Visa Secure
What is Visa Secure?
Visa Secure is Visa's implementation of the 2.0 authentication protocol, the security layer that confirms a cardholder's identity during online checkout. It replaced the earlier "Verified by Visa" system and its static-password model.
The protocol shares richer transaction and device data between the merchant, the , and Visa, so the issuer can score risk in the background. Low-risk payments clear without any extra step, while higher-risk ones trigger a verification prompt. That risk-based handling is what separates Visa Secure from the password-every-time experience it replaced.
Key facts
- Also known as: the successor to Verified by Visa (VbV)
- Built on: 2.0 (EMV 3DS)
- Verification methods: one-time passcodes by SMS or email, (fingerprint or face), in-app approval from a mobile banking app, or device recognition
- Applies to: card-not-present transactions on Visa-branded cards
- Mastercard equivalent:
How it works
- Checkout submission – The cardholder enters card details and submits the payment on the merchant's site or app.
- Authentication request – The merchant's gateway sends transaction and device data to Visa's directory server, which routes it to the issuer. EMV 3DS passes far more of this data than the original 3-D Secure 1.0 did, which lets the issuer judge risk before involving the cardholder.
- Risk assessment – The issuer evaluates that data and decides whether the payment can proceed silently (frictionless flow) or needs an extra check (challenge flow). In a frictionless flow the cardholder sees nothing beyond the normal checkout.
- Cardholder challenge – When a challenge is required, the cardholder confirms identity through a one-time passcode, biometrics, or a banking-app approval.
- Authentication result – The issuer returns an authenticated result and the transaction continues to authorization, with the applied.
Why it matters
Visa Secure targets that relies on stolen card numbers alone. Because completing a payment can require access to the cardholder's registered device, phone number, or biometrics, a fraudster who holds only the card credentials usually can't finish authentication. It also blunts account-takeover attempts, where an attacker uses a legitimate cardholder's saved credentials, by demanding a live verification step the attacker can't satisfy.
For merchants, an authenticated Visa Secure transaction moves liability for fraud disputes from the merchant to the issuing bank. In the European Economic Area, it also helps merchants meet (SCA) requirements under PSD2. The frictionless flow keeps that protection from dragging on approval rates, since trusted payments can clear without ever showing a prompt.
Common issues
- Challenge friction: When the issuer triggers a step-up, a slow or confusing prompt can cause cart abandonment, especially if the one-time passcode is delayed.
- Enrollment gaps: Cards whose issuers haven't fully adopted 3DS 2.0 can fall back to a result without full liability protection.
- Device and channel limits: Older browsers, in-app webviews, or out-of-date banking apps can break biometric or app-based verification and force a less reliable fallback method.
- Misconfigured exemptions: Requesting an authentication exemption incorrectly can forfeit the liability shift even when the payment clears.


