
The state of payments in 2025: Authentication, regulation and compliance around the world – Ravelin's analysis

You can’t just translate what works in one market into another... What do legislators and card schemes expect, and what should merchants and PSPs know as they expand into different regions?

09 January 2025


Card schemes have largely sunsetted 3DS 2.1 around the world. Visa has announced new metrics and new programs for merchants with high dispute rates.

Unsurprisingly, payment fraud continues to rise globally.

Released in June 2023, EMVCo’s 3DS v2.3 looks to increase the convenience and flexibility of how 3DS challenges appear to consumers, as well as where they appear, with Internet of Things (IoT) devices one of the new, non-traditional channels available via the split-SDK model.

As one example, Out-of-Band (OOB) transitions are going to be automated. Shoppers will no longer have to receive a notification, switch to their banking app, log in and then find the internal notification to approve a transaction.

It also comes with promises of decreased friction, with ample information exchanged to allow full use of SCA exemptions and risk analysis. There are improvements to how data is exchanged between issuer and merchant, including reducing challenge-induced friction for higher risk transactions. Merchants and issuers will also be able to use WebAuthn and SPC (Secure Payment Confirmation) to give consumers more options, such as biometric authentication and passkeys.

In the world of regulatory compliance, it’s fair to say that developments are slow – although they are moving.

Truth is, you can’t just translate what works in one market into another. Take the United States and Europe as an example. American consumers are notorious for disliking friction when it comes to their shopping experience, while their peers across the pond have grown to appreciate a balance.

Even within Europe, cultural differences and diverse attitudes to payments and friction apply. For example, countries in the Baltics are very well used to friction, to the point of appreciating it as an indication of strong security. But Brits don’t like friction. Meanwhile, banks are slower to adapt in Spain and Italy than many other EU countries.

For any company active in regions with shifting regulations, a clear understanding of their payment landscape is instrumental to a smooth transition. For example, a lot of these regulations have something to do with transaction value – they might apply to everything over a specific value, or exemptions might require a maximum value. Considering your average transaction value can help demonstrate whether it is worth exploring such exemptions.

Let’s now explore shifting legislation and developments around the globe.

Note: This article was first published in our Global Payments Report 2025. Download it to get exclusive data around 3D Secure success rates, CNP payments, merchant attitudes to authentication and related topics of interest to payments and fraud professionals – as well as our advice to merchants and PSPs.

SCA mandates map

Regional SCA regulations analysis

Having set out the main drivers of change in payments authentication, let's look at developments in each region separately.

Asia-Pacific

In Australia, legislation has remained largely the same since 2019. Although their version of SCA was announced after the EU’s PSD2, they managed to implement a similar scheme before the EU – as a single country rather than a union of several, Australia was able to respond more quickly. However, this only applies to merchants found to have high fraud rates in the previous quarter.

When AusPayNet introduced the CNP Fraud Mitigation Framework back in 2019, one of the biggest challenges was that 3DS 2 had very bad performance, especially in relation to 3DS v1. It’s not clear why that was, but maybe this is why eftpos decided to build its own Directory Server – to improve authentication rates, knowing that 3DS 1 was going to go.

Hopefully, with eftpos running its own server, authentication rates will continue to improve in the country compared to only using Visa and Mastercard’s Directory Servers. Moreover, Australia is also planning to implement tokenization for all payment cards, with the eftpos tokenization platform having rolled out in March 2024 to support wider expansion in 2025.

After talking about it for a long time, Japan is currently taking more solid steps to actually do something about regulating payments. Both the Tokyo Olympics and Covid helped pivot consumers in the country away from cash payments and into using their cards more. This is likely to have made card fraud more prevalent. Similar to Australia, the Japan-exclusive card scheme JCB has its own 3DS Directory Server, with 831 card ranges enrolled. Compared to some other countries, it feels like a low number of issuers are enrolled – will it be a major challenge to the Japanese market to roll out new regulations?

India has been quite the innovator, from a certain perspective. The Payment and System Settlements Act (PSS) requires authentication on all domestic debit and credit transactions except low-value transactions. These are heavily reliant on one-time passwords (OTPs). The country was the first to introduce additional authentication for online payments, back in 2009. India also makes use of the unique Aadhaar system of providing UID identification, described by the World Bank as “the most sophisticated ID program in the world”. There is some overlap between this and secure payments, in the sense of consumers using their UID to safely make certain banking transactions. This likely covers some of the use cases of 3D Secure-style authentication elsewhere.

The situation is similar in Singapore, with OTPs being the go-to for all browser-based debit and credit card transactions. However, the country’s banks announced in July 2024 that they are moving away from OTPs and favoring tokenization instead, to protect consumers from social engineering scams, fake websites and phishing attempts.

