← Essays
OnboardingMerchant Acquiring

Visa DCAP Makes Authentication an Acquiring Economics Decision

Visa's Digital Commerce Authentication Program makes Data Only 3DS a commercial acquiring decision: the savings matter only when eligibility, authorization, latency, and disputes are measured together.

June 27, 2026·7 min read·By Rizwan Zafar
Briefing note

Visa DCAP turns richer checkout data into interchange savings, but acquirers must protect authorization, latency, and merchant economics.

Operator-written7 min read8 sectionsRecruiter-readable

Five basis points sounds too small to reshape a checkout roadmap.

At acquiring scale, it is large enough to force one.

Visa's Digital Commerce Authentication Program, or DCAP, rewards eligible card-not-present transactions for sending richer data through a Data Only authentication flow. Stripe says qualifying US transactions can receive a net interchange reduction of up to five basis points. Combine DCAP with network tokenisation and Stripe estimates the net benefit can reach roughly ten basis points for qualifying transactions.

DCAP does not turn every Visa transaction into a cheaper transaction. It makes authentication data quality, issuer behaviour, latency, authorization performance, and transaction eligibility part of the merchant P&L. That is an acquiring product problem, not a scheme-pricing footnote.

The Short Answer

DCAP uses a frictionless Data Only 3DS flow to send richer transaction context to Visa and issuers. Eligible US consumer-credit Visa transactions may receive lower interchange, but only when the required data is present and the end-to-end authorization result remains healthy.

For acquirers and payment service providers, the job is not simply to switch the program on. The job is to route the right customer-initiated transactions into Data Only, prove the economic benefit, and stop or adjust the flow when authorization or latency moves the wrong way.

Eligibility Is A Product Surface

Stripe's implementation guidance identifies four required data elements for US qualification: customer email, full billing address, device ID, and IP address. Stripe.js can capture device and IP signals, but the merchant still has to collect clean customer and billing data.

That turns apparently simple checkout choices into commercial decisions.

Removing billing address fields may improve form completion. It may also reduce DCAP eligibility. Asking for more data may improve the transaction's economics and risk context. It may also create friction before authorization. A product team cannot settle that trade-off in a design review. It needs a controlled measurement plan by device, merchant category, basket value, issuer, and checkout surface.

The correct metric is not “percentage of transactions sent to DCAP.” It is incremental contribution margin after checkout conversion, authentication cost, interchange, authorization, fraud, disputes, and support effects.

This is the same discipline required for 3DS2 frictionless and step-up optimization. Authentication is not a binary compliance gate. It is a decision layer inside the acquiring funnel.

Five Basis Points Is Not Five Basis Points Of Profit

Stripe describes a ten-basis-point interchange reduction, offset by a five-basis-point scheme fee, for net savings of up to five basis points on qualifying transactions. It also notes that the incentive varies by merchant category code and purchase amount.

The word “qualifying” carries most of the risk.

DCAP is for eligible customer-initiated consumer credit Visa transactions. Merchant-initiated transactions, stored-credential recurring payments, mail order and telephone order, account funding transactions, and instalments sit outside the US scope described by Stripe. Data quality rules also matter, and Visa can remove eligibility when program requirements are not met.

A merchant processing $100 million in otherwise eligible volume might see a theoretical $50,000 benefit at five basis points. That is not a forecast. The realized number depends on Visa share, credit mix, customer-initiated volume, merchant category, qualification, and the percentage of transactions for which Data Only is economically sensible.

This is why payment cost must be modelled transaction by transaction, not reduced to one blended rate.

Authorization Must Stay In The Same Dashboard

Data Only adds an authentication network call before authorization. It is frictionless for the cardholder, but it is not operationally free.

Stripe warns that issuers do not handle Data Only requests consistently. Its Auth Boost and Adaptive Acceptance products decide when to submit Data Only based on whether authorization performance is expected to hold or improve. Merchants using standalone 3DS or an external provider carry that decision and monitoring burden themselves.

