
Visa’s Digital Commerce Authentication Program (DCAP): A Multi-Layered Security Model

April 1, 2026

Visa's Digital Commerce Authentication Program (DCAP) is scheduled to launch in the US on April 18, 2026.

Below is an explanation of what DCAP is and how it applies a multi-layered approach to e-commerce and card-not-present (CNP) transaction security.


Key Takeaways

  1. Visa's DCAP launches in the US on April 18th, 2026.
  2. DCAP aims to enhance transaction authentication by requiring additional fields to be passed, such as Device ID, IP Address, and Email.
  3. One way to provide the new required fields to the network is via the 3DS Data Only flow.
  4. Operational preparation (data mapping and capture) should begin now, ahead of the April 2026 launch.

What is DCAP?

DCAP is the Digital Commerce Authentication Program by Visa, a new initiative designed to help merchants reduce interchange fees on eligible transactions, without requiring a full 3D Secure (3DS) challenge flow.

Instead of triggering a full 3DS challenge, Data Only authentication sends enriched transaction data to Visa, allowing issuers to assess risk without requiring step-up verification in many cases. This approach helps maintain a streamlined checkout experience while still operating within the 3DS framework.

DCAP will launch in the United States on April 18, 2026.

The main goals of DCAP are to:

  • Increase authorization rates
  • Reduce friction and disruption for legitimate customers during the checkout process
  • Lower fraud
  • Enhance consumer experience
  • Mitigate costs by limiting newly introduced fees associated with authorizations

Enhanced data quality can enable optimal authentication more often, as issuers can apply additional data fields to decisions without interrupting shoppers with full 3DS authentication.


How Does Data Only Authentication Work?

With traditional 3DS authentication, transactions may involve a challenge step (such as a one-time passcode), which can add friction to the checkout process.

DCAP leverages Visa's Data Only flow to:

  1. Send enriched transaction data (e.g., device, behavioral, and purchase information) to Visa
  2. Enable issuers to perform risk assessment without initiating a full challenge flow

It's important to note that while Data Only avoids full challenge flows, it is not equivalent to a completely authentication-free transaction. Instead, it represents a more efficient alternative within the 3DS framework.


Why does DCAP matter?

When a merchant or service provider experiences a cardholder data breach, DCAP determines whether PCI DSS non-compliance contributed to the incident and can assign liability for fraud losses, card reissuance, and recovery costs. In doing so, it reinforces the importance of continuous compliance and creates strong financial incentives for organizations to properly secure cardholder data before a breach occurs, not after.


What are the DCAP costs?

There are two ways to break down DCAP costs.

DCAP Alone:

You receive a 10-basis-point (bps) interchange reduction, but it is offset by a 5-bps scheme fee, for a net savings of 5 bps per qualifying transaction. To qualify, you must successfully pass the enriched data fields (Device ID, IP, Email, and Billing Address) through the 3DS Data Only flow.

Network Tokens and DCAP:

You combine the 10 bps DCAP reduction with the revised 5 bps Network Tokenization benefit, minus the 5 bps scheme fee, for a net savings of ~10 bps per qualifying transaction. This approach is the only way for merchants to maintain the double-digit basis-point savings they were accustomed to before the 2026 reclassification.

| Strategy | DCAP Alone | Network Token + DCAP |
|---|---|---|
| Interchange Benefit | -10 bps | -15 bps |
| Scheme Fee | +5 bps | +5 bps |
| Net Merchant Impact | -5 bps (Savings) | -10 bps (Savings) |


Are the DCAP interchange rates guaranteed?

Not automatically. While a Data Only flow streamlines transaction authentication, it doesn't serve as a universal pass for DCAP interchange rates. Visa maintains strict eligibility criteria, particularly regarding data quality standards.

To secure these savings, your implementation must consistently meet all program guidelines. Incomplete or non-compliant data submissions can result in the loss of interchange incentives or disqualification from the program entirely.


What are the DCAP-qualified enhanced data fields?

DCAP supports a layered security model by standardizing and financially encouraging the transmission of enhanced, high-quality 3DS data that strengthens risk decisions.

Key DCAP-qualified enhanced data fields include:

  • Field 34: Device ID, IP address
  • Field 56: Billing address, email address
  • Field 111: VDCAP indicator
  • 6 in data set ID 56, Tag 89

| Field ID | Data Element | Purpose |
|---|---|---|
| Field 34 | Device ID & IP Address | Establishes device reputation and geolocation trust. |
| Field 56 | Billing Address & Email | Validates identity against issuer records. |
| Field 111 | VDCAP Indicator | Signals to the network that the transaction is DCAP-eligible. |
| Dataset 56 (tag 89) | Specific Enrichment Data | Provides the granular signals required for frictionless risk assessment. |

Visa's position is that these signals will help build a more comprehensive view of trust across devices, identities, and program participation.


How can merchants and acquirers prepare to participate?

DCAP may launch in April 2026, but operational work begins earlier: e-commerce data capture, data mapping, and confirming that your terms, conditions, and privacy policy, as currently stated, remain compliant for these additional data fields.

Here's a practical step-by-step preparation plan:

  1. Audit Data Capture at Checkout

    The "Data Only" flow relies on your ability to pass enriched signals to the issuer. You must validate that your frontend can reliably capture and transmit:

    • Device ID & IP Address (Field 34): These are required to calculate the transaction's "trust score".
    • Full Billing Address & Email (Field 56): Many e-commerce merchants currently only capture a Zip Code for AVS (Address Verification Service). DCAP requirements are more stringent; you may need to update your checkout flow to capture the full physical address (Line 1, City, and State) to satisfy the network mandate.
  2. Implement Technical Mapping & Indicators

    Participation requires specific technical handshakes within the 3DS framework. Coordinate with your technical partners to ensure the following are implemented:

    • The VDCAP Indicator (Field 111): This must be mapped correctly to signal to the Visa network that the transaction is intended for the DCAP program.
    • Dataset ID 56 / Tag 89: Ensure your payment stack supports these specific dataset requirements. Without these tags, even "rich" data will not be recognized by the network as DCAP-compliant.
  3. Review Terms, Conditions, and Privacy

    Passing enriched data, such as Device IDs and IP addresses, adds a layer of compliance complexity.

    • Privacy Review: Work with your legal or privacy team to ensure your data sharing falls under "Payment Processing" or "Fraud Prevention" exceptions. While most DCAP data transmission is considered essential for the security of the transaction, it is a "best practice" to update your privacy policy to reflect these enhanced security signals.
    • The "Gray Area": If a transaction had gone through without this extra data, some privacy frameworks see the additional data sharing as optional. You must determine whether your current T&Cs cover this "enhanced" sharing for the purposes of cost optimization and security.
  4. Operational Check

    | Milestone | Action Item |
    |---|---|
    | UX/UI Update | Expand checkout fields to include full billing address and email if missing. |
    | Technical Audit | Confirm Field 34, Field 56, and Field 111 are mapping to the network. |
    | Legal Review | Validate that Device ID and IP sharing align with your Privacy Policy. |
    | Operational Sync | Ensure your acquirer is ready to support Dataset ID 56 and Tag 89 by early 2026. |
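
The data-capture audit from step 1, sketched as an added example (not VGS or Visa code): it checks exported checkout records for the Field 34 and Field 56 inputs listed above. The record keys (`order_id`, `device_id`, `ip_address`, `email`, `billing.*`) and the sample records are assumptions constructed for illustration, and the public-IP check goes beyond the article to catch a proxy or load-balancer address being captured instead of the shopper's.

```python
import ipaddress
import re

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
ADDRESS_PARTS = ("line1", "city", "state")  # parts the article names beyond ZIP

# Constructed sample records; the key names are hypothetical.
SAMPLE = [
    {"order_id": "A1", "device_id": "d-7f3a", "ip_address": "8.8.8.8",
     "email": "pat@example.com",
     "billing": {"line1": "1 Main St", "city": "Austin", "state": "TX"}},
    {"order_id": "A2", "device_id": "", "ip_address": "10.0.0.12",
     "email": "pat@example.com", "billing": {"postal_code": "78701"}},
]


def dcap_gaps(record):
    """Return (field, problem) pairs for one checkout record."""
    gaps = []
    # Field 34 group: Device ID and IP address.
    if not str(record.get("device_id") or "").strip():
        gaps.append(("Field 34", "device_id missing"))
    try:
        ip = ipaddress.ip_address(str(record.get("ip_address") or ""))
        if not ip.is_global:
            # Typical cause: the app recorded the proxy's address.
            gaps.append(("Field 34", "ip_address is not a public address"))
    except ValueError:
        gaps.append(("Field 34", "ip_address missing or malformed"))
    # Field 56 group: email and full billing address (not just a ZIP code).
    if not EMAIL_RE.match(str(record.get("email") or "")):
        gaps.append(("Field 56", "email missing or malformed"))
    billing = record.get("billing") or {}
    for part in ADDRESS_PARTS:
        if not str(billing.get(part) or "").strip():
            gaps.append(("Field 56", f"billing.{part} missing"))
    return gaps


def audit(records):
    """Return ({order_id: gaps}, share of records with no gaps)."""
    report = {r["order_id"]: dcap_gaps(r) for r in records}
    complete = sum(1 for g in report.values() if not g)
    rate = (complete / len(records)) if records else 0.0
    return report, rate


if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run it against a sample of real checkout exports to see which capture gaps are most common before the mapping work in step 2.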

The bottom line on DCAP

At VGS, we specialize in removing the technical and regulatory hurdles that stand between your current stack and system-ready status.

The VGS team provides a comprehensive evaluation of your existing merchant environment, identifying exactly where your data capture falls short of DCAP requirements, from missing Device IDs to incomplete billing profiles.

By leveraging the VGS platform, you can:

  • Route Enhanced Data: Seamlessly capture and pass the required fields without a total checkout redesign.
  • Simplify Mapping: Implement necessary VDCAP indicators and tags with minimal changes to your existing infrastructure.
  • Offload Technical Friction: Let us handle the heavy lifting of secure data transmission and field enrichment while you focus on your core business.

Let us help you bridge the gap between compliance and optimization, ensuring a seamless, secure, and strategically sound transition.

VGS Team