined together to give you the overall benefits, in case it will apply.
Chris Uriarte:
That’s a really good point. I want us to wrap up today on a couple quick hits here. A lot of things coming in the future, these regulatory changes we’ve been talking about, programs like this that are being implemented by the card networks. But we’ve got the big forces that are working either with us or against us depending on how you’re looking at it, what seat you’re sitting in. Agentic is one of them here. This, again, a really, really big topic. You mentioned it before, Dewald. What’s some just high level quick hit considerations when we’re thinking about authentication and agentic that we should be thinking about?
Dewald Nolte:
Yes. So I think when it comes to agentic, one of the things that I come across a lot is that not a lot of people really understand what that is. And so it’s kind of being made up into this boogeyman, agentic commerce, and then everyone’s afraid, but nobody really knows why they’re afraid. And I think one of the things that is important when we talk about agentic commerce is to actually define what it is. There’s the very well-defined framework that agentic commerce will follow. And so I think we should probably be honest and just remove the agentic fraud, where you use an agent that uses a normal card to do a transaction from agentic commerce, which is where there’s a very well-defined program where merchants enable agents to act on behalf of consumers for different types of transactions. There are two main ones that I think we perhaps need to call out.
There’s what they call an intent mandate. This is where you’re giving one of your agents a mandate based on an intent. So something like, “Hey, there’s a concert coming up that I want to attend and it’s going to be in two weeks from now. I want you to bid for a ticket and you can buy it as long as it’s in this section and it is lower than $150.” So there’s a mandate and an intent that I’m giving to this agent, and then the agent can go negotiate and figure out how to get a ticket for $150. But that transaction happens in the future. But at the point of actually creating that mandate, there is cardholder authentication that happens to say, “Okay, I’m authenticating and proving that this is the mandate that I’m giving this agent,” and there’s typically a token associated with that that the agent can then use that has limitations around it.
And then the other one is a cart mandate, which is one where as I’m shopping, so I’m actually doing shopping, but the agent is actually helping me to put a cart of things together, like shoes from here, whatever the case might be, these are the items. So a cart is being put together, but as the cardholder, I’m still involved in actually then approving the contents of the cart at the end when I check out. And so those are the two mandates there that when it comes to agentic commerce, that’s probably important to know about. And I think it’s important to also know that there’s a whole framework that’s been developed by…
I know players such as Stripe, I know you guys have been very involved with some of the schemes and with the W3C in terms of actually defining what that framework looks like. And so I think it’s very important to know that agentic commerce, the framework for it is actually very well thought out and there’s very good tools to control that. It shouldn’t be confused with something like rogue agents using a card to do a transaction. Those are two very different things.
Chris Uriarte:
I appreciate that you’re talking about this high level and generally because there are so many different frameworks out there, there’s a lot of proposed standards, there’s a lot of different ways in which they were. But I think the punchline here is you mentioned authentication has to occur at some point within all these different flows. So certainly the authentication conversation is going to continue as we talk about agentic. Aman, I know you guys, as Dewald has said, have been working closely with a number of ecosystem players on agentic. Anything to add on this?
Amandeep Batra:
Yeah, if you would’ve noticed our annual letter, you would’ve seen a section dedicated to a lot that Stripe has been working in building around agentic commerce, and now we have a working solution around it. So we have the agentic commerce suite that provides the tooling for businesses to sell across multiple AI interfaces now. And as you rightly said, the protocols, this is not the only protocol, there are other protocols that exist as well. We’ve been working in making sure that we lay the foundation of agentic in such a way that it becomes a system to be leveraged irrespective of what the protocol is around it. We also launched shared payment tokens as we talked about tokens quite a bit. That payments primitive lets the agent initiate payments without exposing credentials, slightly different from the network tokens that we spoke about. Ultimately, when you look at agentic and we talk about it, I think we are now in that AI-powered world where everyone’s doing the discovery using some form of an AI-powered surface layer.
The regular Google search on things probably was the thing of the past. It is now very much heavily reliant on those services that are AI powered. And we are not far from the time where the world will be that the commerce becomes… It’s already becoming semi-autonomous, that it’ll become fully, fully autonomous. That’s what is being referenced in our annual letter as well. And when it comes to authentication, I guess my thoughts on this is authentication will become much more important than ever before with the advent of the agentic commerce, because you would ultimately need some form of human approval attached to the transaction that will be coming through any agentic channel. I believe there is a layer that exists within the current frameworks, even within 3-D Secure, which could become mainstream as a result with all that is happening in the agentic world, especially decoupled authentication.
It exists from quite a while, but the use case has not yet become mainstream. This could well make it mainstream when it comes to different forms of authentication. And yeah, they will refer to the consents and intents. They all have to be some form of multifactor authenticated at some stage. And I know passkeys are being seen as one possible vehicle in which all of this may work out. So we are working very closely with all of the card schemes actually who are building their specific programs on the agentic layer to see what the heart of the possible is in the future.
Chris Uriarte:
Yeah. So guys, we’ve got a lot more to talk about in follow-up episodes. I think obviously there’s going to be no shortage of topics around agentic for sure. DCAP, we’ve talked about the evolution of tokenization, data-only rails. We might have to come back in another 12 months just to revisit where we’ve been, but I appreciate you guys coming back on the show today. It’s been a great discussion. Amandeep Batra from Stripe, Dewald Nolte from Entersekt. Great to have you again. And to all our listeners, thanks very much for joining us today. Do good work and have a great day.