An acquirer should therefore monitor four results together:

  • qualification and realized interchange benefit;
  • authorization rate and decline-code movement;
  • authentication latency at the p50, p95, and p99;
  • fraud and dispute outcomes, because Data Only does not provide the liability shift associated with regular 3DS.

If finance sees the savings while product sees lower conversion and risk sees unchanged liability, the organization will make the wrong decision. The metrics need one owner and one review cadence.

Network Tokens Change The Calculation

DCAP becomes more interesting when it is combined with network tokenisation. Stripe estimates roughly five basis points of network-token interchange benefit plus the DCAP reduction, less the DCAP scheme fee, for a potential net benefit of about ten basis points on qualifying transactions.

That does not mean every merchant should start a tokenisation migration to chase an incentive. Network tokens have broader value: fresher credentials, lifecycle updates, reduced exposure to primary account numbers, and potentially better authorization performance. The DCAP benefit strengthens an existing business case; it should not be the only one.

Teams should model token coverage, token provisioning success, cryptogram performance, issuer response, and fallback behaviour. The technical architecture behind network tokenisation determines whether the headline savings survive contact with production.

The Acquirer Playbook

I would roll DCAP out as an acquiring experiment with a finance-grade control group.

First, define the eligible population before estimating savings. Separate customer-initiated from merchant-initiated transactions and map Visa consumer-credit share by merchant category.

Second, audit required data completion. Do not assume a field exists because the API accepts it. Measure valid email and billing-address coverage by checkout integration and merchant.

Third, test authorization and latency by issuer and device. A blended authorization rate can hide issuer pockets where Data Only underperforms.

Fourth, reconcile the incentive. Match expected qualification to network fee records and merchant statements. If the product dashboard and settlement economics disagree, the economics are not yet proven.

Finally, give merchants an intelligible report: eligible volume, qualified volume, realized saving, authorization movement, and exceptions. Acquiring products earn trust when merchants can see how a scheme program changes their outcome.

For teams designing this kind of acquiring control plane, work with Rizwan to connect checkout, authorization, scheme cost, and merchant reporting into one operating model.

Actionable Takeaway

DCAP is not “cheaper 3DS.” It is a data-quality and routing program with an interchange incentive attached.

The strongest acquirers will treat it as a portfolio decision: apply Data Only where transaction context is complete, issuer behaviour is understood, latency is acceptable, and the realized margin is visible. Everyone else risks optimizing a basis-point line while damaging the authorization funnel that creates the revenue.

The operator question is simple: can your acquiring dashboard prove the net effect of DCAP per merchant, or can it only confirm that the flag was enabled?

FAQ

What is Visa DCAP?

Visa's Digital Commerce Authentication Program uses Data Only authentication and richer transaction data to support risk assessment. Eligible transactions can receive an interchange incentive.

Does Data Only DCAP create a 3DS challenge?

No. The Data Only flow is frictionless for the cardholder, although it adds a network call and therefore needs latency monitoring.

Does DCAP provide dispute liability shift?

No. Stripe's guidance states that DCAP Data Only authentication does not provide the liability shift available with regular 3DS authentication.

Tags
Visa DCAPmerchant acquiring3D Secureinterchangeauthorization optimizationcheckout conversion
Rizwan Zafar
Written by
Rizwan Zafar

Chief Product Officer · Payments, Fintech & AI

Payments product & program leader — scaled a regulated multi-rail platform from $0 to $1B+ GTV across five frontier markets. These essays are the public version of how I think through the work.

Continue the conversation

This writing is the public version of how I think through product, programme and payment-infrastructure decisions in regulated markets.

Contact Rizwan
Hiring for a senior payments product role?

Rizwan ZafarChief Product Officer · Payments, Fintech & AI.

Payments Infrastructure Notes

One operator email a week. No filler.

Payment acceptance, settlement and product delivery notes from running $1B+ annual GTV across frontier markets — written for founders and payment leaders.

Weekly at most. Unsubscribe with one reply.