In July 2025, Cash App expanded its use of EMV 3-D Secure (3DS) with a Data‑Only approach – a mode designed to share rich contextual data with issuers without triggering a step‑up challenge. As a result, our clients saw a 27% month‑over‑month reduction in fraudulent transactions on Cash App traffic.

While results will vary by portfolio, these early outcomes reflect how always‑on 3DS data and selective friction can improve both fraud control and member experience simultaneously.

3-D Secure: The Basics

3-D Secure is a foundational protocol for authenticating card‑not‑present transactions, mandated in countries throughout Europe, as well as India, Japan and parts of Asia and Latin America. While 3DS is optional in the U.S. and Canada, its adoption is climbing, because shopping is increasingly borderless and fraud is undeniably global.

Managed by EMVCo, 3DS facilitates risk‑based authentication across three “domains”:

Issuer (the issuer of the card)
Acquirer (the merchant’s processor)
Network (Visa, Mastercard, Amex, Discover, JCB, UnionPay)

Modern 3DS leverages real‑time data sharing across participants to classify risk – responding within milliseconds. Depending on risk, a transaction typically follows one of three paths:

Frictionless (Silent) Authentication: Approved without cardholder interaction.
Challenge Authentication: Step‑up (One-Time Passcode) if risk indicators warrant it.
Decline: If signals indicate high likelihood of fraud.

3DS is most effective as part of a multi‑layered strategy that combines analytics, device intelligence, machine learning and human fraud expertise.

What’s Different About Cash App’s Methodology

Historically, many issuers saw only the riskiest sliver of traffic in 3DS, which biased models and sometimes over‑rotated to declines or step‑ups. Data‑Only mode broadens visibility for a truer distribution of cardholder behavior – making it easier to separate normal from risky and deploy step‑ups only where they are most effective. Cash App’s approach, therefore, is particularly noteworthy: By leaning into 3DS Data‑Only broadly – not just for high‑risk traffic – they’ve created an ecosystem that:

Shares rich, contextual data with issuers on most or all ecommerce transactions (vs. sending only a small, pre‑filtered risky subset)
Avoids challenge flows unless truly necessary – ensuring no added friction and lower latency
Retains fraud liability, so issuers can use the signals without absorbing extra risk.
Builds issuer trust by providing broader visibility into cardholder digital behavior
Ensures most 3DS traffic that does require challenge is meaningfully risk‑concentrated, improving fraud targeting precision

For issuers, Data-Only mode offers better visibility into cardholder digital behavior with no customer effort required, and no extra risk burden, because liability stays with the merchant on Data‑Only flows. For merchants, Data-Only typically yields higher approval rates and lower false positives, because issuers can more accurately target the truly risky edge (since the 3DS stream isn’t only the “scariest 2%”), for an easy, friction-free checkout experience. The result is a virtuous cycle:

Bottom Line: When merchants and issuers use enriched data, the system works better for everyone – delivering higher approvals, lower fraud and better member experiences.

How to Maximize 3DS Data (Practical Playbook)

So, what can credit unions do with the enriched data from Data-Only mode?

Fraud Investigation & Analysis:

Device and location clues: These are particularly helpful for differentiating between consumer-engaged fraud and foreign attacks.
Feedback loop: Mark confirmed fraud within the 3-D Secure portal to help strengthen the Smart Ruleset and 3DS Fraud Score.
Accelerate tagging: Use device info, IP/location, merchant‑provided contact details (email, phone) to speed and standardize classifications.

Chargeback Processing:

Cross‑event consistency checks: When evaluating disputes, compare 3DS data on the disputed transaction to other cardholder transactions; strong consistency may indicate confusion or friendly fraud rather than third‑party compromise.
Improve the ecosystem: If you do issue a chargeback to Cash App, include specifics of the cardholder’s claim and context across their other transactions – this helps Cash App refine prevention controls and benefits all parties.

Final Take

Cash App’s expanded 3DS adoption – paired with extensive Data‑Only signals and merchant-retained liability – is a pragmatic blueprint for balancing safety and experience. As more merchants follow this pattern, we expect continued approval rate gains, fraud reductions, and a smoother cardholder experience.