Visa’s Digital Commerce Authentication Program (DCAP): A Multi-Layered Security Model

 

Key Takeaways

1. Visa's DCAP launches in the US, EU, Asia Pacific (AP), and Argentina (within the LAC region) on April 18th, 2026.
2. DCAP aims to enhance transaction authentication by requiring additional fields to be passed, such as Device ID, IP Address, and Email.
3. DCAP can lead to higher authorization rates and lower fees.
4. Operational preparation (data mapping and capture) should begin now, ahead of the April 2026 launch.

 

What is DCAP?

DCAP is Visa's Digital Commerce Authentication Program, a new initiative designed to help merchants reduce interchange fees on eligible transactions.

DCAP is designed to encourage high-quality, enhanced data sharing and consistency at the network level. DCAP helps improve ecommerce performance through Visa's Intelligent Data Exchange solutions, supporting richer, more reliable transaction data being shared across the Visa network to help improve authorization rates and reduce fraud rates, without adding friction for customers.

DCAP will launch in the US, EU, Asia Pacific (AP), and Argentina (within the LAC region) on April 18, 2026.

The main goals of DCAP are to:

• Increase authorization rates
• Reduce frictionless disruption for legitimate customers during the checkout process
• Lower fraud
• Enhance consumer experience
• Cost mitigation in the form of limiting newly introduced fees associated with authorizations

Enhanced data quality can enable optimal authentication more often, as issuers can apply additional data fields to decisions without interrupting shoppers with full 3DS authentication.

The requirements and program benefits of the DCAP vary by region. While the core goals of improving authorization rates and reducing fraud remain consistent globally, Visa has tailored specific technical requirements, supported channels, and economic benefits to different regions.

While the overarching benefits of participating in DCAP, such as higher approval rates, reduced false declines, and lower fraud, apply to all participants, the specific economic benefits vary by region.

 

Why does DCAP matter?

DCAP improves e-commerce transaction performance by securely sharing enhanced data to increase authorization approval rates and reduce fraud. It also creates strong financial incentives for organizations to properly secure cardholder data before a breach occurs, not after.

 

What are the DCAP costs?

There are two ways to break down DCAP costs. Fees can vary from merchant to merchant; be sure to check with your acquirer for exact pricing.

DCAP Alone:

You receive an up to 10-basis-point (bps) interchange reduction, but it is offset by an up to 5-bps scheme fee. A net savings of up to 5bps per qualifying transaction. To qualify, you must successfully pass the enriched data fields (Device ID, IP, Email, and Billing Address) through the 3DS Data Only flow.

Network Tokens and DCAP:

You combine the up to 10bps DCAP reduction with the revised up to 5bps Network Tokenization benefit, minus the 5bps scheme fee. A net savings of up to ~10bps per qualifying transaction. This approach is the only way for merchants to maintain the up to double-digit Network Tokenization basis-point savings they were accustomed to before the 2026 reclassification.

*fees can vary merchant to merchant

 

Are the DCAP interchange rates guaranteed?

Not automatically. It will depend on your acquirer. Visa maintains strict eligibility criteria, particularly regarding data quality standards.

To secure savings, your implementation must consistently meet all program guidelines. Incomplete or non-compliant data submissions can result in the loss of interchange incentives or disqualification from the program entirely.

 

What are the fields required for program participation?

• Field 34: Device ID, IP address
• Field 56: Billing address, email address
• Field 111: DCAP indicator*

*The DCAP indicator is the specific technical signal used to identify a DCAP-qualified transaction. Technically, it is defined as a value of "1" in Field 111, Data Set ID 56, Tag 89, of the 0110/0210 authorization response message.

 

What are the DCAP-qualified enhanced data fields?

DCAP offers to support a layered security model by standardizing and financially encouraging the transmission of enhanced, high-quality data that strengthens risk decisions.

Key DCAP-qualified enhanced authorization message fields include:

• Device ID
• IP Address
• Email or Phone Number
• Billing Address

Visa's position is that these signals will help build a more comprehensive view of trust across devices, identities, and program participation.

Visa's position is that these signals will help build a more comprehensive view of trust across devices, identities, and program participation.

 

What ways can you send the enhanced data?

