In this post, Glenbrook provides a solutions review. This is a new type of Glenbrook payments views post that deep dives into a particular market solution.
Once in a while, we run into a few topics and innovations that we think could have a major benefit to the payments industry but aren’t being discussed in detail within our circle of merchants and acquirers. I’ve spent a lot of time over the past couple of months with over 60 of the world’s largest merchants at our Glenbrook Merchants Payments Roundtable in both the US and EU, and it was clear to me that, although Visa announced the Digital Authentication Framework (DAF) more than a year ago, many merchants don’t fully understand what it is – or even know that it exists at all.
And, surprise! – as of April 15, 2023, DAF is now live on the Visa network.
Let’s dig into it a bit more…
What is the Visa DAF?
The DAF is a framework that takes advantage of Visa’s 3D-Secure rails and fully authenticated payment credentials. There are several goals for the DAF, but I’ll try to simplify them into three key points:
- Reduce the amount of friction introduced into transactions that are sent to 3D-Secure for authentication
- Minimize consumer dropout from 3D-Secure-enabled transactions, resulting in increased 3D-Secure conversion
- Allow merchants to achieve the above benefits while keeping a fraud liability shift in place, even for those transactions where 3D-Secure authentication didn’t request step-up authentication from the cardholder
How is this achieved?
The concept is fairly simple. Merchants who enroll in the DAF program must obtain a fully-authenticated payment credential according to Visa’s Issuer Identification & Validation (ID&V) standard. To do so, during the first encounter, the merchant will ask the cardholder to authenticate using an approved ID&V validation method (biometrics, SMS, etc.). From that point forward, subsequent transactions sent to 3D-Secure for that payment credential at the enrolled merchant MUST be approved by the issuer without introducing any friction to the cardholder.
Liability for fraud shifts to the issuer for these transactions, even if the issuer was obligated to approve the 3D-Secure transaction without introducing authentication friction.
It’s important to note that this applies to 3D-Secure *authentication* requests. Issuers still have the right to decline a transaction at the time of *authorization*.
We’ll also stress that the DAF “relationship” exists between a specific merchant and a specific cardholder payment account. In other words, just because a cardholder was authenticated with one DAF-enrolled merchant does not mean that the cardholder will not experience friction from 3D-Secure authentication requests initiated by other DAF-enrolled merchants. A cardholder must perform a successful initial authentication at each DAF-enrolled merchant for DAF benefits to kick in.
Is there a fee for the use of the DAF service?
Related to Visa network fees, there are no additional fees beyond standard transaction processing and 3D-Secure fees. However, PSPs, acquirers, and 3D-Secure server providers may choose to layer on fees for this functionality.
How can we ensure that issuers are adhering to the “no friction” authentication requirement in DAF?
The Visa network identifies DAF-eligible transactions. If subsequent transactions meet DAF criteria, Visa sends a “must approve” notification to the issuer’s Access Control Server (ACS).
What are some of the downsides to DAF?
DAF is new, so we’re not quite sure what the overall performance of the framework will look like. There are a few concerns that have been raised by merchants regarding the framework:
Since issuers can still decline transactions at authorization, won’t issuers just adjust their models and increase authorization declines on DAF-eligible transactions?
Visa’s response is that they will monitor issuer authorization performance for DAF-eligible transactions and assess fines and penalties if issuers lower their authorization rates.
Since issuers essentially only get “one shot” at authenticating DAF-eligible transactions, won’t they tighten the rules around these transactions and decline more transactions during the initial 3D-Secure authentication request?
This is possible, but Visa also notes that they will be monitoring authentication approval metrics, as well.
After successful authentication at a DAF-eligible merchant, how long do the “no friction” benefits last for the cardholder?
We have not seen this documented by Visa, but they have mentioned on several conference calls that the DAF benefits persist for 2 years for the cardholder at a DAF-eligible merchant.
What do I need to do to start using DAF?
You should speak with your acquirer or whoever is providing you merchant 3D-Secure server. As noted earlier, you must enroll in this service. Only enrolled merchants will receive the benefits mentioned above.
It should also be noted that you must be processing under the 3D-Secure protocol version 2.1 or higher. Merchants should be prepared to meet all data requirements outlined in the DAF specification.
What type of merchants are candidates for using DAF?
All types of merchants can benefit from DAF, however, merchants must still decide whether they want to support 3D-Secure or not. For merchants in regulated markets, it’s a no-brainer that DAF should be evaluated, as they and their consumers are already familiar with 3D-Secure authentication.
For unregulated markets, however, merchants must still weigh the benefit of introducing potential friction through the initial 3D-Secure request, which still may be undesirable to their consumers and result in greater drop-off rates at checkout. Nonetheless, this is an interesting solution to help address the overall friction introduced by 3D-Secure, and merchants who are on the fence about enabling authentication should evaluate whether DAF will help address their implementation concerns.
For European-based merchants, how does this work in conjunction with PSD2 SCA requirements?
There hasn’t been a lot said about this, but in their February 2023 network update, Visa notes that:
Transactions in the EU region will require an appropriate SCA exemption, e.g. VDAP, TRA etc
Does DAF apply to only Visa cards? Is it supported by Mastercard or American Express?
DAF is only supported on the Visa network. However, Mastercard is working on a similar framework, details of which are scarce at this time.
Where can I learn more about DAF?
There are a few good resources available to help you better understand DAF:
- Visa Business Update on DAF: https://usa.visa.com/content/dam/VCOM/regional/na/us/support-legal/documents/ecommerce-transactions.pdf
- Entersekt‘s Overview of DAF (and Mastercard’s proposed TAF): https://www.entersekt.com/knowledge-hub/blog/tpost/1u9h7tu1b1-daf-and-taf-what-changes-merchants-and-iVisa general overview of DAF implementation and flows: https://developer.visa.com/pages/visa-3d-secure/DigitalAuthenticationFramework
- CardinalCommerce, A Visa Solution webinar on DAF: https://event.on24.com/eventRegistration/EventLobbyServlet?target=reg20.jsp&eventid=4114725&sessionid=1&key=65F16B20A68549085D97067B59677B99&groupId=4507782&partnerref=LinkedIn&sourcepage=registerHITRUST‘s Overview of DAF: https://www.hitrust.com/daf.html
- The MRC | Merchant Risk Council‘s webinar on Visa Card Network Changes (requires MRC membership to view): https://merchantriskcouncil.org/learning/resource-center/operational-resources/card-schemes/card-network-changes-forum-visa-february-2023#.ZFQ_GuzMKtA
- Arcot‘s perspective on issuer implementation in their ACS: https://docs.arcot.com/afi/docs/arcot-acs-visa-digital-authentication-framework-implementation