North America

In North America, authentication regulations are not viewed as positively, especially in the US. Owing to consumer attitudes and culture, merchants, PSPs and issuers are terrified that such regulations will be imposed on them – but at the same time, card schemes love the idea.

There is significant reason to believe that some type of authentication mandate is coming up for the United States though, with card schemes pressuring merchants to adopt 3D Secure and legislators considering following the example of the EU. For example, the Consumer Financial Protection Bureau (CFPB) has heavily hinted at favoring additional authentication on several occasions.

Many now think, “We’ve got to start using 3DS more on our own terms, or we’ll be forced to use it in less pleasant ways”. PSD2-style SCA doesn’t seem to be a good cultural match for the USA. It’s the country that invented digital wallets such as Apple Pay, but also one that still uses bank checks. They are really innovative in making sure that payments are frictionless and secure but also have a payments industry that’s quite old-fashioned and slow. Personally, I don’t see how banks would be able to keep up with PSD2 SCA in the United States.

Though consumer attitudes might be somewhat different, Canada is on par with the USA in terms of authentication regulations. The country is lagging behind much of the rest of the world both in terms of what’s enforced and what’s announced.

In both countries, it’s card schemes such as Visa and Mastercard rather than lawmakers who are influencing merchants to consider adopting 3D Secure checks and challenges for online payments. And this is likely to continue.

Latin America

Plenty of rumors are coming out of South America that things will happen, but nothing is concrete yet.

For example, Mexico was supposed to introduce authentication legislation, yet this has not come to pass. One could attribute this to so-called “immature” markets but that would be unfair. These countries tend to do things differently, and quite innovatively, in some cases.

For instance, Brazil has Boleto bancário – a unique, cash-based payment system regulated by the Central Bank of Brazil, which has been reported as making up 10–15% of ecommerce payments today. It is likely that neighboring countries might be considering a similar system for themselves, following Brazil’s example.

Meanwhile, we also saw recent attempts to deploy cryptocurrency and blockchain-related payments solutions – but they have as of now failed.

Europe

We know that the European Commission’s PSD3 legislation is coming in the EU – we have known for years. However, not much has happened since the consultation was initially announced back in May of 2022.

This isn’t surprising. The EU tends to be slow when it comes to regulation but what does come out has a big impact on global payments and sets an example. Around the world, everyone’s eyes are on this, so the EU has chosen to take its time once again. You will remember that PSD3 has, so far at least, been more about allowing the EU to supervise and enforce SCA centrally instead of relying on country-state level regulators, as well as about open banking.

But there is an argument in favor of expecting PSD3 to address the increase in account takeover (ATO) attacks. The argument goes that because PSD2 SCA helped safeguard payments significantly, fraudsters shifted their focus to other markets, such as America, as well as to other attack vectors. PSD2 kicked into effect at the same time as the US introduced EMV chip and PIN, and fraudsters tend to work on a globalized level.

By all accounts, PSD2 did reduce payment fraud in the countries of the EEC. But in the wake of PSD2 implementation, some expected ATO attacks to increase as a result. It is difficult to gauge exactly how much this legislation contributed to the rise of ATOs. We can point to other developments, such as customers saving bank card details in their online accounts more often than before, as well as occasional insufficient protection from companies, as also instrumental.

It would be interesting to know if PSD2 has had an impact on how everyday consumers choose to pay, especially in Europe. Barclaycard Payments metrics indicated that 17% of European ecommerce transactions were soft-declined since the introduction of SCA mandates, per figures presented by the bank at MPE Berlin 2022. Merchants did take note, but did this affect consumer behavior as well?

It will also be interesting to see what the UK will choose to do in relation to new legislation implemented by the EU. There are reasons to believe the UK government is looking to abolish PSD2-style SCA, moving away from the EU's more rigid requirements in favor of more flexible guidelines.

Takeaways

  • 3DS versions before 2.2 are now largely unsupported by card schemes.
  • Visa is changing its dispute ratio metrics affecting merchants and PSPs.
  • APAC is taking steps in mandating authentication.
  • There’s slow progress on the EU’s PSD3/PSR legislation.

What does all this mean for merchants and PSPs?

The best way forward is ensuring you have good visibility into your authentication systems. At a bare minimum, your 3DS provider should be telling you, for each region:

  • What's working
  • Why it's working
  • How it's working
  • What's not working
  • Why it's not working
  • What can be improved

To learn how Ravelin's 3D Secure and payments optimization products can supercharge your growth without compromises to compliance and security, book a call with the team today.