There are four ways to send enhanced data.

1. 3DS rails: Enhanced data can be passed through the 3DS message flow during the authentication request, allowing issuers to receive richer transaction details to make better authorization decisions.
2. Visa Token Service and Visa Token Management Service rails: For tokenized payment flows, enhanced transaction data is securely linked to Visa network tokens, allowing issuers to receive deeper transaction context during authorization.
3. Visa Intelligent Data Exchange API: The direct API integration allows merchants to securely transmit enhanced ecommerce data to Visa, where it is mapped into the authorization message for improved issuer decisioning.
4. Passkeys: In the context of DCAP, passkeys can serve as a channel through which enhanced authentication and identity data are captured and transmitted during the payment or verification flow, strengthening fraud signals and reducing reliance on passwords.

 

How Does Data Only Authentication Work?

Instead of triggering a full 3DS (3D-Secure) challenge, Data Only authentication sends enriched transaction data to Visa, allowing issuers to assess risk without requiring step-up verification in many cases. This approach helps maintain a streamlined checkout experience while still operating within the 3DS framework.

With traditional authentication processes, transactions may involve a challenge step (such as a one-time passcode), which can add friction to the checkout process.

DCAP leverages Visa's Data Only flow to:

• Send enriched transaction data (e.g., device, behavioral, and purchase information) to Visa
• Enable issuers to perform risk assessment without initiating a full challenge flow

It's important to note that the 3DS Data Only flow does not include liability shifts present in full 3DS transactions that include a potential issuer challenge.

 

How can merchants and acquirers prepare to participate?

DCAP may launch in April 2026, but operational work begins earlier, including eCommerce data capture, data mapping, and ensuring that terms, conditions, and privacy remain compliant for these additional data fields, as currently stated.

Here's a practical preparation step-by-step:

1. Audit Data Capture at Checkout

   The "Data Only" flow relies on your ability to pass enriched signals to the issuer. You must validate that your frontend can reliably capture and transmit:

   • Device ID & IP Address (Field 34): These are required to calculate the transaction's "trust score".
   • Full Billing Address & Email (Field 56): Many e-commerce merchants currently only capture a Zip Code for AVS (Address Verification Service). DCAP requirements are more stringent; you may need to update your checkout flow to capture the full physical address (Line 1, City, and State) to satisfy the network mandate.

2. Implement Technical Mapping & Indicators

   Participation requires specific technical handshakes within the framework. Coordinate with your technical partners to ensure the following are implemented:

   • The DCAP Indicator (Field 111): This must be mapped correctly to signal to the Visa network that the transaction is intended for the DCAP program.
   • Dataset ID 56 / Tag 89: Ensure your payment stack supports these specific dataset requirements. Without these tags, even "rich" data will not be recognized by the network as DCAP-compliant.

3. Review Terms, Conditions, and Privacy

   Passing enriched data, such as Device IDs and IP addresses, adds a layer of compliance complexity.

   • Privacy Review: Work with your legal or privacy team to ensure your data sharing falls under "Payment Processing" or "Fraud Prevention" exceptions. While most DCAP data transmission is considered essential for the security of the transaction, it is a "best practice" to update your privacy policy to reflect these enhanced security signals.
   • The "Gray Area": If a transaction had gone through without this extra data, some privacy frameworks see the additional data sharing as optional. You must determine whether your current T&Cs cover this "enhanced" sharing for the purposes of cost optimization and security.

4. Operational Check

The bottom line on DCAP

At VGS, we specialize in removing the technical and regulatory hurdles that stand between your current stack and system-ready status.

The VGS team provides a comprehensive evaluation of your existing merchant environment, identifying exactly where your data capture falls short of DCAP requirements, from missing Device IDs to incomplete billing profiles.

By leveraging the VGS platform, you can:

• Route Enhanced Data: Seamlessly capture and pass the required fields without a total checkout redesign.
• Simplify Mapping: Implement necessary DCAP indicators and tags with minimal changes to your existing infrastructure.
• Offload Technical Friction: Let us handle the heavy lifting of secure data transmission and field enrichment while you focus on your core business.

Let us help you bridge the gap between compliance and optimization, ensuring a seamless, secure, and strategically sound transition.

Contact Us